security: pin all actions to commit SHAs (SECCMP-1797)

SameeraPriyathamTadikonda · Copilot · SameeraPriyathamTadikonda · commit 500c96b7bbfd · 2026-04-08T16:18:03.000-07:00
Pin actions/checkout@v4, actions/setup-python@v4, and actions/github-script@v7
to immutable commit SHAs to prevent supply chain attacks.

- actions/checkout -&gt; 34e114876b0b11c390a56381ad16ebd13914f8d5
- actions/setup-python -&gt; 7f4fc3e22c37d6ff65e88745f38bd3157c663f7c
- actions/github-script -&gt; f28e40c7f34bde8b3046d885e986cb6290c5673b

Note: reverts accidental regression introduced in prior SHA-pin attempt that
inadvertently reverted pull_request_target trigger, refs/pull/N/head checkout
ref, pull-requests: read permission, and --files-from-stdin argument safety.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/.github/workflows/copyright-check.yml b/.github/workflows/copyright-check.yml
@@ -28,14 +28,14 @@ jobs:
 
     steps:
     - name: Checkout PR head
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       with:
         ref: refs/pull/${{ github.event.pull_request.number }}/head
         path: target-repo
         persist-credentials: false
 
     - name: Checkout pr-workflows repo
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       with:
         repository: ${{ github.repository_owner }}/pr-workflows
         ref: main
@@ -61,7 +61,7 @@ jobs:
         echo "config-file=$cfg" >> $GITHUB_OUTPUT
 
     - name: Set up Python
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4
       with:
         python-version: '3.11'
 
@@ -112,7 +112,7 @@ jobs:
       # pull_request_target (org ruleset): token is read-only for the triggering repo —
       # createComment/updateComment will 403. Skip and rely on Job Summary instead.
       if: always() && steps.changed-files.outputs.skip-validation != 'true' && github.event_name == 'workflow_call'
-      uses: actions/github-script@v7
+      uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
       env:
         VALIDATION_STATUS: ${{ steps.validate.outputs.status }}
       with:
