pin version tags in database cleanup and issues response wf (#2889)

* pin version tags in database cleanup and issues response wf * update all workflow for actions version pin * edit build strategy and a few version pin typo
2024-11-21 12:05:42 +01:00 · 2023-05-03 15:20:12 +01:00 · 2023-05-03 15:20:12 +01:00 · 6d860acab4
commit 6d860acab4
parent 2d4d96733d
11 changed files with 78 additions and 78 deletions
--- a/.github/workflows/automatic-issue-responses.yml
+++ b/.github/workflows/automatic-issue-responses.yml
@ -25,7 +25,7 @@ jobs:
      # Intended behavior
      - if: github.event.label.name == 'intended-behavior'
        name: Intended behaviour
-        uses: peter-evans/close-issue@849549ba7c3a595a064c4b2c56f206ee78f93515  # v2.0.0
+        uses: peter-evans/close-issue@849549ba7c3a595a064c4b2c56f206ee78f93515 # v2.0.0
        with:
          comment: |
            Your issue appears to be describing the intended behavior of the software. If you want this to be changed, it would be a feature request.
@ -38,7 +38,7 @@ jobs:
      # Customer support request
      - if: github.event.label.name == 'customer-support'
        name: Customer Support request
-        uses: peter-evans/close-issue@849549ba7c3a595a064c4b2c56f206ee78f93515  # v2.0.0
+        uses: peter-evans/close-issue@849549ba7c3a595a064c4b2c56f206ee78f93515 # v2.0.0
        with:
          comment: |
            We use GitHub issues as a place to track bugs and other development related issues. Your issue appears to be a support request, or would otherwise be better handled by our dedicated Customer Success team.
@ -49,14 +49,14 @@ jobs:
      # Resolved
      - if: github.event.label.name == 'resolved'
        name: Resolved
-        uses: peter-evans/close-issue@849549ba7c3a595a064c4b2c56f206ee78f93515  # v2.0.0
+        uses: peter-evans/close-issue@849549ba7c3a595a064c4b2c56f206ee78f93515 # v2.0.0
        with:
          comment: |
            We’ve closed this issue, as it appears the original problem has been resolved. If this happens again or continues to be an problem, please respond to this issue with any additional detail to assist with reproduction and root cause analysis.
      # Stale
      - if: github.event.label.name == 'stale'
        name: Stale
-        uses: peter-evans/close-issue@849549ba7c3a595a064c4b2c56f206ee78f93515  # v2.0.0
+        uses: peter-evans/close-issue@849549ba7c3a595a064c4b2c56f206ee78f93515 # v2.0.0
        with:
          comment: |
            As we haven’t heard from you about this problem in some time, this issue will now be closed.
--- a/.github/workflows/build-self-host.yml
+++ b/.github/workflows/build-self-host.yml
@ -22,7 +22,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout repo
-        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0

      - name: Check Branch to Publish
        env:
@ -39,14 +39,14 @@ jobs:

      ########## Set up Docker ##########
      - name: Set up QEMU emulators
-        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18
+        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325
+        uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0

      ########## Login to Docker registries ##########
      - name: Login to Azure - QA Subscription
-        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
+        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf # v1.4.3
        with:
          creds: ${{ secrets.AZURE_QA_KV_CREDENTIALS }}

@ -54,7 +54,7 @@ jobs:
        run: az acr login -n bitwardenqa

      - name: Login to Azure - Prod Subscription
-        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
+        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf # v1.4.3
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

@ -62,13 +62,13 @@ jobs:
        run: az acr login -n bitwardenprod

      - name: Login to Azure - CI Subscription
-        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
+        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf # v1.4.3
        with:
          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve github PAT secrets
        id: retrieve-secret-pat
-        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
+        uses: bitwarden/gh-actions/get-keyvault-secrets@34ecb67b2a357795dc893549df0795e7383ff50f
        with:
          keyvault: "bitwarden-ci"
          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
@ -76,7 +76,7 @@ jobs:
      - name: Retrieve secrets
        if: ${{ env.is_publish_branch == 'true' }}
        id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
+        uses: bitwarden/gh-actions/get-keyvault-secrets@34ecb67b2a357795dc893549df0795e7383ff50f
        with:
          keyvault: "bitwarden-ci"
          secrets: "docker-password,
@ -128,7 +128,7 @@ jobs:
          fi

      - name: Build Docker image
-        uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5
+        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v3.2.0
        with:
          context: .
          file: docker-unified/Dockerfile
@ -166,21 +166,21 @@ jobs:
          fi

