Pin GitHub action references (#1865)

## Summary

- Pin all GitHub action references to their commit SHAs
- Each SHA maps to the current tag for the action at the time of pinning

Author: pietern

.github/workflows/create-build-artifacts.yml

@@ -17,7 +17,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Use Node.js 22
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 22
           cache: "yarn"

.github/workflows/integration-tests.yml

@@ -45,7 +45,7 @@ jobs:
 
     - name: Generate GitHub App Token for Check Updates
       id: generate-check-token
-      uses: actions/create-github-app-token@v1
+      uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
       with:
         app-id: ${{ secrets.DECO_TEST_APPROVAL_APP_ID }}
         private-key: ${{ secrets.DECO_TEST_APPROVAL_PRIVATE_KEY }}
@@ -69,7 +69,7 @@ jobs:
 
     - name: Generate GitHub App Token for Workflow Trigger
       id: generate-token
-      uses: actions/create-github-app-token@v1
+      uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
       with:
         app-id: ${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }}
         private-key: ${{ secrets.DECO_WORKFLOW_TRIGGER_PRIVATE_KEY }}
@@ -101,7 +101,7 @@ jobs:
 
     steps:
       - name: Auto-approve Check for Merge Queue
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
         with:
           script: |
             await github.rest.checks.create({

.github/workflows/nightly-release.yml

@@ -25,7 +25,7 @@ jobs:
       - run: ls -lR packages/databricks-vscode
 
       - name: Update nightly release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
         with:
           name: Nightly - ${{ github.ref_name }}
           prerelease: true

.github/workflows/publish-to-openvsx.yml

@@ -21,7 +21,7 @@ jobs:
 
     steps:
       - name: Use Node.js 22.x
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 22.x
 

.github/workflows/publish-to-vscode.yml

@@ -21,7 +21,7 @@ jobs:
 
     steps:
       - name: Use Node.js 22.x
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 22.x
 

.github/workflows/push.yml

@@ -14,7 +14,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Use Node.js 22.x
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 22.x
           cache: "yarn"
@@ -37,7 +37,7 @@ jobs:
         working-directory: packages/databricks-vscode
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: VSIX artifacts
           path: packages/databricks-vscode/artifacts

.github/workflows/release-pr.yml

@@ -39,7 +39,7 @@ jobs:
           git config --global user.email "noreply@github.com"
 
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: ${{ matrix.node-version }}
           cache: "yarn"

.github/workflows/unit-tests.yml

@@ -32,13 +32,13 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: ${{ matrix.node-version }}
           cache: "yarn"
 
       - name: Cache VSCode unit test runner
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: /tmp/vscode-test-databricks
           key: ${{ matrix.arch.cli_arch }}-${{ matrix.vscode-version }}-vscode-test
@@ -59,13 +59,13 @@ jobs:
         run: yarn run build
 
       - name: Unit Tests with Coverage
-        uses: coactions/setup-xvfb@v1
+        uses: coactions/setup-xvfb@b6b4fcfb9f5a895edadc3bc76318fae0ac17c8b3 # v1.0.1
         with:
           run: yarn run test:cov
           working-directory: packages/databricks-vscode
 
       - name: Install Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.12" # 3.13+ is not yet supported by the latest DBR
 

.github/workflows/update-cli-version.yml

@@ -29,7 +29,7 @@ jobs:
         run: jq '.cli.version = "${{ github.event.inputs.version }}"' packages/databricks-vscode/package.json --indent 4 > tmp.json && mv tmp.json packages/databricks-vscode/package.json
 
       - name: Create a pull request
-        uses: peter-evans/create-pull-request@v5
+        uses: peter-evans/create-pull-request@4e1beaa7521e8b457b572c090b25bd3db56bf1c5 # v5.0.3
         with:
           token: ${{ secrets.DECO_GITHUB_TOKEN }}
           commit-message: Update Databricks CLI to v${{ github.event.inputs.version }}