
Internal - Pin GitHub Actions to commit SHAs#472

Merged: cleverchuk merged 1 commit into main from cc/NH-136051 on Apr 28, 2026

Conversation

@cleverchuk (Contributor)

TLDR

Replace all mutable version tags (@v6, @v7, etc.) with immutable commit SHA references across CI/CD workflows to mitigate supply chain attacks via tag rewriting.

Motivation

GitHub Action version tags are mutable — a compromised upstream repository can rewrite a tag to point at a malicious commit. Pinning to full commit SHAs ensures the exact code that was audited is the code that runs in CI, regardless of future tag mutations.

What changed

All uses: references in workflow files now point to specific commit SHAs instead of semver tags. The pinned SHAs correspond to the same versions previously referenced (e.g., actions/checkout@v6 → its current HEAD SHA). No behavioral change is introduced.

Actions pinned: actions/checkout, actions/setup-java, actions/upload-artifact, gradle/gradle-build-action, gradle/actions/setup-gradle, aws-actions/configure-aws-credentials, docker/setup-qemu-action, docker/setup-buildx-action, docker/login-action, docker/build-push-action, docker/metadata-action, docker/scout-action, github/codeql-action, azure/login, reversinglabs/gh-action-rl-scanner-cloud-only.

Trade-offs

  • Pro: Eliminates mutable-tag supply chain attack vector.
  • Con: Updates require finding the new SHA rather than bumping a version number. Dependabot/Renovate can automate this.

Test services data

  1. e-1712644058766987264
  2. e-1712643928659124224
  3. e-1742334541200846848
  4. e-1777406072376840192

Copilot AI review requested due to automatic review settings April 27, 2026 15:54
@cleverchuk cleverchuk requested review from a team as code owners April 27, 2026 15:54
Copilot AI (Contributor) left a comment

Pull request overview

This PR hardens CI/CD supply chain security by pinning third-party GitHub Actions to immutable commit SHAs instead of mutable version tags.

Changes:

  • Updated uses: references across workflows to use full commit SHAs (e.g., actions/checkout@<sha>).
  • Pinned build, artifact, AWS auth, Docker, CodeQL, Azure login, and scanning actions to specific commits.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Summary per file:

  • .github/workflows/release.yml: Pins all third-party actions used in release, publishing, signing, Docker build/push, and scanning jobs to immutable SHAs.
  • .github/workflows/push.yml: Pins all third-party actions used in push/build/test/smoke-test, Docker build/publish, and cache-cleanup jobs to immutable SHAs.
  • .github/workflows/lambda-test.yml: Pins checkout and Java setup actions to immutable SHAs for the lambda test workflow.
  • .github/workflows/lambda-stage.yml: Pins checkout, Java setup, AWS credentials, and artifact upload actions to immutable SHAs for the stage publish workflow.
  • .github/workflows/codeql.yml: Pins checkout, CodeQL init/analyze, Java setup, and Gradle setup actions to immutable SHAs.
  • .github/workflows/benchmark.yml: Pins checkout and Gradle build action to immutable SHAs for the benchmark workflow.

Comment thread .github/workflows/benchmark.yml Outdated
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
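Review bot: the replacement line keeps the pin but drops the human-readable version, so nothing on the line says which release de0fac2e4500dabe0009e67214ff5f5447ce83dd corresponds to, and Dependabot/Renovate rely on that trailing comment to keep bumping SHA pins; suggest `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` and the same trailing comment on every other action pinned in this PR. Since the description promises no behavioral change, also confirm before merging that this SHA is the commit the previous `v6` tag resolved to.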
Suggested change
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2


Dependabot will help to bump the GHA version with the commented version number.
See solarwinds/apm-php#115


Same for others.
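A small check for the pattern this PR and the review comments above describe, added here as an example and not code from this repository: it scans a workflow file for `uses:` references and flags mutable tags, abbreviated SHAs, and full-SHA pins that lack the `# vX.Y.Z` comment Dependabot and Renovate use when bumping. The sample workflow is constructed from the benchmark.yml lines shown in this thread; the `actions/setup-java` short-SHA line is hypothetical.

```python
import re

# owner/repo[/subpath]@ref with an optional trailing `# comment`. Local actions
# (`uses: ./path`) and docker:// images have no `@ref` and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S.*?))?\s*$"
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
VERSION_COMMENT_RE = re.compile(r"v?\d+(\.\d+)*")

def audit_workflow(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, "action@ref", finding) for every `uses:` reference.
    mutable-ref: tag/branch, upstream can move it; short-sha: GitHub requires
    the full 40-hex SHA; sha-no-version: full SHA without the `# vX.Y.Z`
    comment Dependabot/Renovate need to bump it; ok: full SHA plus comment."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m["ref"], m["comment"] or ""
        if FULL_SHA_RE.fullmatch(ref):
            finding = "ok" if VERSION_COMMENT_RE.match(comment) else "sha-no-version"
        elif re.fullmatch(r"[0-9a-f]{7,39}", ref):
            finding = "short-sha"
        else:
            finding = "mutable-ref"
        findings.append((no, f"{m['action']}@{ref}", finding))
    return findings

def unpinned(text: str) -> list[tuple[int, str, str]]:
    """The findings a CI gate should fail on: everything except `ok`."""
    return [f for f in audit_workflow(text) if f[2] != "ok"]

# Constructed sample: the benchmark.yml step before and after this PR, the
# reviewer's suggested form, and a hypothetical short-SHA pin for contrast.
SAMPLE = """\
jobs:
  benchmark:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-java@de0fac2e  # hypothetical short SHA
      - uses: ./.github/actions/local-step
"""
for no, ref, finding in unpinned(SAMPLE):
    print(f"line {no}: {finding}: {ref}")
```

Running it over every file under .github/workflows and failing the job when `unpinned` is non-empty turns the policy in this PR into a CI gate.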

jerrytfleung previously approved these changes Apr 27, 2026

@jerrytfleung jerrytfleung left a comment


LGTM

@cleverchuk cleverchuk merged commit 57bbd7c into main Apr 28, 2026
28 of 29 checks passed
@cleverchuk cleverchuk deleted the cc/NH-136051 branch April 28, 2026 15:31