Summary
All GitHub Actions referenced in .github/workflows/ and .github/actions/ should be pinned to their full 40-character commit SHA (instead of mutable tags like @v6) to ensure immutable, tamper-resistant CI/CD references. Additional supply chain hardening measures should also be applied.
This follows the same patterns already applied to codeql-development-mcp-server in:
Actions to Pin
The following external action references currently use mutable tags and need to be pinned to their corresponding commit SHAs:
.github/workflows/copilot-setup-steps.yml
  - actions/checkout@v6
.github/workflows/lint-and-format.yml
  - actions/checkout@v6
  - actions/setup-node@v6
.github/workflows/codeql-qlt-unit-tests.yml
  - actions/checkout@v6 (×3)
  - actions/upload-artifact@v7
  - actions/download-artifact@v8
.github/actions/setup-codeql-environment/action.yml
  - actions/cache@v4 (×4)
  - actions/setup-node@v6
  - actions/setup-python@v6 (×2)
  - actions/setup-java@v5 (×2)
  - actions/setup-go@v6 (×2)
  - actions/setup-dotnet@v5
  - ruby/setup-ruby@v1 (×2)
  - advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main (currently references the main branch rather than a tag; it should also be pinned to a SHA)
Format
Each pinned reference should use the format:
uses: actions/checkout@<full-40-char-sha> # v6
The trailing comment preserves the human-readable tag for maintainability.
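A small checker for this rule, added here as an example (it is not code from the issue or from the codeql-development-toolkit repository): it scans the uses: lines of a workflow or composite action file and reports references still on a mutable tag or branch, plus SHA-pinned references that lack the trailing tag comment. The sample workflow text is constructed for the demonstration.

```python
import re
from typing import List, Tuple

# One "uses:" step line: action path, "@ref", and an optional trailing "# comment".
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<action>[^@'\"\s]+)@(?P<ref>[^'\"\s#]+)['\"]?"
    r"\s*(?:#\s*(?P<comment>.*))?$"
)
# A full-length git commit SHA is exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not from the repository) exercising each case.
SAMPLE_WORKFLOW = """\
name: constructed-sample
jobs:
  test:
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v6
      - uses: actions/cache@1111111111111111111111111111111111111111
      - uses: ./.github/actions/setup-codeql-environment
      - uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main
"""


def check_uses_refs(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, reference, problem) for each external action that is
    not pinned to a 40-hex commit SHA, or is SHA-pinned but lacks the '# <tag>'
    comment. Local actions (./path) carry no ref and are never matched."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if action.startswith("docker://"):
            continue  # container images are pinned by digest, not by git SHA
        full_ref = f"{action}@{ref}"
        if not SHA_RE.fullmatch(ref):
            findings.append((lineno, full_ref, "mutable ref (tag or branch)"))
        elif not comment or not comment.strip():
            findings.append((lineno, full_ref, "SHA-pinned but missing '# <tag>' comment"))
    return findings


if __name__ == "__main__":
    for lineno, ref, problem in check_uses_refs(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {problem}")
```

Run it over each file under .github/workflows/ and .github/actions/ to produce the list of references that still need a SHA before the acceptance criteria are met.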
Additional Supply Chain Hardening (optional, same PR or follow-up)
- Add a .github/instructions/ file for actions/workflows that enforces SHA-pinning guidance for Copilot (similar to github_workflows_yaml.instructions.md in the MCP server repo)
- permissions: blocks
- Enable "Require actions to be pinned to a full-length commit SHA" in the repository's admin settings for Actions
Acceptance Criteria
- All action references in .github/workflows/*.yml and .github/actions/**/*.yml are pinned to full commit SHAs with tag comments
- No mutable references remain (@v6, @v1, @main, etc.)