fix(ci): pin guardrail actions to SHAs and guard body-file usage

[clubanderson]

Summary

• Pin actions/checkout and actions/github-script to immutable commit SHAs in scanner-merge-guardrails.yml to prevent supply-chain attacks via tag force-push
• Guard --body-file usage in kb-nightly-validation.yml so the workflow doesn't crash when kb-gap-report.md isn't generated

Fixes #18643, Fixes #19072

[kubestellar-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign eeshaansa for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[netlify]

✅ Deploy Preview for kubestellarconsole canceled.

Name	Link
🔨 Latest commit	7ad0400
🔍 Latest deploy log	https://app.netlify.com/projects/kubestellarconsole/deploys/6a359b31e21e55000842765a

[github-actions]

👋 Hey @clubanderson — thanks for opening this PR!

🤖 This project is developed exclusively using AI coding assistants.

Please do not attempt to code anything for this project manually.
All contributions should be authored using an AI coding tool such as:

• Claude Code (Opus 4.5 / 4.6) — recommended
• GitHub Copilot
• Cursor
• Other AI coding assistants

This ensures consistency in code style, architecture patterns, test coverage,
and commit quality across the entire codebase.

---

This is an automated message.

[github-actions]

🐝 Hi @clubanderson! I'm kubestellar-hive[bot], an automation bot for this repo.

Trusted users — org members and contributors with write access — can mention @kubestellar-hive in a comment to trigger repo automation.
On issues, that mention queues an automated fix attempt. On pull requests, it records extra context for existing automation.
This is not an interactive Q&A bot, so mentions should be treated as requests for automation rather than a conversation.

Automation may take a moment to start, and follow-up happens through workflow activity rather than chat replies.

[Copilot]

Pull request overview

This PR hardens CI workflows by pinning GitHub Actions to immutable commit SHAs (mitigating tag force-push/supply-chain risk) and by preventing the KB Nightly Validation workflow from failing when kb-gap-report.md is not present.

Changes:

• Pin actions/checkout and actions/github-script to commit SHAs in scanner-merge-guardrails.yml.
• Guard gh issue create --body-file kb-gap-report.md behind a file-exists check in kb-nightly-validation.yml and fall back to a plain --body.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
.github/workflows/scanner-merge-guardrails.yml	Pins previously tag-based actions to immutable SHAs for supply-chain hardening.
.github/workflows/kb-nightly-validation.yml	Avoids workflow crashes when kb-gap-report.md isn’t generated by conditionally using --body-file.

[github-actions]

Thank you for your contribution! Your PR has been merged.

Check out what's new:

• KubeStellar Console — Live multi-cluster dashboard
• Marketplace — Community extensions
• Knowledge Base — Troubleshooting and how-tos

Stay connected: Slack #kubestellar-dev | Multi-Cluster Survey

[github-actions]

Post-merge build verification passed ✅

Both Go and frontend builds compiled successfully against merge commit 50852c8e398578eea92c3f618941fb3d3775e096.