fix: pin GitHub Actions to full SHA (CLOUDEVOPS-4942)

.github/workflows/ScanSecrets.yaml

@@ -11,10 +11,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 10
       - name: Secret Scanning
-        uses: trufflesecurity/trufflehog@main
+        uses: trufflesecurity/trufflehog@6171fa9f6676edf21e15bba41f049b18399d7372 # main
         with:
           extra_args: --exclude-paths=.script/SecretScanning/Excludepathlist --only-verified

.github/workflows/addCommentToRemindUpdatingTemplateVersion.yml

@@ -15,7 +15,7 @@ jobs:
       hasAutoDetectionComment: ${{ steps.job1.outputs.hasAutoDetectionComment }}
     steps:
       - name: Find Comment
-        uses: peter-evans/find-comment@v3
+        uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3
         id: fc
         with:
           issue-number: ${{ github.event.pull_request.number }}

.github/workflows/aws-s3-bundle-update.yaml

@@ -33,13 +33,13 @@ jobs:
     steps:
       - name: Generate a token
         id: generate_token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1
         with:
           app-id: ${{ secrets.APPLICATION_ID }}
           private-key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
 
       - name: Checkout PR branch with sparse checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           token: ${{ steps.generate_token.outputs.token }}
           ref: ${{ github.event.pull_request.head.ref }}

.github/workflows/codeql-analysis.yml

@@ -38,11 +38,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -53,7 +53,7 @@ jobs:
 
     # ℹ️ Setup DotNet Versions to building C# projects
     - name: Setup DotNet Versions
-      uses: actions/setup-dotnet@v5
+      uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5
       with:
         dotnet-version: | 
           6.0.x
@@ -64,7 +64,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
+      uses: github/codeql-action/autobuild@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -78,4 +78,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3

.github/workflows/content-validations.yaml

@@ -21,7 +21,7 @@ jobs:
       GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
       SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 2 # Only need HEAD and parent for git diff
       - run: npm install -g npm@6.14.18;which npm;npm -v

.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml

@@ -49,12 +49,12 @@ jobs:
           persist-credentials: false # otherwise, the token used is the GITHUB_TOKEN, instead of your personal access token.
           fetch-depth: 0 # otherwise, there would be errors pushing refs to the destination repository.
       - name: Install python
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@3542bca2639a428e1796aaa6a2ffef0c0f575566 # v3
         with:
           python-version: "3.x"
           architecture: "x64"
       - name: Install yamale package
-        uses: BSFishy/pip-action@v1
+        uses: BSFishy/pip-action@8f2d471d809dc20b6ada98c91910b6ae6243f318 # v1
         with:
           packages: |
             yamale
@@ -88,14 +88,14 @@ jobs:
             echo "Arm templates were changed. Changes were committed"
           fi
       - name: Push changes
-        uses: ad-m/github-push-action@master
+        uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # master
         if: ${{ env.armTemplatesChanged == 'true' }}
         with:
           github_token: ${{ steps.generate_token.outputs.token }}
           repository: ${{github.event.pull_request.head.repo.full_name}}
           branch: ${{ github.head_ref }}
       - name: Add comment
-        uses: mshick/add-pr-comment@v1
+        uses: mshick/add-pr-comment@a96c578acba98b60f16c6866d5f20478dc4ef68b # v1
         if: ${{ env.armTemplatesChanged == 'true' }}
         with:
           message: |

.github/workflows/data-connector-validations.yaml

@@ -21,7 +21,7 @@ jobs:
       GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
       SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 2 # Need HEAD and parent for git diff
       - run: npm install -g npm@6.14.18;which npm;npm -v

.github/workflows/detection-template-schema-validations.yaml

@@ -17,11 +17,11 @@ jobs:
       dotnetSdkVersion: 3.1.401
       PRNUM: ${{ github.event.pull_request.number }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 2 # Need HEAD and parent for git diff
       - name: Use .NET Core SDK ${{ env.dotnetSdkVersion }}
-        uses: actions/setup-dotnet@v4
+        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4
         with:
           dotnet-version: ${{ env.dotnetSdkVersion }}
       - name: Run Detection template structure validation tests

.github/workflows/detection-validations.yaml

@@ -21,7 +21,7 @@ jobs:
       GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
       SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 2 # Only need HEAD and parent for git diff
       - run: npm install -g npm@6.14.18;which npm;npm -v

.github/workflows/documents-link-validation.yaml

@@ -21,7 +21,7 @@ jobs:
       GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
       SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 2 # Only need HEAD and parent for git diff
       - run: npm install -g npm@6.14.18;which npm;npm -v

.github/workflows/json-syntax-validation.yaml

@@ -21,7 +21,7 @@ jobs:
       GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
       SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 2 # Only need HEAD and parent for git diff
       - run: npm install -g npm@6.14.18;which npm;npm -v

.github/workflows/kql-validations.yaml

@@ -17,11 +17,11 @@ jobs:
       dotnetSdkVersion: 6.0.x
       PRNUM: ${{ github.event.pull_request.number }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 2 # Need HEAD and parent for git diff
       - name: Use .NET Core SDK ${{ env.dotnetSdkVersion }}
-        uses: actions/setup-dotnet@v4
+        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4
         with:
           dotnet-version: ${{ env.dotnetSdkVersion }}
       - name: Run KQL Validation tests

