Down-Merge for SHA fix in actions (#1634)

* ci(workflows): pin actions to full sha (#1598)

* ci(workflows): pin actions to full sha

Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>

* ci(dependabot): add configuration for GitHub Actions updates

Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>

* ci(workflows): ensure deployment skips when secrets are missing

Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>

* fix(workflows): correct syntax for Azure DevOps token retrieval step

Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>

---------

Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>

* fix: broken links (#1607)

Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>

* ci(workflows): enhance permissions for jobs (#1627)

Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>

---------

Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>
Co-authored-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>

Author: ytimocin

.github/dependabot.yml

@@ -0,0 +1,18 @@
+# yaml-language-server: $schema=https://www.schemastore.org/dependabot-2.0.json
+# See GitHub's documentation for more information on this file:
+# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference
+---
+version: 2
+
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    commit-message:
+      prefix: ci
+      include: scope
+    groups:
+      all:
+        patterns:
+          - "*"

.github/workflows/close-stale-prs.yml

@@ -2,26 +2,29 @@
 #
 # For more information, see:
 # https://github.com/actions/stale
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
+---
 name: Close stale pull requests
 
 on:
   schedule:
-  - cron: '0 18 * * *' # Run the workflow every day at 6PM UTC (10AM PST).
+    - cron: "0 18 * * *" # Run the workflow every day at 6PM UTC (10AM PST).
+
+permissions: {}
 
 jobs:
   stale:
-
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
     permissions:
       pull-requests: write
-
     steps:
-    - uses: actions/stale@v9
-      with:
-        repo-token: ${{ secrets.GITHUB_TOKEN }}
-        stale-pr-message: 'This pull request has been automatically marked as stale because it has been inactive for 90 days. Remove stale label or comment or this PR will be closed in 7 days.'
-        stale-pr-label: 'stale'
-        days-before-pr-stale: 90 # 3 months
-        days-before-pr-close: 7
-        days-before-issue-stale: -1
-        days-before-issue-close: -1
+      - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0
+        with:
+          repo-token: ${{ github.token }}
+          stale-pr-message: This pull request has been automatically marked as stale because it has been inactive for 90 days. Remove stale label or comment or this PR will be closed in 7 days.
+          stale-pr-label: stale
+          days-before-pr-stale: 90 # 3 months
+          days-before-pr-close: 7
+          days-before-issue-stale: -1
+          days-before-issue-close: -1

.github/workflows/issues.yml .github/workflows/devops-boards.yaml.github/workflows/issues.yml renamed to .github/workflows/devops-boards.yaml

@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
+---
 name: Sync issue to Azure DevOps work item
 
 on:
@@ -9,41 +11,46 @@ concurrency:
   group: issue-${{ github.event.issue.number }}
   cancel-in-progress: false
 
-# Extra permissions needed to login with Entra ID service principal via federated identity
-permissions:
-  id-token: write
-  issues: write
+permissions: {}
 
 jobs:
   ado:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    permissions:
+      id-token: write
+      issues: write
     environment:
       name: issues
     steps:
       # Auth using Azure Service Principals was added as a part of v2.3
       # reference: https://github.com/danhellem/github-actions-issue-to-work-item/pull/143
       - name: Login to Azure
-        uses: azure/login@v2
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
         with:
           client-id: ${{ vars.AZURE_SP_DEVOPS_SYNC_CLIENT_ID }}
           tenant-id: ${{ vars.AZURE_SP_DEVOPS_SYNC_TENANT_ID }}
           allow-no-subscriptions: true
+
       - name: Get Azure DevOps token
         id: get_ado_token
-        run:
+        run: |
           # The resource ID for Azure DevOps is always 499b84ac-1321-427f-aa17-267ca6975798
           # https://learn.microsoft.com/azure/devops/integrate/get-started/authentication/service-principal-managed-identity
-          echo "ADO_TOKEN=$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query "accessToken" --output tsv)" >> $GITHUB_ENV
+          ADO_TOKEN=$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query accessToken --output tsv)
+          echo "::add-mask::${ADO_TOKEN}"
+          echo "ADO_TOKEN=${ADO_TOKEN}" >> "${GITHUB_ENV}"
+
       - name: Sync issue to Azure DevOps
-        uses: danhellem/github-actions-issue-to-work-item@v2.3
+        uses: danhellem/github-actions-issue-to-work-item@8d0ead9b49a65aa66dac6949b1ff149d7ef8b4de # v2.5
         env:
           ado_token: ${{ env.ADO_TOKEN }}
-          github_token: '${{ secrets.GH_RAD_CI_BOT_PAT }}'
-          ado_organization: 'azure-octo'
-          ado_project: 'Incubations'
-          ado_area_path: "Incubations\\Radius"
-          ado_iteration_path: "Incubations\\Radius"
-          ado_new_state: 'New'
-          ado_active_state: 'Active'
-          ado_close_state: 'Closed'
-          ado_wit: 'GitHub Issue'
+          github_token: ${{ github.token }}
+          ado_organization: azure-octo
+          ado_project: Incubations
+          ado_area_path: Incubations\\Radius
+          ado_iteration_path: Incubations\\Radius
+          ado_new_state: New
+          ado_active_state: Active
+          ado_close_state: Closed
+          ado_wit: GitHub Issue

.github/workflows/pr-checks.yaml

@@ -1,17 +1,25 @@
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
+---
 name: PR Checks
 
 on:
   pull_request:
     types: [opened, reopened, synchronize, labeled, unlabeled]
 
+permissions: {}
+
 jobs:
   check-do-not-merge-tag:
     name: Check for do-not-merge tag
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    permissions:
+      issues: read
+      pull-requests: read
     steps:
       - name: Check for do-not-merge label
-        uses: mheap/github-action-required-labels@v5
+        uses: mheap/github-action-required-labels@8afbe8ae6ab7647d0c9f0cfa7c2f939650d22509 # v5.5.1
         with:
-            labels: "do-not-merge"
-            mode: exactly
-            count: 0
+          labels: do-not-merge
+          mode: exactly
+          count: 0

.github/workflows/redirect.yml

@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
+---
 name: Radius Redirect
 
 on:
@@ -6,43 +8,56 @@ on:
     branches:
       - edge
       - v*.*
-    paths: 
-      - 'redirect/**'
-      - '.github/workflows/redirect.yml'
+    paths:
+      - "redirect/**"
+      - ".github/workflows/redirect.yml"
   pull_request:
     branches:
       - edge
       - v*.*
-    paths: 
-      - 'redirect/**'
-      - '.github/workflows/redirect.yml'
+    paths:
+      - "redirect/**"
+      - ".github/workflows/redirect.yml"
+
+permissions: {}
 
 jobs:
   deploy-website:
     name: Deploy Redirect Website
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    permissions:
+      contents: read
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           submodules: false
+          persist-credentials: false
+
       - name: Deploy staging site
-        uses: Azure/static-web-apps-deploy@v1
+        uses: Azure/static-web-apps-deploy@4d27395796ac319302594769cfe812bd207490b1 # v1
         with:
           azure_static_web_apps_api_token: ${{ secrets.SWA_REDIRECT_TOKEN }}
-          action: "upload"
-          app_location: "redirect/src"
+          action: upload
+          app_location: redirect/src
           skip_api_build: true
           skip_app_build: true
+          skip_deploy_on_missing_secrets: true
 
   close_pr_site:
     name: Close PR Staging Site
     if: github.event_name == 'pull_request' && github.event.action == 'closed'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    permissions:
+      contents: read
     steps:
       - name: Close Pull Request
         id: closepullrequest
-        uses: Azure/static-web-apps-deploy@v1
+        uses: Azure/static-web-apps-deploy@4d27395796ac319302594769cfe812bd207490b1 # v1
         with:
           azure_static_web_apps_api_token: ${{ secrets.SWA_REDIRECT_TOKEN }}
-          action: "close"
+          action: close
+          app_location: redirect/src
+          skip_deploy_on_missing_secrets: true

.github/workflows/release.yaml

@@ -1,44 +1,57 @@
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
+---
 name: Release docs
 
 on:
   workflow_dispatch:
     inputs:
       version:
-        description: 'Radius version number to use (e.g. 0.22.0, 0.23.0-rc1)'
+        description: "Radius version number to use (e.g. 0.22.0, 0.23.0-rc1)"
         required: true
-        default: ''
+        default: ""
         type: string
 
+permissions: {}
+
 env:
   GITHUB_TOKEN: ${{ secrets.GH_RAD_CI_BOT_PAT }}
-  GITHUB_EMAIL: 'radiuscoreteam@service.microsoft.com'
-  GITHUB_USER: 'Radius CI Bot'
+  GITHUB_EMAIL: radiuscoreteam@service.microsoft.com
+  GITHUB_USER: Radius CI Bot
 
 jobs:
   release-docs:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           token: ${{ secrets.GH_RAD_CI_BOT_PAT }}
           ref: edge
           path: docs
+          persist-credentials: false
+
       - name: Configure git
         run: |
           git config --global user.email "${{ env.GITHUB_EMAIL }}"
           git config --global user.name "${{ env.GITHUB_USER }}"
+
       - name: Ensure inputs.version is valid semver
         run: |
           python ./docs/.github/scripts/validate_semver.py ${{ inputs.version }}
+
       - name: Parse release channel
         id: parse_release_channel
         run: |
           # CHANNEL is the major and minor version of the VERSION_NUMBER (e.g. 0.1)
           CHANNEL="$(echo ${{ inputs.version }} | cut -d '.' -f 1,2)"
-          echo "channel=$CHANNEL" >> $GITHUB_OUTPUT
+          echo "channel=$CHANNEL" >> "${GITHUB_OUTPUT}"
+
       - name: Release docs
         run: |
           ./docs/.github/scripts/release-docs.sh ${{ inputs.version }}
+
       - name: Change the default branch
         run: |
           gh api \