ci: hardening security of Github actions (#69)

## Proposed changes
This pull request enhances the security of our GitHub Actions workflows
by implementing several best practices:

- Pinning Actions to Commit SHAs: All external GitHub Actions are now
pinned to specific commit SHAs instead of floating versions (e.g., @v4).
This prevents unexpected or malicious code from being executed if a
version tag is updated.
- Updated Actions: All actions have been updated to their latest stable
versions to include the latest features and security fixes.
- Workflow Cleanup: Minor linter issues have been resolved.

## Types of changes

[//]: # 'What types of changes does your code introduce to WebdriverIO?'
[//]: # '_Put an `x` in the boxes that apply_'

- [ ] Polish (an improvement for an existing feature)
- [ ] Bugfix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] Documentation update (improvements to the project's docs)
- [X] Internal updates (everything related to internal scripts,
governance documentation and CI files)

## Checklist

[//]: # "_Put an `x` in the boxes that apply. You can also fill these
out after creating the PR. If you're unsure about any of them, don't
hesitate to ask. We're here to help! This is simply a reminder of what
we are going to look for before merging your code._"

- [X] I have read the
[CONTRIBUTING](https://github.com/webdriverio/vscode-webdriverio/blob/main/CONTRIBUTING.md)
doc
- [ ] I have added tests that prove my fix is effective or that my
feature works
- [ ] I have added the necessary documentation (if appropriate)
- [ ] I have added proper type definitions for new commands (if
appropriate)

## Further comments

[//]: # 'If this is a relatively large or complex change, kick off the
discussion by explaining why you chose the solution you did and what
alternatives you considered, etc...'

### Reviewers: @webdriverio/project-committers

Author: mato533

…orkflows/actions/cache-vscode/action.yml .github/actions/cache-vscode/action.yml.github/workflows/actions/cache-vscode/action.yml renamed to .github/actions/cache-vscode/action.yml .github/workflows/actions/cache-vscode/action.yml renamed to .github/actions/cache-vscode/action.yml

@@ -13,7 +13,7 @@ runs:
 
     - name: 🗃️ Use cached vscode
       if: ${{ steps.generate-key.outputs.vscode-cache-key != '' }}
-      uses: actions/[email protected]
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
       with:
         path: ${{ inputs.path }}
         key: ${{ steps.generate-key.outputs.vscode-cache-key }}

…lows/actions/download-archive/action.yml …thub/actions/download-archive/action.yml.github/workflows/actions/download-archive/action.yml renamed to .github/actions/download-archive/action.yml .github/workflows/actions/download-archive/action.yml renamed to .github/actions/download-archive/action.yml

@@ -11,7 +11,7 @@ runs:
   using: 'composite'
   steps:
     - name: ⬇️ Download Build Archive
-      uses: actions/[email protected]
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       with:
         name: ${{ inputs.name }}
         path: ${{ inputs.path }}

…actions/set-screen-resolution/action.yml …actions/set-screen-resolution/action.yml.github/workflows/actions/set-screen-resolution/action.yml renamed to .github/actions/set-screen-resolution/action.yml .github/workflows/actions/set-screen-resolution/action.yml renamed to .github/actions/set-screen-resolution/action.yml

@@ -37,5 +37,7 @@ runs:
       if: runner.os == 'macOS'
       shell: bash
       run: |
+        echo "::group::brew install displayplacer"
         brew install displayplacer
+        echo "::endgroup::"
         displayplacer list

…flows/actions/setup-workspace/action.yml …ithub/actions/setup-workspace/action.yml.github/workflows/actions/setup-workspace/action.yml renamed to .github/actions/setup-workspace/action.yml .github/workflows/actions/setup-workspace/action.yml renamed to .github/actions/setup-workspace/action.yml

@@ -9,12 +9,12 @@ runs:
   using: composite
   steps:
     - name: 🧰 Setup PNPM
-      uses: pnpm/[email protected]
+      uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
       with:
         run_install: false
 
     - name: 🛠️ Setup Node.js ${{ inputs.node-version }}
-      uses: actions/[email protected]
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
       with:
         node-version: ${{ inputs.node-version }}
         cache: 'pnpm'

…kflows/actions/upload-archive/action.yml .github/actions/upload-archive/action.yml.github/workflows/actions/upload-archive/action.yml renamed to .github/actions/upload-archive/action.yml .github/workflows/actions/upload-archive/action.yml renamed to .github/actions/upload-archive/action.yml

@@ -21,7 +21,7 @@ runs:
       if: ${{ runner.os == 'Windows' }}
 
     - name: ⬆️ Upload Archive
-      uses: actions/[email protected]
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: ${{ inputs.name }}
         path: ${{ inputs.output }}

.github/workflows/ci-build.yml

@@ -19,12 +19,12 @@ jobs:
     runs-on: ${{ inputs.os }}
     steps:
       - name: 👷 Checkout
-        uses: actions/[email protected]
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ssh-key: ${{ secrets.DEPLOY_KEY }}
 
       - name: 🛠️ Setup workspace
-        uses: ./.github/workflows/actions/setup-workspace
+        uses: ./.github/actions/setup-workspace
         with:
           node-version: '20'
 
@@ -34,7 +34,7 @@ jobs:
 
       - name: ⬆️ Upload Build Artifacts
         if: ${{ runner.os == 'Linux' }}
-        uses: ./.github/workflows/actions/upload-archive
+        uses: ./.github/actions/upload-archive
         with:
           name: vscode-webdriverio
           output: vscode-webdriverio-build.zip