.github/workflows/logo-validation.yaml

@@ -21,7 +21,7 @@ jobs:
       GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
       SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 2 # Only need HEAD and parent for git diff
       - run: npm install -g npm@6.14.18;which npm;npm -v

.github/workflows/non-ascii-validations.yaml

@@ -17,11 +17,11 @@ jobs:
       buildConfiguration: Release
       dotnetSdkVersion: 3.1.401
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 2 # Need HEAD and parent for git diff
       - name: Use .NET Core SDK ${{ env.dotnetSdkVersion }}
-        uses: actions/setup-dotnet@v4
+        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4
         with:
           dotnet-version: ${{ env.dotnetSdkVersion }}
       - name: Run Non-Ascii validation tests

.github/workflows/playbook-validations.yaml

@@ -21,7 +21,7 @@ jobs:
       GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
       SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 2 # Only need HEAD and parent for git diff
       - run: npm install -g npm@6.14.18;which npm;npm -v

.github/workflows/runAsimSchemaAndDataTesters.yaml

@@ -46,7 +46,7 @@ jobs:
     steps:
       - name: Checkout pull request branch
         if: github.event.pull_request != null
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
@@ -237,7 +237,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout pull request branch
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
         with:
             ref: ${{github.event.pull_request.head.sha}}
             repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -257,7 +257,7 @@ jobs:
                 exit 1
               fi
       - name: Set up Python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2
         with:
           python-version: '3.x'
       - name: Install dependencies
@@ -288,7 +288,7 @@ jobs:
       contents: read
     steps:
       - name: Checkout pull request branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
             ref: ${{github.event.pull_request.head.sha}}
             repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -308,7 +308,7 @@ jobs:
                 exit 1
               fi
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: '3.x'
       - name: Install dependencies
@@ -320,7 +320,7 @@ jobs:
               pip install azure-monitor-ingestion
               pip install azure-core
       - name: Login to Azure Public Cloud
-        uses: azure/login@v2
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2
         with:
           client-id: ${{ secrets.AZURE_ASIM_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@@ -349,15 +349,15 @@ jobs:
       contents: read
     steps:
       - name: Checkout pull request branch
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           persist-credentials: false
           fetch-depth: 0 # otherwise, there would be errors pushing refs to the destination repository.
 
       - name: Login to Azure Public Cloud with AzPowershell
-        uses: azure/login@v2
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2
         with:
           client-id: ${{ secrets.AZURE_ASIM_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@@ -379,7 +379,7 @@ jobs:
             exit 1
           fi
       - name: Run ASIM Schema and Data tests PowerShell script
-        uses: azure/powershell@v2
+        uses: azure/powershell@53dd145408794f7e80f97cfcca04155c85234709 # v2
         with:
           inlineScript: |
             $filePath = ".script/tests/asimParsersTest/runAsimTesters.ps1"
@@ -413,7 +413,7 @@ jobs:
       contents: read
     steps:
       - name: Checkout pull request branch
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
@@ -433,7 +433,7 @@ jobs:
             exit 1
           fi
       - name: Setup Python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2
         with:
           python-version: '3.x'
       - name: Install dependencies
@@ -443,7 +443,7 @@ jobs:
               pip install azure-identity
               pip install azure-monitor-query
       - name: Login to Azure Public Cloud
-        uses: azure/login@v2
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2
         with:
           client-id: ${{ secrets.AZURE_ASIM_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}

.github/workflows/sample-data-validation.yaml

@@ -21,10 +21,10 @@ jobs:
       GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
       SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 2 # Only need HEAD and parent for git diff
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: "20"
           cache: "npm"

.github/workflows/slash-command-armttk.yaml

@@ -21,7 +21,7 @@ jobs:
     steps:
       - name: Get PR details and validate
         id: get-pr
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
           script: |
             const { data: pr } = await github.rest.pulls.get({

.github/workflows/solution-validations.yaml

@@ -21,7 +21,7 @@ jobs:
       GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
       SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 2 # Only need HEAD and parent for git diff
       - run: npm install -g npm@6.14.18;which npm;npm -v

.github/workflows/solutionIntegration.yaml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout pull request branch
-      uses: actions/checkout@v3
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       with:
         ref: ${{ github.event.pull_request.head.ref }}
         repository: ${{ github.event.pull_request.head.repo.full_name }}
@@ -64,7 +64,7 @@ jobs:
         "https://dev.azure.com/msazure/One/_apis/git/repositories/Sentinel-CATUtilities/items?path=/SolutionIntegrationTesting/config.json&api-version=6.0"
 
     - name: Setup Python Environment
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2
       with:
         python-version: '3.x'
 

.github/workflows/validateVersionChangedInDetections.yml

@@ -20,7 +20,7 @@ jobs:
     # check out and run the script
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # v1
 
       - name: Check that template version was updated
         run: bash .script/checkThatTemplatesVersionWasChanged.sh

.github/workflows/workbook-metadata-validations.yaml

@@ -21,7 +21,7 @@ jobs:
       GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
       SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 2 # Only need HEAD and parent for git diff
       - run: npm install -g npm@6.14.18;which npm;npm -v

.github/workflows/workbook-template-validations.yaml

@@ -21,7 +21,7 @@ jobs:
       GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
       SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 2 # Only need HEAD and parent for git diff
       - run: npm install -g npm@6.14.18;which npm;npm -v