      - name: Login to Azure - CI subscription
-        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
+        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf # v1.4.3
        if: failure()
        with:
          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
+        uses: bitwarden/gh-actions/get-keyvault-secrets@34ecb67b2a357795dc893549df0795e7383ff50f
        if: failure()
        with:
          keyvault: "bitwarden-ci"
          secrets: "devops-alerts-slack-webhook-url"

      - name: Notify Slack on failure
-        uses: act10ns/slack@da3191ebe2e67f49b46880b4633f5591a96d1d33
+        uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0
        if: failure()
        env:
          SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }}
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout repo
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0

      - name: Install cloc
        run: |
@ -31,7 +31,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout repo
-        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0

      - name: Verify Format
        run: dotnet format --verify-no-changes
@ -43,7 +43,7 @@ jobs:
      NUGET_PACKAGES: ${{ github.workspace }}/.nuget/packages
    steps:
      - name: Set up dotnet
-        uses: actions/setup-dotnet@9211491ffb35dd6a6657ca4f45d43dfe6e97c829
+        uses: actions/setup-dotnet@9211491ffb35dd6a6657ca4f45d43dfe6e97c829 # v2.0.0
        with:
          dotnet-version: "6.0.x"

@ -55,7 +55,7 @@ jobs:
          echo "GitHub event: $GITHUB_EVENT"

      - name: Checkout repo
-        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0

      - name: Restore
        run: dotnet restore --locked-mode
@ -81,7 +81,7 @@ jobs:
        shell: pwsh

      - name: Report test results
-        uses: dorny/test-reporter@c9b3d0e2bd2a4e96aaf424dbaa31c46b42318226
+        uses: dorny/test-reporter@c9b3d0e2bd2a4e96aaf424dbaa31c46b42318226 # v1.6.0
        if: always()
        with:
          name: Test Results
@ -128,10 +128,10 @@ jobs:
            dotnet: true
    steps:
      - name: Checkout repo
-        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0

      - name: Set up Node
-        uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a
+        uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3.0.0
        with:
          cache: "npm"
          cache-dependency-path: "**/package-lock.json"
@ -175,7 +175,7 @@ jobs:
          ls -atlh ../../../

      - name: Upload project artifact
-        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0
        with:
          name: ${{ matrix.project_name }}.zip
          path: ${{ matrix.base_path }}/${{ matrix.project_name }}/${{ matrix.project_name }}.zip
@ -248,7 +248,7 @@ jobs:
            dotnet: true
    steps:
      - name: Checkout repo
-        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0

      - name: Check Branch to Publish
        env:
@ -265,7 +265,7 @@ jobs:

      ########## ACRs ##########
      - name: Login to Azure - QA Subscription
-        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
+        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf # v1.4.3
        with:
          creds: ${{ secrets.AZURE_QA_KV_CREDENTIALS }}

@ -273,7 +273,7 @@ jobs:
        run: az acr login -n bitwardenqa

      - name: Login to Azure - PROD Subscription
-        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
+        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf # v1.4.3
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

@ -281,13 +281,13 @@ jobs:
        run: az acr login -n bitwardenprod

      - name: Login to Azure - CI Subscription
-        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
+        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf # v1.4.3
        with:
          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve github PAT secrets
        id: retrieve-secret-pat
-        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
+        uses: bitwarden/gh-actions/get-keyvault-secrets@34ecb67b2a357795dc893549df0795e7383ff50f
        with:
          keyvault: "bitwarden-ci"
          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
@ -295,7 +295,7 @@ jobs:
      - name: Retrieve secrets
        if: ${{ env.is_publish_branch == 'true' }}
        id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
+        uses: bitwarden/gh-actions/get-keyvault-secrets@34ecb67b2a357795dc893549df0795e7383ff50f
        with:
          keyvault: "bitwarden-ci"
          secrets: "docker-password,
@ -349,7 +349,7 @@ jobs:

      - name: Get build artifact
        if: ${{ matrix.dotnet }}
-        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
+        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0
        with:
          name: ${{ matrix.project_name }}.zip

@ -361,7 +361,7 @@ jobs:
            -d ${{ matrix.base_path }}/${{ matrix.project_name }}/obj/build-output/publish

      - name: Build Docker image
-        uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5
+        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v3.2.0
        with:
          context: ${{ matrix.base_path }}/${{ matrix.project_name }}
          file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile
@ -391,12 +391,12 @@ jobs:
    needs: build-docker
    steps:
      - name: Set up dotnet
-        uses: actions/setup-dotnet@9211491ffb35dd6a6657ca4f45d43dfe6e97c829
+        uses: actions/setup-dotnet@9211491ffb35dd6a6657ca4f45d43dfe6e97c829 # v3.0.3
        with:
          dotnet-version: "6.0.x"

