ci: pin all actions version (#9776)

PR pins hash versions for all actions

cc paritytech/devops#4319

Author: alvicsam

.github/actions/build-push-image/action.yml

@@ -23,7 +23,7 @@ runs:
     # gcloud
     # https://github.com/paritytech/ci_cd/wiki/GitHub:-Push-Docker-image-to-GCP-Registry
     - name: "Set up Cloud SDK"
-      uses: "google-github-actions/setup-gcloud@v2"
+      uses: "google-github-actions/setup-gcloud@e427ad8a34f8676edf47cf7d7925499adf3eb74f" # v2.2.1
     - name: "gcloud info"
       shell: bash
       run: "gcloud info"
@@ -53,7 +53,7 @@ runs:
       id: login
       # fork check
       if: ${{ inputs.username != '' && inputs.password != '' && github.event_name != 'merge_group' }}
-      uses: docker/login-action@v3
+      uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
       with:
         username: ${{ inputs.username }}
         password: ${{ inputs.password }}

.github/actions/download-artifact-extract/action.yml

@@ -29,7 +29,7 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - uses: actions/[email protected]
+    - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
       with:
         name: ${{ inputs.artifact-name }}
         github-token: ${{ inputs.gh-token }}

.github/actions/workflow-stopper/action.yml

@@ -11,7 +11,7 @@ runs:
   using: "composite"
   steps:
     - name: Worfklow stopper - Generate token
-      uses: actions/create-github-app-token@v1
+      uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
       id: app-token
       with:
         app-id: ${{ inputs.app-id }}

.github/actions/zombienet-sdk/action.yml

@@ -108,7 +108,7 @@ runs:
 
 
     - name: upload_logs
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       if: ${{ ! cancelled() }}
       with:
         name: zombienet-logs-${{ inputs.job-name }}-${{ github.sha }}

.github/actions/zombienet/action.yml

@@ -103,7 +103,7 @@ runs:
         fi
 
     - name: upload_logs
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       if: ${{ ! cancelled() }}
       with:
         name: zombienet-logs-${{ inputs.job-name }}-${{ github.sha }}

.github/workflows/bench-all-runtimes.yml

@@ -32,7 +32,7 @@ jobs:
       image: ${{ needs.preflight.outputs.IMAGE }}
     name: Extract runtimes from matrix
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
         with:
           ref: master
 
@@ -79,7 +79,7 @@ jobs:
     steps:
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
         with:
           fetch-depth: 0
           ref: ${{ needs.runtime-matrix.outputs.branch }} # checkout always from the initially created branch to avoid conflicts
@@ -112,7 +112,7 @@ jobs:
           git reset
       
       - name: Upload diff
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: diff-${{ matrix.runtime.name }}
           path: diff-${{ matrix.runtime.name }}.patch
@@ -122,18 +122,18 @@ jobs:
     needs: [runtime-matrix, run-frame-omni-bencher]
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
         with:
           fetch-depth: 0
           ref: ${{ needs.runtime-matrix.outputs.branch }}
 
       - name: Download all artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           path: patches      
 
       # needs to be able to trigger CI
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
         id: generate_token
         with:
           app-id: ${{ secrets.CMD_BOT_APP_ID }}

.github/workflows/benchmarks-networking.yml

@@ -32,7 +32,7 @@ jobs:
           ]
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 
       - name: Run Benchmarks
         id: run-benchmarks
@@ -42,7 +42,7 @@ jobs:
           ls -lsa ./charts
 
       - name: Upload artifacts
-        uses: actions/[email protected]
+        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
         with:
           name: ${{ matrix.features.bench }}-${{ github.sha }}
           path: ./charts
@@ -55,21 +55,21 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
         with:
           ref: gh-pages
           fetch-depth: 0
 
       - run: git checkout master --
 
       - name: Download artifacts
-        uses: actions/[email protected]
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: notifications_protocol-${{ github.sha }}
           path: ./charts
 
       - name: Download artifacts
-        uses: actions/[email protected]
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: request_response_protocol-${{ github.sha }}
           path: ./charts
@@ -80,7 +80,7 @@ jobs:
           git config --global --add safe.directory '*'
           ls -lsR ./charts
 
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
         id: app-token
         with:
           app-id: ${{ secrets.POLKADOTSDK_GHPAGES_APP_ID }}
@@ -89,7 +89,7 @@ jobs:
       - name: Generate ${{ env.BENCH }}
         env:
           BENCH: notifications_protocol
-        uses: benchmark-action/github-action-benchmark@v1
+        uses: benchmark-action/github-action-benchmark@4bdcce38c94cec68da58d012ac24b7b1155efe8b # v1.20.7
         with:
           tool: "cargo"
           name: ${{ env.BENCH }}
@@ -101,7 +101,7 @@ jobs:
       - name: Generate ${{ env.BENCH }}
         env:
           BENCH: request_response_protocol
-        uses: benchmark-action/github-action-benchmark@v1
+        uses: benchmark-action/github-action-benchmark@4bdcce38c94cec68da58d012ac24b7b1155efe8b # v1.20.7
         with:
           tool: "cargo"
           name: ${{ env.BENCH }}

