PR #13016 from step-security-bot: [StepSecurity] ci: Harden GitHub Ac…

…tions

.github/workflows/build-ROS2-package-CI.yaml

@@ -38,12 +38,12 @@ jobs:
     steps:
 
       - name: setup ROS environment
-        uses: ros-tooling/[email protected]
+        uses: ros-tooling/setup-ros@44e00e21351330f8dbc9f298bc179cd0c7910477 # v0.7
         with:
           required-ros-distributions: ${{ matrix.ros_distribution }}
 
       - name: build librealsense ROS 2
-        uses: ros-tooling/[email protected]
+        uses: ros-tooling/action-ros-ci@0c87ffc035492b66c9afb9159ca9664fb0b513e1 # v0.3
         with:
           target-ros2-distro: ${{ matrix.ros_distribution }}
           skip-tests: true

.github/workflows/buildsCI.yaml

@@ -27,7 +27,7 @@ jobs:
     runs-on: windows-2019
     timeout-minutes: 60
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
     - name: Enable Long Paths
       shell: powershell
@@ -69,7 +69,7 @@ jobs:
     runs-on: windows-2019
     timeout-minutes: 60
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
     - name: Enable Long Paths
       shell: powershell
@@ -111,8 +111,8 @@ jobs:
     runs-on: windows-2019
     timeout-minutes: 60
     steps:
-    - uses: actions/checkout@v3
-    - uses: actions/setup-python@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+    - uses: actions/setup-python@3542bca2639a428e1796aaa6a2ffef0c0f575566 # v3.1.4
       with:
        python-version: '3.8.1'
 
@@ -171,8 +171,8 @@ jobs:
     runs-on: windows-2019
     timeout-minutes: 60
     steps:
-    - uses: actions/checkout@v3
-    - uses: actions/setup-python@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+    - uses: actions/setup-python@3542bca2639a428e1796aaa6a2ffef0c0f575566 # v3.1.4
       with:
        python-version: '3.8.1'
 
@@ -222,8 +222,8 @@ jobs:
     timeout-minutes: 60
 
     steps:
-    - uses: actions/checkout@v3
-    - uses: actions/setup-python@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+    - uses: actions/setup-python@3542bca2639a428e1796aaa6a2ffef0c0f575566 # v3.1.4
       with:
        python-version: '3.8.1'
 
@@ -264,7 +264,7 @@ jobs:
     runs-on: ubuntu-22.04    
     timeout-minutes: 60
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
     - name: Prebuild
       shell: bash
@@ -297,7 +297,7 @@ jobs:
         ./live-test -d yes -i [software-device]        
 
     - name: Upload RS log artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
       with: 
         name: Log file - U22_ST_Py_EX_CfU_LiveTest
         path: build/*.log
@@ -318,7 +318,7 @@ jobs:
     runs-on: ubuntu-20.04
     timeout-minutes: 60
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
     - name: Prebuild
       shell: bash
@@ -361,7 +361,7 @@ jobs:
     runs-on: ubuntu-20.04
     timeout-minutes: 60
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
     - name: Prebuild
       shell: bash
@@ -419,7 +419,7 @@ jobs:
     env: 
       LRS_BUILD_NODEJS: true
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
     - name: Check_API
       shell: bash
@@ -459,7 +459,7 @@ jobs:
         ./live-test -d yes -i [software-device]
 
     - name: Upload RS log artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
       with:
         name: Log file - U22_SH_RSUSB_LiveTest
         path: build/*.log
@@ -481,7 +481,7 @@ jobs:
     timeout-minutes: 60
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
     - name: Check_API
       shell: bash
@@ -515,7 +515,7 @@ jobs:
     runs-on: ubuntu-20.04   
     timeout-minutes: 60
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
     - name: Check_API
       shell: bash

.github/workflows/static_analysis.yaml

@@ -14,7 +14,7 @@ jobs:
     timeout-minutes: 30
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Install 
         shell: bash
@@ -64,7 +64,7 @@ jobs:
             &&  echo "No diffs found in cppcheck_run.parsed.log"
 
       - name: Upload logs
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with: 
           name: cppcheck_log
           path: |
@@ -105,7 +105,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: "Install Dependencies"
         run: |