
[StepSecurity] ci: Harden GitHub Actions#9825

Merged: iav merged 1 commit into armbian:main from step-security-bot:chore/GHA-141345-stepsecurity-remediation on May 14, 2026

Conversation


@step-security-bot step-security-bot commented May 14, 2026

Summary

This pull request is created by StepSecurity at the request of @iav. Please merge the Pull Request to incorporate the requested changes. Please tag @iav on your message if you have any questions related to the PR.

Security Fixes

Pinned Dependencies

GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to a full-length commit.

Feedback

For bug reports, feature requests, and general feedback, please email support@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>

Summary by CodeRabbit

  • Chores
    • Improved CI/CD pipeline stability and consistency through workflow configuration updates.


coderabbitai Bot commented May 14, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 80068e7 and 2c44100.

📒 Files selected for processing (1)
  • .github/workflows/maintenance-check-kernel-security.yml

📝 Walkthrough

This PR updates a GitHub Actions workflow to pin the actions/checkout action to a specific commit hash instead of using the floating v6 version tag. The pinning is applied consistently across two checkout steps in the maintenance kernel security workflow.

Changes

Workflow Security Hardening

  • Layer: Pin actions/checkout to specific commit
    File(s): .github/workflows/maintenance-check-kernel-security.yml
    Summary: Both actions/checkout steps are pinned to commit de0fac2e4500dabe0009e67214ff5f5447ce83dd (v6.0.2): the initial repository checkout and the fetch of a13xp0p0v/kconfig-hardened-check.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A rabbit hops through workflows bright,
Version pinning done just right,
No floating tags to cause dismay,
Security locked in every way! 🐰✨

🚥 Pre-merge checks: 5 passed
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title references hardening GitHub Actions, which directly relates to the core change of pinning action versions to commit SHAs for security.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

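The StepSecurity summary and the CodeRabbit walkthrough above both describe the same hardening: a uses: reference on a floating tag such as v6 is replaced by the full 40-character commit SHA with the version noted in a trailing comment. The following Python script is an added example, not code from this PR, StepSecurity or CodeRabbit; it audits workflow YAML text for references still on a mutable tag or branch, and for SHA pins that lack the version comment. The sample workflow, the some-org/* actions and the with: repository: setting are constructed for the demonstration.

```python
import re

# One step reference, e.g. "- uses: owner/repo[/subdir]@ref   # v1.2.3".
# Local actions ("./path") have no "@ref" and do not match; docker:// image
# references are not handled by this check.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)@([^\s#]+)(?:\s*#\s*(\S+))?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not the repository's real file): one checkout on
# the floating "v6" tag, one pinned the way this PR does it, one on a branch,
# and one SHA pin without the version comment that upgrade tooling relies on.
SAMPLE_WORKFLOW = """\
name: Maintenance / Kernel security check
on: [push]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Fetch kconfig-hardened-check
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          repository: a13xp0p0v/kconfig-hardened-check
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action@main
      - uses: some-org/other-action@0123456789abcdef0123456789abcdef01234567
"""


def audit_uses_pins(workflow_text):
    """Report each remote action reference that is not a full 40-hex commit SHA
    (a mutable tag or branch), and each SHA pin that lacks a '# vX.Y.Z' comment."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        action, ref, version_comment = match.groups()
        if not FULL_SHA_RE.match(ref):
            findings.append({"line": lineno, "action": action, "ref": ref,
                             "issue": "mutable-ref"})
        elif version_comment is None:
            findings.append({"line": lineno, "action": action, "ref": ref,
                             "issue": "missing-version-comment"})
    return findings


if __name__ == "__main__":
    for f in audit_uses_pins(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref']} ({f['issue']})")
```

Run against the sample it flags lines 7 and 13 as mutable references and line 14 as a SHA pin without a version comment; the pinned checkout on line 9 passes.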

@github-actions github-actions Bot added size/small PR with less then 50 lines 05 Milestone: Second quarter release Needs review Seeking for review GitHub Actions GitHub Actions code labels May 14, 2026
@github-actions github-actions Bot added the Ready to merge Reviewed, tested and ready for merge label May 14, 2026
@github-actions

✅ This PR has been reviewed and approved — all set for merge!

@github-actions github-actions Bot removed the Needs review Seeking for review label May 14, 2026
@iav iav merged commit 64da974 into armbian:main May 14, 2026
12 checks passed