[CI] [GHA] Set actions references to specific commit hash; provide explicit top level token permissions for jobs

.github/workflows/assign_issue.yml

@@ -6,6 +6,8 @@ on:
       - created
       - edited
 
+permissions: read-all
+
 jobs:
   take-issue:
     name: Take issue
@@ -15,7 +17,7 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: take an issue
-        uses: bdougie/take-action@v1.6.1
+        uses: bdougie/take-action@1439165ac45a7461c2d89a59952cd7d941964b87 # v1.6.1
         with:
           message: Thank you for looking into this issue! Please let us know if you have any questions or require any help.
           issueCurrentlyAssignedMessage: Thanks for being interested in this issue. It looks like this ticket is already assigned to a contributor. Please communicate with the assigned contributor to confirm the status of the issue.

.github/workflows/code_style.yml

@@ -8,14 +8,16 @@ on:
       - '.github/workflows/code_style.yml'
       - 'modules/java_api/**'
 
+permissions: read-all
+
 jobs:
   Java:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
       - name: Fix code java style
-        uses: axel-op/googlejavaformat-action@v3
+        uses: axel-op/googlejavaformat-action@dbff853fb823671ec5781365233bf86543b13215 # v3
         with:
           args: "--set-exit-if-changed -a -i"
           commit-message: "[github actions] Apply google-java-format code style fixes"

.github/workflows/history_cuda.yml

@@ -7,12 +7,15 @@ on:
     paths:
       - 'modules/nvidia_plugin/**'
       - '.github/workflows/history_cuda.yml'
+
+permissions: read-all
+
 jobs:
   history:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout master branch
-      uses: actions/checkout@v3
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       with:
         ref: master
         fetch-depth: 0

.github/workflows/labeler.yml

@@ -2,14 +2,16 @@ name: "Pull Request Labeler"
 on:
 - pull_request_target
 
+permissions: read-all
+
 jobs:
   triage:
     permissions:
       contents: read
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/labeler@v4
+    - uses: actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594 # v4.3.0
       with:
         repo-token: "${{ secrets.GITHUB_TOKEN }}"
         configuration-path: '.github/labeler.yml'

.github/workflows/linux.yml

@@ -15,6 +15,8 @@ concurrency:
 env:
   PYTHON_VERSION: '3.11'
 
+permissions: read-all
+
 jobs:
   Build_and_test:
     name: Build and Test
@@ -51,21 +53,21 @@ jobs:
           apt-get install --assume-yes --no-install-recommends git git-lfs ca-certificates
 
       - name: Clone OpenVINO
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           repository: 'openvinotoolkit/openvino'
           path: ${{ env.OPENVINO_REPO }}
           submodules: 'true'
           ref: 'master'
 
       - name: Clone OpenVINO Contrib
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           path: ${{ env.OPENVINO_CONTRIB_REPO }}
           submodules: 'true'
-      
+
       - name: Clone Testdata
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           repository: 'openvinotoolkit/testdata'
           path: ${{ env.TEST_DATA }}
@@ -81,22 +83,22 @@ jobs:
           bash ${OPENVINO_REPO}/install_build_dependencies.sh
           # default-jdk - Java API; unzip for gradle installation
           apt install --assume-yes --no-install-recommends default-jdk libopencv-dev unzip
-      
+
       - name: Setup Gradle
-        uses: gradle/actions/setup-gradle@v3
+        uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2
         with:
           gradle-version: ${{ env.GRADLE_VER }}
-    
+
       - name: Setup Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 
       - name: Install python dependencies
         run: python3 -m pip install -r ${OPENVINO_REPO}/src/bindings/python/wheel/requirements-dev.txt
-          
+
       - name: Setup ccache
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         with:
           # Should save cache only if run in the master branch of the base repo
           # github.ref_name is 'ref/PR_#' in case of the PR, and 'branch_name' when executed on push
@@ -179,7 +181,7 @@ jobs:
           popd
 
       - name: Upload Test Results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         if: ${{ !cancelled() }}
         with:
           name: test-results-java
@@ -188,15 +190,15 @@ jobs:
 
       - name: Upload openvino package
         if: ${{ always() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: openvino_package
           path: ${{ env.BUILD_DIR }}/openvino_package.tar.gz
           if-no-files-found: 'error'
 
       - name: Upload openvino developer package
         if: ${{ always() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: openvino_developer_package
           path: ${{ env.BUILD_DIR }}/openvino_developer_package.tar.gz
@@ -232,7 +234,7 @@ jobs:
         run: echo 'Acquire::Retries "10";' > /etc/apt/apt.conf.d/80-retries
 
