Pin GitHub Actions to immutable commit SHAs

[Copilot]

Description
Mutable action tags (@v4, @V3) allow code changes without review. If an action author is compromised, the pipeline is compromised.

All GitHub Actions now pinned to commit SHAs with version comments for reference:

• actions/checkout@v4 → 11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
• actions/setup-node@v4 → 39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
• actions/cache@v4 → 1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
• actions/stale@v9 → 28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
• actions-ecosystem/action-add-labels@v1 → 18f1af5e3544586314bbe15c0273249c770b2daf # v1
• github/codeql-action/*@v3 → aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
• Adyen/[email protected] → f5e0d6e68f1b203beb443efcabc680e087c2d334 # v1.3.1

Updated 9 workflow files, 23 action references total. All cache actions use v4.2.0 to avoid deprecated versions.

Tested scenarios

• Verified no unpinned actions remain across all workflows
• Verified all actions/cache references use v4.2.0 (deprecated v3 removed)
• CodeQL security scan passed with no vulnerabilities
• Code review completed with no issues
• Workflows run successfully without deprecation errors

Fixed issue:

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Bug]: Workflow actions</issue_title>
<issue_description>### Description

We have recently conducted a security scan of our GitHub repositories to ensure our CI/CD pipelines are secure. We identified misconfigurations in GitHub Actions workflows (e.g., injection risks, unpinned actions).

Steps to reproduce

Using tags like @v1, @master, or @latest allows the action code to change without your review. If the action author is compromised, your pipeline is compromised.
Pin to the immutable Commit SHA.

❌ Bad

uses: actions/checkout@v4

✅ Good

uses: actions/checkout@b4ffde6 # v4.1.1

All existing workflows shall be updated to pin the version of the actions to a specific commit SHA.

Actual behavior

No response

Expected behavior

Action versions must be pinned

Code snippet or screenshots (if applicable)

No response

Adyen Node API Library version

Lastest

Node.js version

22

NPM version

No response

Operating System

Windows

Additional context

No response</issue_description>

<agent_instructions>Similar issue has been addressed here Adyen/adyen-java-api-library#1614</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes [Bug]: Workflow actions #1584

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[gcatanese]

@copilot When running the actions I get

Error: This request has been automatically failed because it uses a deprecated version of actions/cache: e12d46a63a90f2fae62d114769bbf2a179198b5c. Please update your workflow to use v3/v4 of actions/cache to avoid interruptions. Learn more: https://github.blog/changelog/2024-12-05-notice-of-upcoming-releases-and-breaking-changes-for-github-actions/#actions-cache-v1-v2-and-actions-toolkit-cache-package-closing-down

[Copilot]

@copilot When running the actions I get

Error: This request has been automatically failed because it uses a deprecated version of actions/cache: e12d46a63a90f2fae62d114769bbf2a179198b5c. Please upd...

Updated actions/cache from deprecated v3.3.3 to v4.2.0 in node-ci.yml. All cache references now use the same v4 SHA as sonarcloud.yml. Commit: 4bf063d

[gcatanese]

Looks all good

[gcatanese]

@copilot I have approved the MR but I cannot merge it, I didnt commit anything, why does it need a review from another code owner?

[Copilot]

@copilot I have approved the MR but I cannot merge it, I didnt commit anything, why does it need a review from another code owner?

The CODEOWNERS file requires approval from both @Adyen/developer-relations and @Adyen/api-library-maintainers teams. Your approval covers one team, but the PR needs approval from a member of the other team as well before it can be merged.

[gcatanese]

@copilot I am in both teams

[Copilot]

@copilot I am in both teams

The merge requirement is likely due to branch protection rules requiring multiple approvals (e.g., minimum 2 approvals) rather than team-based requirements. This is a repository-level setting that would need to be checked in the branch protection rules for this branch.