      - name: Checkout repo
-        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0

      - name: Restore
        run: dotnet tool restore
@ -429,7 +429,7 @@ jobs:

      - name: Upload Docker stub artifact
        if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc'
-        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0
        with:
          name: docker-stub.zip
          path: docker-stub.zip
@ -437,7 +437,7 @@ jobs:

      - name: Upload Docker stub checksum artifact
        if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc'
-        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0
        with:
          name: docker-stub-sha256.txt
          path: docker-stub-sha256.txt
@ -463,7 +463,7 @@ jobs:
          GLOBALSETTINGS__SQLSERVER__CONNECTIONSTRING: "placeholder"

      - name: Upload Swagger artifact
-        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0
        with:
          name: swagger.json
          path: swagger.json
@ -488,7 +488,7 @@ jobs:

    steps:
      - name: Checkout repo
-        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0

      - name: Print environment
        run: |
@ -507,7 +507,7 @@ jobs:

      - name: Upload project artifact Windows
        if: ${{ contains(matrix.target, 'win') == true }}
-        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0
        with:
          name: MsSqlMigratorUtility-${{ matrix.target }}
          path: util/MsSqlMigratorUtility/obj/build-output/publish/MsSqlMigratorUtility.exe
@ -515,7 +515,7 @@ jobs:

      - name: Upload project artifact
        if: ${{ contains(matrix.target, 'win') == false }}
-        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0
        with:
          name: MsSqlMigratorUtility-${{ matrix.target }}
          path: util/MsSqlMigratorUtility/obj/build-output/publish/MsSqlMigratorUtility
@ -565,21 +565,21 @@ jobs:
          fi

      - name: Login to Azure - CI subscription
-        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
+        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf # v1.4.3
        if: failure()
        with:
          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
+        uses: bitwarden/gh-actions/get-keyvault-secrets@34ecb67b2a357795dc893549df0795e7383ff50f
        if: failure()
        with:
          keyvault: "bitwarden-ci"
          secrets: "devops-alerts-slack-webhook-url"

      - name: Notify Slack on failure
-        uses: act10ns/slack@da3191ebe2e67f49b46880b4633f5591a96d1d33
+        uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0
        if: failure()
        env:
          SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }}
--- a/.github/workflows/cleanup-after-pr.yml
+++ b/.github/workflows/cleanup-after-pr.yml
@ -11,11 +11,11 @@ jobs:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout repo
-        uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2

      ########## ACR ##########
      - name: Login to Azure - QA Subscription
-        uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a
+        uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a # v1.3.0
        with:
          creds: ${{ secrets.AZURE_QA_KV_CREDENTIALS }}

@ -23,7 +23,7 @@ jobs:
        run: az acr login -n bitwardenqa

      - name: Login to Azure - PROD Subscription
-        uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a
+        uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a # v1.3.0
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

--- a/.github/workflows/container-registry-purge.yml
+++ b/.github/workflows/container-registry-purge.yml
@ -13,7 +13,7 @@ jobs:
    runs-on: ubuntu-20.04
    steps:
      - name: Login to Azure
-        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
+        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf # v1.4.3
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

@ -85,21 +85,21 @@ jobs:
          fi

      - name: Login to Azure - CI subscription
-        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
+        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf # v1.4.3
        if: failure()
        with:
          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
-        uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f
+        uses: bitwarden/gh-actions/get-keyvault-secrets@34ecb67b2a357795dc893549df0795e7383ff50f
        if: failure()
        with:
          keyvault: "bitwarden-ci"
          secrets: "devops-alerts-slack-webhook-url"

      - name: Notify Slack on failure
-        uses: act10ns/slack@da3191ebe2e67f49b46880b4633f5591a96d1d33
+        uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0
        if: failure()
        env:
          SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }}
--- a/.github/workflows/enforce-labels.yml
+++ b/.github/workflows/enforce-labels.yml
@ -11,6 +11,6 @@ jobs:
    runs-on: ubuntu-20.04
    steps:
      - name: Enforce Label
-        uses: yogevbd/enforce-label-action@a3c219da6b8fa73f6ba62b68ff09c469b3a1c024
+        uses: yogevbd/enforce-label-action@a3c219da6b8fa73f6ba62b68ff09c469b3a1c024 # v2.2.2
        with:
          BANNED_LABELS: "hold,DB-migrations-changed,needs-qa"
--- a/.github/workflows/protect-files.yml
+++ b/.github/workflows/protect-files.yml
@ -30,7 +30,7 @@ jobs:
            label: "DB-migrations-changed"
    steps:
      - name: Checkout repo
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
        with:
          fetch-depth: 2

