From f28cc9bd481ce493da11f98c18526d324211599a Mon Sep 17 00:00:00 2001
From: Gabriela Gutierrez <gabigutierrez@google.com>
Date: Tue, 26 Sep 2023 14:35:08 +0000
Subject: [PATCH] CI: Bump and ref actions by commit SHA in ci.yml

Referencing actions by commit SHA in GitHub workflows guarantees you are using an immutable version. Actions referenced by tags and branches are more vulnerable to attacks, such as the tag being moved to a malicious commit or a malicious commit being pushed to the branch.

It's important to make sure the SHA's are from the original repositories and not forks.

For reference:

https://github.com/actions/checkout/releases/tag/v4.1.0
https://github.com/actions/checkout/commit/8ade135a41bc03ea155e62e844d188df1ea18608

https://github.com/actions/upload-artifact/releases/tag/v3.1.3
https://github.com/actions/upload-artifact/commit/a8a3f3ad30e3422c9c7b888a15615d19a852ae32

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
---
 .github/workflows/ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 79ceb141..b5582a74 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,7 +27,7 @@ jobs:
         build_system: [autotools, cmake]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 #v4.1.0
 
       ########################
       # Install Dependencies #
@@ -135,7 +135,7 @@ jobs:
         run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -d small -p test -n small
 
       # Attempt to upload the test logs as artifacts if any step has failed
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 #v3.1.3
         if: ${{ failure() }}
         with:
           name: ${{ matrix.os }} ${{ matrix.build_system }} Test Logs