Pin GitHub Actions to full-length commit SHAs (#47)

* Initial plan

* Pin GitHub Actions to full-length commit SHAs and add workflow instructions

Agent-Logs-Url: https://github.com/advanced-security/codeql-development-template/sessions/2b09ef7b-423b-462a-93f1-8107507d935f

Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>

* Remove unrelated codeql-pack.lock.yml files accidentally included

Agent-Logs-Url: https://github.com/advanced-security/codeql-development-template/sessions/2b09ef7b-423b-462a-93f1-8107507d935f

Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>

* Upgrade codeql CLI to version 2.25.2

Upgrades the codeql CLI version from 2.23.5 to 2.25.2 in an attempt
to resolve unit testing failures for bundled CodeQL queries.

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>
Co-authored-by: Nathan Randall <data-douser@github.com>

Author: Copilot

.github/actions/setup-codeql-environment/action.yml

@@ -101,7 +101,7 @@ runs:
     - name: Cache QLT and CodeQL packages
       id: cache-codeql
       if: inputs.install-codeql == 'true'
-      uses: actions/cache@v4
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
       with:
         path: |
           ~/.qlt/packages
@@ -112,7 +112,7 @@ runs:
 
     - name: Install QLT (CodeQL Development Toolkit)
       id: install-qlt
-      uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main
+      uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@da8bc39fd7dc759c8a528b7c2e7534675c06c62c # main
       with:
         qlt-version: "latest"
         add-to-path: true
@@ -425,7 +425,7 @@ runs:
     # Language-specific setup steps with enhanced caching (only if language runtimes installation is enabled)
     - name: Setup Node.js
       if: inputs.install-language-runtimes == 'true'
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
       with:
         cache: "npm"
         cache-dependency-path: "package-lock.json"
@@ -435,7 +435,7 @@ runs:
     - name: Cache language runtimes
       id: cache-runtimes
       if: inputs.install-language-runtimes == 'true'
-      uses: actions/cache@v4
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
       with:
         path: |
           ~/go/pkg/mod
@@ -449,42 +449,42 @@ runs:
 
     - name: Setup Python (with cache)
       if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'python') && steps.check-deps.outputs.python-deps == 'true'
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
       with:
         python-version: ${{ inputs.python-version }}
         cache: "pip"
 
     - name: Setup Python (without cache)
       if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'python') && steps.check-deps.outputs.python-deps == 'false'
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
       with:
         python-version: ${{ inputs.python-version }}
 
     - name: Setup Java (with cache)
       if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'java') && steps.check-deps.outputs.java-deps == 'true'
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
       with:
         distribution: "temurin"
         java-version: ${{ inputs.java-version }}
         cache: "maven"
 
     - name: Setup Java (without cache)
       if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'java') && steps.check-deps.outputs.java-deps == 'false'
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
       with:
         distribution: "temurin"
         java-version: ${{ inputs.java-version }}
 
     - name: Setup Go (with cache)
       if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'go') && steps.check-deps.outputs.go-deps == 'true'
-      uses: actions/setup-go@v6
+      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
       with:
         go-version: ${{ inputs.go-version }}
         cache: true
 
     - name: Setup Go (without cache)
       if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'go') && steps.check-deps.outputs.go-deps == 'false'
-      uses: actions/setup-go@v6
+      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
       with:
         go-version: ${{ inputs.go-version }}
         cache: false
@@ -493,7 +493,7 @@ runs:
     - name: Cache .NET packages
       if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'csharp')
       id: cache-dotnet-packages
-      uses: actions/cache@v4
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
       with:
         path: |
           ~/.nuget/packages
@@ -505,20 +505,20 @@ runs:
 
     - name: Setup .NET (for C#)
       if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'csharp')
-      uses: actions/setup-dotnet@v5
+      uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5
       with:
         dotnet-version: ${{ inputs.dotnet-version }}
 
     - name: Setup Ruby (with cache)
       if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'ruby') && steps.check-deps.outputs.ruby-deps == 'true'
-      uses: ruby/setup-ruby@v1
+      uses: ruby/setup-ruby@0cb964fd540e0a24c900370abf38a33466142735 # v1
       with:
         ruby-version: ${{ inputs.ruby-version }}
         bundler-cache: true
 
     - name: Setup Ruby (without cache)
       if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'ruby') && steps.check-deps.outputs.ruby-deps == 'false'
-      uses: ruby/setup-ruby@v1
+      uses: ruby/setup-ruby@0cb964fd540e0a24c900370abf38a33466142735 # v1
       with:
         ruby-version: ${{ inputs.ruby-version }}
         bundler-cache: false
@@ -527,7 +527,7 @@ runs:
     - name: Cache C++ build tools
       if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'cpp')
       id: cache-cpp-tools
-      uses: actions/cache@v4
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
       with:
         path: |
           ~/.ccache

