CCM-14499: Pinning all GitHub Actions to SHAs

Author: damientobin1

.github/actions/acceptance-tests/action.yaml

@@ -24,7 +24,8 @@ runs:
 
   steps:
     - name: Fetch terraform output
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7      with:
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
+      with:
         name: terraform-output-${{ inputs.targetComponent }}
 
     - name: Get Node version

.github/actions/build-docs/action.yml

@@ -23,7 +23,8 @@ runs:
         working-directory: "./docs"
     - name: Setup Pages
       id: pages
-      uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5    - name: Build with Jekyll
+      uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
+    - name: Build with Jekyll
       working-directory: ./docs
       # Outputs to the './_site' directory by default
       shell: bash
@@ -33,6 +34,7 @@ runs:
         JEKYLL_ENV: production
     - name: Upload artifact
       # Automatically uploads an artifact from the './_site' directory by default
-      uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3      with:
+      uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
+      with:
         path: "docs/_site/"
         name: jekyll-docs-${{ inputs.version }}

.github/actions/create-lines-of-code-report/action.yaml

@@ -32,7 +32,8 @@ runs:
       run: zip lines-of-code-report.json.zip lines-of-code-report.json
     - name: "Upload CLOC report as an artefact"
       if: ${{ !env.ACT }}
-      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7      with:
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+      with:
         name: lines-of-code-report.json.zip
         path: ./lines-of-code-report.json.zip
         retention-days: 21
@@ -43,7 +44,8 @@ runs:
         echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
     - name: "Authenticate to send the report"
       if: steps.check.outputs.secrets_exist == 'true'
-      uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4      with:
+      uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
+      with:
         role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
         aws-region: ${{ inputs.idp_aws_report_upload_region }}
     - name: "Send the CLOC report to the central location"

.github/actions/node-install/action.yaml

@@ -10,7 +10,8 @@ runs:
   using: 'composite'
   steps:
     - name: 'Use Node.js'
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4      with:
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+      with:
         node-version-file: '.tool-versions'
         registry-url: 'https://npm.pkg.github.com'
         scope: '@nhsdigital'

.github/actions/scan-dependencies/action.yaml

@@ -32,7 +32,8 @@ runs:
       run: zip sbom-repository-report.json.zip sbom-repository-report.json
     - name: "Upload SBOM report as an artefact"
       if: ${{ !env.ACT }}
-      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7      with:
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+      with:
         name: sbom-repository-report.json.zip
         path: ./sbom-repository-report.json.zip
         retention-days: 21
@@ -46,7 +47,8 @@ runs:
       run: zip vulnerabilities-repository-report.json.zip vulnerabilities-repository-report.json
     - name: "Upload vulnerabilities report as an artefact"
       if: ${{ !env.ACT }}
-      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7      with:
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+      with:
         name: vulnerabilities-repository-report.json.zip
         path: ./vulnerabilities-repository-report.json.zip
         retention-days: 21
@@ -56,7 +58,8 @@ runs:
       run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
     - name: "Authenticate to send the reports"
       if: steps.check.outputs.secrets_exist == 'true'
-      uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4      with:
+      uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
+      with:
         role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
         aws-region: ${{ inputs.idp_aws_report_upload_region }}
     - name: "Send the SBOM and vulnerabilities reports to the central location"

.github/workflows/cicd-3-deploy.yaml

@@ -108,5 +108,6 @@ jobs:
 
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5        with:
+        uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5
+        with:
           artifact_name: jekyll-docs-${{steps.get-asset-version.outputs.release_version}}

.github/workflows/scheduled-repository-template-sync.yaml

@@ -30,7 +30,8 @@ jobs:
 
     - name: Create Pull Request
       if: ${{ !env.ACT }}
-      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8      with:
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8
+      with:
         token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: Drift from template
         branch: scheduledTemplateRepositorySync

.github/workflows/scorecard.yml

@@ -59,7 +59,8 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7        with:
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        with:
           name: SARIF file
           path: results.sarif
           retention-days: 5

.github/workflows/stage-2-test.yaml

@@ -70,13 +70,15 @@ jobs:
         run: |
           make test-unit
       - name: "Save the result of fast test suite"
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7        with:
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        with:
           name: unit-tests
           path: "**/.reports/unit"
           include-hidden-files: true
         if: always()
       - name: "Save the result of code coverage"
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7        with:
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        with:
           name: code-coverage-report
           path: ".reports/lcov.info"
   test-lint:
@@ -135,7 +137,8 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2        with:
           fetch-depth: 0 # Full history is needed to improving relevancy of reporting
       - name: "Download coverage report for SONAR"
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7        with:
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
+        with:
           name: code-coverage-report
       - name: "Perform static analysis"
         uses: ./.github/actions/perform-static-analysis

.github/workflows/stage-4-acceptance.yaml

@@ -48,7 +48,8 @@ jobs:
       - uses: actions/checkout@v6.0.2
 
       - name: "Use Node.js"
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4        with:
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
           node-version: "${{ inputs.nodejs_version }}"
           registry-url: "https://npm.pkg.github.com"
           scope: "@nhsdigital"