chore: pin GitHub Actions to commit SHAs

[slawomirbabicz]

Pin GitHub Actions to commit SHAs

GitHub Actions referenced by tag (e.g. actions/checkout@v4) use a mutable pointer — the tag owner can move it to a different commit at any time, including a malicious one. This is the attack vector used in the tj-actions/changed-files incident (CVE-2025-30066).

Pinning to a full 40-character commit SHA makes the reference immutable. The # tag comment preserves human readability so reviewers can tell which version is pinned.

Important: a SHA can also originate from a forked repository. A malicious actor can fork an action, push a compromised commit to the fork, and the SHA will resolve — but it won't exist in the upstream canonical repo. Each SHA in this PR was verified against the action's canonical repository (not a fork).

Changes

• actions/checkout@v5 -> actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1

  • Version: v5.0.1 | Latest: v6.0.2 | Release age: 89d
  • Commit: actions/checkout@93cb6ef

• jdx/mise-action@v3 -> jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3

  • Version: v3.6.3 | Latest: v4.0.1 | Release age: 17d
  • Commit: jdx/mise-action@5228313

• actions/setup-node@v6 -> actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0

  • Version: v6.3.0 | Latest: v6.3.0 | Release age: 36d
  • Commit: actions/setup-node@53b8394

Files modified

• .github/workflows/ci.yml
• .github/workflows/publish.yml