Pin actions to full-length commit SHA refs

data-douser · data-douser · commit f210a75085f5 · 2026-03-26T20:53:21.000-06:00
diff --git a/.github/instructions/github_workflows_yaml.instructions.md b/.github/instructions/github_workflows_yaml.instructions.md
@@ -0,0 +1,32 @@
+---
+applyTo: '.github/{actions,workflows}/*.{yml,yaml}'
+description: 'Instructions for editing GitHub Actions workflows for this repository.'
+---
+
+# Copilot Instructions for `.github/{actions,workflows}/*.{yml,yaml}` files
+
+## PURPOSE
+
+This file contains instructions for working with GitHub Actions YAML files in the `.github/actions/` and `.github/workflows/` directories of the `codeql-sap-js` repository.
+
+## REQUIREMENTS
+
+- **ALWAYS pin ALL external GitHub Actions to full-length commit SHAs, never to tags or branch names — including GitHub-maintained `actions/*` actions.** Add a trailing comment with the original tag for readability (e.g., `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6`). To resolve a tag to its commit SHA, run `git ls-remote https://github.com/OWNER/REPO.git refs/tags/TAG` (or `refs/heads/BRANCH` for branch-based refs).
+- ALWAYS use the principle of least privilege, and explicitly set `permissions` for workflows.
+- ALWAYS use valid YAML syntax and follow GitHub Actions workflow conventions.
+- ALWAYS follow best practices for GitHub Actions workflows including security, efficiency, and maintainability.
+- ALWAYS use descriptive names for workflows, jobs, and steps that clearly explain their purpose.
+
+## PREFERENCES
+
+- PREFER explicit permissions declarations using the `permissions` key for security.
+- PREFER descriptive step names that include the workflow context (e.g., "Tag - Checkout repository").
+- PREFER matrix strategies for testing multiple versions when applicable.
+- PREFER adding summary outputs using `$GITHUB_STEP_SUMMARY` for better workflow visibility.
+
+## CONSTRAINTS
+
+- **NEVER reference an external GitHub Action by tag or branch name (e.g., `@v6`, `@main`). ALWAYS use the full 40-character commit SHA with a `# tag` comment.**
+- NEVER use overly broad permissions.
+- NEVER leave any trailing whitespace on any line.
+- NEVER use deprecated GitHub Actions or workflow syntax.
diff --git a/.github/workflows/cds-extractor-dist-bundle.yml b/.github/workflows/cds-extractor-dist-bundle.yml
@@ -22,10 +22,10 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           node-version: '20'
           cache: 'npm'
diff --git a/.github/workflows/code_scanning.yml b/.github/workflows/code_scanning.yml
@@ -27,15 +27,15 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Extract CodeQL bundle version from qlt.conf.json
         run: |
           echo "BUNDLE_VERSION=$(jq .CodeQLCLIBundle qlt.conf.json -r)" >> $GITHUB_ENV
 
       - name: Initialize CodeQL
         id: initialize-codeql
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@256d634097be96e792d6764f9edaefc4320557b1 # v4
         env:
           # Add our custom extractor to the CodeQL search path
           CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"init":["--search-path","${{ github.workspace }}/extractors:${{ github.workspace }}"]}}'
@@ -55,19 +55,19 @@ jobs:
 
       - name: Perform CodeQL Analysis
         id: analyze
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@256d634097be96e792d6764f9edaefc4320557b1 # v4
         env:
           LGTM_INDEX_XML_MODE: all
           LGTM_INDEX_FILETYPES: ".json:JSON"
           # Add our CodeQL workspace to the path to search for packs to then resolve the MaD locally
           CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"run-queries":["--additional-packs","${{ github.workspace }}/javascript/frameworks/xsjs/ext:${{ github.workspace }}/javascript/frameworks/cap/ext:${{ github.workspace }}/javascript/frameworks/ui5/ext"],"interpret-results":["--additional-packs","${{ github.workspace }}/javascript/frameworks/xsjs/ext:${{ github.workspace }}/javascript/frameworks/cap/ext:${{ github.workspace }}/javascript/frameworks/ui5/ext"]}}'
 
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: "3.10"
 
-      - uses: actions/cache@v4
+      - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           path: ~/.cache/pip
           key: ${{ runner.os }}-pip
@@ -84,7 +84,7 @@ jobs:
 
