ci: pin all GitHub Actions to full SHA digests

Pin every third-party GitHub Action to its current commit SHA with a version comment, eliminating supply chain risk from mutable version tags. Mutable tags (v4, v2, etc.) can be force-pushed by upstream maintainers; SHA digests are immutable. 18 unique actions pinned across 9 workflow files. Closes #357 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 17:32:18 +01:00 · 2026-02-16 17:32:18 +01:00 · 9df5a07640
commit 9df5a07640
parent 639032c952
9 changed files with 43 additions and 43 deletions
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@ -15,7 +15,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Mark stale issues and pull requests
-        uses: actions/stale@v9
+        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          days-before-issue-stale: 21