Build: Reference GitHub Actions by commit SHAs

The SHAs are verified to come from the original repositories and not forks.

For reference:

https://github.com/actions/checkout/releases/tag/v3.5.2
https://github.com/actions/checkout/commit/8e5e7e5ab8b370d6c329ec480221332ada57f0ab

https://github.com/actions/cache/releases/tag/v3.3.1
https://github.com/actions/cache/commit/88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8

https://github.com/actions/setup-node/releases/tag/v3.6.0
https://github.com/actions/setup-node/commit/64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c

Fixes gh-5266
Closes gh-5269

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
(cherry picked from commit 784b9ba6e403997161113aa56d1747baed4e0767)

diff --git a/.github/workflows/node.js.yml b/.github/workflows/node.js.yml
index 38a81d2afdacb1838431c2f965dbf1f76929e27e..40f1a74b4148bac0c717ee5e669d2c9b7a5ddbb2 100644 (file)
--- a/.github/workflows/node.js.yml
+++ b/.github/workflows/node.js.yml
@@ -42,10 +42,10 @@ jobs:
             BROWSERS: "FirefoxHeadless"
     steps:
     - name: Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
     - name: Cache
-      uses: actions/cache@v3
+      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
       with:
         path: ~/.npm
         key: ${{ runner.os }}-node-${{ matrix.NODE_VERSION }}-npm-lock-${{ hashFiles('**/package-lock.json') }}
@@ -53,7 +53,7 @@ jobs:
           ${{ runner.os }}-node-${{ matrix.NODE_VERSION }}-npm-lock-
 
     - name: Use Node.js ${{ matrix.NODE_VERSION }}
-      uses: actions/setup-node@v3.6.0
+      uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
       with:
         node-version: ${{ matrix.NODE_VERSION }}