CCM-14499: Pinning all GitHub Actions to SHAs

Author: damientobin1

.github/actions/acceptance-tests/action.yml

@@ -24,8 +24,7 @@ runs:
 
   steps:
     - name: Fetch terraform output
-      uses: actions/download-artifact@v5
-      with:
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5      with:
         name: terraform-output-${{ inputs.targetComponent }}
 
     - name: Get Node version

.github/actions/build-docs/action.yml

@@ -11,8 +11,7 @@ runs:
   using: "composite"
   steps:
     - name: Checkout
-      uses: actions/checkout@v4
-    - uses: actions/setup-node@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4    - uses: actions/setup-node@v4
       with:
         node-version: 22
         registry-url: 'https://npm.pkg.github.com'
@@ -23,16 +22,14 @@ runs:
       run: npm ci
       shell: bash
     - name: Setup Ruby
-      uses: ruby/setup-ruby@v1.180.1
-      with:
+      uses: ruby/setup-ruby@3783f195e29b74ae398d7caca108814bbafde90e # v1.180.1      with:
         ruby-version: "3.2" # Not needed with a .ruby-version file
         bundler-cache: true # runs 'bundle install' and caches installed gems automatically
         cache-version: 0 # Increment this number if you need to re-download cached gems
         working-directory: "./docs"
     - name: Setup Pages
       id: pages
-      uses: actions/configure-pages@v5
-    - name: Build with Jekyll
+      uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5    - name: Build with Jekyll
       working-directory: ./docs
       # Outputs to the './_site' directory by default
       shell: bash
@@ -43,7 +40,6 @@ runs:
 
     - name: Upload artifact
       # Automatically uploads an artifact from the './_site' directory by default
-      uses: actions/upload-pages-artifact@v3
-      with:
+      uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3      with:
         path: "docs/_site/"
         name: jekyll-docs-${{ inputs.version }}

.github/actions/build-libraries/action.yml

@@ -11,8 +11,7 @@ runs:
   using: "composite"
   steps:
     - name: Checkout
-      uses: actions/checkout@v4
-    - uses: actions/setup-node@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4    - uses: actions/setup-node@v4
       with:
         node-version: 22
         registry-url: 'https://npm.pkg.github.com'
@@ -31,42 +30,36 @@ runs:
         make build VERSION="${{ inputs.version }}"
 
     - name: Upload abstractions artifact
-      uses: actions/upload-artifact@v6
-      with:
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6      with:
         path: "src/server/abstractions/bin/Release"
         name: libs-abstractions-${{ inputs.version }}
         include-hidden-files: true
 
     - name: Upload data artifact
-      uses: actions/upload-artifact@v6
-      with:
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6      with:
         path: "src/server/data/bin/Release"
         name: libs-data-${{ inputs.version }}
         include-hidden-files: true
 
     - name: Upload letter artifact
-      uses: actions/upload-artifact@v6
-      with:
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6      with:
         path: "src/server/letter/bin/Release"
         name: libs-letter-${{ inputs.version }}
         include-hidden-files: true
 
     - name: Upload host artifact
-      uses: actions/upload-artifact@v6
-      with:
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6      with:
         path: "src/server/host/bin/Release"
         name: libs-host-${{ inputs.version }}
         include-hidden-files: true
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
-
+      uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
     - run: mkdir -p ${{ runner.temp }}/myimage
       shell: bash
 
     - name: Build and export
-      uses: docker/build-push-action@v6
-      with:
+      uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6      with:
         context: src/server
         file: src/server/Dockerfile
         tags: |
@@ -75,7 +68,6 @@ runs:
         outputs: type=docker,dest=${{ runner.temp }}/myimage/myimage.tar
 
     - name: Upload artifact
-      uses: actions/upload-artifact@v6
-      with:
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6      with:
         name: libs-host-docker-${{ inputs.version }}
         path: ${{ runner.temp }}/myimage

.github/actions/build-oas-spec/action.yml

@@ -24,15 +24,13 @@ runs:
 
   steps:
     - name: Checkout
-      uses: actions/checkout@v4
-    - uses: actions/setup-node@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4    - uses: actions/setup-node@v4
       with:
         node-version: ${{ inputs.nodejs_version }}
         registry-url: 'https://npm.pkg.github.com'
 
     - name: "Cache node_modules"
-      uses: actions/cache@v4
-      with:
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4      with:
         path: |
           **/node_modules
         key: ${{ runner.os }}-node-${{ inputs.nodejs_version }}-${{ hashFiles('**/package-lock.json') }}
@@ -68,7 +66,6 @@ runs:
         fi
 
