chore: pin GitHub Actions to commit SHAs (#137)

## Pin GitHub Actions to commit SHAs

GitHub Actions referenced by tag (e.g. `actions/checkout@v4`) use a
mutable pointer — the tag owner can move it to a different commit at any
time, including a malicious one. This is the attack vector used in the
tj-actions/changed-files incident (CVE-2025-30066).

Pinning to a full 40-character commit SHA makes the reference immutable.
The `# tag` comment preserves human readability so reviewers can tell
which version is pinned.

Important: a SHA can also originate from a forked repository. A
malicious actor can fork an action, push a compromised commit to the
fork, and the SHA will resolve — but it won't exist in the upstream
canonical repo. Each SHA in this PR was verified against the action's
canonical repository (not a fork).

### Changes

- `actions/checkout@v6` ->
`actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`
  - Version: v6.0.2 | Latest: v6.0.2 | Release age: 90d
- Commit:
actions/checkout@de0fac2

- `dfinity/ci-tools/actions/setup-pnpm@main` ->
`dfinity/ci-tools/actions/setup-pnpm@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad
# main`
  - Version: main | Latest: ? | Release age: ?
- Commit:
dfinity/ci-tools@afeee4f

- `dfinity/ci-tools/.github/workflows/check-pr-title.yaml@main` ->
`dfinity/ci-tools/.github/workflows/check-pr-title.yaml@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad
# main`
  - Version: main | Latest: ? | Release age: ?
- Commit:
dfinity/ci-tools@afeee4f

- `dfinity/ci-tools/.github/workflows/check-commit-messages.yaml@main`
->
`dfinity/ci-tools/.github/workflows/check-commit-messages.yaml@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad
# main`
  - Version: main | Latest: ? | Release age: ?
- Commit:
dfinity/ci-tools@afeee4f

- `actions/create-github-app-token@v3` ->
`actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859
# v3`
  - Version: v3 | Latest: v3.0.0 | Release age: 27d
- Commit:
actions/create-github-app-token@f8d387b

- `dfinity/ci-tools/actions/setup-python@main` ->
`dfinity/ci-tools/actions/setup-python@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad
# main`
  - Version: main | Latest: ? | Release age: ?
- Commit:
dfinity/ci-tools@afeee4f

- `dfinity/ci-tools/actions/setup-commitizen@main` ->
`dfinity/ci-tools/actions/setup-commitizen@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad
# main`
  - Version: main | Latest: ? | Release age: ?
- Commit:
dfinity/ci-tools@afeee4f

- `dfinity/ci-tools/actions/bump-version@main` ->
`dfinity/ci-tools/actions/bump-version@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad
# main`
  - Version: main | Latest: ? | Release age: ?
- Commit:
dfinity/ci-tools@afeee4f

- `dfinity/ci-tools/actions/create-pr@main` ->
`dfinity/ci-tools/actions/create-pr@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad
# main`
  - Version: main | Latest: ? | Release age: ?
- Commit:
dfinity/ci-tools@afeee4f

- `dfinity/ci-tools/.github/workflows/generate-changelog.yaml@main` ->
`dfinity/ci-tools/.github/workflows/generate-changelog.yaml@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad
# main`
  - Version: main | Latest: ? | Release age: ?
- Commit:
dfinity/ci-tools@afeee4f

- `dfinity/ci-tools/actions/extract-version@main` ->
`dfinity/ci-tools/actions/extract-version@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad
# main`
  - Version: main | Latest: ? | Release age: ?
- Commit:
dfinity/ci-tools@afeee4f

- `dfinity/ci-tools/actions/assemble-docs@main` ->
`dfinity/ci-tools/actions/assemble-docs@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad
# main`
  - Version: main | Latest: ? | Release age: ?
- Commit:
dfinity/ci-tools@afeee4f

- `dfinity/ci-tools/actions/submit-docs@main` ->
`dfinity/ci-tools/actions/submit-docs@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad
# main`
  - Version: main | Latest: ? | Release age: ?
- Commit:
dfinity/ci-tools@afeee4f

- `dfinity/ci-tools/actions/is-beta-tag@main` ->
`dfinity/ci-tools/actions/is-beta-tag@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad
# main`
  - Version: main | Latest: ? | Release age: ?
- Commit:
dfinity/ci-tools@afeee4f

