Pin GitHub Actions to commit SHAs for supply chain security

## Description

Currently, most workflows in this repository use floating major-version tags for GitHub Actions (e.g., `actions/checkout@v4`, `actions/setup-node@v3`). While convenient, this approach poses a supply chain security risk: a tag can be force-pushed by the action author (or a compromised account), potentially introducing malicious code into our CI/CD pipelines.

## Proposed Solution

Pin all GitHub Action references to their full commit SHAs with inline comments indicating the version:

```yaml
# Instead of:
uses: actions/checkout@v4

# Use:
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.2.2
```

## Benefits

- **Immutability**: Commit SHAs cannot be altered, ensuring the exact code is executed
- **Transparency**: Version comments maintain readability
- **Security**: Eliminates risk of tag-based supply chain attacks

## Scope

This affects multiple workflow files in `.github/workflows/`:
- `template-sync.yml`
- And other workflow files across the repository

## References

- Related discussion: https://github.com/AOSSIE-Org/Template-Repo/pull/74#discussion_r2835914445
- Requested by: @kpj2006

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Pin GitHub Actions to commit SHAs for supply chain security #75

Description

Proposed Solution

Benefits

Scope

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Pin GitHub Actions to commit SHAs for supply chain security #75

Description

Description

Proposed Solution

Benefits

Scope

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions