ci(workflows): pin actions to full sha

.github/dependabot.yml

@@ -0,0 +1,18 @@
+# yaml-language-server: $schema=https://www.schemastore.org/dependabot-2.0.json
+# See GitHub's documentation for more information on this file:
+# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference
+---
+version: 2
+
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    commit-message:
+      prefix: ci
+      include: scope
+    groups:
+      all:
+        patterns:
+          - "*"

.github/workflows/close-stale-prs.yml

@@ -2,26 +2,27 @@
 #
 # For more information, see:
 # https://github.com/actions/stale
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
+---
 name: Close stale pull requests
 
 on:
   schedule:
-  - cron: '0 18 * * *' # Run the workflow every day at 6PM UTC (10AM PST).
+    - cron: "0 18 * * *" # Run the workflow every day at 6PM UTC (10AM PST).
 
 jobs:
   stale:
-
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
 
     steps:
-    - uses: actions/stale@v9
-      with:
-        repo-token: ${{ secrets.GITHUB_TOKEN }}
-        stale-pr-message: 'This pull request has been automatically marked as stale because it has been inactive for 90 days. Remove stale label or comment or this PR will be closed in 7 days.'
-        stale-pr-label: 'stale'
-        days-before-pr-stale: 90 # 3 months
-        days-before-pr-close: 7
-        days-before-issue-stale: -1
-        days-before-issue-close: -1
+      - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0
+        with:
+          repo-token: ${{ github.token }}
+          stale-pr-message: This pull request has been automatically marked as stale because it has been inactive for 90 days. Remove stale label or comment or this PR will be closed in 7 days.
+          stale-pr-label: stale
+          days-before-pr-stale: 90 # 3 months
+          days-before-pr-close: 7
+          days-before-issue-stale: -1
+          days-before-issue-close: -1

.github/workflows/issues.yml

@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
+---
 name: Sync issue to Azure DevOps work item
 
 on:
@@ -23,27 +25,31 @@ jobs:
       # Auth using Azure Service Principals was added as a part of v2.3
       # reference: https://github.com/danhellem/github-actions-issue-to-work-item/pull/143
       - name: Login to Azure
-        uses: azure/login@v2
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
         with:
           client-id: ${{ vars.AZURE_SP_DEVOPS_SYNC_CLIENT_ID }}
           tenant-id: ${{ vars.AZURE_SP_DEVOPS_SYNC_TENANT_ID }}
           allow-no-subscriptions: true
+
       - name: Get Azure DevOps token
         id: get_ado_token
-        run:
+        run: |
           # The resource ID for Azure DevOps is always 499b84ac-1321-427f-aa17-267ca6975798
           # https://learn.microsoft.com/azure/devops/integrate/get-started/authentication/service-principal-managed-identity
-          echo "ADO_TOKEN=$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query "accessToken" --output tsv)" >> $GITHUB_ENV
+          ADO_TOKEN=$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query "accessToken" --output tsv)
+          echo "::add-mask::$ADO_TOKEN"
+          echo "ADO_TOKEN=$ADO_TOKEN" >> $GITHUB_ENV
+
       - name: Sync issue to Azure DevOps
-        uses: danhellem/github-actions-issue-to-work-item@v2.3
+        uses: danhellem/github-actions-issue-to-work-item@8d0ead9b49a65aa66dac6949b1ff149d7ef8b4de # v2.5
         env:
           ado_token: ${{ env.ADO_TOKEN }}
-          github_token: '${{ secrets.GH_RAD_CI_BOT_PAT }}'
-          ado_organization: 'azure-octo'
-          ado_project: 'Incubations'
+          github_token: ${{ secrets.GH_RAD_CI_BOT_PAT }}
+          ado_organization: azure-octo
+          ado_project: Incubations
           ado_area_path: "Incubations\\Radius"
           ado_iteration_path: "Incubations\\Radius"
-          ado_new_state: 'New'
-          ado_active_state: 'Active'
-          ado_close_state: 'Closed'
-          ado_wit: 'GitHub Issue'
+          ado_new_state: New
+          ado_active_state: Active
+          ado_close_state: Closed
+          ado_wit: GitHub Issue

