
fix(ci): hardening security of GH actions #14569

Merged

christian-bromann merged 1 commit into main from cb/ci-security on Jun 18, 2025

Conversation

@christian-bromann
Member

Proposed changes

This pull request enhances the security of our GitHub Actions workflows by implementing several best practices:

  • Pinning Actions to Commit SHAs: All external GitHub Actions are now pinned to specific commit SHAs instead of floating versions (e.g., @v4). This prevents unexpected or malicious code from being executed if a version tag is updated.
  • Least-Privilege Permissions: Each workflow job now has a permissions block that specifies the minimum required access for the GITHUB_TOKEN. This limits the potential impact of a compromised token.
  • Updated Actions: All actions have been updated to their latest stable versions to include the latest features and security fixes.
  • Workflow Cleanup: Minor linter issues have been resolved and step names have been made more consistent across various workflows.

These changes collectively harden our CI/CD pipeline against potential supply chain attacks and follow the security guidelines recommended by GitHub.

Types of changes

  • Polish (an improvement for an existing feature)
  • Bugfix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update (improvements to the project's docs)
  • Specification changes (updates to WebDriver command specifications)
  • Internal updates (everything related to internal scripts, governance documentation and CI files)

Checklist

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have added the necessary documentation (if appropriate)
  • I have added proper type definitions for new commands (if appropriate)

Backport Request

  • This change is solely for v9 and doesn't need to be back-ported
  • Back-ported PR at #XXXXX

Further comments

This is a foundational security improvement that helps protect the integrity of the project and its dependencies.

Reviewers: @webdriverio/project-committers
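
The two measures the description lists, SHA pinning and per-job permissions, are mechanical enough to check automatically. The following is an added example written for this page, not code from the webdriverio repository or from this PR: a line-based scan of workflow YAML that flags `uses:` references that are not pinned to a 40-hex commit SHA, jobs that declare no `permissions:` block, and explicit `write-all` grants. It assumes 2-space-indented workflow YAML (so it needs no YAML library); the two embedded workflows, their job and action names, and the commit SHAs in them are constructed placeholders, not real pins.

```javascript
// Added example, not part of the webdriverio repository: audit GitHub Actions
// workflow text for the weaknesses the PR description addresses.
// Assumption: workflows use 2-space indentation, so keys can be located by
// column without a YAML parser.

const SHA_PIN = /^[0-9a-f]{40}$/;

// Classify the value of a `uses:` key. A trailing "# v4" comment, which
// Dependabot reads to keep a SHA pin current, is ignored for the decision.
function classifyUses(value) {
  const ref = value.replace(/\s+#.*$/, '').trim();
  // Local composite actions and docker images are not tag-resolved on
  // GitHub; they are left out of this check.
  if (ref.startsWith('./') || ref.startsWith('docker://')) {
    return { ref, pinned: true };
  }
  const at = ref.lastIndexOf('@');
  const version = at === -1 ? '' : ref.slice(at + 1);
  return { ref, pinned: SHA_PIN.test(version) };
}

// Return one finding string per problem found in a workflow file's text.
function auditWorkflow(yamlText) {
  const findings = [];
  // A top-level `permissions:` block applies to every job that lacks its own.
  const workflowPermissions = /^permissions:/m.test(yamlText);
  let inJobs = false;
  let currentJob = null;
  let jobHasPermissions = false;

  const closeJob = () => {
    if (currentJob !== null && !jobHasPermissions && !workflowPermissions) {
      findings.push(`job "${currentJob}" has no permissions block (GITHUB_TOKEN falls back to the repository default)`);
    }
    currentJob = null;
  };

  for (const raw of yamlText.split('\n')) {
    const line = raw.replace(/\s+$/, '');
    const body = line.trim();
    if (body === '' || body.startsWith('#')) continue;
    const indent = line.length - line.trimStart().length;

    if (indent === 0) {
      closeJob();                       // leaving the jobs section, if we were in it
      inJobs = body === 'jobs:';
    } else if (inJobs && indent === 2 && body.endsWith(':')) {
      closeJob();                       // finish the previous job, start a new one
      currentJob = body.slice(0, -1);
      jobHasPermissions = false;
    } else if (currentJob !== null && indent === 4 && body.startsWith('permissions:')) {
      jobHasPermissions = true;
    }

    // `write-all` is explicit, but it is the opposite of least privilege.
    if (body.startsWith('permissions:') && body.includes('write-all')) {
      const where = currentJob === null ? 'workflow' : `job "${currentJob}"`;
      findings.push(`${where} grants permissions: write-all`);
    }

    // Matches both "uses: x" and the list form "- uses: x".
    const m = body.match(/^(?:-\s*)?uses:\s*(.+)$/);
    if (m) {
      const { ref, pinned } = classifyUses(m[1]);
      if (!pinned) findings.push(`"${ref}" is not pinned to a commit SHA`);
    }
  }
  closeJob();
  return findings;
}

// Constructed "before": floating tags and no permissions block at all.
const FLOATING_WORKFLOW = `
name: test
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci && npm test
`;

// Constructed "after": each action pinned to a full commit SHA (placeholder
// values, not the real commits behind these actions) with the version kept
// as a comment, and a read-only GITHUB_TOKEN declared on the job.
const PINNED_WORKFLOW = `
name: test
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/setup-node@fedcba9876543210fedcba9876543210fedcba98 # v4
        with:
          node-version: 20
      - run: npm ci && npm test
`;

function demo() {
  return {
    before: auditWorkflow(FLOATING_WORKFLOW),
    after: auditWorkflow(PINNED_WORKFLOW),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run against the "before" workflow the audit reports both floating references and the job without a permissions block; the "after" workflow produces no findings. To obtain a SHA to pin, `git ls-remote https://github.com/<owner>/<repo> refs/tags/<tag>` lists the tag; for annotated tags the peeled commit appears as `refs/tags/<tag>^{}`, and it is the commit, not the tag object, that belongs after the `@`. Keeping the `# v4` comment lets Dependabot bump the pin. Two caveats a reviewer would raise: once a job sets any scope in `permissions:`, every unlisted scope becomes `none`, so `contents: read` alone yields a read-only token; and a SHA pin fixes the action repository's content at that commit but not anything the action downloads at run time or any unpinned `uses:` inside a composite action.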

christian-bromann added the label PR: Internal 🏠 (PRs that contain changes internals) on Jun 17, 2025
@pkg-pr-new

pkg-pr-new bot commented Jun 17, 2025


Preview builds of this PR's packages:

  • eslint-plugin-wdio: npm i https://pkg.pr.new/webdriverio/webdriverio/eslint-plugin-wdio@14569
  • @wdio/allure-reporter: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/allure-reporter@14569
  • @wdio/appium-service: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/appium-service@14569
  • @wdio/browser-runner: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/browser-runner@14569
  • @wdio/browserstack-service: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/browserstack-service@14569
  • @wdio/cli: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/cli@14569
  • @wdio/concise-reporter: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/concise-reporter@14569
  • @wdio/config: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/config@14569
  • @wdio/cucumber-framework: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/cucumber-framework@14569
  • @wdio/dot-reporter: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/dot-reporter@14569
  • @wdio/firefox-profile-service: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/firefox-profile-service@14569
  • @wdio/globals: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/globals@14569
  • @wdio/jasmine-framework: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/jasmine-framework@14569
  • @wdio/json-reporter: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/json-reporter@14569
  • @wdio/junit-reporter: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/junit-reporter@14569
  • @wdio/lighthouse-service: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/lighthouse-service@14569
  • @wdio/local-runner: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/local-runner@14569
  • @wdio/logger: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/logger@14569
  • @wdio/mocha-framework: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/mocha-framework@14569
  • @wdio/protocols: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/protocols@14569
  • @wdio/repl: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/repl@14569
  • @wdio/reporter: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/reporter@14569
  • @wdio/runner: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/runner@14569
  • @wdio/sauce-service: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/sauce-service@14569
  • @wdio/shared-store-service: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/shared-store-service@14569
  • @wdio/smoke-test-cjs-service: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/smoke-test-cjs-service@14569
  • @wdio/smoke-test-reporter: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/smoke-test-reporter@14569
  • @wdio/smoke-test-service: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/smoke-test-service@14569
  • @wdio/spec-reporter: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/spec-reporter@14569
  • @wdio/static-server-service: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/static-server-service@14569
  • @wdio/sumologic-reporter: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/sumologic-reporter@14569
  • @wdio/testingbot-service: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/testingbot-service@14569
  • @wdio/types: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/types@14569
  • @wdio/utils: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/utils@14569
  • @wdio/webdriver-mock-service: npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/webdriver-mock-service@14569
  • webdriver: npm i https://pkg.pr.new/webdriverio/webdriverio/webdriver@14569
  • webdriverio: npm i https://pkg.pr.new/webdriverio/webdriverio@14569

commit: 47ef2e5

christian-bromann merged commit 5818efe into main on Jun 18, 2025
70 of 77 checks passed

Labels: PR: Internal 🏠 (PRs that contain changes internals)
