chore: pin GitHub Actions to commit shas BED-7914 #214

Merged: lrfalslev merged 3 commits into 2.X from lfalslev/bed-7914 on Apr 16, 2026

lrfalslev (Contributor) commented Apr 14, 2026

Description

Updates actions to latest versions and pins them by git commit SHA for security hardening

Motivation and Context

This PR addresses: BED-7914

How Has This Been Tested?

Manually verified commit SHAs. Pipelines still pass.

Screenshots (if appropriate):

Types of changes

  • Chore (a change that does not modify the application functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

Summary by CodeRabbit

  • Chores
    • Updated CI workflows to pin third-party actions to immutable commit SHAs (replacing version tags) and applied minor workflow formatting fixes; no functional changes to build, publish, or CLA behavior.

lrfalslev self-assigned this Apr 14, 2026

coderabbitai Bot commented Apr 14, 2026

Walkthrough

Updated GitHub Actions workflows to replace semantic action version tags with pinned commit SHA references and minor formatting fixes (branch array formatting, trailing newline/whitespace) across build, CLA, and publish workflows.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Build workflow: .github/workflows/build.yml | Reformatted pull_request.branches array, replaced actions/setup-dotnet@v5 and actions/checkout@v6 tags with pinned commit SHA references, fixed trailing newline/whitespace; dotnet build -p:CommonSource=Dev unchanged. |
| CLA workflow: .github/workflows/cla.yml | Replaced contributor-assistant/github-action@v2.6.1 with a pinned commit SHA reference while preserving step condition and inputs. |
| Publish workflow: .github/workflows/publish.yml | Replaced several action version tags (actions/checkout@v2, actions/setup-dotnet@v5, softprops/action-gh-release@v1) with pinned commit SHA references; workflow triggers, job structure, and release artifact steps unchanged. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰
I hopped through YAML, tidy and keen,
Pinned every action, neat and clean,
Brackets fixed, no trailing fluff,
Commits locked down — steady and tough,
A little hop for CI's routine.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'chore: pin GitHub Actions to commit shas BED-7914' clearly and concisely summarizes the main change: pinning GitHub Actions to specific commit SHAs for security/reproducibility purposes, with the Jira ticket reference. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Description check | ✅ Passed | The pull request description follows the template and includes all required sections with appropriate information for a workflow security hardening change. |

lrfalslev changed the title from "chore: pin GitHub Actions to commit shas BED-7914#295" to "chore: pin GitHub Actions to commit shas BED-7914" Apr 14, 2026
lrfalslev merged commit db2377e into 2.X Apr 16, 2026
3 checks passed
lrfalslev deleted the lfalslev/bed-7914 branch April 16, 2026 20:38
github-actions Bot locked and limited conversation to collaborators Apr 16, 2026
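
The pinning this PR applies can be kept from regressing with a check over the workflow files. The following is an added example, not part of this PR or the project's code: `audit_workflow` is a hypothetical helper that flags every `uses:` reference not pinned to a full 40-character commit SHA. The sample workflow is constructed for illustration and its all-zero SHA is a placeholder, not a real commit.

```python
import re

# A `uses:` entry at step or job level, optionally quoted, optionally followed by a comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)['"]?\s*(?:#.*)?$""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def audit_workflow(text):
    """Return (line_no, reference, problem) for each `uses:` not pinned to a full commit SHA."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        target = match.group(1)
        # Local actions and container images are not repository refs; out of scope here.
        if target.startswith(("./", "docker://")):
            continue
        _, sep, ref = target.partition("@")
        if not sep:
            findings.append((line_no, target, "no ref given"))
        elif not FULL_SHA_RE.fullmatch(ref):
            findings.append((line_no, target, "mutable tag/branch or abbreviated SHA"))
    return findings


# Constructed sample input. The all-zero SHA is a placeholder, not a real commit.
PLACEHOLDER_SHA = "0" * 40
SAMPLE_WORKFLOW = f"""\
name: build
on:
  pull_request:
    branches: [2.X]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-dotnet@{PLACEHOLDER_SHA} # v5
      - name: release
        uses: softprops/action-gh-release@v1
      - uses: ./.github/actions/local
      - uses: actions/checkout@abc1234
"""

if __name__ == "__main__":
    for line_no, target, problem in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {target}: {problem}")
```

Keeping the original tag in a trailing comment, as on the pinned line of the sample, leaves the intended version readable next to the SHA.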