fix: pin GitHub Actions to immutable SHA hashes to prevent supply chain attacks

[simonkurtz-MSFT]

Pull Request Checklist

• I have read and followed the CONTRIBUTING.md guidelines.
• I have read and followed the Guidance for submissions involving paid services.
• My contribution adds a new instruction, prompt, agent, skill, or workflow file in the correct directory.
• The file follows the required naming convention.
• The content is clearly structured and follows the example format.
• I have tested my instructions, prompt, agent, skill, or workflow with GitHub Copilot.
• I have run npm start and verified that README.md is up to date.

---

Description

Mutable tag references (@v4, @main, @latest) in GitHub Actions are a supply chain attack vector — a tag can be silently moved to a malicious commit by anyone with write access to the action's repo. Replaces all such references with full commit SHAs plus human-readable version comments across workflow files and documentation.

Fixes #909

Before:

uses: actions/checkout@v4
uses: github/gh-aw/actions/setup-cli@main

After:

uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
uses: github/gh-aw/actions/setup-cli@f7437f4f94c2bc86e7e6eca0f374e303e98bd66c # v0.61.1

Workflow files (.github/workflows/)

• Pinned all action references in 10 workflow files to full 40-character commit SHAs
• Actions updated: actions/checkout, actions/setup-node, actions/github-script, actions/configure-pages, actions/upload-pages-artifact, actions/deploy-pages, marocchino/sticky-pull-request-comment, peter-evans/create-pull-request, codespell-project/actions-codespell, github/gh-aw/actions/setup-cli

Documentation & instructions

• instructions/github-actions-ci-cd-best-practices.instructions.md: Strengthened guidance to require SHA pinning (not just recommend it), added supply chain attack rationale, updated all code examples with real SHAs
• agents/github-actions-expert.agent.md: Changed Action Pinning recommendation from "use @v4 for balance" to requiring full SHA; updated checklist and best practices summary
• agents/se-gitops-ci-specialist.agent.md: Updated all inline workflow examples to use SHA-pinned references

---

Type of Contribution

• New instruction file.
• New prompt file.
• New agent file.
• New plugin.
• New skill file.
• New agentic workflow.
• Update to existing instruction, prompt, agent, plugin, skill, or workflow.
• Other (please specify):

---

Additional Notes

Auto-generated .lock.yml files were intentionally excluded — those are machine-managed and not subject to manual pinning.

---

By submitting this pull request, I confirm that my contribution abides by the Code of Conduct and will be licensed under the MIT License.

[Copilot]

Pull request overview

Pins GitHub Actions uses: references to immutable commit SHAs (with readable version comments) to reduce supply-chain risk from mutable tags/branches, and updates the repo’s CI/CD guidance to require SHA pinning.

Changes:

• Updated multiple .github/workflows/*.yml files to use full commit SHAs instead of mutable refs like @v* / @main.
• Strengthened GitHub Actions guidance (instructions + agents) to require SHA pinning and explain the rationale.
• Updated workflow examples across docs/agents to reflect SHA-pinned action usage.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
instructions/github-actions-ci-cd-best-practices.instructions.md	Updates workflow examples and guidance to require SHA pinning; adds supply-chain rationale.
agents/github-actions-expert.agent.md	Tightens “Action Pinning” guidance to require full SHAs and updates checklist/summary text.
agents/se-gitops-ci-specialist.agent.md	Updates embedded workflow snippets to use SHA-pinned actions.
.github/workflows/validate-readme.yml	Pins checkout/setup-node/sticky-comment actions to SHAs.
.github/workflows/validate-agentic-workflows-pr.yml	Pins checkout/setup-cli/sticky-comment actions to SHAs.
.github/workflows/publish.yml	Pins checkout/setup-node to SHAs.
.github/workflows/deploy-website.yml	Pins checkout/setup-node/pages actions to SHAs.
.github/workflows/copilot-setup-steps.yml	Pins checkout to a SHA.
.github/workflows/contributors.yml	Pins checkout/setup-node/create-pull-request to SHAs.
.github/workflows/codespell.yml	Pins checkout/codespell action to SHAs.
.github/workflows/check-pr-target.yml	Pins github-script to a SHA.
.github/workflows/check-plugin-structure.yml	Pins checkout/github-script to SHAs.
.github/workflows/check-line-endings.yml	Pins checkout to a SHA.

[simonkurtz-MSFT]

The 1P actions upload-artifact and download-artifact have been updated to latest major versions. The previous versions relied on Node 20 which is in maintenance and should be EOL next month. The latest versions use latest LTS (24).

Node.js Releases

[simonkurtz-MSFT]

Hi @aaronpowell & @brunoborges, could you please kick off the PR target branch check again? I changed it from main to staged. Thank you!

[aaronpowell]

Since you branched from the main branch not staged, and as a result all the materialised plugins are included in this PR.

You can attempt to fix this with a rebase:

git fetch origin staged
git rebase --onto origin/staged origin/main <branch name>
git push --force-with-lease

If that does not resolve it, you can run npm run plugin:clean which will delete the materialised plugins and you can commit that change.

[simonkurtz-MSFT]

Hi @aaronpowell & @brunoborges, I fixed this up. Fortunately, a squash-merge makes my initial mistakes go away. =)