chore: pin GitHub Actions to commit SHAs

[slawomirbabicz]

Pin GitHub Actions to commit SHAs

GitHub Actions referenced by tag (e.g. actions/checkout@v4) use a mutable pointer — the tag owner can move it to a different commit at any time, including a malicious one. This is the attack vector used in the tj-actions/changed-files incident (CVE-2025-30066).

Pinning to a full 40-character commit SHA makes the reference immutable. The # tag comment preserves human readability so reviewers can tell which version is pinned.

Important: a SHA can also originate from a forked repository. A malicious actor can fork an action, push a compromised commit to the fork, and the SHA will resolve — but it won't exist in the upstream canonical repo. Each SHA in this PR was verified against the action's canonical repository (not a fork).

Changes

• actions/checkout@v4 -> actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

  • Version: v4.3.1 | Latest: v6.0.2 | Release age: 88d
  • Commit: actions/checkout@34e1148

• docker/login-action@v3 -> docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0

  • Version: v3.7.0 | Latest: v4.1.0 | Release age: 35d
  • Commit: docker/login-action@c94ce9f
  • Warnings: Latest release v4.1.0 is only 5 day(s) old (< 7 days). Using previous safe release.

• bazelbuild/setup-bazelisk@v3 -> bazelbuild/setup-bazelisk@b39c379c82683a5f25d34f0d062761f62693e0b2 # v3

  • Version: v3 | Latest: v3.0.0 | Release age: 795d
  • Commit: bazelbuild/setup-bazelisk@b39c379

• dtolnay/rust-toolchain@master -> dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master

  • Version: master | Latest: v1 | Release age: 1362d
  • Commit: dtolnay/rust-toolchain@3c5f7ea

• actions/upload-artifact@v4 -> actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2

  • Version: v4.6.2 | Latest: v3.2.2 | Release age: 22d
  • Commit: actions/upload-artifact@ea165f8

• actions/create-github-app-token@v2 -> actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2

  • Version: v2.2.2 | Latest: v3.0.0 | Release age: 25d
  • Commit: actions/create-github-app-token@fee1f7d

• actions/download-artifact@v4 -> actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0

  • Version: v4.3.0 | Latest: v3.1.0-node20 | Release age: 22d
  • Commit: actions/download-artifact@d3f86a1
  • Warnings: 1 security advisory(ies) found, Action has 1 known advisory(ies)

• peter-evans/create-pull-request@v7 -> peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11

  • Version: v7.0.11 | Latest: v8.1.0 | Release age: 77d
  • Commit: peter-evans/create-pull-request@22a9089

• dawidd6/action-download-artifact@v11 -> dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11

  • Version: v11 | Latest: v20 | Release age: 21d
  • Commit: dawidd6/action-download-artifact@ac66b43
  • Warnings: Latest release v20 is only 5 day(s) old (< 7 days). Using previous safe release., 1 security advisory(ies) found, Action has 1 known advisory(ies)

• chinthakagodawita/autoupdate@v1.7.0 -> chinthakagodawita/autoupdate@0707656cd062a3b0cf8fa9b2cda1d1404d74437e # v1.7.0

  • Version: v1.7.0 | Latest: v1.7.0 | Release age: 1109d
  • Commit: chinthakagodawita/autoupdate@0707656

• lewagon/wait-on-check-action@v1.3.4 -> lewagon/wait-on-check-action@ccfb013c15c8afb7bf2b7c028fb74dc5a068cccc # v1.3.4

  • Version: v1.3.4 | Latest: v1.6.1 | Release age: 10d
  • Commit: lewagon/wait-on-check-action@ccfb013
  • Warnings: Latest release v1.6.1 is only 2 day(s) old (< 7 days). Using previous safe release.

Files modified

• .github/workflows/build-runner.yaml
• .github/workflows/clean-bazel-caches.yaml
• .github/workflows/dashboard.yaml
• .github/workflows/dre-release.yaml
• .github/workflows/main.yaml
• .github/workflows/msd-diff.yaml
• .github/workflows/pull-request-update.yaml
• .github/workflows/release-controller.yaml
• .github/workflows/release.yaml
• .github/workflows/required-checks.yaml
• .github/workflows/trusted-neurons-alerts.yaml
• .github/workflows/update-dependencies.yaml

Security warnings

• Latest release v4.1.0 is only 5 day(s) old (< 7 days). Using previous safe release.
• 1 security advisory(ies) found
• Action has 1 known advisory(ies)
• Latest release v20 is only 5 day(s) old (< 7 days). Using previous safe release.
• Latest release v1.6.1 is only 2 day(s) old (< 7 days). Using previous safe release.