Merge pull request #1145 from alvr/feature/pin_github_actions_versions

chore: pin GitHub actions version

.github/actions/common-steps/action.yml

@@ -11,12 +11,12 @@ runs:
   using: composite
   steps:
     - name: Setup Java
-      uses: actions/setup-java@v4.6.0
+      uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # pin@v4.6.0
       with:
         distribution: zulu
         java-version: 17
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v4.2.2
+      uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # pin@v4.2.2
       with:
         add-job-summary-as-pr-comment: on-failure
         artifact-retention-days: 7

.github/workflows/clear_cache.yml

@@ -11,4 +11,4 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Clear cache
-        uses: easimon/wipe-cache@main
+        uses: easimon/wipe-cache@5f305e3ee1b681c44328cdf11eaedf943b60edff # pin@main

.github/workflows/katana.yml

@@ -25,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Cancel Stale Jobs
-        uses: styfle/cancel-workflow-action@0.12.1
+        uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # pin@0.12.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -34,19 +34,19 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4.2.2
         with:
           fetch-depth: 0
       - name: Validate Gradle wrapper
-        uses: gradle/actions/wrapper-validation@v4.2.2
+        uses: gradle/actions/wrapper-validation@0bdd871935719febd78681f197cd39af5b6e16a6 # pin@v4.2.2
 
