
fix: Pin GitHub Actions to full SHA hashes #1

Merged
Desperado merged 1 commit into Quality-Max:main from itinance:fix/pin-ci-actions-to-sha
Mar 26, 2026

Conversation

@itinance
Contributor

Summary

This PR replaces mutable version tags with immutable commit SHA references for all GitHub Actions used in the CI workflow.

Problem

The current workflow uses mutable version tags for GitHub Actions:

- uses: actions/checkout@v4
- uses: actions/setup-python@v5

Version tags like v4 and v5 are Git tags that can be moved at any time — by the repository owner, a maintainer with write access, or an attacker who gains access to the upstream repository. This is a well-documented supply chain attack vector:

  • An attacker who compromises the actions/checkout repository could move the v4 tag to point to a malicious commit.
  • Every downstream repository using @v4 would silently execute the attacker's code on the next CI run.
  • This attack has precedent: the codecov/codecov-action supply chain attack demonstrated how compromised CI actions can exfiltrate secrets.

This is especially relevant for a supply chain security scanner — the tool designed to detect supply chain attacks should itself be hardened against them.

Fix

Pin all GitHub Actions to their full commit SHAs:

- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5

Commit SHAs are cryptographic hashes (SHA-1) of the exact commit content. They cannot be moved or tampered with without changing the hash, making them immutable references.

The version tag is preserved in a trailing comment (# v4) for human readability and to simplify future version upgrades.

OWASP Reference

  • A08:2021 – Software and Data Integrity Failures: Using unverified CI/CD components without integrity checks.

How to Update

When upgrading to a new action version in the future, look up the commit SHA for the new tag:

gh api repos/actions/checkout/git/ref/tags/v5 --jq '.object.sha'
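Added example, not code from the PR or the project: a POSIX shell helper that audits a workflow for `uses:` references not pinned to a 40-hex commit SHA, rewrites a line to the pinned form with the tag kept as a trailing comment, and resolves a tag to its commit SHA via `gh api`, dereferencing annotated tags (for which `git/ref/tags/<tag>` points at a tag object rather than the commit). Function names and the sample workflow are constructed for this example.

```shell
#!/usr/bin/env sh
# Added helper, not part of the PR or the project. Function names and the
# sample workflow below are constructed for this example.

# Print a small constructed workflow fragment: one pinned reference, two
# mutable ones, and two references outside the tag-pinning model.
constructed_sample() {
  printf '%s\n' \
    '      - uses: actions/checkout@v4' \
    '      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5' \
    '      - uses: ./.github/actions/local' \
    '      - uses: docker://alpine:3.19' \
    '      - uses: actions/cache@main'
}

# Read a workflow on stdin; print every `uses:` line whose reference is not a
# 40-hex commit SHA. Return 1 if any were found, 0 otherwise. Local (./) and
# docker:// references are not Git tags and are skipped.
audit_pins() {
  unpinned=0
  while IFS= read -r line; do
    case "$line" in *uses:*) ;; *) continue ;; esac
    ref=$(printf '%s' "$line" | sed -n 's/.*uses:[[:space:]]*\([^[:space:]#]*\).*/\1/p')
    case "$ref" in ./*|docker://*) continue ;; esac
    sha=${ref#*@}
    if [ "$sha" = "$ref" ] || ! printf '%s' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then
      printf 'UNPINNED: %s\n' "$line"
      unpinned=1
    fi
  done
  return $unpinned
}

# Rewrite one `uses: owner/repo@<tag>` line to `uses: owner/repo@<sha> # <tag>`,
# keeping the tag as a trailing comment the way the PR does.
pin_line() {  # $1 = workflow line, $2 = commit SHA
  tag=$(printf '%s' "$1" | sed -n 's/.*uses:[[:space:]]*[^@[:space:]]*@\([^[:space:]#]*\).*/\1/p')
  printf '%s\n' "$1" | sed "s|@$tag|@$2 # $tag|"
}

# Resolve a tag to the commit it points at (needs `gh` and network access).
# For an annotated tag, git/ref/tags/<tag> returns the tag *object*, so one
# more lookup via git/tags/<sha> is needed to reach the commit itself.
resolve_tag_sha() {  # $1 = owner/repo, $2 = tag
  obj=$(gh api "repos/$1/git/ref/tags/$2" --jq '.object.type + " " + .object.sha') || return 1
  type=${obj%% *}; sha=${obj#* }
  if [ "$type" = "tag" ]; then
    sha=$(gh api "repos/$1/git/tags/$sha" --jq '.object.sha') || return 1
  fi
  printf '%s\n' "$sha"
}
```

Running `cat .github/workflows/ci.yml | audit_pins` in CI itself turns the pinning policy into a check that fails the build when a mutable reference is reintroduced.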

…tacks

Replace mutable version tags (v4, v5) with immutable commit SHA references
for all GitHub Actions used in CI workflow. Version tags are mutable and can
be moved by the repository owner (or an attacker who compromises the repo),
whereas commit SHAs are cryptographic and immutable.
@Desperado
Contributor

Great first contribution — a supply chain scanner should practice what it preaches. Thanks Hagen!

@Desperado Desperado merged commit 2725961 into Quality-Max:main Mar 26, 2026