[StepSecurity] ci: Harden GitHub Actions

[step-security-bot]

Summary

This pull request is created by StepSecurity at the request of @Nikhil-Ladha. Please merge the Pull Request to incorporate the requested changes. Please tag @Nikhil-Ladha on your message if you have any questions related to the PR.

Security Fixes

Pinned Dependencies

GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit.

• GitHub Security Guide
• The Open Source Security Foundation (OpenSSF) Security Guide

Feedback

For bug reports, feature requests, and general feedback; please email support@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot bot@stepsecurity.io

[Nikhil-Ladha]

Ref: https://scorecard.dev/viewer/?uri=github.com%2Fceph%2Fceph-csi
cc @Madhu-1 @nixpanic

[nixpanic]

@Nikhil-Ladha can you update the commit to include a little more details, and remove the [StepSecurity] prefix?

[nixpanic]

I wonder how this works together with dependabot updates...

[Madhu-1]

Even I have the same doubt.

[Nikhil-Ladha]

Seems like dependabot is configured to work in accordance with this: ossf/scorecard#4348 it is from the ossf/scorecard repo itself.

[Nikhil-Ladha]

Also, I can't update the commit id/PR title for this PR so I will have to open a new PR for this change.
This is the commit title,description I am planning for the new PR:

ci: Harden GitHub Actions

Update GitHub actions to use full length commit ids for third-party actions to reduce security risk in case of vulnerabilities.

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>

[Madhu-1]

As lint job is failing, lets open a new PR with same content and fix all the problems

[Nikhil-Ladha]

Created a separate PR #4850.

[Nikhil-Ladha]

Seems like I don't have permissions to close this PR, can someone please do that on my behalf?
Thanks in advance :)