ci: pin github actions by hash and update via dependabot (#6626)

## Summary of changes

- **Add dependabot for github actions**
- **Pin actions by hash**

## Reason for change

Pinning 3rd-party GitHub Actions by commit SHA makes them less
vulnerable to compromise of the 3rd party. To avoid outdating and
non-verbosity, versions are commented after the SHA and updating via
dependabot is introduced that will automatically update the commented
version tag as well.

In case of a false commit SHA, this change could break the corresponding
workflow. Typically, this does not cause major interruptions, but it can
for example affect a release pipeline and require restart causing
delays.

## Implementation details

## Test coverage

## Other details
<!-- Fixes #{issue} -->

<!-- ⚠️ Note: where possible, please obtain 2 approvals prior to
merging. Unless CODEOWNERS specifies otherwise, for external teams it is
typically best to have one review from a team member, and one review
from apm-dotnet. Trivial changes do not require 2 reviews. -->

Author: xopham

.github/dependabot.yml

@@ -94,3 +94,12 @@ updates:
       - dependency-name: "System.Reflection.Emit"
       - dependency-name: "System.Reflection.Emit.Lightweight"
       ### End Datadog.Trace.csproj ignored dependencies
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    groups:
+      gh-actions-packages:
+        patterns:
+          - "*"

.github/workflows/auto_add_vnext_milestone_to_pr.yml

@@ -18,14 +18,14 @@ jobs:
       issues: write # need to potentially create a new milestone
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 
-      - uses: actions/setup-dotnet@v1
+      - uses: actions/setup-dotnet@71a4fd9b27383962fc5df13a9c871636b43199b4 # v1.10.0
         with:
           dotnet-version: '9.0.102'
 
       - name: "Assign to vNext Milestone"
         run: ./tracer/build.sh AssignPullRequestToMilestone
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-          PullRequestNumber: "${{ github.event.pull_request.number }}"
+          PullRequestNumber: "${{ github.event.pull_request.number }}"

.github/workflows/auto_bump_test_package_versions.yml

@@ -23,11 +23,11 @@ jobs:
         run: git config --system core.longpaths true
 
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
         with:
           ref: ${{ github.event.pull_request.base.sha }}
 
-      - uses: actions/setup-dotnet@v1
+      - uses: actions/setup-dotnet@71a4fd9b27383962fc5df13a9c871636b43199b4 # v1.10.0
         with:
           dotnet-version: '9.0.102'
 
@@ -36,7 +36,7 @@ jobs:
 
       - name: Create Pull Request
         id: pr
-        uses: peter-evans/create-pull-request@v3.10.0
+        uses: peter-evans/create-pull-request@9825ae65b1cb54b543b938503728b432a0176d29 # v3.10.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           branch: "bot/test-package-versions-bump"
@@ -51,7 +51,7 @@ jobs:
             
       - name: Send Slack notification about generating failure
         if: failure()
-        uses: slackapi/slack-github-action@v1.26.0
+        uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
         with:
           # This data can be any valid JSON from a previous step in the GitHub Action
           payload: |

.github/workflows/auto_check_snapshots.yml

@@ -13,11 +13,11 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-dotnet@v1
+      - uses: actions/setup-dotnet@71a4fd9b27383962fc5df13a9c871636b43199b4 # v1.10.0
         with:
           dotnet-version: '9.0.102'
 
@@ -26,4 +26,4 @@ jobs:
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           PullRequestNumber: "${{ github.event.pull_request.number }}"
-          TargetBranch: "${{ github.base_ref }}"
+          TargetBranch: "${{ github.base_ref }}"

.github/workflows/auto_code_freeze_block_pr.yml

@@ -18,7 +18,7 @@ jobs:
       statuses: write # add a commit status check
 
     steps:
-    - uses: octokit/request-action@v2.x
+    - uses: octokit/request-action@786351db496fa66730d8faa09ef279108da175a3 # v2.x
       name: 'Get Milestones'
       id: milestones
       with:
@@ -53,4 +53,4 @@ jobs:
             "https://api.github.com/repos/DataDog/dd-trace-dotnet/statuses/$sha" \
             -d '{"state":"'"$state"'","context":"code_freeze","description":"'"$description"'","target_url":"'"$targetUrl"'"}'
 
-      name: 'Check Code Freeze status'
+      name: 'Check Code Freeze status'

.github/workflows/auto_create_version_bump_pr.yml

@@ -36,7 +36,7 @@ jobs:
           }
 
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
         with:
           ref: ${{ steps.select_branch.outputs.ref }}
 
@@ -45,7 +45,7 @@ jobs:
           git config user.name "${{ github.actor }}"
           git config user.email "${{ github.actor }}@users.noreply.github.com"
 
-      - uses: actions/setup-dotnet@v1
+      - uses: actions/setup-dotnet@71a4fd9b27383962fc5df13a9c871636b43199b4 # v1.10.0
         with:
           dotnet-version: '9.0.102'
 
@@ -70,7 +70,7 @@ jobs:
 
       - name: Create Pull Request
         id: pr
-        uses: peter-evans/create-pull-request@v3.10.0
+        uses: peter-evans/create-pull-request@9825ae65b1cb54b543b938503728b432a0176d29 # v3.10.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           branch: "version-bump-${{steps.versions.outputs.full_version}}"

.github/workflows/auto_deploy_aas_test_apps.yml

@@ -18,9 +18,9 @@ jobs:
 
     steps:
       - name: Clone dd-trace-dotnet repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
-      - uses: octokit/request-action@v2.x
+      - uses: octokit/request-action@786351db496fa66730d8faa09ef279108da175a3 # v2.x
         name: 'Open Code Freeze Milestone'
         id: milestones
         if: github.event_name != 'workflow_dispatch'
@@ -51,4 +51,4 @@ jobs:
         name: 'Trigger AAS deploy'
         if: env.stop != 'true'
         with:
-          aas_github_token: ${{ secrets.GH_EXTERNAL_TOKEN }}
+          aas_github_token: ${{ secrets.GH_EXTERNAL_TOKEN }}

.github/workflows/auto_label_prs.yml

@@ -14,14 +14,14 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 
-      - uses: actions/setup-dotnet@v1
+      - uses: actions/setup-dotnet@71a4fd9b27383962fc5df13a9c871636b43199b4 # v1.10.0
         with:
           dotnet-version: '9.0.102'
 
       - name: "Add labels"
         run: ./tracer/build.sh AssignLabelsToPullRequest
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-          PullRequestNumber: "${{ github.event.pull_request.number }}" 
+          PullRequestNumber: "${{ github.event.pull_request.number }}" 

.github/workflows/auto_update_benchmark_branches.yml

@@ -15,11 +15,11 @@ jobs:
       contents: write # Creates and deletes branches
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-dotnet@v1
+      - uses: actions/setup-dotnet@71a4fd9b27383962fc5df13a9c871636b43199b4 # v1.10.0
         with:
           dotnet-version: '9.0.102'
 

.github/workflows/code_freeze_end.yml

@@ -21,9 +21,9 @@ jobs:
 
     steps:
     - name: Clone dd-trace-dotnet repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
-    - uses: octokit/request-action@v2.x
+    - uses: octokit/request-action@786351db496fa66730d8faa09ef279108da175a3 # v2.x
       name: 'Close Code Freeze Milestone'
       id: milestones
       if: github.event_name == 'workflow_dispatch'
@@ -68,4 +68,4 @@ jobs:
       with:
         page_number: 4
         github_token: ${{ secrets.GITHUB_TOKEN }}
-        end_freeze: "true"
+        end_freeze: "true"

.github/workflows/code_freeze_start.yml

@@ -22,9 +22,9 @@ jobs:
 
     steps:
       - name: Clone dd-trace-dotnet repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
-      - uses: octokit/request-action@v2.x
+      - uses: octokit/request-action@786351db496fa66730d8faa09ef279108da175a3 # v2.x
         name: 'Open Code Freeze Milestone'
         id: milestones
         if: github.event_name == 'workflow_dispatch'
@@ -69,4 +69,4 @@ jobs:
       - uses: ./.github/actions/deploy-aas-dev-apps
         name: 'Trigger AAS deploy'
         with:
-          aas_github_token: ${{ secrets.GH_EXTERNAL_TOKEN }}
+          aas_github_token: ${{ secrets.GH_EXTERNAL_TOKEN }}

.github/workflows/codeql-analysis.yml

@@ -21,9 +21,9 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 
-    - uses: actions/setup-dotnet@v1
+    - uses: actions/setup-dotnet@71a4fd9b27383962fc5df13a9c871636b43199b4 # v1.10.0
       with:
         dotnet-version: '9.0.102'
 
