Pin actions to a full length commit SHA (#24647)

* build: Pin actions to a full length commit SHA

- Pinned actions by SHA https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies
- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

* build: Fixed the incorrect SHA's

Signed-off-by: naveensrinivasan <[email protected]>
(cherry picked from commit 8ae8216)

Author: naveensrinivasan

.github/workflows/build-dev-app.yml

@@ -20,7 +20,7 @@ jobs:
       (github.event.action == 'labeled' && github.event.label.name == 'dev-app preview') ||
       (github.event.action == 'synchronize' && contains(github.event.pull_request.labels.*.name, 'dev-app preview'))
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # renovate: tag=v2.0.0
       - uses: ./.github/actions/yarn-install
 
       - run: ./scripts/bazel/setup-remote-execution.sh
@@ -42,7 +42,7 @@ jobs:
           echo ${{github.event.pull_request.head.sha}} > dist/devapp/pr_sha
 
       # Upload the generated dev-app archive.
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # renovate: tag=v2.0.0
         with:
           name: devapp
           path: dist/devapp

.github/workflows/deploy-dev-app.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # renovate: tag=v2.0.0
       - uses: ./.github/actions/yarn-install
 
       - name: 'Download artifact from build job'
@@ -36,7 +36,7 @@ jobs:
           echo "::set-output name=number::$(cat ./dist/dev-app-web-pkg/pr_number)"
           echo "::set-output name=sha::$(cat ./dist/dev-app-web-pkg/pr_sha)"
 
-      - uses: FirebaseExtended/action-hosting-deploy@v0
+      - uses: FirebaseExtended/action-hosting-deploy@276388dd6c2cde23455b30293105cc866c22282d # renovate: tag=v0.0.0
         id: deploy
         with:
           repoToken: '${{secrets.GITHUB_TOKEN}}'
@@ -45,7 +45,7 @@ jobs:
           projectId: ng-comp-dev
           channelId: pr-${{steps.pr_info.outputs.number}}-${{steps.pr_info.outputs.sha}}
 
-      - uses: marocchino/sticky-pull-request-comment@v2
+      - uses: marocchino/sticky-pull-request-comment@39c5b5dc7717447d0cba270cd115037d32d28443 # renovate: tag=v2.0.0
         with:
           message: |
             Deployed dev-app to: ${{ steps.deploy.outputs.details_url }}

.github/workflows/dev-infra.yml

@@ -8,7 +8,7 @@ jobs:
   labels:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579  # renovate: tag=v2.0.0
       - uses: angular/dev-infra/github-actions/commit-message-based-labels@138ec743c342cd2a4a75443d19e0ccd47244ee07
         with:
           angular-robot-key: ${{ secrets.ANGULAR_ROBOT_PRIVATE_KEY }}