Pin GitHub Actions to specific commit SHAs for improved security and stability

[brenoepics]

This PR updates all GitHub Actions in the workflow files to use exact commit SHAs instead of floating tags like @v1 or @v2.

Why?

• Security: Tags like @v1 can be changed by the action maintainers or compromised if their repository is attacked. Pinning to a SHA ensures we're using the exact code we reviewed and trust.
• Reproducibility: This guarantees consistent CI behavior across runs, making debugging and audit trails more reliable.
• Best practice: GitHub officially recommends using commit SHAs for critical or trusted actions such as actions/checkout, setup-*, or deployment steps.

This change helps future-proof CI/CD pipeline and reduces the risk of unexpected behavior due to upstream changes in third-party actions.

Automatic Updates

The repository already use Dependabot, which will continue monitoring and automatically bump these SHAs when new versions are released, so we keep getting security updates and improvements without relying on floating tags.

ref:
https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
example incident:
https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup

[mitchellh]

GitHub officially recommends using commit SHAs for critical or trusted actions such as actions/checkout, setup-*, or deployment steps.

Can you show the source for this?

I understand why here. I'm not against it, GHA's are definitely scary.

Before merging though I need to really carefully review every SHA you put here points to the right place. This seems like an excellent opportunity to actually introduce a hack.

[tristan957]

Can you show the source for this?

The first ref link has some supporting documentation

[brenoepics]

Can you show the source for this?

https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#publishing-a-package-using-an-action

You can also find the same in the first reference I sent and basically in all the examples they give in Java, Swift, Python...

Before merging though I need to really carefully review every SHA you put here points to the right place. This seems like an excellent opportunity to actually introduce a hack.

Sure thing! take your time, all care is important with this kind of thing, when you go to review, I have some other suggestions that I haven't implemented that might be interesting.

I also noticed that I don't see any permissions: declarations, so probably all actions are using the organization's base permissions, it's not really a problem depending on how org was configured but the ideal would be to leave only the necessary permissions for each job and avoid problems, specially in workflows that runs on Pull requests such as nix (if you require approval to run workflows from non-maintainers, that's fine)

I also suggest giving Zizmor a try, there are some other interesting suggestions there.

Thanks for the Ghostty project, it's really great and has become my way to go for a while.

(btw I replaced tags to hashes with pinact, it might be useful for you)