.github/workflows/pr-checks.yaml

@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
+---
 name: PR Checks
 
 on:
@@ -10,8 +12,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check for do-not-merge label
-        uses: mheap/github-action-required-labels@v5
+        uses: mheap/github-action-required-labels@8afbe8ae6ab7647d0c9f0cfa7c2f939650d22509 # v5.5.1
         with:
-            labels: "do-not-merge"
-            mode: exactly
-            count: 0
+          labels: do-not-merge
+          mode: exactly
+          count: 0

.github/workflows/redirect.yml

@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
+---
 name: Radius Redirect
 
 on:
@@ -6,34 +8,36 @@ on:
     branches:
       - edge
       - v*.*
-    paths: 
-      - 'redirect/**'
-      - '.github/workflows/redirect.yml'
+    paths:
+      - "redirect/**"
+      - ".github/workflows/redirect.yml"
   pull_request:
     branches:
       - edge
       - v*.*
-    paths: 
-      - 'redirect/**'
-      - '.github/workflows/redirect.yml'
+    paths:
+      - "redirect/**"
+      - ".github/workflows/redirect.yml"
 
 jobs:
   deploy-website:
     name: Deploy Redirect Website
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           submodules: false
+
       - name: Deploy staging site
-        uses: Azure/static-web-apps-deploy@v1
+        uses: Azure/static-web-apps-deploy@4d27395796ac319302594769cfe812bd207490b1 # v1
         with:
           azure_static_web_apps_api_token: ${{ secrets.SWA_REDIRECT_TOKEN }}
-          action: "upload"
-          app_location: "redirect/src"
+          action: upload
+          app_location: redirect/src
           skip_api_build: true
           skip_app_build: true
+          skip_deploy_on_missing_secrets: true
 
   close_pr_site:
     name: Close PR Staging Site
@@ -42,7 +46,9 @@ jobs:
     steps:
       - name: Close Pull Request
         id: closepullrequest
-        uses: Azure/static-web-apps-deploy@v1
+        uses: Azure/static-web-apps-deploy@4d27395796ac319302594769cfe812bd207490b1 # v1
         with:
           azure_static_web_apps_api_token: ${{ secrets.SWA_REDIRECT_TOKEN }}
-          action: "close"
+          action: close
+          app_location: redirect/src
+          skip_deploy_on_missing_secrets: true

.github/workflows/release.yaml

@@ -1,44 +1,51 @@
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
+---
 name: Release docs
 
 on:
   workflow_dispatch:
     inputs:
       version:
-        description: 'Radius version number to use (e.g. 0.22.0, 0.23.0-rc1)'
+        description: "Radius version number to use (e.g. 0.22.0, 0.23.0-rc1)"
         required: true
-        default: ''
+        default: ""
         type: string
 
 env:
   GITHUB_TOKEN: ${{ secrets.GH_RAD_CI_BOT_PAT }}
-  GITHUB_EMAIL: 'radiuscoreteam@service.microsoft.com'
-  GITHUB_USER: 'Radius CI Bot'
+  GITHUB_EMAIL: radiuscoreteam@service.microsoft.com
+  GITHUB_USER: Radius CI Bot
 
 jobs:
   release-docs:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           token: ${{ secrets.GH_RAD_CI_BOT_PAT }}
           ref: edge
           path: docs
+
       - name: Configure git
         run: |
           git config --global user.email "${{ env.GITHUB_EMAIL }}"
           git config --global user.name "${{ env.GITHUB_USER }}"
+
       - name: Ensure inputs.version is valid semver
         run: |
           python ./docs/.github/scripts/validate_semver.py ${{ inputs.version }}
+
       - name: Parse release channel
         id: parse_release_channel
         run: |
           # CHANNEL is the major and minor version of the VERSION_NUMBER (e.g. 0.1)
           CHANNEL="$(echo ${{ inputs.version }} | cut -d '.' -f 1,2)"
           echo "channel=$CHANNEL" >> $GITHUB_OUTPUT
+
       - name: Release docs
         run: |
           ./docs/.github/scripts/release-docs.sh ${{ inputs.version }}
+
       - name: Change the default branch
         run: |
           gh api \

.github/workflows/spellcheck.yaml

@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
+---
 name: Spellcheck
 
 on:
@@ -13,7 +15,7 @@ on:
       - edge
 
 env:
-  ACTION_LINK: '${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}'
+  ACTION_LINK: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
 
 concurrency:
   group: spellcheck-${{ github.ref }}-${{ github.event.pull_request.number || github.sha }}
@@ -23,37 +25,42 @@ jobs:
     name: Spellcheck
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout docs
-      uses: actions/checkout@v4
-    - name: Spellcheck
-      uses: rojopolis/spellcheck-github-actions@0.36.0
-      with:
-        config_path: .github/config/.pyspelling.yml
-    - name: Post GitHub workkflow output on failure
-      if: failure()
-      run: |
-        echo "## :x: Spellcheck Failed" >> $GITHUB_STEP_SUMMARY
-        echo "There are spelling errors in your PR. Visit [the workflow output](${{ env.ACTION_LINK }}) to see what words are failing." >> $GITHUB_STEP_SUMMARY
-        echo "### Adding new words" >> $GITHUB_STEP_SUMMARY
-        echo "If you are adding a new custom word refer to the [docs guide](https://docs.radapp.io/contributing/docs/#spelling)" >> $GITHUB_STEP_SUMMARY
-    - name: Post GitHub workflow output on success
-      run: |
-        echo "## :white_check_mark: Spellcheck Passed" >> $GITHUB_STEP_SUMMARY
-        echo "There are no spelling errors in your PR." >> $GITHUB_STEP_SUMMARY
-    - name: Post GitHub comment on failure
-      if: failure()
-      uses: marocchino/sticky-pull-request-comment@v2
-      with:
-        header: spellcheck
-        recreate: true
-        message: |
-          ## :x: Spellcheck Failed
-          There are spelling errors in your PR. Visit [the workflow output](${{ env.ACTION_LINK }}) to see what words are failing.
-          ### Adding new words
-          If you are adding a new custom word refer to the [docs guide](https://docs.radapp.io/contributing/docs/#spelling)
-    - name: Clear GitHub comment on success
-      uses: marocchino/sticky-pull-request-comment@v2
-      continue-on-error: true
-      with:
-        header: spellcheck
-        delete: true
+      - name: Checkout docs
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+
+      - name: Spellcheck
+        uses: rojopolis/spellcheck-github-actions@6f2326b663e2dbab920da0fc4144b9f3202434ba # 0.54.0
+        with:
+          config_path: .github/config/.pyspelling.yml
+
+      - name: Post GitHub workkflow output on failure
+        if: failure()
+        run: |
+          echo "## :x: Spellcheck Failed" >> $GITHUB_STEP_SUMMARY
+          echo "There are spelling errors in your PR. Visit [the workflow output](${{ env.ACTION_LINK }}) to see what words are failing." >> $GITHUB_STEP_SUMMARY
+          echo "### Adding new words" >> $GITHUB_STEP_SUMMARY
+          echo "If you are adding a new custom word refer to the [docs guide](https://docs.radapp.io/contributing/docs/#spelling)" >> $GITHUB_STEP_SUMMARY
+
+      - name: Post GitHub workflow output on success
+        run: |
+          echo "## :white_check_mark: Spellcheck Passed" >> $GITHUB_STEP_SUMMARY
+          echo "There are no spelling errors in your PR." >> $GITHUB_STEP_SUMMARY
+
+      - name: Post GitHub comment on failure
+        if: failure()
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
+        with:
+          header: spellcheck
+          recreate: true
+          message: |
+            ## :x: Spellcheck Failed
+            There are spelling errors in your PR. Visit [the workflow output](${{ env.ACTION_LINK }}) to see what words are failing.
+            ### Adding new words
+            If you are adding a new custom word refer to the [docs guide](https://docs.radapp.io/contributing/docs/#spelling)
+
+      - name: Clear GitHub comment on success
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
+        continue-on-error: true
+        with:
+          header: spellcheck
+          delete: true