fix FXA-13208: implement guidelines for github actions

fkiriakos07 · fkiriakos07 · commit a7335b2673f3 · 2026-02-27T19:36:08.000+01:00
diff --git a/.github/workflows/cleanup-storybooks.yml b/.github/workflows/cleanup-storybooks.yml
@@ -18,11 +18,12 @@ jobs:
 
     steps:
       - name: Checkout gh-pages branch
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: gh-pages
           path: gh-pages
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Remove PR directory
         run: |
@@ -35,9 +36,10 @@ jobs:
           fi
 
       - name: Checkout main branch for scripts
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           path: main-repo
+          persist-credentials: false
 
       - name: Regenerate root index.html
         run: node main-repo/_scripts/generate-storybook-index.js
diff --git a/.github/workflows/close-stale-prs.yml b/.github/workflows/close-stale-prs.yml
@@ -19,7 +19,7 @@ jobs:
       pull-requests: write
 
     steps:
-    - uses: actions/stale@v10
+    - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         # ignore issues
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -37,11 +37,13 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      with:
+        persist-credentials: false
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4
+      uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -52,7 +54,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v4
+      uses: github/codeql-action/autobuild@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -66,4 +68,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4
+      uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
diff --git a/.github/workflows/deploy-storybooks.yml b/.github/workflows/deploy-storybooks.yml
@@ -23,23 +23,24 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
           fetch-depth: 0
           filter: tree:0
+          persist-credentials: false
 
       - name: Set NX_BASE and NX_HEAD for affected detection
         if: github.event_name == 'pull_request'
         run: |
-          git fetch origin ${{ github.base_ref }}
-          MERGE_BASE=$(git merge-base HEAD origin/${{ github.base_ref }})
+          git fetch origin ${GITHUB_BASE_REF}
+          MERGE_BASE=$(git merge-base HEAD origin/${GITHUB_BASE_REF})
           echo "NX_BASE=$MERGE_BASE" >> $GITHUB_ENV
           echo "NX_HEAD=HEAD" >> $GITHUB_ENV
           echo "Comparing against merge-base: $MERGE_BASE"
 
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
         with:
           node-version: '22'
           cache: 'yarn'
@@ -80,7 +81,7 @@ jobs:
 
       - name: Upload storybooks artifact
         if: github.event_name == 'push' || steps.check-affected.outputs.has_storybooks == 'true'
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
         with:
           name: storybooks-${{ github.event_name == 'pull_request' && github.event.pull_request.number || 'main' }}
           path: deploy/
@@ -100,17 +101,19 @@ jobs:
 
     steps:
       - name: Checkout repository for scripts
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
           path: repo
+          persist-credentials: false
 
       - name: Checkout gh-pages branch
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: gh-pages
           path: gh-pages
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Set deployment directory
         id: deploy-dir
@@ -124,10 +127,12 @@ jobs:
           echo "DEPLOY_DIR=$DEPLOY_DIR" >> $GITHUB_ENV
 
       - name: Remove old storybook directory
-        run: rm -rf "gh-pages/${{ steps.deploy-dir.outputs.path }}"
+        run: rm -rf "gh-pages/${DEPLOY_DIR_PATH}"
+        env:
+          DEPLOY_DIR_PATH: ${{ steps.deploy-dir.outputs.path }}
 
       - name: Download storybooks artifact
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
         with:
           name: storybooks-${{ github.event_name == 'pull_request' && github.event.pull_request.number || 'main' }}
           path: gh-pages/${{ steps.deploy-dir.outputs.path }}
@@ -160,7 +165,7 @@ jobs:
           git push --force origin gh-pages-new:gh-pages
 
       - name: Upload GitHub Pages artifact
-        uses: actions/upload-pages-artifact@v4
+        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4
         with:
           path: gh-pages/
 
@@ -173,11 +178,11 @@ jobs:
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4
 
       - name: Create GitHub status check
         if: github.event_name == 'pull_request'
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         with:
           script: |
             const deployDir = "${{ needs.prepare.outputs.deploy_dir }}";
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -74,9 +74,10 @@ jobs:
     needs:
       - tag
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ env.GIT_TAG }}
+          persist-credentials: false
 
       - name: Verify tag checkout and commit
         shell: bash
@@ -88,7 +89,7 @@ jobs:
           git describe --tags --exact-match | grep -Fx "$GIT_TAG"
           git show -s --format='%H %D' HEAD
 
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
         with:
           cache: yarn
 
@@ -108,10 +109,10 @@ jobs:
           echo "apps/version.json:"
           cat ./apps/version.json
 
-      - uses: docker/setup-buildx-action@v3
+      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 
       - id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
         with:
           images: |
             ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GAR_REPOSITORY}}/${{ env.IMAGE}}
@@ -120,26 +121,26 @@ jobs:
             type=raw,${{ env.GIT_TAG }}
 
       - id: gcp-auth
-        uses: google-github-actions/auth@v3
+        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3
         with:
           token_format: 'access_token'
           service_account: artifact-writer@${{ env.GCP_PROJECT_ID}}.iam.gserviceaccount.com
           workload_identity_provider: ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }}
 
       - id: dockerhub-auth
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           username: ${{ vars.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
-      - uses: docker/login-action@v3
+      - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ${{ env.GAR_LOCATION }}-docker.pkg.dev
           username: oauth2accesstoken
           password: ${{ steps.gcp-auth.outputs.access_token }}
 
