
COPP-8737: Pin third-party actions#263

Open
Lachlan Kidson (lachlankidson) wants to merge 2 commits into main from turbolift-pin-third-party-actions

Conversation


@lachlankidson Lachlan Kidson (lachlankidson) commented Feb 2, 2026

COPP-8737

This PR uses pinact to pin all third-party actions to a specific hash as part of our Zizmor rollout. This is a necessary security precaution for preventing supply-chain attacks. See zizmor/unpinned-uses for more details.

What do I need to do?

These PRs should "just work" - an action pinned by a commit ID is functionally equivalent to one pinned by a tag as long as the tag hasn't been fiddled with after the initial release.

How can I be sure of these changes?

You can check that the tags match the commit ID via the releases page of any given action.

In the future, when we enable Zizmor on all repositories, you will get warning annotations on PRs if the hash does not match the version comment; see zizmor/ref-version-mismatch for more details.

If you'd like to opt-in to this behaviour early please see Getting started with zizmor on your repos.

How do I maintain these pins going forwards?

Automatically:

Manually:

  • Pinact can be used to programmatically convert tags to commit pins.
  • Tag and commit IDs can be found via the GitHub release pages of any actions.

How this change was made

A list of repositories was created by performing a code search against the current actions allowlist, pinact was then applied:

GITHUB_TOKEN=$(gh auth token) turbolift foreach -- pinact run -fix -diff -e "^[Ss]kyscanner/.*" -e "^actions/.*"

This PR was generated using turbolift.
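Added example, not part of the PR and not pinact's or zizmor's own code: a small POSIX shell audit that approximates the two zizmor checks the description refers to. `unpinned_refs` reports every `uses:` reference that is not pinned to a full 40-hex-character commit SHA, `pins_without_comment` reports SHA pins that lack the `# vX.Y.Z` comment pinact writes, and `resolve_tag` shows how to confirm a tag really points at the pinned commit with the GitHub API (that one needs network access and `gh`; it is not run by the sample). The workflow file, action names and SHAs in the sample are constructed placeholders, not real pins.

```shell
#!/bin/sh
# Added example: hand-rolled approximation of zizmor's unpinned-uses and
# ref-version-mismatch checks. Not the PR's, pinact's or zizmor's code.
# Assumes POSIX sh with grep -E and sed -E available.

# Print "LINE:REF" for each `uses:` in FILE that is not pinned to a 40-hex commit
# SHA. Local actions (./path) and container images (docker://) have no SHA to pin
# and are skipped; a reference with no '@' at all is reported.
unpinned_refs() {
  grep -nE '^[[:space:]]*-?[[:space:]]*uses:' "$1" |
  sed -E 's/^([0-9]+):[[:space:]]*-?[[:space:]]*uses:[[:space:]]*"?([^"#[:space:]]+).*/\1:\2/' |
  while IFS=: read -r lineno ref; do
    case $ref in
      ./*|docker://*) continue ;;
      *@*) ;;
      *) echo "$lineno:$ref"; continue ;;
    esac
    # Everything after the last '@' must be a full commit SHA, not a tag/branch.
    if ! printf '%s\n' "${ref##*@}" | grep -qE '^[0-9a-f]{40}$'; then
      echo "$lineno:$ref"
    fi
  done
}

# Print "LINE:REF" for SHA-pinned references with no trailing "# vX" comment;
# without it a reviewer cannot tell which release the hash is meant to be.
pins_without_comment() {
  grep -nE 'uses:[[:space:]]*"?[^"#[:space:]]+@[0-9a-f]{40}"?[[:space:]]*$' "$1" |
  sed -E 's/^([0-9]+):.*uses:[[:space:]]*"?([^"#[:space:]]+).*/\1:\2/'
}

# Return 0 when FILE is fully pinned and every pin carries a version comment.
check_pins() {
  [ -z "$(unpinned_refs "$1")" ] && [ -z "$(pins_without_comment "$1")" ]
}

# Resolve OWNER/REPO TAG to its commit SHA through the GitHub API (needs network
# and the gh CLI). GET /repos/{owner}/{repo}/commits/{ref} dereferences annotated
# tags, so the output can be compared directly with the hash in the workflow.
resolve_tag() {   # usage: resolve_tag actions/checkout v4.2.2
  gh api "repos/$1/commits/$2" --jq .sha
}

# Constructed sample workflow; the SHAs are placeholders, not real pins.
write_sample() {
  cat >"$1" <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: docker/setup-buildx-action@v3
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
      - uses: "golangci/golangci-lint-action@main"
      - uses: helm/kind-action@0123456789abcdef0123456789abcdef01234567
EOF
}

# Stand-alone run: audit the sample and report what a PR reviewer would see.
SAMPLE=$(mktemp)
write_sample "$SAMPLE"
echo "unpinned references:";        unpinned_refs "$SAMPLE"
echo "pins missing version comment:"; pins_without_comment "$SAMPLE"
check_pins "$SAMPLE" || echo "sample workflow is NOT fully pinned"
rm -f "$SAMPLE"
```

Run it against a real repository with `for f in .github/workflows/*.y*ml; do check_pins "$f" || echo "$f needs pinning"; done`. The checks are line-based and deliberately stricter than YAML semantics (a `uses:` inside a comment block would be flagged too); zizmor remains the authoritative audit, this is only a quick local pre-flight.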

Copilot AI review requested due to automatic review settings February 2, 2026 16:16

Copilot AI left a comment


Pull request overview

This PR pins all third-party GitHub Actions to specific commit hashes as a security measure to prevent supply-chain attacks. Each action reference is updated to use a commit SHA followed by a version tag comment for traceability.

Changes:

  • Replaced version tags with commit hashes for all third-party actions across GitHub workflows
  • Added version tag comments (e.g., # v2.10.0) after each commit hash for reference

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

File                                  Description
.github/workflows/test-build.yml      Pinned Docker setup, metadata, login, and build-push actions to commit hashes
.github/workflows/release.yml         Pinned Docker-related actions to commit hashes for release workflow
.github/workflows/release-drafter.yml Pinned release-drafter action to commit hash
.github/workflows/helm.yml            Pinned Helm setup, chart-testing, and kind-action to commit hashes
.github/workflows/e2e.yaml            Pinned kind-action to commit hash for E2E testing
.github/workflows/code-quality.yml    Pinned CodeQL and golangci-lint actions to commit hashes