@ -50,6 +50,6 @@ jobs:

      - name: Add label to pull request
        if: contains(steps.check-changes.outputs.changes_detected, true)
-        uses: andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90
+        uses: andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90 # v1.0.4
        with:
          add-labels: ${{ matrix.label }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -34,11 +34,11 @@ jobs:
          fi

      - name: Checkout repo
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0

      - name: Check Release Version
        id: version
-        uses: bitwarden/gh-actions/release-version-check@4cf17a5ff15a995a2daf2b60ba371e5c9907c068
+        uses: bitwarden/gh-actions/release-version-check@34ecb67b2a357795dc893549df0795e7383ff50f
        with:
          release-type: ${{ github.event.inputs.release_type }}
          project-type: dotnet
@ -76,7 +76,7 @@ jobs:

      - name: Create GitHub deployment for ${{ matrix.name }}
        if: ${{ github.event.inputs.release_type != 'Dry Run' }}
-        uses: chrnorm/deployment-action@1b599fe41a0ef1f95191e7f2eec4743f2d7dfc48
+        uses: chrnorm/deployment-action@d42cde7132fcec920de534fffc3be83794335c00 # v2.0.5
        id: deployment
        with:
          token: "${{ secrets.GITHUB_TOKEN }}"
@ -87,7 +87,7 @@ jobs:

      - name: Download latest Release ${{ matrix.name }} asset
        if: ${{ github.event.inputs.release_type != 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@850faad0cf6c02a8c0dc46eddde2363fbd6c373a
+        uses: bitwarden/gh-actions/download-artifacts@34ecb67b2a357795dc893549df0795e7383ff50f
        with:
          workflow: build.yml
          workflow_conclusion: success
@ -96,7 +96,7 @@ jobs:

      - name: Download latest Release ${{ matrix.name }} asset
        if: ${{ github.event.inputs.release_type == 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@850faad0cf6c02a8c0dc46eddde2363fbd6c373a
+        uses: bitwarden/gh-actions/download-artifacts@34ecb67b2a357795dc893549df0795e7383ff50f
        with:
          workflow: build.yml
          workflow_conclusion: success
@ -104,7 +104,7 @@ jobs:
          artifacts: ${{ matrix.name }}.zip

      - name: Login to Azure - CI subscription
-        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
+        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf # v1.4.3
        with:
          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

@ -129,12 +129,12 @@ jobs:
          echo "publish-profile=$publish_profile" >> $GITHUB_OUTPUT

      - name: Login to Azure
-        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
+        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf # v1.4.3
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

      - name: Deploy App
-        uses: azure/webapps-deploy@0b651ed7546ecfc75024011f76944cb9b381ef1e
+        uses: azure/webapps-deploy@016bdd3f9b7cec60310bcf9da98f671628795644 # v2.2.4
        with:
          app-name: ${{ steps.retrieve-secrets.outputs.webapp-name }}
          publish-profile: ${{ steps.retrieve-secrets.outputs.publish-profile }}
@ -156,7 +156,7 @@ jobs:

      - name: Update ${{ matrix.name }} deployment status to Success
        if: ${{ github.event.inputs.release_type != 'Dry Run' && success() }}
-        uses: chrnorm/deployment-status@07b3930847f65e71c9c6802ff5a402f6dfb46b86
+        uses: chrnorm/deployment-status@2afb7d27101260f4a764219439564d954d10b5b0 # v2.0.1
        with:
          token: "${{ secrets.GITHUB_TOKEN }}"
          state: "success"
@ -164,7 +164,7 @@ jobs:

      - name: Update ${{ matrix.name }} deployment status to Failure
        if: ${{ github.event.inputs.release_type != 'Dry Run' && failure() }}
-        uses: chrnorm/deployment-status@07b3930847f65e71c9c6802ff5a402f6dfb46b86
+        uses: chrnorm/deployment-status@2afb7d27101260f4a764219439564d954d10b5b0 # v2.0.1
        with:
          token: "${{ secrets.GITHUB_TOKEN }}"
          state: "failure"
@ -227,7 +227,7 @@ jobs:
          echo "Github Release Option: $RELEASE_OPTION"

