[SINT-3848] 🔒 Pin GitHub Actions to specific SHA versions for enhanced security

[tobz]

🔒 Security Enhancement: GitHub Actions Pinning

📋 What This PR Does

This PR automatically pins GitHub Actions references from tag-based versions (e.g., @v4) to their corresponding SHA hashes (e.g., @abc123...) while preserving the original tag as a comment for readability.
No functional changes to your workflows - they'll work exactly the same way

🎯 Why This Matters

Supply Chain Security: Pinning GitHub Actions to specific SHA hashes prevents supply chain security and reliability risks because git tags are mutable and can be moved to point to different commits by malicious actors or maintainers, potentially introducing vulnerabilities or breaking changes into workflows.

🤖 Keep Actions Updated with Dependabot

Now that your actions are pinned to SHA hashes, you can enable Dependabot to automatically create PRs when new versions are available. Add this configuration to your repository:

Create or update .github/dependabot.yml:

# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      github-actions:
        patterns:
          - "*"
    open-pull-requests-limit: 10

This will:

• 🔄 Check for action updates weekly
• 📬 Create PRs automatically when newer versions are available
• 🏷️ Update both the SHA hash and the comment with the new tag
• 🎯 Keep your actions secure AND up-to-date

🤝 Questions or Concerns?

For any questions about this security enhancement, please reach out to the SDL Security team in the #sdlc-security Slack channel.

---

This PR was automatically generated by the GitHub Actions Pinning Tool as part of our ongoing security improvements.

[pr-commenter]

Binary Size Analysis (Agent Data Plane)

Target: 237d677 (baseline) vs 28ddc62 (comparison) diff
Baseline Size: 361.67 MiB
Comparison Size: 361.67 MiB
Size Change: +0 B (+0.00%)
Pass/Fail Threshold: +5%
Result: PASSED ✅

Changes by Module

Module	File Size	Symbols
anon.6963da505859e1c5d18d13cd64b99327.1.llvm.18346481645097822742	+130 B	1
anon.6963da505859e1c5d18d13cd64b99327.1.llvm.13927291151371000795	-130 B	1
anon.6963da505859e1c5d18d13cd64b99327.4.llvm.18346481645097822742	+115 B	1
anon.6963da505859e1c5d18d13cd64b99327.4.llvm.13927291151371000795	-115 B	1
anon.6963da505859e1c5d18d13cd64b99327.3.llvm.18346481645097822742	+109 B	1
anon.6963da505859e1c5d18d13cd64b99327.3.llvm.13927291151371000795	-109 B	1
anon.6963da505859e1c5d18d13cd64b99327.0.llvm.18346481645097822742	+97 B	1
anon.6963da505859e1c5d18d13cd64b99327.0.llvm.13927291151371000795	-97 B	1
anon.6963da505859e1c5d18d13cd64b99327.2.llvm.18346481645097822742	+95 B	1
anon.6963da505859e1c5d18d13cd64b99327.2.llvm.13927291151371000795	-95 B	1

Detailed Symbol Changes

    FILE SIZE        VM SIZE    
 --------------  -------------- 
  [NEW]    +130  [NEW]     +40    anon.6963da505859e1c5d18d13cd64b99327.1.llvm.18346481645097822742
  [NEW]    +115  [NEW]     +25    anon.6963da505859e1c5d18d13cd64b99327.4.llvm.18346481645097822742
  [NEW]    +109  [NEW]     +19    anon.6963da505859e1c5d18d13cd64b99327.3.llvm.18346481645097822742
  [NEW]     +97  [NEW]      +7    anon.6963da505859e1c5d18d13cd64b99327.0.llvm.18346481645097822742
  [NEW]     +95  [NEW]      +5    anon.6963da505859e1c5d18d13cd64b99327.2.llvm.18346481645097822742
  [DEL]     -95  [DEL]      -5    anon.6963da505859e1c5d18d13cd64b99327.2.llvm.13927291151371000795
  [DEL]     -97  [DEL]      -7    anon.6963da505859e1c5d18d13cd64b99327.0.llvm.13927291151371000795
  [DEL]    -109  [DEL]     -19    anon.6963da505859e1c5d18d13cd64b99327.3.llvm.13927291151371000795
  [DEL]    -115  [DEL]     -25    anon.6963da505859e1c5d18d13cd64b99327.4.llvm.13927291151371000795
  [DEL]    -130  [DEL]     -40    anon.6963da505859e1c5d18d13cd64b99327.1.llvm.13927291151371000795
  [ = ]       0  [ = ]       0    TOTAL

[pr-commenter]

Regression Detector (Agent Data Plane)

Regression Detector Results

Run ID: 296c0561-b3fc-4b72-a72f-be08e62830ef

Baseline: 237d677
Comparison: 28ddc62
Diff

Optimization Goals: ✅ Improvement(s) detected

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
✅	otlp_ingest_logs_adp	memory utilization	-9.09	[-9.52, -8.67]	1	(metrics) (profiles) (logs)

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	quality_gates_rss_idle	memory utilization	+0.25	[+0.21, +0.28]	1	(metrics) (profiles) (logs)
➖	quality_gates_rss_dsd_heavy	memory utilization	+0.03	[-0.11, +0.18]	1	(metrics) (profiles) (logs)
➖	dsd_uds_100mb_3k_contexts_throughput	ingress throughput	+0.00	[-0.02, +0.02]	1	(metrics) (profiles) (logs)
➖	dsd_uds_1mb_3k_contexts_throughput	ingress throughput	+0.00	[-0.06, +0.06]	1	(metrics) (profiles) (logs)
➖	dsd_uds_512kb_3k_contexts_throughput	ingress throughput	-0.00	[-0.05, +0.05]	1	(metrics) (profiles) (logs)
➖	dsd_uds_10mb_3k_contexts_throughput	ingress throughput	-0.01	[-0.20, +0.17]	1	(metrics) (profiles) (logs)
➖	quality_gates_rss_dsd_ultraheavy	ingress throughput	-0.04	[-0.11, +0.03]	1	(metrics) (profiles) (logs)
➖	quality_gates_rss_dsd_medium	memory utilization	-0.15	[-0.32, +0.01]	1	(metrics) (profiles) (logs)
➖	quality_gates_rss_dsd_low	memory utilization	-0.43	[-0.56, -0.29]	1	(metrics) (profiles) (logs)
➖	dsd_uds_500mb_3k_contexts_throughput	ingress throughput	-1.04	[-1.17, -0.92]	1	(metrics) (profiles) (logs)
➖	otlp_ingest_metrics_adp	memory utilization	-4.47	[-4.65, -4.29]	1
✅	otlp_ingest_logs_adp	memory utilization	-9.09	[-9.52, -8.67]	1	(metrics) (profiles) (logs)

Bounds Checks: ✅ Passed

perf	experiment	bounds_check_name	replicates_passed	links
✅	quality_gates_rss_dsd_heavy	memory_usage	10/10	(metrics) (profiles) (logs)
✅	quality_gates_rss_dsd_low	memory_usage	10/10	(metrics) (profiles) (logs)
✅	quality_gates_rss_dsd_medium	memory_usage	10/10	(metrics) (profiles) (logs)
✅	quality_gates_rss_dsd_ultraheavy	memory_usage	10/10	(metrics) (profiles) (logs)
✅	quality_gates_rss_idle	memory_usage	10/10	(metrics) (profiles) (logs)

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".