[CLIENT-2911] CI/CD: Lock Github Actions used in workflows using their commit hash

.github/actions/get-artifact-for-stage-tests/action.yml

@@ -49,7 +49,7 @@ runs:
     run: echo "GITHUB_ARTIFACT_NAME=${{ env.PYTHON_TAG }}-${{ inputs.wheel_os }}_${{ inputs.wheel_cpu_arch }}.build" >> $GITHUB_ENV
     shell: bash
 
-  - uses: actions/download-artifact@v4
+  - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
     if: ${{ inputs.get_from_jfrog == 'false' }}
     with:
       name: ${{ env.GITHUB_ARTIFACT_NAME }}
@@ -70,7 +70,7 @@ runs:
   # End codepath that downloads artifacts from Github
   # Begin codepath that downloads from JFrog
 
-  - uses: jfrog/setup-jfrog-cli@v4
+  - uses: jfrog/setup-jfrog-cli@88e9eba31c07e31beefa4cef5c0e93d1af9535d7 # v4
     if: ${{ inputs.get_from_jfrog == 'true' }}
     env:
       JF_URL: ${{ inputs.JFROG_PLATFORM_URL }}

.github/actions/run-ee-server/action.yml

@@ -40,7 +40,7 @@ runs:
 
   - name: Log into registry to get non-public server RCs
     # We can still pull public images while logged in, so just do this all the time to make things simple
-    uses: docker/login-action@v3
+    uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
     with:
       registry: ${{ inputs.registry-name }}
       username: ${{ inputs.registry-username }}
@@ -54,11 +54,11 @@ runs:
 
   # QE images are not multi-platform and only support a single platform.
   - name: Allow building images from different platforms other than the native one
-    uses: docker/setup-qemu-action@v3
+    uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
 
   # macOS Github runners and Windows self-hosted runners don't have buildx installed by default
   - if: ${{ runner.os == 'Windows' || runner.os == 'macOS' }}
-    uses: docker/setup-buildx-action@v3
+    uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
 
   - run: echo CA_CERT_FILE_NAME="ca.cer" >> $GITHUB_ENV
     shell: bash
@@ -69,7 +69,7 @@ runs:
   - name: Build Aerospike server Docker image for testing
     # We enable TLS standard authentication to verify that the OpenSSL library bundled with the wheel works
     # You can manually verify this by enabling debug logging in the client and checking that the server certificate was verified
-    uses: docker/build-push-action@v6
+    uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
     with:
       # Don't want to use default Git context or else it will clone the whole Python client repo again
       context: .github/workflows/docker-build-context

.github/workflows/build-and-run-stage-tests.yml

@@ -24,6 +24,11 @@ on:
         type: boolean
         default: true
         description: 'Test macOS x86 wheels (unstable)'
+      test-file:
+        required: false
+        type: string
+        default: ''
+        description: Allows you to choose specific test files to run.
 
 jobs:
   build-select-wheels:
@@ -59,3 +64,4 @@ jobs:
       image-name: ${{ inputs.image-name }}
       server-tag: ${{ inputs.server-tag }}
       test-macos-x86: ${{ inputs.test-macos-x86 }}
+      test-file: ${{ inputs.test-file }}

.github/workflows/build-sdist.yml

@@ -26,12 +26,12 @@ jobs:
       # The calling workflow can be triggered by push or pull request events, so there's that
       # https://github.com/actions/runner/issues/3146#issuecomment-2000017097
       if: ${{ github.event_name != 'push' && github.event_name != 'pull_request' }}
-      uses: myrotvorets/[email protected]
+      uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0
       with:
         sha: ${{ env.COMMIT_SHA_TO_BUILD }}
         context: ${{ env.STATUS_CHECK_MESSAGE }}
 
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
       with:
         submodules: recursive
         ref: ${{ env.COMMIT_SHA_TO_BUILD }}
@@ -44,13 +44,13 @@ jobs:
       run: python3 -m build --sdist
 
     - name: Upload source distribution to GitHub
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         path: ./dist/*.tar.gz
         name: sdist.build
 
     - name: Set final commit status
-      uses: myrotvorets/[email protected]
+      uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0
       # Always run even if job failed or is cancelled
       # But we don't want to show anything if the calling workflow was triggered by these events
       if: ${{ always() && github.event_name != 'push' && github.event_name != 'pull_request' }}

.github/workflows/build-wheels.yml

@@ -185,13 +185,13 @@ jobs:
       shell: bash
 
     - name: Show job status for commit
-      uses: myrotvorets/[email protected]
+      uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0
       if: ${{ github.event_name != 'push' && github.event_name != 'pull_request' }}
       with:
         sha: ${{ env.COMMIT_SHA_TO_BUILD_AND_TEST }}
         context: ${{ env.STATUS_CHECK_MESSAGE }}
 
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
       with:
         submodules: recursive
         ref: ${{ env.COMMIT_SHA_TO_BUILD_AND_TEST }}
@@ -200,7 +200,7 @@ jobs:
 
     - name: 'Windows: Add msbuild to PATH'
       if: ${{ inputs.platform-tag == 'win_amd64' }}
-      uses: microsoft/[email protected]
+      uses: microsoft/setup-msbuild@34cfbaee7f672c76950673338facd8a73f637506 # v1.1
 
     - name: 'Windows: Install C client deps'
       if: ${{ inputs.platform-tag == 'win_amd64' }}
@@ -253,7 +253,7 @@ jobs:
     - if: ${{ startsWith(inputs.platform-tag, 'manylinux') }}
       run: echo CIBW_MANYLINUX_AARCH64_IMAGE=${{ format(env.CUSTOM_IMAGE_NAME, 'aarch64', 'ebd269b4ecc3e186eeb0d734d765dfe9c606017a1cd5a122e08018b86b126217') }} >> $GITHUB_ENV
 
-    - uses: docker/login-action@v3
+    - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
       if: ${{ startsWith(inputs.platform-tag, 'manylinux') }}
       with:
         registry: ghcr.io
@@ -294,7 +294,7 @@ jobs:
       run: echo CIBW_ENVIRONMENT_MACOS="LDFLAGS='-headerpad_max_install_names'" >> $GITHUB_ENV
 
     - name: Build wheel
-      uses: pypa/[email protected]
+      uses: pypa/cibuildwheel@352e01339f0a173aa2a3eb57f01492e341e83865 # v3.1.3
       id: cibuildwheel
       env:
         # manylinux_2_28 x64 image doesn't search in this directory for shared libraries
@@ -341,15 +341,15 @@ jobs:
       shell: bash
 
     - name: Upload wheels to GitHub
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       if: ${{ !cancelled() }}
       with:
         path: ./wheelhouse/*.whl
         name: ${{ env.BUILD_IDENTIFIER }}.build
         if-no-files-found: error
 
     - name: Set final commit status
-      uses: myrotvorets/[email protected]
+      uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0
       if: ${{ always() && github.event_name != 'push' && github.event_name != 'pull_request' }}
       with:
         sha: ${{ env.COMMIT_SHA_TO_BUILD_AND_TEST }}
@@ -373,13 +373,13 @@ jobs:
         shell: bash
 
       - name: Show job status for commit
-        uses: myrotvorets/[email protected]
+        uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0
         if: ${{ github.event_name != 'push' && github.event_name != 'pull_request' }}
         with:
           sha: ${{ env.COMMIT_SHA_TO_BUILD_AND_TEST }}
           context: ${{ env.STATUS_CHECK_MESSAGE }}
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
         with:
           ref: ${{ env.COMMIT_SHA_TO_BUILD_AND_TEST }}
 
@@ -398,7 +398,7 @@ jobs:
           where-is-client-connecting-from: ${{ inputs.platform-tag == 'win_amd64' && 'remote-connection' || 'docker-host' }}
 
       - name: Download wheel
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
           name: ${{ env.BUILD_IDENTIFIER }}.build
 
@@ -411,7 +411,7 @@ jobs:
           echo PYTHON_VERSION="${PYTHON_VERSION/3/3.}" >> $GITHUB_ENV
         shell: bash
 
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           allow-prereleases: true
@@ -430,7 +430,7 @@ jobs:
 
       - name: Show job status for commit
         if: ${{ always() && github.event_name != 'push' && github.event_name != 'pull_request' }}
-        uses: myrotvorets/[email protected]
+        uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0
         with:
           sha: ${{ env.COMMIT_SHA_TO_BUILD_AND_TEST }}
           status: ${{ job.status }}

.github/workflows/bump-version.yml

@@ -48,12 +48,12 @@
       current_version: ${{ steps.get-current-version.outputs.current_version }}
     steps:
     # Checkout the branch where we want to bump the new version
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
       with:
         token: ${{ secrets.CLIENT_BOT_PAT }}
         ref: ${{ inputs.ref }}
 
     - name: Get current version
       id: get-current-version
       run: echo current_version=$(cat VERSION) >> $GITHUB_OUTPUT
 
@@ -64,7 +64,7 @@
       new_version: ${{ steps.get-new-version.outputs.new_version }}
     steps:
     # Checkout branch where workflow is being called from
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 
     - name: Install library that parses PEP 440 versions
       run: pip install parver -c requirements.txt

.github/workflows/delete-artifacts.yml

@@ -6,6 +6,6 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Remove artifacts with dev version
-        uses: geekyeggo/delete-artifact@v5
+        uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
         with:
           name: '*.build'

.github/workflows/dev-to-stage.yml

@@ -13,7 +13,7 @@ jobs:
       run_stage_tests: ${{ steps.run_stage_tests.outputs.run_stage_tests }}
     runs-on: ubuntu-22.04
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
       with:
         # Get all tags
         fetch-depth: 0

.github/workflows/fast-forward-merge.yml

@@ -29,7 +29,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
         with:
           # Fetch the whole history to prevent unrelated history errors
           fetch-depth: '0'

.github/workflows/stage-tests.yml

@@ -39,6 +39,11 @@ on:
         type: boolean
         default: false
         description: 'Test macOS x86 wheels (unstable)'
+      test-file:
+        required: false
+        type: string
+        default: ''
+        description: 'Allows you to choose specific test files to run.'
 
 env:
   REGISTRY_USERNAME: ${{ inputs.registry-name == 'docker.io' && secrets.DOCKER_HUB_BOT_USERNAME || secrets.QE_DOCKER_REGISTRY_USERNAME }}
@@ -101,7 +106,7 @@ jobs:
     # TODO: the checkout code is also duplicated in the macOS stage tests
     # But it's only a few lines of code so I didn't bother to create a composite action for it.
     - name: Get tests and Github action scripts
-      uses: actions/checkout@v4
+      uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
       with:
         ref: ${{ inputs.use_jfrog_builds && inputs.jfrog-build-version-to-test || github.sha }}
         sparse-checkout: |
@@ -182,7 +187,7 @@ jobs:
       run: docker exec --workdir /aerospike-client-python/test ${{ env.LINUX_DISTRO_CONTAINER_NAME }} python${{ env.PYTHON_VERSION }} -m ${{ env.PIP_INSTALL_COMMAND }} pytest -c requirements.txt
 
     - name: Run tests
-      run: docker exec --workdir /aerospike-client-python/test ${{ env.LINUX_DISTRO_CONTAINER_NAME }} python${{ env.PYTHON_VERSION }} -m pytest new_tests/
+      run: docker exec --workdir /aerospike-client-python/test ${{ env.LINUX_DISTRO_CONTAINER_NAME }} python${{ env.PYTHON_VERSION }} -m pytest new_tests/${{ inputs.test-file }}
 
   macOS:
     if: ${{ inputs.test-macos-x86 }}
@@ -204,7 +209,7 @@ jobs:
     runs-on: ${{ matrix.runner-os }}
     steps:
     - name: Get tests and Github action scripts
-      uses: actions/checkout@v4
+      uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
       with:
         ref: ${{ inputs.use_jfrog_builds && inputs.jfrog-build-version-to-test || github.sha }}
         sparse-checkout: |
@@ -224,7 +229,7 @@ jobs:
         JFROG_ACCESS_TOKEN: ${{ secrets.JFROG_ACCESS_TOKEN }}
         JFROG_REPO_NAME: ${{ vars.JFROG_REPO_NAME }}
 
-    - uses: actions/setup-python@v4
+    - uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v2
       with:
         python-version: ${{ matrix.python-version }}
 

.github/workflows/stage-to-master.yml

@@ -41,14 +41,14 @@ jobs:
     needs: build-artifacts
     steps:
     - name: Download and store all artifacts to single folder
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
       with:
         path: artifacts
         merge-multiple: true
 
     # TODO: fix
     - name: Publish package distributions to PyPI
-      uses: pypa/gh-action-pypi-publish@release/v1
+      uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
       with:
         packages-dir: artifacts/
         password: ${{ secrets.PYPI_API_TOKEN }}

.github/workflows/test-server-rc.yml

@@ -29,7 +29,7 @@ jobs:
         ]
     runs-on: ${{ matrix.platform[1] }}
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 
     - run: docker run -d --name manylinux quay.io/pypa/manylinux2014_${{ matrix.platform[0] }} tail -f /dev/null
 
@@ -41,7 +41,7 @@ jobs:
         docker-hub-password: ${{ secrets.DOCKER_HUB_BOT_PW }}
         where-is-client-connecting-from: 'docker-container'
 
-    - uses: actions/download-artifact@v4
+    - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
       with:
         name: ${{ matrix.python[1] }}-manylinux_${{ matrix.platform[0] }}.build
         path: ./
@@ -73,7 +73,7 @@ jobs:
         ]
     runs-on: macos-12-large
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 
     - uses: ./.github/actions/setup-docker-on-macos
 
@@ -84,12 +84,12 @@ jobs:
         docker-hub-username: ${{ secrets.DOCKER_HUB_BOT_USERNAME }}
         docker-hub-password: ${{ secrets.DOCKER_HUB_BOT_PW }}
 
-    - uses: actions/download-artifact@v4
+    - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
       with:
         name: ${{ matrix.python[1] }}-macosx_x86_64.build
         path: ./
 
-    - uses: actions/setup-python@v4
+    - uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v2
       with:
         python-version: ${{ matrix.python[0] }}
 
@@ -119,9 +119,9 @@ jobs:
         ]
       fail-fast: false
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 
-    - uses: actions/download-artifact@v4
+    - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
       with:
         name: ${{ matrix.python-version[1] }}-macosx_arm64.build
         path: ./
@@ -137,7 +137,7 @@ jobs:
     # Need to be able to save Docker Hub credentials to keychain
     - run: security unlock-keychain -p ${{ secrets.MAC_M1_SELF_HOSTED_RUNNER_PW }}
 
-    - uses: docker/login-action@v3
+    - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
       with:
         username: ${{ secrets.DOCKER_HUB_BOT_USERNAME }}
         password: ${{ secrets.DOCKER_HUB_BOT_PW }}