
Pin all github actions to specific Hash #465

Merged
wprzytula merged 1 commit into scylladb:master from sylwiaszunejko:pin-github-actions on May 28, 2026

Conversation

@sylwiaszunejko
Contributor

Fixes: https://scylladb.atlassian.net/browse/DRIVER-585

Pre-review checklist

  • I have split my patch into logically separate commits.
  • All commit messages clearly explain what they change and why.
  • PR description sums up the changes and reasons why they should be introduced.
  • I have implemented Rust unit tests for the features/changes introduced.
  • I have enabled appropriate tests in Makefile in {SCYLLA,CASSANDRA}_(NO_VALGRIND_)TEST_FILTER.
  • I added appropriate Fixes: annotations to PR description.

@sylwiaszunejko sylwiaszunejko requested a review from wprzytula May 28, 2026 07:12
@sylwiaszunejko sylwiaszunejko self-assigned this May 28, 2026
@github-actions github-actions Bot added labels P1 (P1 priority item - very important) and area/Driver_-_cpp-rs-driver on May 28, 2026
@coderabbitai

coderabbitai Bot commented May 28, 2026

📝 Walkthrough

This PR pins all third-party GitHub Actions across three CI workflows to specific commit SHAs for improved supply-chain security. The build-cpack-packages.yml workflow now pins actions/checkout, actions-rust-lang/setup-rust-toolchain, and actions/upload-artifact in its packaging jobs. The build-lint-and-test.yml workflow pins actions/checkout, actions/setup-python, actions/setup-java, cache operations, and upload operations across test jobs. The release-upload-packages.yml workflow pins actions/checkout and actions/download-artifact in its artifact publishing step. Job logic, conditionals, and test execution steps remain unchanged.

🚥 Pre-merge checks: 5 passed

Title check (Passed): The title clearly and specifically describes the main change: pinning GitHub actions to commit hashes across all three workflow files.
Description check (Passed): The PR description follows the template structure, includes a Fixes annotation, and provides a checklist with appropriate items marked. The description adequately documents the change purpose and scope.
Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (3)
.github/workflows/build-cpack-packages.yml (1)

45-45: ⚡ Quick win

Consider adding persist-credentials: false to checkout actions.

To prevent potential credential leakage through artifacts, consider explicitly setting persist-credentials: false on all actions/checkout steps.

🔒 Suggested security hardening

Apply this pattern to all checkout steps (lines 45, 80, 102, 127):

-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
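Review bot: the `-`/`+` pair on the `uses:` line is byte-identical, so the suggestion is purely additive: only the `with:` block carrying `persist-credentials: false` changes the step. Before applying it to all four checkouts (lines 45, 80, 102, 127), confirm that no later step in those jobs pushes with git relying on the token that checkout would otherwise leave in the workspace's `.git/config`; such a step would need the token passed to it explicitly.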

Also applies to: 80-80, 102-102, 127-127

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-cpack-packages.yml at line 45, The checkout steps
currently use actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 without
disabling credential persistence; update each actions/checkout step (the entries
shown at lines with the checkout usage) to include persist-credentials: false as
a step input so the runner does not persist GITHUB_TOKEN credentials to the
workspace or artifacts.
.github/workflows/release-upload-packages.yml (1)

32-32: ⚡ Quick win

Consider adding persist-credentials: false to checkout action.

To prevent potential credential leakage through artifacts, consider explicitly setting persist-credentials: false on the actions/checkout step.

🔒 Suggested security hardening
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
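Review bot: keep the trailing `# v4` comment when applying this suggestion: once the action is pinned to a SHA, that comment is the only human-readable record of which release the hash corresponds to, and it is what automated dependency updaters read when they bump the pin. Since this is the release workflow, also check that the publishing step following this checkout receives its token as an explicit input rather than through persisted git credentials.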
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-upload-packages.yml at line 32, The checkout step
using actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 should
explicitly disable credential persistence to avoid leaking repo credentials in
artifacts; update the actions/checkout step (the checkout action invocation) to
include persist-credentials: false in its step inputs so credentials are not
saved to the workspace after checkout.
.github/workflows/build-lint-and-test.yml (1)

29-29: ⚡ Quick win

Consider adding persist-credentials: false to checkout actions.

To prevent potential credential leakage through artifacts, consider explicitly setting persist-credentials: false on all actions/checkout steps.

🔒 Suggested security hardening

Apply this pattern to all checkout steps (lines 29, 70, 169):

-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
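Review bot: in this file `uses:` sits as its own key under a `- name:` entry (no leading `- `), so the added `with:` must align with the `uses:` column exactly as shown; a `with:` indented one level shallower would be parsed as a new list item and the workflow would fail validation. Apply the same alignment at lines 70 and 169.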

Also applies to: 70-70, 169-169

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-lint-and-test.yml at line 29, The checkout steps
using "uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5" (and the
other actions/checkout occurrences) should explicitly disable credential
persistence to avoid leaking creds; update each checkout step to include the
input "persist-credentials: false" under that step (i.e., add a key-value pair
persist-credentials: false in the same step block for the checkout actions).


📥 Commits

Reviewing files that changed from the base of the PR and between 068bc47 and 95be2ba.

📒 Files selected for processing (3)
  • .github/workflows/build-cpack-packages.yml
  • .github/workflows/build-lint-and-test.yml
  • .github/workflows/release-upload-packages.yml
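A small audit script, added here as an example and not part of the PR or the scylladb repository, that checks a workflow for the two controls discussed in this thread: every third-party `uses:` reference pinned to a full 40-hex commit SHA, and every actions/checkout step carrying `persist-credentials: false`. It is a line-based scan with no YAML library that assumes the conventional `- uses:` / `with:` layout; the embedded workflow is constructed, reusing only the actions/checkout SHA from the PR.

```python
import re

# `uses:` either as a list item (`- uses:`) or as a key under `- name:`; the comment after the ref is ignored.
USES_RE = re.compile(r"^(\s*)(-\s*)?uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full commit SHA; tags like v4 or v4.3.1 are mutable

# Constructed sample, not a file from this PR; the SHA is the actions/checkout v4 pin the PR uses.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - name: pinned, token not persisted
    uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
    with:
      persist-credentials: false
  - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
  - uses: ./.github/actions/local-action
  - uses: actions/upload-artifact@v4.3.1
"""


def audit_workflow(text: str) -> list[str]:
    """Return one finding per violation, tagged with the 1-based line of the `uses:` key."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        key_col = len(m.group(1)) + len(m.group(2) or "")  # column where the `uses` key starts
        ref = m.group(3)
        if ref.startswith(("./", "docker://")):
            continue  # local composite actions and container images are outside this check
        action, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(f"line {i + 1}: {action} pinned to mutable ref '{version or '<none>'}'")
        if action == "actions/checkout" and not _persist_disabled(lines, i, key_col):
            findings.append(f"line {i + 1}: actions/checkout without persist-credentials: false")
    return findings


def _persist_disabled(lines, start, key_col) -> bool:
    """Look inside this step's block (lines deeper than key_col) for persist-credentials: false."""
    for line in lines[start + 1:]:
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            continue
        col = len(line) - len(stripped)
        if col < key_col or (col == key_col and stripped.startswith("-")):
            return False  # reached the next step or the end of the steps list: nothing found
        if col > key_col and re.match(r"persist-credentials:\s*false\b", stripped):
            return True
    return False
```

Running `audit_workflow(SAMPLE_WORKFLOW)` reports the unpinned checkout twice (mutable tag and no `persist-credentials: false`), the pinned checkout that lacks the input, and the tag-pinned upload-artifact, while the local action and the fully hardened checkout pass.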

@wprzytula wprzytula merged commit f6b0375 into scylladb:master May 28, 2026
8 of 11 checks passed