[release/v7.5.6] [StepSecurity] ci: Harden GitHub Actions tags #27239

Merged
daxian-dbw merged 1 commit into PowerShell:release/v7.5.6 from daxian-dbw:backport/release/v7.5.6/27201-34375e905
Apr 9, 2026

Conversation

@daxian-dbw (Member)

Backport of #27201 to release/v7.5.6

Triggered by @daxian-dbw on behalf of @step-security-bot

Original CL Label: CL-BuildPackaging

/cc @PowerShell/powershell-maintainers

Impact

REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.

Tooling Impact

  • Required tooling change
  • Optional tooling change (include reasoning)

Pins GitHub Actions and setup action references to immutable commit SHAs in shared CI and workflow definitions on the release branch. This is a required tooling and supply-chain hardening update.

Customer Impact

  • Customer reported
  • Found internally

Regression

REQUIRED: Check exactly one box.

  • Yes
  • No

This is not a regression.

Testing

Cherry-pick completed on release/v7.5.6 after resolving workflow conflicts by preserving the release branch workflow structure and accepting the SHA-pinned action references from the original PR. Validation included checking that all conflict markers were removed and that the affected workflows now reference the pinned checkout, setup-dotnet, and github-script SHAs where applicable. Release branch CI will provide end-to-end verification.

Risk

REQUIRED: Check exactly one box.

  • High
  • Medium
  • Low

Medium risk because the change affects multiple shared CI workflow files and could expose latent workflow assumptions, but the modification is limited to pinning action references and keeps the existing release branch workflow behavior intact.

Merge Conflicts

Conflicts occurred in .github/workflows/copilot-setup-steps.yml, .github/workflows/labels.yml, .github/workflows/linux-ci.yml, .github/workflows/macos-ci.yml, .github/workflows/verify-markdown-links.yml, .github/workflows/windows-ci.yml, .github/workflows/windows-packaging-reusable.yml, and .github/workflows/xunit-tests.yml. Resolution: preserved the release/v7.5.6 workflow structure and accepted the SHA-pinned action references from PR #27201 for the conflicted uses entries.

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
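The validation described under Testing, as an added example (written here, not the PR's or the PowerShell project's own tooling): a Python audit that walks the `.github` tree, flags any `uses:` reference not pinned to a 40-hex commit SHA, flags pins that lack the `# vX.Y.Z` tag comment the PR's lines carry, and reports leftover Git conflict markers. The directory layout, the `*.yml` file set and the sample inputs are assumptions.

```python
"""Audit GitHub Actions `uses:` references for immutable commit-SHA pins.

Added example, not part of PR #27239 or the PowerShell repository's tooling.
It automates the validation the PR description performs by hand: every remote
action reference must be a 40-hex commit SHA carrying the `# vX.Y.Z` comment
that names the tag it was resolved from, and no Git conflict markers may remain.
"""
import re
from pathlib import Path

# Matches `- uses: owner/repo@ref # vX.Y.Z` (list item or bare key).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Marker lines git leaves behind when a conflict was not fully resolved.
CONFLICT_RE = re.compile(r"^(<{7}|={7}|>{7})( |$)")

def audit_workflow(text: str, path: str = "<inline>") -> list[str]:
    """Return findings for one workflow or composite-action file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if CONFLICT_RE.match(line):
            findings.append(f"{path}:{lineno}: unresolved conflict marker")
            continue
        m = USES_RE.match(line)
        if not m:
            continue
        ref, tag_comment = m.group(1).strip("'\""), m.group(2)
        # Local composite actions (./.github/actions/...) and docker:// images
        # have no Git ref to pin here; skip them.
        if "@" not in ref or ref.startswith("docker://"):
            continue
        action, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            findings.append(f"{path}:{lineno}: {action} uses mutable ref '{version}'")
        elif tag_comment is None:
            findings.append(f"{path}:{lineno}: {action} pinned without '# vX.Y.Z' tag comment")
    return findings

def audit_tree(root: str) -> list[str]:
    """Audit every *.yml under <root>/.github (workflows and composite actions)."""
    findings = []
    for p in sorted(Path(root, ".github").rglob("*.yml")):
        findings.extend(audit_workflow(p.read_text(encoding="utf-8"), str(p)))
    return findings

if __name__ == "__main__":
    import sys
    problems = audit_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("\n".join(problems) or "all action references are SHA-pinned")
    sys.exit(1 if problems else 0)
```

Run it from the repository root after a cherry-pick; a non-zero exit means either an unpinned reference or a conflict marker survived the merge.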
@daxian-dbw daxian-dbw requested a review from a team as a code owner April 9, 2026 18:35
Copilot AI review requested due to automatic review settings April 9, 2026 18:35
@daxian-dbw daxian-dbw added the CL-BuildPackaging label Apr 9, 2026
Contributor

Copilot AI left a comment

Pull request overview

Backports StepSecurity supply-chain hardening to release/v7.5.6 by replacing mutable GitHub Actions tags with immutable commit SHAs across key CI workflows and composite actions.

Changes:

  • Pin actions/checkout, actions/setup-dotnet, actions/upload-artifact, actions/download-artifact, and actions/github-script to specific commit SHAs in multiple workflows.
  • Update reusable CI workflows (Linux/macOS/Windows, packaging, xUnit) to use pinned action references.
  • Update internal composite actions used by workflows to use pinned action references.

Reviewed changes

Copilot reviewed 16 out of 16 changed files in this pull request and generated 11 comments.

File Description
.github/workflows/xunit-tests.yml Pins checkout/setup-dotnet/upload-artifact for reusable xUnit workflow.
.github/workflows/windows-packaging-reusable.yml Pins checkout/setup-dotnet/upload-artifact for reusable Windows packaging workflow.
.github/workflows/windows-ci.yml Pins checkout in Windows CI jobs.
.github/workflows/verify-markdown-links.yml Pins checkout for markdown-link verification workflow.
.github/workflows/macos-ci.yml Pins checkout (and setup-dotnet in packaging job) for macOS CI workflow.
.github/workflows/linux-ci.yml Pins checkout across Linux CI and packaging jobs.
.github/workflows/labels.yml Pins checkout and github-script used to validate PR labels.
.github/workflows/copilot-setup-steps.yml Pins checkout for Copilot setup steps workflow.
.github/workflows/analyze-reusable.yml Pins setup-dotnet for reusable CodeQL workflow.
.github/actions/test/windows/action.yml Pins download-artifact and setup-dotnet used by Windows test composite action.
.github/actions/test/process-pester-results/action.yml Pins upload-artifact used for publishing Pester results.
.github/actions/test/nix/action.yml Pins download-artifact, setup-dotnet, and github-script used by nix test composite action.
.github/actions/test/linux-packaging/action.yml Pins setup-dotnet and upload-artifact used by Linux packaging composite action.
.github/actions/infrastructure/path-filters/action.yml Pins github-script used by path filter composite action.
.github/actions/infrastructure/get-changed-files/action.yml Pins github-script used by changed-files composite action.
.github/actions/build/ci/action.yml Pins setup-dotnet and upload-artifact used by CI build composite action.

steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
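Review bot: the `# v6.0.2` comment after the SHA is documentation only; nothing in the workflow checks that `de0fac2e4500dabe0009e67214ff5f5447ce83dd` is really the commit behind that tag, so verify it independently before merging (for example `git ls-remote --tags https://github.com/actions/checkout v6.0.2` and compare the peeled `^{}` object id with the pinned SHA) and keep the comment in sync on every future bump, since Dependabot's `github-actions` updater reads it to propose new pins.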

Copilot AI Apr 9, 2026

This change is not just pinning actions/checkout; it also upgrades from @v4 to the SHA for v6.0.2 (per the inline comment). For a release-branch hardening PR, consider pinning the commit that corresponds to the previously used major tag (v4) to minimize behavior changes, or update the PR description/risk/testing to explicitly cover the major-version upgrade.

steps:
- name: Checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

Copilot AI Apr 9, 2026

This workflow now pins actions/checkout to a commit labeled v6.0.2, which is a major-version upgrade from the previous @v5. If the intent is supply-chain hardening only, pin the commit for the existing major version instead; otherwise, the PR description should call out the upgrade and include validation for any behavior changes.

steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

Copilot AI Apr 9, 2026

This file replaces actions/checkout@v4.1.0 with a SHA annotated as v6.0.2, which is a major-version upgrade (not just tag hardening). On a release branch, it would be safer to pin the commit for the previously used version, or explicitly document/justify the upgrade and ensure CI coverage for the changed checkout behavior.

steps:
- name: checkout
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

Copilot AI Apr 9, 2026

This change upgrades actions/checkout to a commit annotated as v6.0.2 across the workflow (some jobs previously used v4/v5/v4.1.0). If the goal is only to pin existing tags, pin the commits matching the original versions to avoid introducing breaking changes into the release branch.

steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

Copilot AI Apr 9, 2026

This workflow pins actions/checkout to a SHA annotated as v6.0.2, which upgrades from the prior @v5. For a release branch backport focused on hardening, consider pinning the commit for the existing major version instead (or explicitly treat this as an action upgrade and adjust risk/testing accordingly).

# If you do not check out your code, Copilot will do this for you.
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

Copilot AI Apr 9, 2026

This workflow changes actions/checkout from @v5 to a SHA annotated as v6.0.2. If this PR is intended to only pin tags, it should pin the commit that corresponds to v5 instead; otherwise, please document that this is a major-version action upgrade and validate any behavior changes (especially since this runs for Copilot environment setup).

Comment on lines +21 to +25
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Verify PR has label starting with 'cl-'
id: verify-labels
uses: actions/github-script@v6
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
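Review bot: the `verify-labels` step is a merge gate, and this hunk moves it across two majors of `actions/github-script` (from `@v6` to the SHA annotated v8.0.0) while also pinning `actions/checkout` to the v6.0.2 commit; before relying on it, run this workflow on the release branch against one PR that carries a `cl-` label and one that does not, so that any incompatibility in the inline script shows up as a visible failure rather than as the gate silently passing unlabeled PRs.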

Copilot AI Apr 9, 2026

This workflow upgrades third-party actions while pinning them: actions/checkout goes from @v2 to a SHA annotated as v6.0.2, and actions/github-script goes from @v6 to a SHA annotated as v8.0.0. If the intent is supply-chain hardening only, pin the commits corresponding to the previously used majors; otherwise, call out these major upgrades explicitly and verify compatibility on the release branch.


- name: Setup .NET
uses: actions/setup-dotnet@v4
uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0

Copilot AI Apr 9, 2026

This step upgrades actions/setup-dotnet from @v4 to a SHA annotated as v5.2.0. If the goal is strictly to harden mutable tags, consider pinning the commit for the existing major version (v4) to avoid introducing a potentially breaking change on the release branch.


- name: Setup .NET
uses: actions/setup-dotnet@v4
uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0

Copilot AI Apr 9, 2026

This upgrades actions/setup-dotnet from @v4 to a SHA annotated as v5.2.0. For a release-branch hardening PR, it would be safer to pin the commit for the previously used major (v4) unless the action upgrade is intentional and validated.

with:
fetch-depth: 1000
- uses: actions/setup-dotnet@v4
- uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0

Copilot AI Apr 9, 2026

This step changes actions/setup-dotnet from @v4 to a SHA annotated as v5.2.0 (major-version upgrade). If the intent is tag hardening only, pin the v4 commit instead; otherwise, the PR description/risk/testing should explicitly cover the action upgrade on the release branch.

@daxian-dbw daxian-dbw merged commit f0926d8 into PowerShell:release/v7.5.6 Apr 9, 2026
43 checks passed
@daxian-dbw daxian-dbw deleted the backport/release/v7.5.6/27201-34375e905 branch April 9, 2026 22:34