Pin full length commit SHA for 3rd party actions.

[desrosj]

Proposed changes

This implements the recommendation to pin full length commit SHAs instead of versions or branches when using 3rd-party GitHub Actions to protect from supply chain attacks.

This has been happening more often recently, with a number of popular actions having all of their tags updated with a buried vulnerability.

While the new notation is more verbose, a bit ugly, and requires every update to be applied manually, we can rely on Dependabot to handle that for us to make it more manageable.

Recent examples

Examples of actions being exploited in the wild:

• changed-files
• reviewdog's action library

Production

• Bugfix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Dependency update
• Refactoring / housekeeping (changes to files not directly related to functionality)

Development

• Tests
• Dependency update
• Environment update / refactoring
• Documentation Update
• Build/Test Tooling update

Checklist

• I have read the CONTRIBUTING doc
• I have viewed my change in a web-browser
• Linting and tests pass locally with my changes
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

Further comments

GitHub is looking into providing immutable releases for actions (which would allow versions to be used again), and this is currently in the Q3 2025 roadmap. But we should use full SHA values until then.

See also newfold-labs/workflows#22.