   assemble:
     name: Assembling
     runs-on: ubuntu-latest
     if: github.event_name == 'pull_request'
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4.2.2
         with:
           fetch-depth: 0
       - name: Common Steps
@@ -56,14 +56,14 @@ jobs:
       - name: Assemble Katana
         run: ./gradlew assembleDebug --no-daemon --stacktrace
       - name: Upload debug artifacts
-        uses: actions/upload-artifact@v4.5.0
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # pin@v4.5.0
         with:
           name: Katana v${{ github.run_number }}
           path: |
             ${{ vars.ANDROID_DEBUG_APK }}
           retention-days: 7
       - name: Upload compose reports artifact
-        uses: actions/upload-artifact@v4.5.0
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # pin@v4.5.0
         if: always()
         with:
           name: compose-reports
@@ -80,7 +80,7 @@ jobs:
       security-events: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4.2.2
         with:
           fetch-depth: 0
       - name: Common Steps
@@ -90,15 +90,15 @@ jobs:
       - name: Run detekt
         run: ./gradlew detektAll lintDebug --no-daemon --stacktrace
       - name: Upload static reports artifact
-        uses: actions/upload-artifact@v4.5.0
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # pin@v4.5.0
         with:
           name: static-report
           path: |
             build/reports/detekt/detekt.xml
             **/build/reports/lint-results-debug.xml
           retention-days: 1
       - name: Analyze detekt report
-        uses: github/codeql-action/upload-sarif@v3.28.0
+        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # pin@v3.28.0
         with:
           sarif_file: build/reports/detekt/detekt.sarif
           checkout_path: ${{ github.workspace }}
@@ -108,7 +108,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4.2.2
         with:
           fetch-depth: 0
       - name: Common Steps
@@ -118,15 +118,15 @@ jobs:
       - name: Run unit tests
         run: ./gradlew :koverXmlReport :koverVerify --no-daemon --stacktrace
       - name: Upload tests reports artifact
-        uses: actions/upload-artifact@v4.5.0
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # pin@v4.5.0
         with:
           name: tests-reports
           path: |
             **/build/reports/tests/jvmTest
             **/build/reports/tests/testDebugUnitTest
           retention-days: 7
       - name: Upload report to Codecov
-        uses: codecov/codecov-action@v5.1.2
+        uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # pin@v5.1.2
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: build/reports/kover/report.xml
@@ -140,21 +140,21 @@ jobs:
     needs: [ static-analysis, unit-tests ]
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4.2.2
         with:
           fetch-depth: 0
       - name: Common Steps
         uses: ./.github/actions/common-steps
         with:
           gradle-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
       - name: Decode keystore
-        uses: timheuer/base64-to-file@v1.2.4
+        uses: timheuer/base64-to-file@784a1a4a994315802b7d8e2084e116e783d157be # pin@v1.2.4
         with:
           fileDir: .
           fileName: ${{ secrets.SIGNING_FILE }}
           encodedString: ${{ secrets.SIGNING_FILE_BASE64 }}
       - name: Bump versionCode
-        uses: chkfung/android-version-actions@v1.2.3
+        uses: chkfung/android-version-actions@fcf89abef1c7afba2083146dcca0c6da4705ba4b # pin@v1.2.3
         with:
           gradlePath: build-logic/katana-convention/src/main/kotlin/dev/alvr/katana/buildlogic/extensions.kt
           versionCode: ${{ github.run_number }}
@@ -169,7 +169,7 @@ jobs:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
         run: ./gradlew assembleBeta -Pkatana.flavor=beta --no-daemon --stacktrace
       - name: Publish beta APK to TestApp.io
-        uses: testappio/github-action@v5
+        uses: testappio/github-action@57d81be5051e10ea7c07da5730b2eaae1b9b1fa1 # pin@v5
         with:
           api_token: ${{ secrets.TESTAPPIO_API_TOKEN }}
           app_id: ${{ secrets.TESTAPPIO_APP_ID }}
@@ -178,7 +178,7 @@ jobs:
           include_git_commit_id: true
           notify: true
       - name: Publish beta APK to AppCenter
-        uses: wzieba/AppCenter-Github-Action@v1.3.4
+        uses: wzieba/AppCenter-Github-Action@70e33d4842b97b381833ad5c9c93a562b39d5d9f # pin@v1.3.4
         with:
           appName: KatanaApp/Katana-Android
           token: ${{ secrets.APPCENTER_TOKEN }}
@@ -188,7 +188,7 @@ jobs:
           gitReleaseNotes: true
           debug: false
       - name: Create Sentry release
-        uses: getsentry/action-release@v1.7.0
+        uses: getsentry/action-release@e769183448303de84c5a06aaaddf9da7be26d6c7 # pin@v1.7.0
         env:
           SENTRY_PROJECT: ${{ vars.SENTRY_ANDROID_BETA_PROJECT }}
           SENTRY_ORG: ${{ vars.SENTRY_ORG }}
@@ -204,15 +204,15 @@ jobs:
     needs: [ static-analysis, unit-tests ]
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4.2.2
         with:
           fetch-depth: 0
       - name: Common Steps
         uses: ./.github/actions/common-steps
         with:
           gradle-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
       - name: Decode keystore
-        uses: timheuer/base64-to-file@v1.2.4
+        uses: timheuer/base64-to-file@784a1a4a994315802b7d8e2084e116e783d157be # pin@v1.2.4
         with:
           fileDir: .
           fileName: ${{ secrets.SIGNING_FILE }}
@@ -228,7 +228,7 @@ jobs:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
         run: ./gradlew assembleRelease bundleRelease -Pkatana.flavor=release --no-daemon --stacktrace
       - name: Publish production AAB to Google Play
-        uses: r0adkll/upload-google-play@v1.1.3
+        uses: r0adkll/upload-google-play@935ef9c68bb393a8e6116b1575626a7f5be3a7fb # pin@v1.1.3
         with:
           serviceAccountJsonPlainText: ${{ secrets.GOOGLE_PLAY_SERVICE_ACCOUNT }}
           packageName: dev.alvr.katana
@@ -237,7 +237,7 @@ jobs:
           status: completed
           mappingFile: app/build/outputs/mapping/release/mapping.txt
       - name: Create Sentry release
-        uses: getsentry/action-release@v1.7.0
+        uses: getsentry/action-release@e769183448303de84c5a06aaaddf9da7be26d6c7 # pin@v1.7.0
         env:
           SENTRY_PROJECT: ${{ vars.SENTRY_ANDROID_RELEASE_PROJECT }}
           SENTRY_ORG: ${{ vars.SENTRY_ORG }}
@@ -246,7 +246,7 @@ jobs:
           environment: production
           version: ${{ github.ref }}
       - name: Create Release
-        uses: softprops/action-gh-release@v2.2.0
+        uses: softprops/action-gh-release@7b4da11513bf3f43f9999e90eabced41ab8bb048 # pin@v2.2.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with: