Pin dependencies (#5086)

Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>

Author: elastic-renovate-prod[bot]

.github/workflows/add-guidelines.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
 
       - name: Set environment variable for early exit control
         id: check_label
@@ -47,14 +47,14 @@ jobs:
 
       - name: Fail if no relevant labels are found
         if: env.GUIDELINES_FILE == ''
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
           script: |
             core.setFailed('No appropriate GitHub label found in the PR. Failing the job.')
 
       - name: Add Guidelines Comment
         if: env.CONTINUE_JOB == 'true' && (github.event.action == 'opened' || github.event.action == 'labeled')
-        uses: mshick/add-pr-comment@v2
+        uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2
         with:
           message-path: ${{ env.GUIDELINES_FILE }}
           repo-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/backport.yml

@@ -21,7 +21,7 @@ jobs:
       github.event.pull_request.state == 'open' && !github.event.pull_request.draft
     steps:
       - name: 'Apply default "backport: auto" label'
-        uses: actions/github-script@v4
+        uses: actions/github-script@10b53a9ec6c222bb4ce97aa6bd2b5f739696b536 # v4
         if: |
           !contains(github.event.pull_request.labels.*.name, 'backport: auto') &&
           !contains(github.event.pull_request.labels.*.name, 'backport: skip')
@@ -34,7 +34,7 @@ jobs:
               labels: ['backport: auto']
             })
       - name: 'Remove "backport: auto" if "backport: skip" is set'
-        uses: actions/github-script@v4
+        uses: actions/github-script@10b53a9ec6c222bb4ce97aa6bd2b5f739696b536 # v4
         if: |
           contains(github.event.pull_request.labels.*.name, 'backport: auto') &&
           contains(github.event.pull_request.labels.*.name, 'backport: skip')
@@ -65,7 +65,7 @@ jobs:
 
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
         with:
           token: ${{ secrets.WRITE_TRADEBOT_DETECTION_RULES_TOKEN }}
           ref: main
@@ -91,7 +91,7 @@ jobs:
           git reset --soft HEAD^
 
       - name: Setup Python 3.12
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: '3.12'
 
@@ -159,7 +159,7 @@ jobs:
           git push
 
       - name: "Notify slack on failure"
-        uses: craftech-io/slack-action@v1
+        uses: craftech-io/slack-action@fb1d4e50375d7758efb90fa0564734bae931f84f # v1
         with:
           slack_webhook_url: ${{ secrets.EXTERNAL_SLACK_DETECTION_RULES_URL }}
           status: failure

.github/workflows/branch-status-checks.yml

@@ -18,14 +18,14 @@ jobs:
     steps:
     - name: Get Backport Status
       id: get_backport_status
-      uses: fjogeleit/http-request-action@v1
+      uses: fjogeleit/http-request-action@bf78da14118941f7e940279dd58f67e863cbeff6 # v1
       with:
         url: "https://api.github.com/repos/elastic/detection-rules/actions/workflows/pythonpackage.yml/runs?per_page=1&branch=${{matrix.target_branch}}"
         method: 'GET'
         bearerToken: ${{ secrets.READ_ELASTIC_DETECTION_RULES_ORG_TOKEN }}
 
     - name: Check Backport Status
-      uses: actions/github-script@v6
+      uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
       with:
         script: |
           const workflow_status = ${{ toJSON(fromJSON(steps.get_backport_status.outputs.response).workflow_runs[0].status) }}

.github/workflows/code-checks.yml

@@ -17,12 +17,12 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
       with:
         fetch-depth: 1
 
     - name: Set up Python 3.13
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
       with:
         python-version: '3.13'
 

.github/workflows/community.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check if member of elastic org
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
         id: membership
         with:
           github-token: ${{ secrets.READ_ELASTIC_DETECTION_RULES_ORG_TOKEN }}
@@ -40,7 +40,7 @@ jobs:
 
 
       - name: Add label for community members
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
         if: ${{ steps.membership.outputs.result == 'notMember' }}
         with:
           script: |

.github/workflows/get-target-branches.yml

@@ -14,10 +14,10 @@ jobs:
     outputs:
       matrix: ${{ steps.get-branch-list.outputs.matrix }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
 
       - name: Set up Python 3.12
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: '3.12'
 

.github/workflows/kibana-mitre-update.yml

@@ -14,7 +14,7 @@ jobs:
       KIBANA_ISSUE_NUMBER: 166152  # Define the Kibana issue number as a variable
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
 
       - name: Get MITRE Attack changed files
         id: changed-attack-files

.github/workflows/lock-versions.yml

@@ -14,20 +14,20 @@ jobs:
 
     steps:
       - name: Validate the source branch
-        uses: actions/github-script@v3
+        uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3
         with:
           script: |
             if ('refs/heads/main' !== '${{github.event.ref}}') {
               core.setFailed('Forbidden branch, expected "main"')
             }
 
       - name: Checkout detection-rules
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
         with:
           fetch-depth: 0
 
       - name: Set up Python 3.12
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: '3.12'
 
@@ -62,7 +62,7 @@ jobs:
 
       - name: Create Pull Request
         id: cpr
-        uses: peter-evans/create-pull-request@v3
+        uses: peter-evans/create-pull-request@18f7dc018cc2cd597073088f7c7591b9d1c02672 # v3
         with:
           assignees: '${{github.actor}}'
           delete-branch: true
@@ -78,7 +78,7 @@ jobs:
           labels: "backport: auto"
 
       - name: Archive production artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: release-files
           path: |

.github/workflows/manual-backport.yml

@@ -19,7 +19,7 @@ jobs:
     steps:
 
       - name: Checkout detection-rules
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
         with:
           token: ${{ secrets.WRITE_TRADEBOT_DETECTION_RULES_TOKEN }}
           fetch-depth: 0
@@ -46,7 +46,7 @@ jobs:
           git reset --soft HEAD^
 
       - name: Setup Python 3.12
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: '3.12'
 
@@ -79,7 +79,7 @@ jobs:
           ./detection_rules/etc/commit-and-push.sh $TARGET_BRANCH $COMMIT_SHA
 
       - name: "Notify slack on failure"
-        uses: craftech-io/slack-action@v1
+        uses: craftech-io/slack-action@fb1d4e50375d7758efb90fa0564734bae931f84f # v1
         with:
           slack_webhook_url: ${{ secrets.READ_DETECTION_RULES_SLACK_WEBHOOK_TOKEN }}
           status: failure

.github/workflows/pythonpackage.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
       with:
         fetch-depth: 1
 
@@ -21,7 +21,7 @@ jobs:
         git fetch origin main:refs/remotes/origin/main
 
     - name: Set up Python 3.13
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
       with:
         python-version: '3.13'
 
@@ -48,7 +48,7 @@ jobs:
         python -m detection_rules dev build-release $GENERATE_NAVIGATOR_FILES
 
     - name: Archive production artifacts for branch builds
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       if: |
         github.event_name == 'push'
       with: