Fix potential github action smells

.github/workflows/angular.yml

@@ -1,3 +1,5 @@
+# Run build, lint and test specifically for angular.
+# This workflow is only run when angular files are changed in a pull-request.
 name: 'Angular'
 on:
   pull_request:
@@ -22,17 +24,21 @@ jobs:
   build-test-lint:
     if: ${{ !github.event.pull_request.draft }}
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v2
+      - name: Checkout repository
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
         with:
           fetch-depth: 0
 
-      - uses: actions/cache@v2
+      - name: Setup cache for ng-pack node modules
+        uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
         with:
           path: 'npm/ng-packs/node_modules'
           key: ${{ runner.os }}-${{ hashFiles('npm/ng-packs/yarn.lock') }}
 
-      - uses: actions/cache@v2
+      - name: Setup cache for anguler node_modules
+        uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
         with:
           path: 'templates/app/angular/node_modules'
           key: ${{ runner.os }}-${{ hashFiles('templates/app/angular/yarn.lock') }}

.github/workflows/auto-pr.yml

@@ -12,25 +12,29 @@ jobs:
       contents: write  # for peter-evans/create-pull-request to create branch
       pull-requests: write  # for peter-evans/create-pull-request to create a PR
     runs-on: ubuntu-latest
+    timeout-minutes: 2
     steps:
-      - uses: actions/checkout@v2
+      - name: Checkout repository
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
         with:
           ref: dev
+      - name: Fetch promotion branch
+        run: git fetch origin prerel-8.2:prerel-8.2
       - name: Reset promotion branch
-        run: |
-          git fetch origin prerel-8.2:prerel-8.2
-          git reset --hard prerel-8.2
+        run: git reset --hard prerel-8.2
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v3
+        uses: peter-evans/create-pull-request@18f7dc018cc2cd597073088f7c7591b9d1c02672 # v3
         with:
           branch: auto-merge/prerel-8-2/${{github.run_number}}
           title: Merge branch dev with prerel-8.2
           body: This PR generated automatically to merge dev with prerel-8.2. Please review the changed files before merging to prevent any errors that may occur.
           reviewers: maliming
           token: ${{ github.token }}
+      - name: Approve pull request
+        env:
+          GH_TOKEN: ${{ secrets.BOT_SECRET }}
+        run: gh pr review auto-merge/prerel-8-2/${{github.run_number}} --approve
       - name: Merge Pull Request
         env:
           GH_TOKEN: ${{ secrets.BOT_SECRET }}
-        run: |
-          gh pr review auto-merge/prerel-8-2/${{github.run_number}} --approve
-          gh pr merge auto-merge/prerel-8-2/${{github.run_number}} --merge --auto --delete-branch
+        run: gh pr merge auto-merge/prerel-8-2/${{github.run_number}} --merge --auto --delete-branch

.github/workflows/build-and-test.yml

@@ -1,3 +1,4 @@
+# Build and test whenever there is a change to a dotnet related file.
 name: "build and test"
 on:
   push:
@@ -47,25 +48,28 @@ jobs:
   build-test:
     runs-on: ubuntu-latest
     if: ${{ !github.event.pull_request.draft }}
+    timeout-minutes: 30
     steps:
-    - uses: actions/checkout@v2
-    - uses: actions/setup-dotnet@master
-      with:
-        dotnet-version: 8.0.100
+      - name: Checkout repository
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
 
-    - name: chown
-      run: |
-        sudo chown -R $USER:$USER /home/runneradmin
+      - name: Setup dotnet 8.0.100
+        uses: actions/setup-dotnet@5d1464d
+        with:
+          dotnet-version: 8.0.100
 
-    - name: Build All
-      run: ./build-all.ps1
-      working-directory: ./build
-      shell: pwsh
+      - name: chown
+        run: sudo chown -R $USER:$USER /home/runneradmin
 
-    - name: Test All
-      run: ./test-all.ps1
-      working-directory: ./build
-      shell: pwsh
+      - name: Build All
+        run: ./build-all.ps1
+        working-directory: ./build
+        shell: pwsh
 
-    - name: Codecov
-      uses: codecov/codecov-action@v2
+      - name: Test All
+        run: ./test-all.ps1
+        working-directory: ./build
+        shell: pwsh
+
+      - name: Codecov
+        uses: codecov/codecov-action@f32b3a3

.github/workflows/codeql-analysis.yml

@@ -41,7 +41,8 @@ jobs:
       security-events: write  # for github/codeql-action/autobuild to send a status report
     name: Analyze
     runs-on: ubuntu-latest
-
+    # To be updated when runs have been performed
+    timeout-minutes: 30
     strategy:
       fail-fast: false
       matrix:
@@ -53,20 +54,21 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
         with:
           # We must fetch at least the immediate parents so that if this is
           # a pull request then we can checkout the head.
           fetch-depth: 2
 
       # If this run was triggered by a pull request event, then checkout
       # the head of the pull request instead of the merge commit.
-      - run: git checkout HEAD^2
+      - name: Checkout head of merge request if triggered by a merge request
+        run: git checkout HEAD^2
         if: ${{ github.event_name == 'pull_request' }}
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v1
+        uses: github/codeql-action/init@231aa2c8a89117b126725a0e11897209b7118144 # v1
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -77,7 +79,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v1
+        uses: github/codeql-action/autobuild@231aa2c8a89117b126725a0e11897209b7118144 # v1
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -86,9 +88,9 @@ jobs:
       #    and modify them (or add more) to build your code if your project
       #    uses a compiled language
 
-      #- run: |
+      # - run: |
       #   make bootstrap
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v1
+        uses: github/codeql-action/analyze@231aa2c8a89117b126725a0e11897209b7118144 # v1

.github/workflows/update-versions.yml

@@ -1,33 +1,34 @@
+# Create a PR after updating the version in latest-version.json
 name: Update Latest Versions
 
 on:
   release:
     types:
       - published
-      
+
 permissions:
   contents: write
   pull-requests: write
 
 jobs:
   update-versions:
     runs-on: ubuntu-latest
+    timeout-minutes: 1
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 
       - name: Set up Python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@e9aba2c
         with:
           python-version: 3.x
 
+      - name: Get latest version of pip
+        run: python -m pip install --upgrade pip
       - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install PyGithub
+        run: pip install PyGithub==2.3.0
 
       - name: Update latest-versions.json and create PR
         env:
           GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-        run: |
-          python .github/scripts/update_versions.py
+        run: python .github/scripts/update_versions.py