.github/instructions/github_workflows_yaml.instructions.md

@@ -0,0 +1,35 @@
+---
+applyTo: '.github/{actions,workflows}/**/*.{yml,yaml}'
+description: 'Instructions for editing GitHub Actions workflows for this repository.'
+---
+
+# Copilot Instructions for `.github/{actions,workflows}/**/*.{yml,yaml}` files
+
+## PURPOSE
+
+This file contains instructions for working with GitHub Actions YAML files in the `.github/actions/` and `.github/workflows/` directories of the `codeql-development-template` repository.
+
+## REQUIREMENTS
+
+- **ALWAYS pin ALL external GitHub Actions to full-length commit SHAs, never to tags or branch names — including GitHub-maintained `actions/*` actions.** Add a trailing comment with the original tag for readability (e.g., `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6`). To resolve a tag to its underlying commit SHA (handling annotated tags correctly), run `git ls-remote https://github.com/OWNER/REPO.git refs/tags/TAG^{}`; for branch-based refs, use `refs/heads/BRANCH`.
+- ALWAYS use the principle of least privilege, and explicitly set `permissions` for workflows.
+- ALWAYS use valid YAML syntax and follow GitHub Actions workflow conventions.
+- ALWAYS follow best practices for GitHub Actions workflows including security, efficiency, and maintainability.
+- ALWAYS use descriptive names for workflows, jobs, and steps that clearly explain their purpose.
+- ALWAYS check formatting with `npm run lint && npm run format:check` from the repo root directory to ensure consistent formatting after making changes.
+- ALWAYS fix linting and formatting errors by running `npm run lint:fix && npm run format` from the repo root directory before committing changes.
+
+## PREFERENCES
+
+- PREFER explicit permissions declarations using the `permissions` key for security.
+- PREFER descriptive step names that include the workflow context (e.g., "Lint and Format - Checkout repository").
+- PREFER matrix strategies for testing multiple versions when applicable.
+- PREFER adding summary outputs using `$GITHUB_STEP_SUMMARY` for better workflow visibility.
+
+## CONSTRAINTS
+
+- **NEVER reference an external GitHub Action by tag or branch name (e.g., `@v6`, `@main`). ALWAYS use the full 40-character commit SHA with a `# tag` comment.**
+- NEVER use overly broad permissions.
+- NEVER leave any trailing whitespace on any line.
+- NEVER use deprecated GitHub Actions or workflow syntax.
+- NEVER commit workflow files without running the formatting checks first.

.github/workflows/codeql-qlt-unit-tests.yml

@@ -30,7 +30,7 @@ jobs:
       has_languages: ${{ steps.find-languages.outputs.has_languages }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Setup CodeQL environment for discovering unit tests
         uses: ./.github/actions/setup-codeql-environment
@@ -102,7 +102,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Setup CodeQL environment for executing `qlt` unit tests
         uses: ./.github/actions/setup-codeql-environment
@@ -153,7 +153,7 @@ jobs:
       - name: Upload test results
         # Upload results even if tests failed, but only if the language is valid
         if: ${{ always() && matrix.language && matrix.language != 'unknown' }}
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: qlt-test-results-${{ matrix.language }}-${{ runner.os }}
           path: |
@@ -167,7 +167,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Setup CodeQL environment for validating `qlt` unit tests
         uses: ./.github/actions/setup-codeql-environment
@@ -177,7 +177,7 @@ jobs:
           install-ql-packs: false
 
       - name: Download CodeQL unit test results
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           pattern: qlt-test-results-*
           path: test-results/

.github/workflows/copilot-setup-steps.yml

@@ -29,7 +29,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Copilot Setup - Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Copilot Setup - Setup CodeQL environment
         uses: ./.github/actions/setup-codeql-environment

.github/workflows/lint-and-format.yml

@@ -35,10 +35,10 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           cache: "npm"
           node-version-file: "package.json"

languages/qlt.conf.json

@@ -1,5 +1,5 @@
 {
-  "CodeQLCLI": "2.23.5",
-  "CodeQLStandardLibrary": "codeql-cli/v2.23.5",
-  "CodeQLCLIBundle": "codeql-bundle-v2.23.5"
+  "CodeQLCLI": "2.25.2",
+  "CodeQLStandardLibrary": "codeql-cli/v2.25.2",
+  "CodeQLCLIBundle": "codeql-bundle-v2.25.2"
 }

qlt.conf.json

@@ -1,5 +1,5 @@
 {
-  "CodeQLCLI": "2.23.5",
-  "CodeQLStandardLibrary": "codeql-cli/v2.23.5",
-  "CodeQLCLIBundle": "codeql-bundle-v2.23.5"
+  "CodeQLCLI": "2.25.2",
+  "CodeQLStandardLibrary": "codeql-cli/v2.25.2",
+  "CodeQLCLIBundle": "codeql-bundle-v2.25.2"
 }