chore: pin GitHub Actions to commit shas BED-7914

[lrfalslev]

Description

Updates actions to latest versions and pins them by git commit SHA for security hardening

Motivation and Context

This PR addresses: BED-7914

How Has This Been Tested?

Manually verified commit SHAs. Pipelines still pass.

Screenshots (if appropriate):

Types of changes

• Chore (a change that does not modify the application functionality)
• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• I have met the contributing prerequisites
  • Assigned myself to this PR
  • Added the appropriate labels
  • Associated an issue: Issues and Pull Requests README BloodHound#672
  • Read the Contributing guide: https://github.com/SpecterOps/BloodHound/wiki/Contributing
• I have ensured that related documentation is up-to-date
  • Open API docs
  • Code comments
• I have followed proper test practices
  • Added/updated tests to cover my changes
  • All new and existing tests passed

Summary by CodeRabbit

• Chores
  • Updated GitHub Actions workflows to pin dependencies to specific commit references for improved build reproducibility and security.
  • Normalized formatting and whitespace in workflow configuration files.

[coderabbitai]

Walkthrough

GitHub Actions workflows across four files have been updated to pin external actions to specific commit SHAs instead of semantic version tags. The changes include actions/checkout, actions/setup-dotnet, and other GitHub-maintained and third-party actions, along with minor whitespace normalization.

Changes

Cohort / File(s)	Summary
GitHub Actions Pinning .github/workflows/build-and-test.yml, .github/workflows/publish-dev-package.yml	Replaced semantic version tags (@v6, @v5) with immutable commit SHA references for actions/checkout and actions/setup-dotnet. Normalized trailing whitespace and file endings.
CLA Workflow .github/workflows/cla.yml	Pinned contributor-assistant/github-action to a specific commit SHA instead of version tag @v2.6.1.
Publish Workflow .github/workflows/publish.yml	Pinned seven GitHub Actions to commit SHAs: actions/checkout, web3j/substr-action, actions/setup-dotnet, actions/upload-artifact, actions/download-artifact, nikeee/docfx-action, and JamesIves/github-pages-deploy-action. Adjusted YAML indentation in multi-line blocks and removed trailing whitespace.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 With SHA pins now in place,
Actions run with trusty grace,
Immutable refs, no more drift,
Security gets a precise gift,
Reproducible builds, I must say—
Hooray! Hooray! Hip-hip-hooray! 🎉

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: pinning GitHub Actions to commit SHAs, matching all workflow file updates in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check	✅ Passed	The PR description follows the required template with all key sections completed: Description, Motivation and Context (with issue link), Testing details, Types of changes (Chore selected), and Checklist with appropriate items checked.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch lfalslev/bed-7914

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}