chore: pin third-party GitHub Actions to commit SHAs#49337

Open
mahangu wants to merge 2 commits into trunk from chore/devprod-1072-pin-actions-shas

Conversation

@mahangu mahangu commented Jun 2, 2026

Pins third-party GitHub Actions in this repo to immutable commit SHAs.

Tracking: DEVPROD-1072

Summary

  • Pinned distinct third-party action refs in this PR: 13
  • Checked Jetpack-owned GitHub Actions source areas:
    • .github/workflows/*.yml
    • .github/files/*/workflows/*.yml copied mirror workflow templates
    • .github/actions/**/action.yml local composite action metadata
  • Mirror template coverage checked: mirror-.github, gh-autotagger, gh-autorelease, gh-wp-svn-autopublish, gh-npmjs-autopublisher, and gh-e2e. The only non-GitHub third-party action in those copied workflow templates is peter-evans/repository-dispatch, which is pinned here.
  • GitHub-owned actions/* refs are left as tag refs; this pass is scoped to non-GitHub third-party actions.
  • Dependabot GitHub Actions coverage: not added. Jetpack already uses self-hosted Renovate, and its config covers GitHub Actions workflow files plus copied mirror workflow templates under .github/files/*/workflows/*.yml.

Testing instructions

  • Review the diff and confirm third-party uses: refs are pinned to 40-character commit SHAs.
  • Run the verification commands below to confirm each label resolves to the pinned commit SHA.
  • Confirm CI remains green.

Does this pull request change what data or activity we track or use?

No.

Verification commands

# Resolve a tag in owner/repo through the GitHub GraphQL API and compare the commit it
# points at with the SHA pinned in the workflow. An annotated tag resolves to a Tag
# object whose commit is target.target.oid; a lightweight tag points at the commit
# directly, so target.oid is used as the fallback.
verify_action_ref() {
  owner="$1"
  repo="$2"
  ref="$3"        # tag the pinned SHA is expected to correspond to
  expected="$4"   # 40-character commit SHA now used in the workflow
  gh api graphql \
    -f owner="$owner" \
    -f name="$repo" \
    -f ref="refs/tags/$ref" \
    -f query='query($owner:String!,$name:String!,$ref:String!){repository(owner:$owner,name:$name){ref(qualifiedName:$ref){target{__typename oid ... on Tag{target{oid}}}}}}' \
    --jq "{action:\"$owner/$repo\",ref:\"$ref\",resolved_sha:(.data.repository.ref.target.target.oid // .data.repository.ref.target.oid),expected_sha:\"$expected\",matches:((.data.repository.ref.target.target.oid // .data.repository.ref.target.oid)==\"$expected\")}"
}

verify_action_ref anthropics claude-code-action v1.0.110 ef50f123a3a9be95b60040d042717517407c7256
verify_action_ref docker build-push-action v7.2.0 f9f3042f7e2789586610d6e8b85c8f03e5195baf
verify_action_ref docker login-action v4.2.0 650006c6eb7dba73a995cc03b0b2d7f5ca915bee
verify_action_ref docker metadata-action v6.1.0 80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9
verify_action_ref docker setup-buildx-action v4.1.0 d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5
verify_action_ref dorny paths-filter v4.0.1 fbd0ab8f3e69293af611ebaee6363fc25e6d187d
verify_action_ref grafana run-k6-action v1.4.0 de51a7390bdf0ac85a3bef493691bd71d4c7c158
verify_action_ref grafana setup-k6-action v1.2.1 db07bd9765aac508ef18982e52ab937fe633a065
verify_action_ref peter-evans repository-dispatch v4.0.1 28959ce8df70de7be546dd1250a005dd32156697
verify_action_ref pnpm action-setup v5.0.0 fc06bc1257f339d1d5d8b3a19a8cae5388b55320
verify_action_ref renovatebot github-action v46.0.2 e23f4d9675532445118c886434f5a34292b630b4
verify_action_ref shivammathur setup-php 2.37.1 7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc
verify_action_ref slackapi slack-github-action v3.0.1 af78098f536edbc4de71162a307590698245be95
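The verification commands above check that each pinned SHA matches the tag it replaced; the complementary check from the testing instructions is that no third-party uses: ref is left unpinned. The following is an added example, not code from the PR or the Jetpack repository: a POSIX shell function that scans workflow and action YAML and reports every non-GitHub uses: ref that is not a full 40-hex commit SHA. It follows the PR's scope (local ./ actions, docker:// images and GitHub-owned actions/* are skipped) and assumes only sh, awk and mktemp. The function name find_unpinned_uses and the sample workflow are mine; the sample reuses the docker/login-action pin from the PR body, and the example-org/* refs are placeholders.

```shell
#!/bin/sh
# Added example, not part of the PR: report third-party `uses:` refs that are not
# pinned to a full 40-hex commit SHA. Scope follows the PR: local actions (./...),
# docker:// images and GitHub-owned actions/* are skipped. Assumes POSIX sh + awk.

# find_unpinned_uses FILE... -> prints "file:line:ref:reason" for each finding
find_unpinned_uses() {
  awk -v sq="'" '
    /^[[:space:]-]*uses:[[:space:]]*/ {
      ref = $0
      sub(/^[[:space:]-]*uses:[[:space:]]*/, "", ref)   # keep only the value
      sub(/[[:space:]]*#.*$/, "", ref)                  # drop a trailing "# v1.2.3" comment
      gsub(/"/, "", ref)                                # drop surrounding quotes
      gsub(sq, "", ref)
      if (ref ~ /^\.\//) next                           # local composite action in this repo
      if (ref ~ /^docker:\/\//) next                    # container image, not a repo ref
      if (ref ~ /^actions\//) next                      # GitHub-owned, out of scope for this pass
      at = index(ref, "@")
      if (at == 0) { print FILENAME ":" FNR ":" ref ":missing-ref"; next }
      sha = substr(ref, at + 1)
      # a commit pin is exactly 40 lowercase hex characters; anything else is a mutable ref
      if (length(sha) != 40 || sha !~ /^[0-9a-f]+$/) { print FILENAME ":" FNR ":" ref ":not-sha-pinned" }
    }
  ' "$@"
}

# Constructed sample workflow (not a Jetpack file): the docker/login-action pin is
# copied from the PR body; the example-org/* refs are placeholders that exist only
# to exercise each branch of the check.
SAMPLE_WORKFLOW=$(mktemp)
cat > "$SAMPLE_WORKFLOW" <<'EOF'
name: sample
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/tool-setup
      - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
      - uses: dorny/paths-filter@v3
      - uses: "example-org/example-action@main"
      - uses: example-org/unversioned-action
EOF

# Lines 10, 11 and 12 of the sample are reported; lines 7-9 are skipped or correctly pinned.
find_unpinned_uses "$SAMPLE_WORKFLOW"
```

Run it as find_unpinned_uses .github/workflows/*.yml .github/files/*/workflows/*.yml .github/actions/*/action.yml to cover the same source areas the PR lists; an empty result means every in-scope ref is SHA-pinned. The missing-ref case is reported separately because a uses: value without an @ is a workflow error rather than an unpinned dependency.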

@github-actions github-actions Bot added [Status] In Progress Actions GitHub actions used to automate some of the work around releases and repository management labels Jun 2, 2026
github-actions Bot commented Jun 2, 2026

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

  • ✅ Include a description of your PR changes.
  • 🔴 Add a "[Status]" label (In Progress, Needs Review, ...).
  • ✅ Add testing instructions.
  • ✅ Specify whether this PR includes any changes to data or privacy.
  • ✅ Add changelog entries to affected projects

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖


Follow this PR Review Process:

  1. Ensure all required checks appearing at the bottom of this PR are passing.
  2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
  3. You can use GitHub's Reviewers functionality to request a review.
  4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!

@github-actions github-actions Bot added the [Status] Needs Author Reply We need more details from you. This label will be auto-added until the PR meets all requirements. label Jun 2, 2026
@mahangu mahangu marked this pull request as ready for review June 2, 2026 13:11
@mahangu mahangu requested a review from a team as a code owner June 2, 2026 13:11
@mahangu mahangu added [Status] Needs Review This PR is ready for review. and removed [Status] Needs Author Reply We need more details from you. This label will be auto-added until the PR meets all requirements. [Status] In Progress labels Jun 2, 2026
@github-actions github-actions Bot added [Status] Needs Author Reply We need more details from you. This label will be auto-added until the PR meets all requirements. and removed [Status] Needs Review This PR is ready for review. labels Jun 2, 2026
@mahangu mahangu self-assigned this Jun 2, 2026
anomiex previously requested changes Jun 2, 2026

@anomiex anomiex left a comment

Except for the addition of a Dependabot configuration when we already use Renovate, this seems reasonable to do what it intends.

Whether what it intends is actually a useful thing versus mainly making more work for us to maintain, I'm not sure.

Comment thread .github/dependabot.yml Outdated

We already use Renovate to update things. It would probably be better to make any necessary config changes there rather than adding a second bot.

@tbradsha tbradsha left a comment

Along with @anomiex's comment about using Renovate, it seems, per the original issue, that the goal is to update all such usages in the Automattic org. I notice several mirror repos are on that list, and those actions would need to be updated here, not in the mirror repos directly.

Finally, I notice there are three additional workflows with third-party actions that were missed (the first one is used by many of the existing workflows and the latter two are pushed out to the mirror repos):

.github/actions/tool-setup/action.yml
.github/files/gh-npmjs-autopublisher/workflows/npmjs-autopublisher.yml
.github/files/gh-wp-svn-autopublish/workflows/wp-svn-autopublish.yml

Tracking: DEVPROD-1072

Remove the added Dependabot config because Jetpack already uses Renovate for GitHub Actions updates.

Pin non-GitHub third-party refs in .github/actions/tool-setup/action.yml, which is a Jetpack-owned local action used by workflows.
github-actions Bot commented Jun 3, 2026

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

  • To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (Jetpack or WordPress.com Site Helper), and enable the chore/devprod-1072-pin-actions-shas branch.
  • To test on Simple, run the following command on your sandbox:
bin/jetpack-downloader test jetpack chore/devprod-1072-pin-actions-shas
bin/jetpack-downloader test jetpack-mu-wpcom-plugin chore/devprod-1072-pin-actions-shas

Interested in more tips and information?

  • In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
  • Read more about our development workflow here: PCYsg-eg0-p2
  • Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

mahangu commented Jun 3, 2026

@anomiex @tbradsha Thank you both for your reviews! 🙏🏾

I pushed a follow-up. Removed Dependabot and checked the mirror workflow sources in .github/files/*/workflows/*.yml: the only non-GitHub third-party action there was already pinned. The missed pins were in .github/actions/tool-setup/action.yml, and those are now pinned too.

I updated the PR body with the gh api commands for checking each SHA. Please let me know if there is anything else or if I've missed something? Thank you!

jp-launch-control Bot commented Jun 3, 2026

Code Coverage Summary

This PR did not change code coverage!

That could be good or bad, depending on the situation. Everything covered before, and still is? Great! Nothing was covered before? Not so great. 🤷

Full summary · PHP report · JS report

@tbradsha tbradsha left a comment

Sorry, I improperly flagged two first-party ones. 😄 But now it looks good.

@tbradsha tbradsha dismissed anomiex’s stale review June 3, 2026 13:58

Objection no longer relevant.