      - name: Checkout repo
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0

      - name: Setup project name
        id: setup
@ -241,7 +241,7 @@ jobs:
      - name: Setup DCT
        id: setup-dct
        if: matrix.origin_docker_repo == 'bitwarden'
-        uses: bitwarden/gh-actions/setup-docker-trust@a8c384a05a974c05c48374c818b004be221d43ff
+        uses: bitwarden/gh-actions/setup-docker-trust@34ecb67b2a357795dc893549df0795e7383ff50f
        with:
          azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
          azure-keyvault-name: "bitwarden-ci"
@ -284,7 +284,7 @@ jobs:

      ########## ACR PROD ##########
      - name: Login to Azure - PROD Subscription
-        uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a
+        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf # v1.4.3
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

@ -338,7 +338,7 @@ jobs:
    steps:
      - name: Download latest Release docker-stub
        if: ${{ github.event.inputs.release_type != 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@850faad0cf6c02a8c0dc46eddde2363fbd6c373a
+        uses: bitwarden/gh-actions/download-artifacts@34ecb67b2a357795dc893549df0795e7383ff50f
        with:
          workflow: build.yml
          workflow_conclusion: success
@ -349,7 +349,7 @@ jobs:

      - name: Download latest Release docker-stub
        if: ${{ github.event.inputs.release_type == 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@850faad0cf6c02a8c0dc46eddde2363fbd6c373a
+        uses: bitwarden/gh-actions/download-artifacts@34ecb67b2a357795dc893549df0795e7383ff50f
        with:
          workflow: build.yml
          workflow_conclusion: success
@ -360,7 +360,7 @@ jobs:

      - name: Create release
        if: ${{ github.event.inputs.release_type != 'Dry Run' }}
-        uses: ncipollo/release-action@40bb172bd05f266cf9ba4ff965cb61e9ee5f6d01
+        uses: ncipollo/release-action@a2e71bdd4e7dab70ca26a852f29600c98b33153e # v1.12.0
        with:
          artifacts: "docker-stub.zip,
            docker-stub-sha256.txt,
--- a/.github/workflows/stop-staging-slots.yml
+++ b/.github/workflows/stop-staging-slots.yml
@ -29,7 +29,7 @@ jobs:
          echo "name_lower=$NAME_LOWER" >> $GITHUB_OUTPUT

      - name: Login to Azure - CI Subscription
-        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
+        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf # v1.4.3
        with:
          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

@ -47,7 +47,7 @@ jobs:
          echo "webapp-name=$webapp_name" >> $GITHUB_OUTPUT

      - name: Login to Azure
-        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
+        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf # v1.4.3
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

--- a/.github/workflows/version-bump.yml
+++ b/.github/workflows/version-bump.yml
@ -14,22 +14,22 @@ jobs:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout Branch
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0

      - name: Login to Azure - CI Subscription
-        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
+        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf # v1.4.3
        with:
-         creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
+        uses: bitwarden/gh-actions/get-keyvault-secrets@34ecb67b2a357795dc893549df0795e7383ff50f
        with:
          keyvault: "bitwarden-ci"
          secrets: "github-gpg-private-key, github-gpg-private-key-passphrase"

      - name: Import GPG key
-        uses: crazy-max/ghaction-import-gpg@c8bb57c57e8df1be8c73ff3d59deab1dbc00e0d1
+        uses: crazy-max/ghaction-import-gpg@111c56156bcc6918c056dbef52164cfa583dc549 # v5.2.0
        with:
          gpg_private_key: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key }}
          passphrase: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key-passphrase }}
@ -40,7 +40,7 @@ jobs:
        run: git switch -c version_bump_${{ github.event.inputs.version_number }}

      - name: Bump Version - Props
-        uses: bitwarden/gh-actions/version-bump@6a42772f8849107fd457cf47cd9c7e224be44e55
+        uses: bitwarden/gh-actions/version-bump@34ecb67b2a357795dc893549df0795e7383ff50f
        with:
          version: ${{ github.event.inputs.version_number }}
          file_path: "Directory.Build.props"
--- a/.github/workflows/workflow-linter.yml
+++ b/.github/workflows/workflow-linter.yml
@ -8,4 +8,4 @@ on:

 jobs:
  call-workflow:
-    uses: bitwarden/gh-actions/.github/workflows/workflow-linter.yml@master
+    uses: bitwarden/gh-actions/.github/workflows/workflow-linter.yml@34ecb67b2a357795dc893549df0795e7383ff50f