       - id: build-and-push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
         with:
           context: .
           file: _dev/docker/mono/Dockerfile
diff --git a/.github/workflows/l10n-gettext-extract.yml b/.github/workflows/l10n-gettext-extract.yml
@@ -12,22 +12,24 @@ jobs:
           sudo apt update
           sudo apt install gettext -y
       - name: Set up Node
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
         with:
           node-version: 18
       - name: Install global npm packages
         run: |
           yarn global add grunt-cli
       - name: Clone l10n repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           repository: mozilla/fxa-content-server-l10n
           path: 'fxa-l10n'
+          persist-credentials: false
       - name: Clone FxA code repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 2
           path: 'fxa-code'
+          persist-credentials: false
       - name: Install npm packages
         run: |
           cd fxa-l10n
diff --git a/.github/workflows/pull-legal-docs.yml b/.github/workflows/pull-legal-docs.yml
@@ -14,18 +14,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Clone FxA code repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           path: fxa
           fetch-depth: 2
+          persist-credentials: false
 
       - name: Clone legal-docs repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           repository: mozilla/legal-docs
           ref: prod
           path: legal-docs
           token: ${{ secrets.GITHUB_TOKEN }}
+          persist-credentials: false
 
       - name: Pull pdfs from legal-docs and push changes to FxA
         run: |
diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml
@@ -17,7 +17,9 @@ jobs:
         shell: bash
 
       - name: Check out code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Fetch all git tags
         run: git fetch --tags origin
@@ -29,23 +31,23 @@ jobs:
       - name: Add git tag to output
         id: echo
         run: |
-          echo tag=v1.${{ env.versionNumber }}.0 >> $GITHUB_OUTPUT
+          echo tag=v1.${versionNumber}.0 >> $GITHUB_OUTPUT
 
       - name: Create release branch
-        run: git checkout -b train-${{ env.versionNumber }}
+        run: git checkout -b train-${versionNumber}
 
       - name: Initialize mandatory git config
         run: |
-          git config user.name "${{ github.triggering_actor }}"
+          git config user.name "${GITHUB_TRIGGERING_ACTOR}"
           git config user.email "noreply@github.com"
 
       - name: Commit update to branch
         if: env.versionNumber != ''
         run: |
-          git push origin train-${{ env.versionNumber }}
+          git push origin train-${versionNumber}
 
       - name: Make a new tag
         if: env.versionNumber != ''
         run: |
-          git tag -a "v1.${{ env.versionNumber }}.0" -m "Train release ${{ env.versionNumber }}"
-          git push origin v1.${{ env.versionNumber }}.0
+          git tag -a "v1.${versionNumber}.0" -m "Train release ${versionNumber}"
+          git push origin v1.${versionNumber}.0
diff --git a/.github/workflows/upload-assets-to-cdn.yml b/.github/workflows/upload-assets-to-cdn.yml
@@ -21,10 +21,12 @@ jobs:
       contents: read
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Configure Stage AWS credentials
-        uses: aws-actions/configure-aws-credentials@master
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6
         with:
           aws-region: us-east-1
           role-to-assume: arn:aws:iam::142069644989:role/fxa-content-cdn-stage-asset-upload
@@ -37,7 +39,7 @@ jobs:
           aws s3 sync --cache-control 'public,max-age=86400' --exclude "*" --include "*.pdf" --content-disposition attachment  assets/legal s3://fxa-content-cdn-stage-distbucket-bpquvfnty86g/legal
 
       - name: Configure Production AWS credentials
-        uses: aws-actions/configure-aws-credentials@master
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6
         with:
           aws-region: us-west-2
           role-to-assume: arn:aws:iam::361527076523:role/fxa-content-cdn-prod-asset-upload
@@ -50,7 +52,7 @@ jobs:
           aws s3 sync --cache-control 'public,max-age=86400' --exclude "*" --include "*.pdf" --content-disposition attachment   assets/legal s3://fxa-content-cdn-prod-distbucket-gqg70i8xqycy/legal
 
       - name: Configure Stage GCP credentials
-        uses: google-github-actions/auth@v3
+        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3
         with:
           service_account: gke-cdn-upload-stage@${{ secrets.GCP_NONPROD_PROJECT_ID }}.iam.gserviceaccount.com
           workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_POOL_PROJECT_NUMBER }}
@@ -62,7 +64,7 @@ jobs:
           gcloud storage cp --cache-control='public,max-age=86400' --content-disposition=attachment -r assets/legal/* gs://fxa-content-cdn-stage-distbucket/legal/
 
       - name: Configure Prod GCP credentials
-        uses: google-github-actions/auth@v3
+        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3
         with:
           service_account: gke-cdn-upload-prod@${{ secrets.GCP_PROD_PROJECT_ID }}.iam.gserviceaccount.com
           workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_POOL_PROJECT_NUMBER }}
@@ -74,7 +76,7 @@ jobs:
           gcloud storage cp --cache-control='public,max-age=86400' --content-disposition=attachment -r assets/legal/* gs://fxa-content-cdn-prod-distbucket/legal/
 
       - name: "Post to fxa-team Slack channel"
-        uses: slackapi/slack-github-action@v2.1.1
+        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
         with:
           method: 'chat.postMessage'
           token: ${{ secrets.SLACK_BOT_TOKEN }}