- `dfinity/ci-tools/actions/generate-release-notes@main` ->
`dfinity/ci-tools/actions/generate-release-notes@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad
# main`
  - Version: main | Latest: ? | Release age: ?
- Commit:
dfinity/ci-tools@afeee4f


### Files modified

- `.github/workflows/audit.yml`
- `.github/workflows/codestyle.yml`
- `.github/workflows/commitizen.yml`
- `.github/workflows/create-release-pr.yml`
- `.github/workflows/generate-changelog.yml`
- `.github/workflows/publish-docs.yml`
- `.github/workflows/release.yml`
- `.github/workflows/test.yml`

Author: slawomirbabicz

.github/workflows/audit.yml

@@ -10,10 +10,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup PNPM
-        uses: dfinity/ci-tools/actions/setup-pnpm@main
+        uses: dfinity/ci-tools/actions/setup-pnpm@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad # main
 
       - name: Audit
         run: pnpm audit

.github/workflows/codestyle.yml

@@ -14,10 +14,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup PNPM
-        uses: dfinity/ci-tools/actions/setup-pnpm@main
+        uses: dfinity/ci-tools/actions/setup-pnpm@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad # main
 
       - name: Run sccache-cache
         uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9

.github/workflows/commitizen.yml

@@ -8,12 +8,12 @@ jobs:
   check_pr_title:
     name: check_pr_title
     if: github.event_name == 'pull_request'
-    uses: dfinity/ci-tools/.github/workflows/check-pr-title.yaml@main
+    uses: dfinity/ci-tools/.github/workflows/check-pr-title.yaml@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad # main
 
   check_commit_messages:
     name: check_commit_messages
     if: github.event_name == 'merge_group'
-    uses: dfinity/ci-tools/.github/workflows/check-commit-messages.yaml@main
+    uses: dfinity/ci-tools/.github/workflows/check-commit-messages.yaml@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad # main
 
   commitizen:
     name: commitizen:required

.github/workflows/create-release-pr.yml

@@ -22,25 +22,25 @@ jobs:
       contents: write
     steps:
       - name: Create GitHub App Token
-        uses: actions/create-github-app-token@v3
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
         id: generate_token
         with:
           app-id: ${{ vars.PR_AUTOMATION_BOT_PUBLIC_APP_ID }}
           private-key: ${{ secrets.PR_AUTOMATION_BOT_PUBLIC_PRIVATE_KEY }}
 
       - name: Checkout Code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
 
       - name: Setup Python
-        uses: dfinity/ci-tools/actions/setup-python@main
+        uses: dfinity/ci-tools/actions/setup-python@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad # main
 
       - name: Setup Commitizen
-        uses: dfinity/ci-tools/actions/setup-commitizen@main
+        uses: dfinity/ci-tools/actions/setup-commitizen@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad # main
 
       - name: Setup PNPM
-        uses: dfinity/ci-tools/actions/setup-pnpm@main
+        uses: dfinity/ci-tools/actions/setup-pnpm@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad # main
 
       - name: Run sccache-cache
         uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
@@ -50,7 +50,7 @@ jobs:
 
       - name: Bump version
         id: bump_version
-        uses: dfinity/ci-tools/actions/bump-version@main
+        uses: dfinity/ci-tools/actions/bump-version@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad # main
         with:
           prerelease: ${{ inputs.beta_release == true && 'beta' || '' }}
           major_version_zero: true
@@ -59,7 +59,7 @@ jobs:
         run: echo "Bumping to version ${{ steps.bump_version.outputs.version }}"
 
       - name: Create Pull Request
-        uses: dfinity/ci-tools/actions/create-pr@main
+        uses: dfinity/ci-tools/actions/create-pr@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad # main
         with:
           token: ${{ steps.generate_token.outputs.token }}
           branch_name: 'release/${{ steps.bump_version.outputs.version }}'

.github/workflows/generate-changelog.yml

@@ -7,7 +7,7 @@ on:
 
 jobs:
   generate_changelog:
-    uses: dfinity/ci-tools/.github/workflows/generate-changelog.yaml@main
+    uses: dfinity/ci-tools/.github/workflows/generate-changelog.yaml@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad # main
     with:
       token_app_id: ${{ vars.PR_AUTOMATION_BOT_PUBLIC_APP_ID }}
       environment: release

