fix: security fixes according to Github CodeQL

.github/workflows/benchmark-clean.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3    # checkout sources
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2    # checkout sources
 
       - name: Install doctl
         uses: digitalocean/action-doctl@v2

.github/workflows/benchmark-hook.yml

@@ -8,7 +8,7 @@ on:
       - clean-webhook
 
 permissions:
-  contents: read   # Required for actions/checkout@v3 to clone the repository
+  contents: read   # Required for actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 to clone the repository
   id-token: write  # Required for authentication in certain actions (e.g., digitalocean/action-doctl@v2)
   secrets: read    # Required to access the DIGITALOCEAN_ACCESS_TOKEN secret
 
@@ -25,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Install doctl
       uses: digitalocean/action-doctl@v2
@@ -49,7 +49,7 @@ jobs:
         kubectl -n evita logs job/${K8S_JOB_NAME} -c benchmark > /tmp/logs/${K8S_JOB_NAME}-log.txt || :
 
     - name: Archive logs from run
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
       with:
         name: logs
         path: /tmp/logs

.github/workflows/benchmark.yml

@@ -44,7 +44,7 @@ jobs:
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
 
     steps:
-      - uses: actions/checkout@v3    # checkout sources
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2    # checkout sources
 
       - name: Install doctl
         uses: digitalocean/action-doctl@v2

.github/workflows/ci-dev-documentation.yml

@@ -33,17 +33,17 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3    # checkout sources
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2    # checkout sources
 
     - name: Setup Java JDK
-      uses: actions/setup-java@v3  # setup JDK 17 for building
+      uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0  # setup JDK 17 for building
       with:
          distribution: 'temurin'
          java-version: '17'
          cache: 'maven'
 
     - name: Setup dotnet
-      uses: actions/setup-dotnet@v3
+      uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
       with:
         dotnet-version: '8.0.X'    # setup dotnet 8.0.X for building
 
@@ -52,7 +52,7 @@ jobs:
         mvn -T 1C -B package -P documentation -V --fail-at-end -Dmaven.test.skip=false --file pom.xml
 
     - name: Publish Test Report
-      uses: mikepenz/action-junit-report@v3
+      uses: mikepenz/action-junit-report@ee6b445351cd81e2f73a16a0e52d598aeac2197f # v5.3.0
       if: success() || failure() # always run even if the previous step fails
       with:
         report_paths: '**/TEST-*.xml'

.github/workflows/ci-dev.yml

@@ -37,10 +37,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3    # checkout sources
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2    # checkout sources
 
     - name: Setup Java JDK
-      uses: actions/setup-java@v3  # setup JDK 17 for building
+      uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0  # setup JDK 17 for building
       with:
          distribution: 'temurin'
          java-version: '17'
@@ -57,25 +57,25 @@ jobs:
         jacoco/jacoco-summary.sh jacoco/target/site/jacoco-aggregate/jacoco.csv
 
     - name: Upload test results    # upload XML with unit test results to artifact `test-results` for `test-report.yml`
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
       if: success() || failure()
       with:
         name: test-results
         path: 'evita*/**/target/surefire-reports/TEST-*.xml'
 
     - name: Upload evitaDB server artifact   # upload `evita-server.jar` for `docker-canary.yml` to deploy to DockerHub
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
       if: success()
       with:
         name: evita-server.jar
         path: 'evita_server/target/evita-server.jar'
 
     - name: Upload coverage to Codecov    # upload code coverage from Jacoco to codecov
-      uses: codecov/codecov-action@v3
+      uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
 
     # Optional: Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive
     - name: Update dependency graph
-      uses: advanced-security/maven-dependency-submission-action@v3
+      uses: advanced-security/maven-dependency-submission-action@4f64ddab9d742a4806eeb588d238e4c311a8397d # v4.1.1
 
     - name: Deploy with Maven       # deploy SNAPSHOTS to Maven repository
       run: |

.github/workflows/ci-master.yml

@@ -36,7 +36,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3    # checkout sources
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2    # checkout sources
       with:
         ref: ${{ github.head_ref }}
         fetch-depth: 0
@@ -50,7 +50,7 @@ jobs:
         minor-identifier: '/feat(?:\\([^)]+\\))?:/'
 