.github/workflows/ci-e2e.yml

@@ -26,46 +26,46 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: 👷 Checkout
-        uses: actions/[email protected]
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ssh-key: ${{ secrets.DEPLOY_KEY }}
 
       - name: 🛠️ Setup workspace
-        uses: ./.github/workflows/actions/setup-workspace
+        uses: ./.github/actions/setup-workspace
         with:
           node-version: ${{ matrix.node-version }}
 
       - name: ⬇️ Download Build Archive
-        uses: ./.github/workflows/actions/download-archive
+        uses: ./.github/actions/download-archive
         with:
           name: vscode-webdriverio
           path: .
           filename: vscode-webdriverio-build.zip
 
       - name: 🗃️ Use cached vscode
-        uses: ./.github/workflows/actions/cache-vscode
+        uses: ./.github/actions/cache-vscode
         with:
           path: e2e/.wdio-vscode-service
 
       - name: 🖥️ Set screen resolution
-        uses: ./.github/workflows/actions/set-screen-resolution
+        uses: ./.github/actions/set-screen-resolution
 
       - name: 🧪 Run the e2e test
         env:
           E2E_SCENARIO: ${{ matrix.scenario }}
-        run: pnpm --filter @vscode-wdio/e2e run test:e2e:${E2E_SCENARIO}
+        run: pnpm --filter @vscode-wdio/e2e run "test:e2e:${E2E_SCENARIO}"
         shell: bash
 
       - name: 📦 Upload Test Logs on Failure
-        uses: ./.github/workflows/actions/upload-archive
+        uses: ./.github/actions/upload-archive
         if: failure()
         with:
           name: ${{ inputs.compatibility-mode == 'yes' && 'compatibility' || 'e2e' }}-${{ matrix.scenario }}-logs-${{ matrix.os }}
           output: ${{ inputs.compatibility-mode == 'yes' && 'compatibility' || 'e2e' }}-${{ matrix.scenario }}-logs-${{ matrix.os }}.zip
           paths: e2e/logs
 
       - name: 🐛 Debug Build
-        uses: stateful/[email protected]
+        uses: stateful/vscode-server-action@ec99599aefe0bf96d14491e1d5f7e80d30e22247 # v1.1.0
         if: failure()
         with:
           timeout: '180000'

.github/workflows/ci-lint.yml

@@ -14,12 +14,12 @@ jobs:
     runs-on: 'ubuntu-latest'
     steps:
       - name: 👷 Checkout
-        uses: actions/[email protected]
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ssh-key: ${{ secrets.DEPLOY_KEY }}
 
       - name: 🛠️ Setup workspace
-        uses: ./.github/workflows/actions/setup-workspace
+        uses: ./.github/actions/setup-workspace
         with:
           node-version: '20'
 

.github/workflows/ci-smoke.yml

@@ -23,46 +23,46 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: 👷 Checkout
-        uses: actions/[email protected]
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ssh-key: ${{ secrets.DEPLOY_KEY }}
 
       - name: 🛠️ Setup workspace
-        uses: ./.github/workflows/actions/setup-workspace
+        uses: ./.github/actions/setup-workspace
         with:
           node-version: ${{ matrix.node-version }}
 
       - name: ⬇️ Download Build Archive
-        uses: ./.github/workflows/actions/download-archive
+        uses: ./.github/actions/download-archive
         with:
           name: vscode-webdriverio
           path: .
           filename: vscode-webdriverio-build.zip
 
       - name: 🗃️ Use cached vscode
-        uses: ./.github/workflows/actions/cache-vscode
+        uses: ./.github/actions/cache-vscode
         with:
           path: e2e/.wdio-vscode-service
 
       - name: 🖥️ Set screen resolution
-        uses: ./.github/workflows/actions/set-screen-resolution
+        uses: ./.github/actions/set-screen-resolution
 
       - name: 🚂 Run the smoke test
         env:
           E2E_SCENARIO: ${{ inputs.scenario }}
-        run: pnpm --filter @vscode-wdio/e2e run test:smoke:${E2E_SCENARIO}
+        run: pnpm --filter @vscode-wdio/e2e run "test:smoke:${E2E_SCENARIO}"
         shell: bash
 
       - name: 📦 Upload Test Logs on Failure
-        uses: ./.github/workflows/actions/upload-archive
+        uses: ./.github/actions/upload-archive
         if: failure()
         with:
           name: smoke-${{ inputs.scenario }}--logs-${{ matrix.os }}
           output: smoke-${{ inputs.scenario }}-logs-${{ matrix.os }}.zip
           paths: e2e/logs
 
       - name: 🐛 Debug Build
-        uses: stateful/[email protected]
+        uses: stateful/vscode-server-action@ec99599aefe0bf96d14491e1d5f7e80d30e22247 # v1.1.0
         if: failure()
         with:
           timeout: '180000'

.github/workflows/ci-typecheck.yml

@@ -19,17 +19,17 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: 👷 Checkout
-        uses: actions/[email protected]
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ssh-key: ${{ secrets.DEPLOY_KEY }}
 
       - name: 🛠️ Setup workspace
-        uses: ./.github/workflows/actions/setup-workspace
+        uses: ./.github/actions/setup-workspace
         with:
           node-version: ${{ matrix.node-version }}
 
       - name: ⬇️ Download Build Archive
-        uses: ./.github/workflows/actions/download-archive
+        uses: ./.github/actions/download-archive
         with:
           name: vscode-webdriverio
           path: .