Description
I think we should improve the security of our CI/CD pipelines by pinning all third-party GitHub Actions in our .github/workflows/ directory to immutable commit SHAs instead of mutable version tags (like @v6 or @stable).
Currently, our workflows rely on mutable tags (e.g. uses: actions/checkout@v6). If a bad actor compromises one of these third-party action repositories, they can maliciously move the v6 tag to point to a compromised commit, injecting malware into boa's trusted, privileged CI environment on our next runner execution.
Following OpenSSF and GitHub advanced security recommendations, we should refactor all uses: statements to reference specific 40-character commit hashes.
For instance, this:
uses: actions/checkout@v6
Becomes this:
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v6.0.0
This guarantees that our CI pipeline remains completely immutable and immune to supply chain tag-hijacking attacks. Additionally, since we already run dependabot, our .github/dependabot.yml will easily and automatically keep these SHA strings updated for us safely.
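As an added example, not code from the issue or from the Boa project, the Python script below does the audit and rewrite the proposal describes: it lists every third-party `uses:` reference that is not pinned to a full 40-hex commit, and rewrites the mutable ones from a tag-to-SHA mapping the caller has resolved and reviewed out of band. It goes slightly beyond the issue's two lines by also handling job-level reusable-workflow `uses:` and sub-path references (`owner/repo/path@tag`). The sample workflow, the placeholder SHAs and the `RESOLVED` mapping are constructed for the demo; local actions (`./...`) and `docker://` images are skipped because they are pinned by other means.

```python
import re

# Matches a `uses:` line in a workflow (step-level `- uses:` or job-level
# `uses:` for reusable workflows) and captures the reference plus any
# trailing comment.
USES_RE = re.compile(r"^(?P<prefix>\s*(?:-\s*)?uses:\s*)(?P<ref>[^\s#]+)(?P<rest>.*)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref):
    """Classify an action reference: local, docker, pinned, mutable or unversioned."""
    if ref.startswith("./"):
        return "local"        # lives in this repo, moves with our own commits
    if ref.startswith("docker://"):
        return "docker"       # pin by image digest instead, outside this script
    if "@" not in ref:
        return "unversioned"  # no ref at all: resolves to the default branch
    version = ref.rsplit("@", 1)[1]
    return "pinned" if SHA_RE.match(version) else "mutable"


def find_unpinned(workflow_text):
    """Return (line_number, ref) for each third-party action not pinned to a full SHA."""
    hits = []
    for lineno, line in enumerate(workflow_text.split("\n"), start=1):
        m = USES_RE.match(line)
        if m and classify(m.group("ref")) in ("mutable", "unversioned"):
            hits.append((lineno, m.group("ref")))
    return hits


def pin_uses(workflow_text, resolved):
    """Rewrite mutable refs to commit SHAs.

    `resolved` maps "owner/repo@tag" to the 40-hex commit that tag points to.
    The caller builds it out of band (e.g. `git ls-remote
    https://github.com/OWNER/REPO refs/tags/TAG`) after reviewing the commit.
    Refs with no entry are left untouched, so a partial mapping never yields a
    broken workflow. The original tag is kept as a trailing comment, which is
    the form Dependabot reads when it later bumps the SHA.
    """
    out = []
    for line in workflow_text.split("\n"):
        m = USES_RE.match(line)
        if not m or classify(m.group("ref")) != "mutable":
            out.append(line)
            continue
        action, tag = m.group("ref").rsplit("@", 1)
        repo = "/".join(action.split("/")[:2])  # drop any sub-path inside the repo
        sha = resolved.get(f"{repo}@{tag}")
        if sha is None:
            out.append(line)
            continue
        if not SHA_RE.match(sha):
            raise ValueError(f"refusing non-SHA pin for {repo}@{tag}: {sha!r}")
        new_line = f"{m.group('prefix')}{action}@{sha} # {tag}"
        if m.group("rest").strip():
            new_line += " " + m.group("rest").strip()
        out.append(new_line)
    return "\n".join(out)


# Constructed sample workflow for the demo (not a real Boa workflow).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v4.0.2 (placeholder SHA)
      - uses: some-org/some-action/sub@main
"""

# Placeholder SHAs: constructed for the example, NOT the real commits behind these tags.
RESOLVED = {
    "actions/checkout@v6": "1111111111111111111111111111111111111111",
    "some-org/some-action@main": "2222222222222222222222222222222222222222",
}

if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
    print(pin_uses(SAMPLE_WORKFLOW, RESOLVED))
```

The mapping is deliberately supplied by the caller rather than fetched inside the script: the moment a tag is resolved to a commit is exactly where a moved tag would be accepted, so that commit should be looked at (and, if `git ls-remote` lists both `refs/tags/v6` and `refs/tags/v6^{}`, it is the peeled `^{}` entry that names the commit to pin). The same applies later to the Dependabot PRs that bump these SHAs. Pinning freezes the action's own source but not what it fetches at run time, such as a `docker://` image referenced by tag, which is why that case is only reported here and not rewritten.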