       - name: Upload sarif change
         if: steps.validate.outcome != 'success'
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
         with:
           name: sarif
           path: |
diff --git a/.github/workflows/codeql-ql.yml b/.github/workflows/codeql-ql.yml
@@ -12,5 +12,5 @@ permissions:
 
 jobs:
   codeql:
-    uses: advanced-security/reusable-workflows/.github/workflows/codeql-ql.yml@main
+    uses: advanced-security/reusable-workflows/.github/workflows/codeql-ql.yml@a0e88ede84d03cd069b01d18540db7fc86c52cf8 # main
     secrets: inherit
diff --git a/.github/workflows/ql-unit-tests-linux.yml b/.github/workflows/ql-unit-tests-linux.yml
@@ -20,11 +20,11 @@ jobs:
       matrix: ${{ steps.export-unit-test-matrix.outputs.matrix }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Install QLT
         id: install-qlt
-        uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main
+        uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@177984f7fc369b131c844b3a50d8d1e9a8e5223b # main
         with:
           qlt-version: 'latest'
           add-to-path: true
@@ -45,11 +45,11 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Install QLT
         id: install-qlt
-        uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main
+        uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@177984f7fc369b131c844b3a50d8d1e9a8e5223b # main
         with:
           qlt-version: 'latest'
           add-to-path: true
@@ -80,7 +80,7 @@ jobs:
           qlt query run install-packs
 
       - name: Setup Node.js for CDS compilation
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           node-version: '20'
           cache: 'npm'
@@ -123,7 +123,7 @@ jobs:
           --work-dir $RUNNER_TMP
 
       - name: Upload test results
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
         with:
           name: test-results-${{ runner.os }}-${{ matrix.codeql_cli }}-${{ matrix.codeql_standard_library_ident }}
           path: |
@@ -137,18 +137,18 @@ jobs:
     steps:
 
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Install QLT
         id: install-qlt
-        uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main
+        uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@177984f7fc369b131c844b3a50d8d1e9a8e5223b # main
         with:
           qlt-version: 'latest'
           add-to-path: true
 
 
       - name: Collect test results
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
 
       - name: Validate test results
         run: |
diff --git a/.github/workflows/ql-unit-tests-windows.yml b/.github/workflows/ql-unit-tests-windows.yml
@@ -69,7 +69,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Setup CodeQL CLI
         id: setup-codeql
@@ -155,7 +155,7 @@ jobs:
           Write-Host "QL pack installation complete"
 
       - name: Setup Node.js for CDS compilation
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           node-version: '20'
           cache: 'npm'
@@ -287,7 +287,7 @@ jobs:
 
       - name: Upload test results
         if: ${{ always() }}
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
         with:
           name: windows-test-results-${{ matrix.test_suite }}
           path: |
@@ -296,7 +296,7 @@ jobs:
 
       - name: Upload CAP test artifacts
         if: ${{ always() && (matrix.test_suite == 'cap-models' || matrix.test_suite == 'cap-queries') }}
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
         with:
           name: windows-cap-debug-${{ matrix.test_suite }}
           path: |
@@ -311,10 +311,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Download test results
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
         with:
           pattern: windows-test-results-*
           path: test-results/
diff --git a/.github/workflows/release-codeql.yml b/.github/workflows/release-codeql.yml
@@ -56,7 +56,7 @@ jobs:
           echo "release_name=${VERSION#v}" >> $GITHUB_OUTPUT
 
       - name: CodeQL - Checkout tag
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: refs/tags/${{ steps.version.outputs.version }}
 
@@ -101,7 +101,7 @@ jobs:
         run: ./scripts/bundle-packs.sh --output-dir dist-packs
 
       - name: CodeQL - Upload pack artifacts
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
         with:
           name: codeql-pack-bundles-${{ steps.version.outputs.version }}
           path: dist-packs/*.tar.gz
diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml
@@ -42,7 +42,7 @@ jobs:
 
     steps:
       - name: Tag - Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
           fetch-tags: true
@@ -149,7 +149,7 @@ jobs:
 
       - name: Tag - Setup Node.js for CDS compilation
         if: steps.needs-creation.outputs.needed == 'true'
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           node-version: '20'
           cache: 'npm'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -130,7 +130,7 @@ jobs:
 
     steps:
       - name: Release - Download CodeQL pack artifacts
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
         with:
           name: codeql-pack-bundles-${{ needs.resolve-version.outputs.version }}
           path: dist-packs
diff --git a/.github/workflows/update-codeql.yml b/.github/workflows/update-codeql.yml
@@ -29,7 +29,7 @@ jobs:
 
     steps:
       - name: Detect - Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Detect - Check latest CodeQL CLI version
         id: check-version
@@ -102,7 +102,7 @@ jobs:
 
     steps:
       - name: Update - Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Update - Update version in all files
         run: |
@@ -130,7 +130,7 @@ jobs:
         run: ./scripts/upgrade-packs.sh
 
       - name: Update - Setup Node.js for CDS compilation
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           node-version: '20'
           cache: 'npm'
@@ -153,7 +153,7 @@ jobs:
             -- javascript/
 
       - name: Update - Create Pull Request
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
         with:
           title: 'Upgrade CodeQL CLI dependency to ${{ needs.detect-update.outputs.version }}'
           body: |