.github/workflows/publish-docs.yml

@@ -24,7 +24,7 @@ jobs:
     environment: release
     steps:
       - name: Create GitHub App Token
-        uses: actions/create-github-app-token@v3
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
         id: generate_token
         with:
           app-id: ${{ vars.PR_AUTOMATION_BOT_PUBLIC_APP_ID }}
@@ -33,23 +33,23 @@ jobs:
           repositories: icp-js-sdk-docs
 
       - name: Checkout source at ref
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ inputs.ref }}
 
       - name: Setup Python
-        uses: dfinity/ci-tools/actions/setup-python@main
+        uses: dfinity/ci-tools/actions/setup-python@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad # main
 
       - name: Setup Commitizen
-        uses: dfinity/ci-tools/actions/setup-commitizen@main
+        uses: dfinity/ci-tools/actions/setup-commitizen@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad # main
 
       - name: Setup PNPM
-        uses: dfinity/ci-tools/actions/setup-pnpm@main
+        uses: dfinity/ci-tools/actions/setup-pnpm@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad # main
 
       - name: Run sccache-cache
         uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
 
-      - uses: dfinity/ci-tools/actions/extract-version@main
+      - uses: dfinity/ci-tools/actions/extract-version@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad # main
         id: extract-version
 
       - name: Prepare version
@@ -74,13 +74,13 @@ jobs:
         run: pnpm build
 
       - name: Checkout icp-pages branch
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: icp-pages
           path: icp-pages
 
       - name: Assemble docs for version ${{ steps.ver.outputs.major_minor_version }}
-        uses: dfinity/ci-tools/actions/assemble-docs@main
+        uses: dfinity/ci-tools/actions/assemble-docs@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad # main
         with:
           assets_dir: 'docs/dist/${{ steps.ver.outputs.major_minor_version }}'
           version: ${{ steps.ver.outputs.major_minor_version }}
@@ -89,15 +89,15 @@ jobs:
           version_in_title: ${{ steps.ver.outputs.major_minor_patch_version }}
 
       - name: Assemble docs for version latest
-        uses: dfinity/ci-tools/actions/assemble-docs@main
+        uses: dfinity/ci-tools/actions/assemble-docs@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad # main
         with:
           assets_dir: 'docs/dist/latest'
           version: 'latest'
           target_dir: 'icp-pages'
           version_label: 'Latest (${{ steps.ver.outputs.major_minor_patch_version }})'
 
       - name: Submit Documentation
-        uses: dfinity/ci-tools/actions/submit-docs@main
+        uses: dfinity/ci-tools/actions/submit-docs@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad # main
         with:
           destination_repo: 'dfinity/icp-js-sdk-docs'
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/release.yml

@@ -24,32 +24,32 @@ jobs:
       id-token: write
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
           fetch-tags: true
 
       - name: Setup Python
-        uses: dfinity/ci-tools/actions/setup-python@main
+        uses: dfinity/ci-tools/actions/setup-python@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad # main
 
       - name: Setup Commitizen
-        uses: dfinity/ci-tools/actions/setup-commitizen@main
+        uses: dfinity/ci-tools/actions/setup-commitizen@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad # main
 
       - name: Setup PNPM
-        uses: dfinity/ci-tools/actions/setup-pnpm@main
+        uses: dfinity/ci-tools/actions/setup-pnpm@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad # main
 
       - name: Run sccache-cache
         uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
 
       - name: Determine if Beta Release
         id: is_beta
-        uses: dfinity/ci-tools/actions/is-beta-tag@main
+        uses: dfinity/ci-tools/actions/is-beta-tag@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad # main
 
       - name: Build NPM package
         run: pnpm build
 
       - name: Generate release notes
-        uses: dfinity/ci-tools/actions/generate-release-notes@main
+        uses: dfinity/ci-tools/actions/generate-release-notes@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad # main
 
       - name: Publish to npm
         env:

.github/workflows/test.yml

@@ -14,10 +14,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup PNPM
-        uses: dfinity/ci-tools/actions/setup-pnpm@main
+        uses: dfinity/ci-tools/actions/setup-pnpm@afeee4fbdc0683a88ec5a74ed7f59a2ce0e833ad # main
 
       - name: Run sccache-cache
         uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9