Add ensure-sha-pinned-actions action to CI pipeline

.github/workflows/harden-ci-security.yml

@@ -0,0 +1,19 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: Harden CI security
+
+on:
+  workflow_call:
+    inputs:
+      ref:
+        required: true
+        type: string
+
+jobs:
+  ensure-sha-pinned-actions:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - name: Ensure all actions are pinned to a specific commit
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@555a30da2656b4a7cf47b107800bef097723363e # v2.1.3

.github/workflows/on-push-master.yml

@@ -7,6 +7,11 @@ on:
     branches: [master]
 
 jobs:
+  harden-ci-security:
+    uses: ./.github/workflows/harden-ci-security.yml
+    with:
+      ref: ${{ github.event.ref }}
+
   run-tests:
     uses: ./.github/workflows/run-tests.yml
     with:

.github/workflows/on-push-other-branch.yml

@@ -7,6 +7,11 @@ on:
     branches-ignore: [master]
 
 jobs:
+  harden-ci-security:
+    uses: ./.github/workflows/harden-ci-security.yml
+    with:
+      ref: ${{ github.event.ref }}
+
   run-tests:
     uses: ./.github/workflows/run-tests.yml
     with:

.github/workflows/on-push-pr.yml

@@ -6,6 +6,11 @@ on:
   pull_request:
 
 jobs:
+  harden-ci-security:
+    uses: ./.github/workflows/harden-ci-security.yml
+    with:
+      ref: ${{ github.event.pull_request.head.sha }}
+
   run-tests-for-pr:
     uses: ./.github/workflows/run-tests.yml
     with: