
fix: pin GitHub Actions to SHA for supply chain security #1033

Merged
xatophi merged 1 commit into master from fix/github-action-sha-pinning on Mar 13, 2026

Conversation

@28Pollux28 (Contributor)

Summary

Pin all GitHub Actions to full commit SHAs for supply chain security.

Actions referenced by tag or branch have been resolved to their commit SHA, with the original ref preserved as an inline comment. Where a sub-action had unpinned transitive dependencies, the action was upgraded to the closest newer version where all sub-actions are fully pinned.

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
@lonvia (Collaborator) commented Mar 13, 2026

Looks purely AI generated, so closing.

I am aware of this new recommendation regarding SHA hashes and will consider if it adds security to the repository or not. This is not a change to be made by random drive-by contributors. I would have to check every single commit hash anyway and that is faster done from scratch.

@lonvia lonvia closed this Mar 13, 2026
@xatophi xatophi reopened this Mar 13, 2026
@xatophi commented Mar 13, 2026

> Looks purely AI generated, so closing.
>
> I am aware of this new recommendation regarding SHA hashes and will consider if it adds security to the repository or not. This is not a change to be made by random drive-by contributors. I would have to check every single commit hash anyway and that is faster done from scratch.

Hi @lonvia, this is part of an effort to apply SHA pinning for CI actions to all the BendingSpoons orgs!

@xatophi xatophi merged commit 5fd1225 into master Mar 13, 2026
11 checks passed
@simonpoole (Contributor)

@xatophi maybe overriding the concerns of the person who is actually doing the work is not a very good tactic ....

@28Pollux28 (Contributor, Author)

This is part of a broad effort across BendingSpoons from the security team. When we enforce the rule, your actions would not have been able to run anymore. Yes it is AI backed, because I'm not opening 400+ PRs manually across all our orgs.
The SHAs are tagged to use the exact version, OR upgrade to the closest version if there are sub-actions not pinned in the referenced version.
If not happy revert the merge, but be warned you'll need to do it anyway soon

@lonvia (Collaborator) commented Mar 13, 2026

I have reverted the commit for now. As the maintainer of this repo, I have a responsibility for its integrity and this is only possible if I can trust that people with access to this repo do not merge unreviewed changes.

The issue here is not so much that you have used AI. The issue here is that this is a security-relevant change. And as such I need to cross-check that the SHA hashes provided actually correspond to the versions you claim they do. This is even more true when the changes come from a contributor I have never heard of before and when a change was made by Copilot or the like. You wouldn't believe the hallucinations I'm seeing every day in pull requests by contributors using AI, who claim to have reviewed and tested everything.

I will look into doing the required changes in the next days. Next time, please simply open an issue and we'll find a quick solution. Or as a minimum, if you do open a PR, then you should properly identify yourself and explain the motivation for this change.

@xatophi the same holds for you. It's perfectly alright to reopen such a change and let me know when I've missed something. But I have to trust that BendingSpoons doesn't start committing code on their own without consultation.
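The two technical steps this thread turns on are the pinning procedure in the PR summary (resolve `owner/repo@tag` to a 40-character commit SHA and keep the tag as a trailing comment) and the cross-check lonvia asks for (does each SHA actually correspond to the version the comment claims?). The script below is an added example and is not code from the Photon repository, from this PR, or from the Bending Spoons tooling. It assumes GitHub's `uses: owner/repo[/path]@ref # comment` line format; the `git_ls_remote` helper, the sample workflow, its SHAs (runs of a single hex digit) and the `FAKE_INDEX` lookup table are all constructed for the demo.

```python
"""Pin GitHub Actions `uses:` refs to commit SHAs and cross-check existing pins.

Added example, not code from the Photon repository or from PR #1033. The sample
workflow, its SHAs and the FAKE_INDEX lookup table are constructed for the demo.
"""
import re
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# Matches `- uses: owner/repo[/path]@ref  # optional-version-comment`.
# Local actions (`./.github/actions/x`) and `docker://` images have no `@ref`
# in this shape and are deliberately not matched.
USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)"
    r"(?P<repo>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
Resolver = Callable[[str, str], Optional[str]]  # (owner/repo, ref) -> commit SHA


def owner_repo(repo: str) -> str:
    """`github/codeql-action/init` is a sub-action living in `github/codeql-action`."""
    return "/".join(repo.split("/")[:2])


def git_ls_remote(owner_repo_name: str, ref: str) -> Optional[str]:
    """Resolve a tag or branch to a commit SHA with `git ls-remote` (needs network).

    Annotated tags are listed twice: `refs/tags/v4` is the tag object and
    `refs/tags/v4^{}` is the commit it points to. A `uses:` pin must name the
    commit, so the peeled entry wins when present.
    """
    url = f"https://github.com/{owner_repo_name}.git"
    out = subprocess.run(
        ["git", "ls-remote", "--tags", "--heads", url, ref],
        capture_output=True, text=True, check=True,
    ).stdout
    plain = peeled = None
    for line in out.splitlines():
        sha, name = line.split("\t", 1)
        if name == f"refs/tags/{ref}^{{}}":
            peeled = sha
        elif name in (f"refs/tags/{ref}", f"refs/heads/{ref}"):
            plain = sha
    return peeled or plain


def check_workflow(text: str, resolve: Resolver) -> List[Tuple[int, str]]:
    """Return (line_no, problem) for every `uses:` line that is not a verified pin."""
    findings: List[Tuple[int, str]] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        repo, ref, comment = m["repo"], m["ref"], m["comment"]
        if not SHA_RE.match(ref):
            findings.append((n, f"{repo}@{ref}: not pinned to a full commit SHA"))
        elif comment is None:
            findings.append((n, f"{repo}@{ref[:7]}: pinned but no version comment"))
        else:
            expected = resolve(owner_repo(repo), comment)
            if expected is None:
                findings.append((n, f"{repo}: comment ref {comment} does not exist"))
            elif expected != ref:
                findings.append((n, f"{repo}: SHA does not match {comment} ({expected[:7]})"))
    return findings


def pin_workflow(text: str, resolve: Resolver) -> Tuple[str, List[int]]:
    """Rewrite tag/branch refs to `@<sha> # <ref>`; return new text and lines left unpinned."""
    out, unresolved = [], []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m["ref"]):
            sha = resolve(owner_repo(m["repo"]), m["ref"])
            if sha is None:
                unresolved.append(n)  # leave the line alone rather than guess
            else:
                line = f"{m['prefix']}{m['repo']}@{sha} # {m['ref']}"
        out.append(line)
    return "\n".join(out) + "\n", unresolved


# Constructed stand-in for git ls-remote; the SHAs are fake, not real action commits.
FAKE_INDEX: Dict[Tuple[str, str], str] = {
    ("actions/checkout", "v4"): "a" * 40,
    ("actions/setup-java", "v4"): "b" * 40,
    ("actions/cache", "v4"): "e" * 40,  # the sample pins c..., so its comment lies
}


def fake_resolve(repo: str, ref: str) -> Optional[str]:
    return FAKE_INDEX.get((repo, ref))


# Constructed sample workflow: one tag ref, one correct pin, one wrong pin, one
# pin with no comment.
SAMPLE = f"""\
name: ci
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@{'b' * 40} # v4
      - uses: actions/cache@{'c' * 40} # v4
      - uses: actions/upload-artifact@{'d' * 40}
"""

if __name__ == "__main__":
    for n, problem in check_workflow(SAMPLE, fake_resolve):
        print(f"line {n}: {problem}")
    pinned, left = pin_workflow(SAMPLE, fake_resolve)
    print(pinned, "unresolved:", left)
```

To do the cross-check on a real checkout, run `check_workflow(open(path).read(), git_ls_remote)` over each file under `.github/workflows/`. Two caveats a reviewer should keep in mind: GitHub executes whatever follows `@`, and the trailing `# v4` is documentation only, so the comment is the part that can silently drift and is exactly what this check guards; and a branch ref such as `main` resolves to whatever the branch points at today, so a pin produced from one becomes stale the moment the branch moves.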

@28Pollux28 (Contributor, Author)

Hi @lonvia
I appreciate your concern and the attention you dedicate in contributing to the repository. I wrote you an email that I hope will help clarify the situation. Photon is the last repository on which we need to convert the actions before we can enable the rule and we will be waiting for your feedback before doing so.
Best,
--
Valentin Lemaire
Security and Privacy Engineer at Bending Spoons

@xatophi commented Mar 13, 2026

Hi @lonvia, sorry for merging it directly 🙏
We were doing a bulk update on our side and I didn't realize this was a special case!