     - name: Setup Java JDK
-      uses: actions/setup-java@v3  # setup JDK 17 for building
+      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.03  # setup JDK 17 for building
       with:
          distribution: 'temurin'
          java-version: '17'
@@ -123,14 +123,14 @@ jobs:
         asset_content_type: application/gzip
 
     - name: Upload evitaDB server artifact   # upload `evita-server.jar` for `docker-latest.yml` to deploy to DockerHub
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
       if: success()
       with:
         name: evita-server.jar
         path: 'evita_server/target/evita-server.jar'
 
     - name: Upload evitaDB version.txt      # upload `version.txt` for `docker-latest.yml` to deploy to DockerHub
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
       if: success()
       with:
         name: version.txt

.github/workflows/ci-performance.yml

@@ -20,10 +20,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3    # checkout sources
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2    # checkout sources
 
     - name: Setup Java JDK
-      uses: actions/setup-java@v3  # setup JDK 17 for building
+      uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0  # setup JDK 17 for building
       with:
          distribution: 'temurin'
          java-version: '17'

.github/workflows/docker-canary.yml

@@ -19,7 +19,7 @@ jobs:
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4        # checkout from Git
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2        # checkout from Git
         with:
           ref: dev  # Always checks out the dev branch
 

.github/workflows/docker-latest.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     steps:
-      - uses: actions/checkout@v3        # checkout from Git
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2        # checkout from Git
         with:
           ref: master  # Always checks out the master branch (due to config file)
 

.github/workflows/documentation-tests.yml

@@ -7,16 +7,16 @@ on:
     - cron: '0 0 * * 1' # runs on Monday morning
 
 permissions:
-  contents: read  # Required for actions/checkout@v3 to access the repository
-  actions: write  # Required for uploading artifacts using actions/upload-artifact@v4
+  contents: read  # Required for actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 to access the repository
+  actions: write  # Required for uploading artifacts using actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
 
 jobs:
   build:
     runs-on: ubuntu-latest
     timeout-minutes: 60
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 2
 
@@ -27,7 +27,7 @@ jobs:
           echo "Commits found: $NEW_COMMIT_COUNT"
 
       - name: Setup Java JDK   # this should setup JDK 17 but only if something was committed this day
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
         if: ${{ env.NEW_COMMIT_COUNT != '0' }}
         with:
            distribution: 'temurin'
@@ -39,7 +39,7 @@ jobs:
         run: mvn -T 1C -B package -P documentation -Dsurefire.reportNameSuffix=documentation -V --fail-at-end -Dmaven.test.skip=false --file pom.xml
 
       - name: Upload test results  # this upload test results but only if something was committed this day
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         if: ${{ env.NEW_COMMIT_COUNT != '0' && always() }}
         with:
           name: test-results

.github/workflows/long-running-tests.yml

@@ -18,7 +18,7 @@ jobs:
     timeout-minutes: 60
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 2
 
@@ -29,7 +29,7 @@ jobs:
           echo "Commits found: $NEW_COMMIT_COUNT"
 
       - name: Setup Java JDK   # this should setup JDK 17 but only if something was committed this day
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
         if: ${{ env.NEW_COMMIT_COUNT != '0' }}
         with:
            distribution: 'temurin'
@@ -41,12 +41,12 @@ jobs:
         run: mvn -T 1C -B package -P longRunning -V --fail-at-end -Dmaven.test.skip=false --file pom.xml
 
       - name: Upload test results  # this upload test results but only if something was committed this day
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         if: ${{ env.NEW_COMMIT_COUNT != '0' && always() }}
         with:
           name: test-results
           path: 'evita*/**/target/surefire-reports/TEST-*.xml'
 
       - name: Upload coverage to Codecov  # this upload test coverage but only if something was committed this day
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
         if: ${{ env.NEW_COMMIT_COUNT != '0' }}

.github/workflows/test-report.yml

@@ -31,7 +31,7 @@ jobs:
           name: test-results          # artifact name
 
       - name: Publish Test Report
-        uses: mikepenz/action-junit-report@v4
+        uses: mikepenz/action-junit-report@ee6b445351cd81e2f73a16a0e52d598aeac2197f # v5.3.0
         if: success() || failure() # always run even if the previous step fails
         with:
           report_paths: '**/TEST-*.xml'