     - name: Upload API OAS specification artifact
-      uses: actions/upload-artifact@v6
-      with:
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6      with:
         path: "build"
         name: api-oas-specification-${{ inputs.apimEnv }}${{ inputs.version != '' && format('-{0}', inputs.version) || '' }}

.github/actions/build-proxies/action.yml

@@ -36,8 +36,7 @@ runs:
   steps:
     - name: Download OAS Spec artifact from workflow
       if: ${{ inputs.isRelease == 'false' }}
-      uses: actions/download-artifact@v4
-      with:
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4      with:
         name: api-oas-specification-${{ inputs.apimEnv }}${{ inputs.version != '' && format('-{0}', inputs.version) || '' }}
         path: ./build
 
@@ -96,8 +95,7 @@ runs:
         echo "APIM_ENV=$APIM_ENV" >> $GITHUB_ENV
 
     - name: Upload OAS Spec
-      uses: actions/upload-artifact@v6
-      with:
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6      with:
         name: ${{ env.APIM_ENV }}-build-output
         path: ./build
 

.github/actions/build-sandbox/action.yml

@@ -13,8 +13,7 @@ runs:
 
   steps:
     - name: Checkout
-      uses: actions/checkout@v4
-    - uses: actions/setup-node@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4    - uses: actions/setup-node@v4
       with:
         node-version: 22
         registry-url: 'https://npm.pkg.github.com'

.github/actions/build-sdk/action.yml

@@ -11,8 +11,7 @@ runs:
   using: "composite"
   steps:
     - name: Checkout
-      uses: actions/checkout@v4
-    - uses: actions/setup-node@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4    - uses: actions/setup-node@v4
       with:
         node-version: 22
         registry-url: 'https://npm.pkg.github.com'
@@ -56,43 +55,36 @@ runs:
         make build VERSION="${{ inputs.version }}"
 
     - name: Upload html artifact
-      uses: actions/upload-artifact@v6
-      with:
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6      with:
         path: "sdk/html"
         name: sdk-html-${{ inputs.version }}
 
     - name: Upload swagger artifact
-      uses: actions/upload-artifact@v6
-      with:
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6      with:
         path: "sdk/swagger"
         name: sdk-swagger-${{ inputs.version }}
 
     - name: Upload ts artifact
-      uses: actions/upload-artifact@v6
-      with:
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6      with:
         path: "sdk/typescript"
         name: sdk-ts-${{ inputs.version }}
 
     - name: Upload python artifact
-      uses: actions/upload-artifact@v6
-      with:
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6      with:
         path: "sdk/python"
         name: sdk-python-${{ inputs.version }}
 
     - name: Upload csharp artifact
-      uses: actions/upload-artifact@v6
-      with:
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6      with:
         path: "sdk/csharp"
         name: sdk-csharp-${{ inputs.version }}
 
     - name: Upload artifact
-      uses: actions/upload-pages-artifact@v3
-      with:
+      uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3      with:
         path: "sdk/html/"
         name: sdk-html-docs-${{ inputs.version }}
 
     - name: Upload swagger pages artifact
-      uses: actions/upload-pages-artifact@v3
-      with:
+      uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3      with:
         path: "sdk/swagger/"
         name: sdk-swagger-docs-${{ inputs.version }}

.github/actions/build-server/action.yml

@@ -11,8 +11,7 @@ runs:
   using: "composite"
   steps:
     - name: Checkout
-      uses: actions/checkout@v4
-    - uses: actions/setup-node@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4    - uses: actions/setup-node@v4
       with:
         node-version: 22
         registry-url: 'https://npm.pkg.github.com'
@@ -36,13 +35,11 @@ runs:
         make build VERSION="${{ inputs.version }}"
 
     - name: Upload csharp-server artifact
-      uses: actions/upload-artifact@v6
-      with:
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6      with:
         path: "server/csharp-server"
         name: server-csharp-${{ inputs.version }}
 
     - name: Upload csharp-server docker artifact
-      uses: actions/upload-artifact@v6
-      with:
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6      with:
         path: "server/Dockerfile"
         name: server-csharp-docker-${{ inputs.version }}

.github/actions/node-install/action.yaml

@@ -10,8 +10,7 @@ runs:
   using: 'composite'
   steps:
     - name: 'Use Node.js'
-      uses: actions/setup-node@v6
-      with:
+      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6      with:
         node-version-file: '.tool-versions'
         registry-url: 'https://npm.pkg.github.com'
         scope: '@nhsdigital'

.github/workflows/cicd-1-pull-request.yaml

@@ -33,8 +33,7 @@ jobs:
       deploy_proxy: ${{ steps.deploy_proxy.outputs.deploy_proxy }}
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v5
-      - name: "Set CI/CD variables"
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5      - name: "Set CI/CD variables"
         id: variables
         run: |
           datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z')