Pin gh actions to a known commit (#3580)

* pin shas for all github actions

Author: mooreds

.github/workflows/apicheck.yml

@@ -18,8 +18,8 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v4
-      - uses: ruby/setup-ruby@v1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: ruby/setup-ruby@922ebc4c5262cd14e07bb0e1db020984b6c064fe # v1
         with:
           bundler-cache: true # runs 'bundle install' and caches installed gems automatically
       - name: Check APIs for completeness against client libs

.github/workflows/closedissues.yml

@@ -23,7 +23,7 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - name: Check for closed issues referenced in documentation
         run: |
           # check docs for references to closed issues
@@ -35,7 +35,7 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ failure() }}
     steps:
-      - uses: dawidd6/action-send-mail@v3
+      - uses: dawidd6/action-send-mail@4226df7daafa6fc901a43789c49bf7ab309066e7 # v3
         with:
           server_address: ${{secrets.MAIL_HOST}}
           server_port: ${{secrets.MAIL_PORT}}

.github/workflows/contentcheck.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - name: Check for blog posts that have incorrect categories
         run: |
           exit `src/scripts/check-for-incorrect-categories.sh`

.github/workflows/contentlist.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - name: Find paths and titles of all content
         run: |
           find astro/src/content -type f|grep -v '/_' |xargs grep '^title:'|sed 's/:title: /,"/'|sed 's/$/"/'| sed 's!astro/src/content!!' |sed 's!/quickstarts!/docs/quickstarts!'|sed 's!/!https://fusionauth.io/!'

.github/workflows/dev-astro.yml

@@ -38,11 +38,11 @@ jobs:
       id-token: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           ref: ${{ inputs.branch }}
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4
         with:
           role-to-assume: ${{ env.PUBLISHER_ROLE_ARN }}
           role-session-name: site_publisher_session

.github/workflows/devlinkcheck.yml

@@ -13,8 +13,8 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # linkcheck
-      - uses: actions/checkout@v4
-      - uses: filiph/linkcheck@3.0.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: filiph/linkcheck@f2c15a0be0d9c83def5df3edcc0f2d6582845f2d # 3.0.0
         with:
           arguments: https://fusionauth.dev/docs/ --skip-file config/linkcheck/linkcheck-skip.txt --connection-failures-as-warnings
         name: linkcheck

.github/workflows/exampleappscheck.yml

@@ -15,7 +15,7 @@ jobs:
     env:
       GH_TOKEN: ${{ github.token }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Check for example app completeness
         run: src/scripts/count-repos.sh

.github/workflows/invalidate.yml

@@ -22,9 +22,9 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Setup the system with the repository code
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
-      # Set the env vars. These default to dev and if the branch is `main` then this changes to use the production keys
+      # v4
       - name: Set prod env vars based on branch
         if: startsWith(github.ref, 'refs/heads/main')
         run: |

.github/workflows/jsoncheck.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - name: Check for broken json files
         run: |
           busted_files=""        

.github/workflows/linkcheck.yml

@@ -13,8 +13,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # linkcheck
-      - uses: actions/checkout@v4
-      - uses: filiph/linkcheck@3.0.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: filiph/linkcheck@f2c15a0be0d9c83def5df3edcc0f2d6582845f2d # 3.0.0
         with:
           arguments: https://fusionauth.io/ --skip-file config/linkcheck/linkcheck-skip.txt --connection-failures-as-warnings
         name: linkcheck
@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ failure() }}
     steps:
-      - uses: dawidd6/action-send-mail@v3
+      - uses: dawidd6/action-send-mail@4226df7daafa6fc901a43789c49bf7ab309066e7 # v3
         with:
           server_address: ${{secrets.MAIL_HOST}}
           server_port: ${{secrets.MAIL_PORT}}