
Pin all GitHub Actions to immutable SHA commits for supply chain security#5691

Merged
pelikhan merged 3 commits into
mainfrom
copilot/pin-remaining-github-actions
Dec 6, 2025

Conversation

Contributor

Copilot AI commented Dec 6, 2025

Pinned all GitHub Actions across 12 workflow files to SHA commits to prevent supply chain attacks via tag manipulation or repository compromise.

Changes

Workflow Files (54 actions pinned)

  • Replaced mutable version tags (@v5, @v6) with immutable SHA commits
  • Added version comments for maintenance: @<sha> # v5
  • Files: ci.yml, codeql.yml, close-old-bot-discussions.yml, copilot-setup-steps.yml, copilot.yml, docs.yml, format-and-commit.yml, install.yml, integration-agentics.yml, security-scan.yml, smoke-isolated-srt.yml, test-copilot-github-integration.yml

Example

# Before
- uses: actions/checkout@v5
- uses: actions/setup-go@v6

# After
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6

Documentation (specs/github-actions-security-best-practices.md)

  • Added 4 methods to retrieve SHA commits (git ls-remote, GitHub API, Web UI, automated script)
  • New "Maintaining Pinned Actions" section covering update procedures and automated tools (Dependabot, Renovate)
  • Commands to verify pinning status across workflows
  • Updated security checklist with documentation and testing requirements

SHA Retrieval

# Get SHA for any action version
git ls-remote https://github.com/actions/checkout refs/tags/v5
# Returns: 93cb6efe18208431cddfb8368fd83d5badbf9bfd refs/tags/v5

All non-.lock.yml workflow files now have 100% SHA-pinned actions.

Original prompt

This section details the original issue you should resolve

<issue_title>[plan] Pin the 2 remaining unpinned GitHub Actions to SHA commits</issue_title>
<issue_description>## Objective

Identify and pin the 2 remaining unpinned GitHub Actions to immutable SHA commits, achieving 100% action pinning across all workflow files.

Context

Currently 3,777 of 3,779 GitHub Actions are properly pinned (99.9%). The 2 remaining unpinned actions expose workflows to supply chain attacks via tag manipulation or repository compromise.

Approach

  1. Find unpinned actions:

    grep -r "uses:" .github/workflows/*.yml .github/workflows/*.yaml | grep -v "@[0-9a-f]\{40\}"
  2. For each unpinned action:

    • Identify the current version tag (e.g., v4.1.1)
    • Get the SHA commit: git ls-remote https://github.com/(owner)/(repo) (tag)
    • Replace: uses: actions/checkout@v4 → uses: actions/checkout@abc123... # v4.1.1
  3. Test all affected workflows to ensure they still function correctly

  4. Update documentation: Add a section to specs/github-actions-security-best-practices.md explaining:

    • Why SHA pinning is critical for supply chain security
    • How to find SHA commits for version tags
    • How to update pinned actions during maintenance

Files to Modify

  • .github/workflows/*.yml (workflow files with unpinned actions)
  • specs/github-actions-security-best-practices.md (add SHA pinning documentation)

Acceptance Criteria

  • All 2 unpinned actions identified and documented
  • All actions replaced with SHA-pinned versions with version comments
  • All affected workflows tested and verified functional
  • Documentation added to specs/github-actions-security-best-practices.md
  • 100% GitHub Actions pinning rate achieved (3,779/3,779)

Priority

High - This closes a critical supply chain security gap
Related to #5537

AI generated by Plan Command for discussion #5535

Comments on the Issue (you are @copilot in this section)


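A stricter form of the grep check in the issue's approach, added here as an example that is not part of this PR: a POSIX sh/awk audit that reads a workflow from stdin and classifies every uses: reference as UNPINNED (no 40-hex commit SHA), NOCOMMENT (pinned but missing the "# vX" annotation the PR adds) or OK, skipping local and docker:// actions. The sample workflow, the upload-artifact SHA in it and the function names are constructed for this example.

```shell
#!/bin/sh
# Constructed sample workflow (not from the repository). Only the checkout SHA is the
# real one quoted in the PR; the upload-artifact SHA is a made-up placeholder.
SAMPLE_WORKFLOW='jobs:
  build:
    steps:
      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - uses: actions/setup-go@v6
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - uses: "actions/cache@v4.1.1"
      - uses: actions/upload-artifact@1234567890abcdef1234567890abcdef12345678
'

# Classify each `uses:` line read from stdin. Output, one line per reference:
#   UNPINNED  <line>: <ref>   ref is not a full 40-hex commit SHA (tag, branch, short SHA)
#   NOCOMMENT <line>: <ref>   pinned to a SHA but lacks the "# vX" maintenance comment
#   OK        <line>: <ref>   pinned and commented
# Local (./path) and docker:// actions are skipped: they are not SHA-pinnable this way.
audit_pins() {
  awk '
    /^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/ {
      ref = $0
      sub(/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/, "", ref)
      commented = (ref ~ /#[[:space:]]*v?[0-9]/)          # "# v5" style annotation
      sub(/[[:space:]]*#.*$/, "", ref)                     # drop the trailing comment
      gsub(/["'\'']/, "", ref)                             # drop YAML quotes
      if (ref ~ /^\.\// || ref ~ /^docker:\/\//) next      # not SHA-pinnable
      n = split(ref, parts, "@"); sha = parts[n]
      # length() + hex class instead of {40}: some awks lack interval expressions
      if (n < 2 || length(sha) != 40 || sha !~ /^[0-9a-f]+$/) status = "UNPINNED"
      else if (!commented) status = "NOCOMMENT"
      else status = "OK"
      print status, NR ": " ref
    }'
}

# Number of references with the given status (UNPINNED, NOCOMMENT or OK); reads stdin.
# A CI gate is then: [ "$(cat wf.yml | count_status UNPINNED)" = 0 ] || exit 1
count_status() { audit_pins | awk -v s="$1" '$1 == s' | wc -l | tr -d ' '; }

# Demonstration on the sample: prints the classification of all five non-skipped refs.
printf '%s' "$SAMPLE_WORKFLOW" | audit_pins
```

Run it over real files with `cat .github/workflows/*.yml | audit_pins`; line numbers then refer to the concatenated stream, so pass one file at a time when you need exact locations.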

Copilot AI and others added 2 commits December 6, 2025 20:24
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Pin remaining unpinned GitHub Actions to SHA commits Pin all GitHub Actions to immutable SHA commits for supply chain security Dec 6, 2025
Copilot AI requested a review from pelikhan December 6, 2025 20:37
@pelikhan pelikhan marked this pull request as ready for review December 6, 2025 20:39
@pelikhan pelikhan merged commit 1733516 into main Dec 6, 2025
139 of 142 checks passed
@pelikhan pelikhan deleted the copilot/pin-remaining-github-actions branch December 6, 2025 20:53
This was referenced May 1, 2026
This was referenced May 11, 2026


Development

Successfully merging this pull request may close these issues.

[plan] Pin the 2 remaining unpinned GitHub Actions to SHA commits