@@ -33,7 +33,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1
       with:
         languages: csharp, cpp
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -54,10 +54,10 @@ jobs:
         ./tracer/build.sh BuildProfilerHome BuildNativeLoader
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1
 
     - name: filter-sarif cpp
-      uses: advanced-security/filter-sarif@v1
+      uses: advanced-security/filter-sarif@f3b8118a9349d88f7b1c0c488476411145b6270d # v1.0.1
       with:
         patterns: |
           -**/src/Demos/**
@@ -69,7 +69,7 @@ jobs:
         output: ../results/cpp.sarif
 
     - name: filter-sarif csharp
-      uses: advanced-security/filter-sarif@v1
+      uses: advanced-security/filter-sarif@f3b8118a9349d88f7b1c0c488476411145b6270d # v1.0.1
       with:
         patterns: |
           -**/src/Demos/**
@@ -97,9 +97,9 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 
-    - uses: actions/setup-dotnet@v1
+    - uses: actions/setup-dotnet@71a4fd9b27383962fc5df13a9c871636b43199b4 # v1.10.0
       with:
         dotnet-version: '9.0.102'
 
@@ -109,7 +109,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1
       with:
         languages: csharp, cpp
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -130,10 +130,10 @@ jobs:
         ./tracer/build.sh BuildTracerHome
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1
 
     - name: filter-sarif cpp
-      uses: advanced-security/filter-sarif@v1
+      uses: advanced-security/filter-sarif@f3b8118a9349d88f7b1c0c488476411145b6270d # v1.0.1
       with:
         patterns: |
           -**/src/Demos/**
@@ -145,7 +145,7 @@ jobs:
         output: ../results/cpp.sarif
 
     - name: filter-sarif csharp
-      uses: advanced-security/filter-sarif@v1
+      uses: advanced-security/filter-sarif@f3b8118a9349d88f7b1c0c488476411145b6270d # v1.0.1
       with:
         patterns: |
           -**/src/Demos/**

.github/workflows/create-system-test-docker-base-images.yml

@@ -27,11 +27,11 @@ jobs:
       AZURE_DEVOPS_TOKEN: "${{ secrets.AZURE_DEVOPS_TOKEN }}"
     steps:
     - name: Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       with:
         fetch-depth: 0
 
-    - uses: actions/setup-dotnet@v1
+    - uses: actions/setup-dotnet@71a4fd9b27383962fc5df13a9c871636b43199b4 # v1.10.0
       with:
         dotnet-version: '9.0.102'
 
@@ -52,4 +52,4 @@ jobs:
         package_version: "${{steps.versions.outputs.version}}"
         lib_waf_version: "${{steps.versions.outputs.lib_waf_version}}"
         waf_rules_version: "${{steps.versions.outputs.waf_rules_version}}"
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        github_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/create_draft_release.yml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
         with:
           fetch-depth: 0
 
@@ -38,7 +38,7 @@ jobs:
           echo "Using sha $commitsha"
           echo "sha=${commitsha}" >> $GITHUB_OUTPUT
 
-      - uses: actions/setup-dotnet@v1
+      - uses: actions/setup-dotnet@71a4fd9b27383962fc5df13a9c871636b43199b4 # v1.10.0
         with:
           dotnet-version: '9.0.102'
 
@@ -84,7 +84,7 @@ jobs:
           git push origin "v${{steps.versions.outputs.full_version}}"
 
       - name: Create Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1.0.0
         with:
           draft: true
           name: "${{steps.versions.outputs.full_version}}"

.github/workflows/create_hotfix_branch.yml

@@ -27,14 +27,14 @@ jobs:
         run: git config --system core.longpaths true
 
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 
       - name: "Configure Git Credentials"
         run: |
           git config user.name "${{ github.actor }}"
           git config user.email "${{ github.actor }}@users.noreply.github.com"
 
-      - uses: actions/setup-dotnet@v1
+      - uses: actions/setup-dotnet@71a4fd9b27383962fc5df13a9c871636b43199b4 # v1.10.0
         with:
           dotnet-version: '9.0.102'
 

.github/workflows/datadog-static-analysis.yml

@@ -11,7 +11,7 @@ jobs:
       statuses: write # add status checks (?) 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - name: Check code meets quality standards
         id: datadog-static-analysis
         uses: DataDog/datadog-static-analyzer-github-action@v1
@@ -22,4 +22,4 @@ jobs:
           dd_site: datadoghq.com
           dd_env: ci
           cpu_count: 2
-          
+