       - name: Fetch install_build_dependencies.sh
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           sparse-checkout: |
             install_build_dependencies.sh
@@ -245,13 +247,13 @@ jobs:
         run: apt update && apt install -y git ca-certificates
 
       - name: Download OpenVINO package
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
         with:
           name: openvino_package
           path: ${{ env.INSTALL_DIR }}
 
       - name: Download OpenVINO Developer package
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
         with:
           name: openvino_developer_package
           path: ${{ env.INSTALL_DIR }}
@@ -267,7 +269,7 @@ jobs:
           popd
 
       - name: Clone OpenVINO Contrib
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           path: ${{ env.OPENVINO_CONTRIB_REPO }}
 
@@ -281,7 +283,7 @@ jobs:
           apt -y --no-install-recommends install software-properties-common curl
 
       - name: Setup ccache
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         with:
           # Should save cache only if run in the master branch of the base repo
           # github.ref_name is 'ref/PR_#' in case of the PR, and 'branch_name' when executed on push

.github/workflows/llama_cpp_plugin_build_and_test.yml

@@ -5,23 +5,25 @@ on:
     paths:
       - 'modules/llama_cpp_plugin/**'
 
+permissions: read-all
+
 jobs:
   build_ubuntu20:
     runs-on: ubuntu-20.04-8-cores
     steps:
       - name: Setup cmake
-        uses: jwlawson/actions-setup-cmake@v1.14
+        uses: jwlawson/actions-setup-cmake@d06b37b47cfd043ec794ffa3e40e0b6b5858a7ec # v1.14.2
         with:
           cmake-version: '3.24.x'
 
       - name: Checkout openvino_contrib
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           submodules: recursive
           path: openvino_contrib
 
       - name: Checkout openvino
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           submodules: recursive
           repository: openvinotoolkit/openvino
@@ -35,7 +37,7 @@ jobs:
 
 
       - name: Upload build artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: build_artifacts
           path: ${{ github.workspace }}/openvino/bin/intel64/Release/
@@ -45,13 +47,13 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Download build artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
         with:
           name: build_artifacts
           path: ${{ github.workspace }}/binaries
 
       - name: Prepare test data - checkout llama.cpp repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           repository: ggerganov/llama.cpp
           path: llama.cpp

.github/workflows/mac.yml

@@ -15,6 +15,8 @@ concurrency:
 env:
   PYTHON_VERSION: '3.11'
 
+permissions: read-all
+
 jobs:
   Build_and_test:
     name: Build and Test
@@ -41,20 +43,20 @@ jobs:
       GRADLE_VER: '7.1.1'
     steps:
       - name: Clone OpenVINO
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           repository: 'openvinotoolkit/openvino'
           path: 'openvino'
           submodules: 'true'
           ref: 'master'
 
       - name: Clone OpenVINO Contrib
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           path: 'openvino_contrib'
 
       - name: Clone Testdata
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           repository: 'openvinotoolkit/testdata'
           path: 'testdata'
@@ -69,7 +71,7 @@ jobs:
         run: brew install coreutils ninja scons automake gradle ccache
 
       - name: Setup Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 
@@ -81,7 +83,7 @@ jobs:
       #
 
       - name: Setup ccache
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         with:
           # Should save cache only if run in the master branch of the base repo
           # github.ref_name is 'ref/PR_#' in case of the PR, and 'branch_name' when executed on push
@@ -141,7 +143,7 @@ jobs:
           popd
 
       - name: Upload Test Results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         if: ${{ !cancelled() }}
         with:
           name: test-results-java
@@ -160,4 +162,4 @@ jobs:
             contains(needs.*.result, 'failure') ||
             contains(needs.*.result, 'cancelled')
           }}
-        run: exit 1
+        run: exit 1

.github/workflows/openvino_code.yml

@@ -15,15 +15,17 @@ defaults:
   run:
     working-directory: ./modules/openvino_code
 
+permissions: read-all
+
 jobs:
   check_extension:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
       - name: Use Node.js 16.x
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
         with:
           node-version: '16.x'
           cache: 'npm'
@@ -34,15 +36,15 @@ jobs:
 
       - name: Run Lint
         run: npm run lint:all
-  
+
   check_server:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
-    
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+
       - name: Set up Python 3.8
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
           python-version: '3.8'
           cache: 'pip'

.github/workflows/sanitizer_cuda.yml

@@ -7,6 +7,8 @@ on:
       - 'modules/nvidia_plugin/**'
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   cuda-compute-sanitizer:
     runs-on: lohika-ci

.github/workflows/test_cuda.yml

@@ -6,6 +6,9 @@ on:
   pull_request:
     paths:
       - 'modules/nvidia_plugin/**'
+
+permissions: read-all
+
 jobs:
   build:
     runs-on: lohika-ci