security(ci): pin third-party actions to commit SHAs #11

Open
skhaitan wants to merge 1 commit into main from security/step4-bundle3-pin-actions-to-sha
@skhaitan
Collaborator

Summary

Step 4 Bundle 3 — pin all third-party GitHub Actions to commit SHAs (replacing floating tags like @v4, @v7).

Why

Floating tags (@v4) point to a moving target. If the upstream action's v4 tag is repointed (by accident, by the maintainer, or by a stolen-PAT supply-chain attack), our workflows pick up the change on the next run with zero review. The 2025-03 tj-actions/changed-files incident is the canonical example — a stolen maintainer PAT repointed v35 at malicious code overnight, every consumer's workflows ran the payload.

SHA-pinning eliminates that vector. The trailing # vX comment keeps the version visible to humans.

What changed

Every uses: <owner>/<repo>@<vN> in .github/workflows/*.yml rewritten to uses: <owner>/<repo>@<sha> # vN.

The SHAs were resolved from the action repo's tag refs on 2026-05-15 via gh api repos/<owner>/<repo>/git/ref/tags/<tag> and recorded in /tmp/step4/pin-map.tsv (Sneha's local; included below for audit).

Resolved-tag manifest:

actions/cache                          @v4 → 0057852bfaa89a56745cba8c7296529d2fc39830
actions/checkout                       @v4 → 34e114876b0b11c390a56381ad16ebd13914f8d5
actions/create-github-app-token        @v1 → d72941d797fd3113feb6b93fd0dec494b13a2547
actions/github-script                  @v7 → f28e40c7f34bde8b3046d885e986cb6290c5673b
actions/setup-node                     @v4 → 49933ea5288caeca8642d1e84afbd3f7d6820020
actions/setup-python                   @v5 → a26af69be951a213d495a4c3e4e4022e16d87065
actions/upload-artifact                @v4 → ea165f8d65b6e75b540449e92b4886f43607fa02
ahmadnassri/action-workflow-queue      @v1 → 542658b3a8270cac81ae15d401b0d974732808ac
anthropics/claude-code-action          @v1 → 51ea8ea73a139f2a74ff649e3092c25a904aed7e
google-github-actions/auth             @v2 → c200f3691d83b41bf9bbd8638997a462592937ed
google-github-actions/setup-gcloud     @v2 → e427ad8a34f8676edf47cf7d7925499adf3eb74f

Driven by: SECURITY-WORKFLOWS-TEMPLATE-PLAN §"Pin third-party actions by commit SHA" and 2026-05-13 rival-review consensus (Gemini, OpenAI).

Test plan

  • CI: Gitleaks pass, scan-pr pass, Review new dependencies pass
  • Sample 1 workflow per repo and confirm the SHA in the file matches the manifest above

🤖 Generated with Claude Code
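
An added example, not part of this pull request or the repository's code: a check that flags floating refs, pins missing the version comment, and pins that disagree with a resolved-tag manifest. The function name, the manifest dictionary shape and the sample workflow are assumptions; the all-zero SHA is constructed to show a mismatch.

```python
import re

# Matches `uses: owner/repo[/path]@ref`, optionally followed by `# vN`.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)"
    r"@(?P<ref>[^\s'\"#]+)['\"]?(?:\s*#\s*(?P<tag>\S+))?"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Assumed manifest shape: (owner/repo, tag) -> commit SHA (values from the PR).
MANIFEST = {
    ("actions/checkout", "v4"): "34e114876b0b11c390a56381ad16ebd13914f8d5",
    ("actions/cache", "v4"): "0057852bfaa89a56745cba8c7296529d2fc39830",
}

# Constructed sample workflow; the zero SHA is deliberately wrong.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: actions/setup-node@v4
      - uses: actions/cache@0000000000000000000000000000000000000000 # v4
      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
      - uses: ./.github/actions/local
"""


def audit_workflow(text, manifest):
    """Return (line_no, action, problem) tuples for one workflow file."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue  # local (./...) and docker:// refs are out of scope
        action, ref, tag = m["action"], m["ref"], m["tag"]
        repo = "/".join(action.split("/")[:2])  # drop any action sub-path
        if not SHA_RE.match(ref):
            findings.append((no, action, f"floating ref @{ref}"))
        elif tag is None:
            findings.append((no, action, "pinned but missing version comment"))
        elif manifest.get((repo, tag)) != ref:
            findings.append((no, action, f"SHA differs from manifest for {tag}"))
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE, MANIFEST):
        print(*finding, sep=": ")
```
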
