chore: pin GitHub Actions to commit SHAs

[slawomirbabicz]

Pin GitHub Actions to commit SHAs

GitHub Actions referenced by tag (e.g. actions/checkout@v4) use a mutable pointer — the tag owner can move it to a different commit at any time, including a malicious one. This is the attack vector used in the tj-actions/changed-files incident (CVE-2025-30066).

Pinning to a full 40-character commit SHA makes the reference immutable. The # tag comment preserves human readability so reviewers can tell which version is pinned.

Important: a SHA can also originate from a forked repository. A malicious actor can fork an action, push a compromised commit to the fork, and the SHA will resolve — but it won't exist in the upstream canonical repo. Each SHA in this PR was verified against the action's canonical repository (not a fork).

Changes

• actions/checkout@v6 -> actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

  • Version: v6.0.2 | Latest: v6.0.2 | Release age: 88d
  • Commit: actions/checkout@de0fac2

• actions-rust-lang/audit@v1 -> actions-rust-lang/audit@72c09e02f132669d52284a3323acdb503cfc1a24 # v1.2.7

  • Version: v1.2.7 | Latest: v1.2.7 | Release age: 92d
  • Commit: actions-rust-lang/audit@72c09e0

• actions/create-github-app-token@v3 -> actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3

  • Version: v3 | Latest: v3.0.0 | Release age: 25d
  • Commit: actions/create-github-app-token@f8d387b

• actions/upload-artifact@v7 -> actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7

  • Version: v7 | Latest: v3.2.2 | Release age: 22d
  • Commit: actions/upload-artifact@bbbca2d

• EmbarkStudios/cargo-deny-action@v2 -> EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2.0.15

  • Version: v2.0.15 | Latest: v2.0.15 | Release age: 90d
  • Commit: EmbarkStudios/cargo-deny-action@3fd3802

• dorny/paths-filter@v4 -> dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1

  • Version: v4.0.1 | Latest: v4.0.1 | Release age: 21d
  • Commit: dorny/paths-filter@fbd0ab8

• actions-rust-lang/setup-rust-toolchain@v1 -> actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1.15.4

  • Version: v1.15.4 | Latest: v1.15.4 | Release age: 24d
  • Commit: actions-rust-lang/setup-rust-toolchain@150fca8

• actions/download-artifact@v8 -> actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1

  • Version: v8.0.1 | Latest: v3.1.0-node20 | Release age: 22d
  • Commit: actions/download-artifact@3e5f45b
  • Warnings: 1 security advisory(ies) found, Action has 1 known advisory(ies)

• actions/cache@v5 -> actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4

  • Version: v5.0.4 | Latest: v5.0.4 | Release age: 20d
  • Commit: actions/cache@6682284

• actions/setup-python@v6 -> actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0

  • Version: v6.2.0 | Latest: v6.2.0 | Release age: 76d
  • Commit: actions/setup-python@a309ff8

• JamesIves/github-pages-deploy-action@v4 -> JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f # v4.8.0

  • Version: v4.8.0 | Latest: v4.8.0 | Release age: 88d
  • Commit: JamesIves/github-pages-deploy-action@d92aa23

• rust-lang/crates-io-auth-action@v1 -> rust-lang/crates-io-auth-action@b7e9a28eded4986ec6b1fa40eeee8f8f165559ec # v1

  • Version: v1 | Latest: v1.0.4 | Release age: 15d
  • Commit: rust-lang/crates-io-auth-action@b7e9a28

• svenstaro/upload-release-action@v2 -> svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # 2.11.5

  • Version: 2.11.5 | Latest: 2.11.5 | Release age: 22d
  • Commit: svenstaro/upload-release-action@29e53e9

• actions/github-script@v8 -> actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8

  • Version: v8 | Latest: v8 | Release age: 215d
  • Commit: actions/github-script@ed59741

Files modified

• .github/workflows/audit.yml
• .github/workflows/broadcast-frontend-hash.yml
• .github/workflows/build-frontend-canister.yml
• .github/workflows/deny.yml
• .github/workflows/e2e.yml
• .github/workflows/fmt.yml
• .github/workflows/lint.yml
• .github/workflows/publish-manifest.yml
• .github/workflows/publish.yml
• .github/workflows/release.yml
• .github/workflows/shellcheck.yml
• .github/workflows/unit.yml
• .github/workflows/update-docs.yml
• .github/workflows/update-ic-did.yml
• .github/workflows/update-motoko.yml
• .github/workflows/update-replica-version.yml

Security warnings

• 1 security advisory(ies) found
• Action has 1 known advisory(ies)