.github/workflows/benchmarks-subsystem.yml

@@ -55,7 +55,7 @@ jobs:
           ]
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 
       - name: Check Rust
         run: |
@@ -69,7 +69,7 @@ jobs:
           ls -lsa ./charts
 
       - name: Upload artifacts
-        uses: actions/[email protected]
+        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
         with:
           name: ${{matrix.features.bench}}
           path: ./charts
@@ -82,15 +82,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
         with:
           ref: gh-pages
           fetch-depth: 0
 
       - run: git checkout master --
 
       - name: Download artifacts
-        uses: actions/[email protected]
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           path: ./charts
 
@@ -100,7 +100,7 @@ jobs:
           git config --global --add safe.directory '*'
           ls -lsR ./charts
 
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
         id: app-token
         with:
           app-id: ${{ secrets.POLKADOTSDK_GHPAGES_APP_ID }}
@@ -109,7 +109,7 @@ jobs:
       - name: Generate ${{ env.BENCH }}
         env:
           BENCH: availability-recovery-regression-bench
-        uses: benchmark-action/github-action-benchmark@v1
+        uses: benchmark-action/github-action-benchmark@4bdcce38c94cec68da58d012ac24b7b1155efe8b # v1.20.7
         with:
           tool: "customSmallerIsBetter"
           name: ${{ env.BENCH }}
@@ -122,7 +122,7 @@ jobs:
       - name: Generate ${{ env.BENCH }}
         env:
           BENCH: availability-distribution-regression-bench
-        uses: benchmark-action/github-action-benchmark@v1
+        uses: benchmark-action/github-action-benchmark@4bdcce38c94cec68da58d012ac24b7b1155efe8b # v1.20.7
         with:
           tool: "customSmallerIsBetter"
           name: ${{ env.BENCH }}
@@ -135,7 +135,7 @@ jobs:
       - name: Generate ${{ env.BENCH }}
         env:
           BENCH: approval-voting-regression-bench
-        uses: benchmark-action/github-action-benchmark@v1
+        uses: benchmark-action/github-action-benchmark@4bdcce38c94cec68da58d012ac24b7b1155efe8b # v1.20.7
         with:
           tool: "customSmallerIsBetter"
           name: ${{ env.BENCH }}
@@ -148,7 +148,7 @@ jobs:
       - name: Generate ${{ env.BENCH }}
         env:
           BENCH: statement-distribution-regression-bench
-        uses: benchmark-action/github-action-benchmark@v1
+        uses: benchmark-action/github-action-benchmark@4bdcce38c94cec68da58d012ac24b7b1155efe8b # v1.20.7
         with:
           tool: "customSmallerIsBetter"
           name: ${{ env.BENCH }}
@@ -161,7 +161,7 @@ jobs:
       - name: Generate ${{ env.BENCH }}
         env:
           BENCH: dispute-coordinator-regression-bench
-        uses: benchmark-action/github-action-benchmark@v1
+        uses: benchmark-action/github-action-benchmark@4bdcce38c94cec68da58d012ac24b7b1155efe8b # v1.20.7
         with:
           tool: "customSmallerIsBetter"
           name: ${{ env.BENCH }}

.github/workflows/build-misc.yml

@@ -30,7 +30,7 @@ jobs:
       image: ${{ needs.preflight.outputs.IMAGE }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 
       - name: Check Rust
         run: |
@@ -60,7 +60,7 @@ jobs:
       image: ${{ needs.preflight.outputs.IMAGE }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 
       - name: Check Rust
         run: |
@@ -85,7 +85,7 @@ jobs:
       image: ${{ needs.preflight.outputs.IMAGE }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 
       - name: Check Rust
         run: |

.github/workflows/build-publish-eth-rpc.yml

@@ -44,10 +44,10 @@ jobs:
       VERSION: ${{ needs.set-variables.outputs.VERSION }}
     steps:
       - name: Check out the repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 
       - name: Build eth-rpc Docker image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
           file: ./substrate/frame/revive/rpc/dockerfiles/eth-rpc/Dockerfile
@@ -64,16 +64,16 @@ jobs:
       VERSION: ${{ needs.set-variables.outputs.VERSION }}
     steps:
       - name: Check out the repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 
       - name: Log in to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
         with:
           username: ${{ secrets.PARITYPR_DOCKERHUB_USERNAME }}
           password: ${{ secrets.PARITYPR_DOCKERHUB_PASSWORD }}
 
       - name: Build eth-rpc Docker image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
           file: ./substrate/frame/revive/rpc/dockerfiles/eth-rpc/Dockerfile