Enhancement: Update the GH Actions

.github/workflows/Windows-CI.yml

@@ -107,7 +107,7 @@ jobs:
 
         # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
       - name: checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 #v3.5.3
+        uses: actions/checkout@v4.1.1
 
       - name: "Create directory '${{ env.VCPKG_DEFAULT_BINARY_CACHE }}'"
         run: mkdir -p $VCPKG_DEFAULT_BINARY_CACHE
@@ -155,7 +155,7 @@ jobs:
         run: .\script\test.ps1 -Generator ${{ matrix.cmake-generator }} -EnablePIE ${{ matrix.enable-pie }} -BuildType ${{ matrix.build-type }}
 
       - name: Upload test results
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce #v3.1.2
+        uses: actions/[email protected].3
         if: failure()
         with:
           name: test_results_xml

.github/workflows/codeql.yml

@@ -25,16 +25,25 @@ jobs:
         with:
           fetch-depth: 2
 
+      - name: Download benchmark bundle
+        env:
+           GH_TOKEN: ${{ github.token }}
+        run: |
+           gh release download -R octo-org/codeql-bundle --pattern 'codeql-bundle.tar.gz'
+
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@0225834cc549ee0ca93cb085b92954821a145866 #v2.3.5
+        uses: github/codeql-action/init@v2
         with:
           languages: ${{ matrix.language }}
+          tools: codeql-bundle.tar.gz
 
       - name: Bootstrap and Build the Code
         run: |
           sudo script/bootstrap
           script/build
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@0225834cc549ee0ca93cb085b92954821a145866 #v2.3.5
+        uses: github/codeql-action/analyze@v2
+        with:
+          tools: codeql-bundle.tar.gz

.github/workflows/fortify-on-demand-scan.yml

@@ -16,7 +16,7 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 #v3.5.3
+      - uses: actions/checkout@v4.1.1
 
       - name: Fortify on Demand Scan
         # You may pin to the exact commit or the version.

.github/workflows/gh-actions-pr.yml

@@ -329,7 +329,7 @@ jobs:
 
     steps:
       - name: Check out repository
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 #v3.5.3
+        uses: actions/checkout@v4.1.1
         with:
           fetch-depth: 2
           submodules: false
@@ -365,7 +365,7 @@ jobs:
       #   run: ctest -V
 
       - name: Upload test results
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce #v3.1.2
+        uses: actions/[email protected].3
         if: failure()
         with:
           name: test_results_xml

.github/workflows/gh-actions-release.yml

@@ -160,7 +160,7 @@ jobs:
 
     steps:
       - name: Check out repository
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 #v3.5.3
+        uses: actions/checkout@v4.1.1
         with:
           fetch-depth: 2
           submodules: false

.github/workflows/macos-ci.yml

@@ -66,7 +66,7 @@ jobs:
         run: brew install openal-soft
 
       - name: Check out repository
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2
+        uses: actions/checkout@v4.1.1
         with:
           fetch-depth: 2
           submodules: false
@@ -92,7 +92,7 @@ jobs:
         run: ctest -V
 
       - name: Upload test results
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce #v3.1.2
+        uses: actions/[email protected].3
         if: failure()
         with:
           name: test_results_xml

.github/workflows/scorecards-analysis.yml

@@ -19,15 +19,22 @@ jobs:
       security-events: write
       actions: read
       contents: read
+      id-token: write
 
     steps:
       - name: "Check out code"
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2
+        uses: actions/checkout@v4.1.1
         with:
           persist-credentials: false
 
+      - name: Download benchmark bundle
+        env:
+           GH_TOKEN: ${{ github.token }}
+        run: |
+           gh release download -R octo-org/codeql-bundle --pattern 'codeql-bundle.tar.gz'
+
       - name: "Run analysis"
-        uses: ossf/scorecard-action@e3e75cf2ffbf9364bbff86cdbdf52b23176fe492 # v1.0.1
+        uses: ossf/scorecard-action@v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif
@@ -42,14 +49,15 @@ jobs:
 
       # Upload the results as artifacts (optional).
       - name: "Upload artifact"
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce #v3.1.2
+        uses: actions/[email protected].3
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
+        uses: github/codeql-action/upload-sarif@v2
         with:
           sarif_file: results.sarif
+          tools: codeql-bundle.tar.gz