Update GitHub Actions to use pinned hash references

.github/workflows/clear-old-test-rules.yml

@@ -16,14 +16,14 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           ref: "test-rules"
           path: destination
 
       - name: Get Open PRs
         id: open_prs
-        uses: actions/github-script@v4
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea  # v7.0.1
         with:
           script: |
             github.paginate(

.github/workflows/rule-validate.yml

@@ -29,11 +29,11 @@ jobs:
 
     steps:
       - name: Set up yq
-        uses: mikefarah/yq@v4.27.3
+        uses: mikefarah/yq@8bf425b4d1344db7cd469a8d10a390876e0c77fd  # v4.45.1
 
       - name: Get PR branch
         if: github.event_name == 'issue_comment'
-        uses: alessbell/pull-request-comment-branch@v1.1 # Fork of xt0rted/pull-request-comment-branch, see https://github.com/xt0rted/pull-request-comment-branch/issues/322
+        uses: alessbell/pull-request-comment-branch@ef3408c9757d05f89cb525036383033a313758a0  # v2.1.0
         id: comment_branch
 
       - name: Get Refs
@@ -56,7 +56,7 @@ jobs:
           echo "##[set-output name=repo;]$repo"
 
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           repository: ${{ steps.get_head_ref.outputs.repo }}
           ref: ${{ steps.get_head_ref.outputs.head_ref }}
@@ -85,7 +85,7 @@ jobs:
           echo "##[set-output name=run_all;]$run_all"
           echo "##[set-output name=base_ref;]$base_ref"
 
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38  # v5.4.0
         with:
           python-version: '3.10'
 
@@ -173,7 +173,7 @@ jobs:
       # Various alternatives were explored, but all run into issues when dealing with forks. This sets a "Check" for
       # the latest commit, and we can depend on that as a required check.
       - name: "Create a check run"
-        uses: actions/github-script@v6
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea  # v7.0.1
         if: (github.event_name == 'pull_request_target' || github.event_name == 'merge_group' ) && always()
         env:
           run_url: "${{ format('https://github.com/{0}/actions/runs/{1}', steps.get_head_ref.outputs.repo, github.run_id) }}"
@@ -206,13 +206,13 @@ jobs:
 
       - name: Get changed detection-rules
         id: changed-files
-        uses: tj-actions/changed-files@v39
+        uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32  # v46.0.1
         with:
           files: "detection-rules/**"
           recover_deleted_files: true
 
       - name: Checkout base
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         if: ${{ steps.get_base_ref.outputs.run_all != 'true' }}
         with:
           ref: ${{ steps.get_base_ref.outputs.base_ref }}
@@ -279,7 +279,7 @@ jobs:
 
 
       - name: "Find mql-mimic-exempt Comments"
-        uses: actions/github-script@v6
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea  # v7.0.1
         id: find_emls_to_skip
         if: steps.find_pr_number.outputs.result != ''
         with:
@@ -329,7 +329,7 @@ jobs:
             return allEMLsToSkip.join(" ")
 
       - name: "Find Existing MQL Mimic Test Results"
-        uses: actions/github-script@v6
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea  # v7.0.1
         id: find_mql_mimic_results
         if: ${{ github.event_name != 'merge_group' }}
         env:
@@ -378,7 +378,7 @@ jobs:
           ignoreIDs: ${{ steps.find_mql_mimic_results.outputs.result }}
 
       - name: "Create MQL Mimic Check"
-        uses: actions/github-script@v6
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea  # v7.0.1
         if: ${{ github.event_name == 'merge_group' }}
         id: create_check
         env:

.github/workflows/update-test-rules.yml

@@ -23,7 +23,7 @@ jobs:
       # TheModdingInquisition/actions-team-membership@v1.0 could be used for a team check, but we'd need to create a PAT for it.
       - name: Check if commentor is organization member
         id: is_organization_member
-        uses: jamessingleton/is-organization-member@1.0.0
+        uses: jamessingleton/is-organization-member@fb5924a6287762ee5fc71bf9e95a60842af5528d  # 1.0.1
         with:
           organization: sublime-security
           username: ${{ github.event.comment.user.login }}
@@ -44,11 +44,11 @@ jobs:
         run: exit 1
 
       - name: Get PR branch
-        uses: alessbell/pull-request-comment-branch@v1.1 # Fork of xt0rted/pull-request-comment-branch, see https://github.com/xt0rted/pull-request-comment-branch/issues/322
+        uses: alessbell/pull-request-comment-branch@ef3408c9757d05f89cb525036383033a313758a0  # v2.1.0
         id: comment_branch
 
       - name: Wait for Rule Validation Succeed
-        uses: lewagon/wait-on-check-action@v1.3.1
+        uses: lewagon/wait-on-check-action@ccfb013c15c8afb7bf2b7c028fb74dc5a068cccc  # v1.3.4
         with:
           ref: ${{ steps.comment_branch.outputs.head_sha }}
           check-name: 'Rule Tests and ID Updated'
@@ -69,22 +69,22 @@ jobs:
 
     steps:
       - name: Get PR branch
-        uses: alessbell/pull-request-comment-branch@v1.1 # Fork of xt0rted/pull-request-comment-branch, see https://github.com/xt0rted/pull-request-comment-branch/issues/322
+        uses: alessbell/pull-request-comment-branch@ef3408c9757d05f89cb525036383033a313758a0  # v2.1.0
         id: comment_branch
 
       - name: Checkout PR branch
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           repository: ${{ steps.comment_branch.outputs.head_owner }}/${{ steps.comment_branch.outputs.head_repo }}
           ref: ${{ steps.comment_branch.outputs.head_ref }}
           fetch-depth: 0
           path: source
 
       - name: Install yq
-        uses: mikefarah/yq@v4.33.3
+        uses: mikefarah/yq@8bf425b4d1344db7cd469a8d10a390876e0c77fd  # v4.45.1
 
       - name: Checkout test-rules
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           ref: test-rules
           path: destination