
[Security] Workflows should pin actions to commit SHA instead of version tags #466

@dekachiri

Description

The workflows in this repository reference GitHub Actions by version tag, which creates a supply chain security risk. Tags are mutable and can be force-pushed to point at a different commit, including by an attacker who gains write access to the action's repository.

Affected Files

Several workflow files in this repository use tag-based action references:

  • .github/workflows/publish.yml (lines 18, 26, etc.)
  • .github/workflows/ci.yml
  • .github/workflows/validate.yml
  • Other workflow files

Security Risk

As explained in this article, using tags instead of commit SHAs creates a supply chain security risk:

  1. Tags can be force-pushed to point to malicious code
  2. An attacker who compromises an action repository could inject malicious code into existing tags
  3. Workflows automatically use the compromised version on the next run
  4. This could lead to secret exfiltration, malicious builds, or supply chain attacks

Proposed Solution

Pin all actions to commit SHAs with version comments:

Before:

```yaml
- name: Checkout
  uses: actions/checkout@v4

- name: Docker meta
  uses: docker/metadata-action@v5
```

After:

```yaml
- name: Checkout
  uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Docker meta
  uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
```
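To make the proposal checkable rather than a one-off manual edit, here is an added example (not code from this repository or from the issue author) of a small audit-and-rewrite script. It scans workflow text for `uses:` lines, reports every remote action that is referenced by a mutable ref (a tag or branch) instead of a 40-hex commit SHA, and rewrites the ones for which a reviewer has supplied a SHA plus version comment. The sample workflow and the `example-org/pinned-action` and `some-org/some-action` names are constructed for the demonstration; the two SHAs in `PINS` are the ones quoted in this issue. The script deliberately does not resolve tags to SHAs over the network: each SHA should be looked up and verified against the upstream release by the person doing the pinning, then recorded in `PINS`, so the change stays explicit and reviewable.

```python
import re
from typing import Dict, List, Tuple

# Matches a workflow step's "uses:" line and captures the action reference.
USES_RE = re.compile(r"^(?P<prefix>\s*-?\s*uses:\s*)(?P<ref>[^\s#]+)(?P<rest>.*)$")
# A full 40-hex-character commit SHA is the only immutable reference form.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not a file from the repository).
SAMPLE_WORKFLOW = """\
name: publish
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Docker meta
        uses: docker/metadata-action@v5
      - name: Already pinned (placeholder SHA, constructed)
        uses: example-org/pinned-action@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v1.0.0
      - name: Local action (no git ref to pin)
        uses: ./.github/actions/lint
      - name: Branch ref (mutable, hypothetical action)
        uses: some-org/some-action@main
"""

# Reviewer-supplied pins: 'owner/repo@tag' -> (commit_sha, version_label).
# These two SHAs are the values quoted in the issue text.
PINS: Dict[str, Tuple[str, str]] = {
    "actions/checkout@v4": ("b4ffde65f46336ab88eb53be808477a3936bae11", "v4.1.1"),
    "docker/metadata-action@v5": ("8e5442c4ef9f78752691e2d8f8d19755c6f78e81", "v5.5.1"),
}


def split_ref(ref: str) -> Tuple[str, str]:
    """Split 'owner/repo[/path]@ref' into (action, git_ref).
    Local ('./x') and docker:// references carry no git ref."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return ref, ""
    action, _, git_ref = ref.partition("@")
    return action, git_ref


def is_pinned(git_ref: str) -> bool:
    """True only for a full lowercase 40-hex commit SHA."""
    return bool(SHA_RE.match(git_ref))


def find_unpinned(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, action, git_ref) for every remote action that is
    referenced by a tag or branch rather than a commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, git_ref = split_ref(m.group("ref"))
        if git_ref == "":  # local or docker action: nothing to pin
            continue
        if not is_pinned(git_ref):
            findings.append((lineno, action, git_ref))
    return findings


def pin_workflow(workflow_text: str, pins: Dict[str, Tuple[str, str]]) -> str:
    """Rewrite mutable refs that appear in `pins` as '<sha> # <label>'.
    Refs absent from the map are left untouched and still show up in
    find_unpinned(), so nothing is silently resolved."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            action, git_ref = split_ref(m.group("ref"))
            key = f"{action}@{git_ref}"
            if git_ref and not is_pinned(git_ref) and key in pins:
                sha, label = pins[key]
                if not is_pinned(sha):
                    raise ValueError(f"pin for {key} is not a 40-hex SHA")
                # Any existing trailing comment is replaced by the version label.
                line = f"{m.group('prefix')}{action}@{sha} # {label}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref} is not pinned to a commit SHA")
    print(pin_workflow(SAMPLE_WORKFLOW, PINS))
```

Running `find_unpinned` again over the rewritten text is the useful check: after pinning, only `some-org/some-action@main` should remain, because no SHA was supplied for it. In CI this can be wired as a failing step whenever the list is non-empty, which is what keeps the repository from regressing once the workflows are pinned.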
