Harden CI: SHA-pin all actions, add persist-credentials: false

Pin all GitHub Actions to full commit SHAs to prevent supply-chain
attacks via tag mutation. Add persist-credentials: false to all
checkout steps to limit token exposure. All 8 workflow files updated.

Actions pinned:
- actions/checkout v4 (34e1148)
- actions/setup-python v5 (a26af69)
- actions/setup-node v4 (49933ea)
- actions/upload-artifact v4 (ea165f8)
- actions/github-script v7 (f28e40c)
- actions/labeler v5 (8558fd7)
- dependabot/fetch-metadata v2 (21025c7)
- jgehrcke/github-repo-stats RELEASE (d80572c)
- astral-sh/setup-uv v3 (caf0cab)

Author: jpr5

.github/workflows/ash-full-repository-scan.yml

@@ -17,12 +17,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
+          persist-credentials: false
           fetch-depth: 0
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: '3.10'
 
@@ -112,7 +113,7 @@ jobs:
 
       - name: Upload ASH results as artifacts
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: ash-full-scan-${{ github.run_id }}
           path: |
@@ -123,7 +124,7 @@ jobs:
 
       - name: Create issue for critical findings (monthly scan only)
         if: github.event_name == 'schedule' && steps.scan-summary.outputs.has_findings == 'true'
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |

.github/workflows/ash-security-comment.yml

@@ -48,7 +48,7 @@ jobs:
 
       - name: Post comment on PR
         if: steps.pr-info.outputs.pr_number
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |

.github/workflows/ash-security-scan.yml

@@ -13,8 +13,9 @@ jobs:
   scan:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
+          persist-credentials: false
           fetch-depth: 0
 
       - name: Get changed files
@@ -49,7 +50,7 @@ jobs:
 
       - name: Set up Python
         if: steps.changed-files.outputs.any_changed == 'true'
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: '3.10'
 
@@ -216,7 +217,7 @@ jobs:
 
       - name: Upload ASH results and PR metadata
         if: steps.changed-files.outputs.any_changed == 'true' && always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: ash-security-results
           path: /tmp/ash-artifacts/

.github/workflows/dependabot.yml

@@ -15,7 +15,7 @@ jobs:
     steps:
       - name: Dependabot metadata
         id: metadata
-        uses: dependabot/fetch-metadata@v2
+        uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
 

.github/workflows/js-lint.yml

@@ -17,7 +17,9 @@ jobs:
         working-directory: frontend
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
 
       - name: Get changed JS/TS files
         id: changed-files
@@ -34,7 +36,7 @@ jobs:
 
       - name: Set up Node.js
         if: steps.changed-files.outputs.any_changed == 'true'
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: '20'
 

.github/workflows/label.yml

@@ -13,6 +13,6 @@ jobs:
       contents: read
       pull-requests: write
     steps:
-      - uses: actions/labeler@v5
+      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/python-lint.yml

@@ -14,7 +14,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
 
       - name: Get changed Python files
         id: changed-files
@@ -25,13 +27,13 @@ jobs:
 
       - name: Set up Python
         if: steps.changed-files.outputs.any_changed == 'true'
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: '3.11'
 
       - name: Install uv
         if: steps.changed-files.outputs.any_changed == 'true'
-        uses: astral-sh/setup-uv@v3
+        uses: astral-sh/setup-uv@caf0cab7a618c569241d31dcd442f54681755d39 # v3
 
       - name: Install ruff
         if: steps.changed-files.outputs.any_changed == 'true'

.github/workflows/repo-stats.yml

@@ -20,7 +20,7 @@ jobs:
         runs-on: ubuntu-latest
         steps:
             - name: run-ghrs
-              uses: jgehrcke/github-repo-stats@RELEASE
+              uses: jgehrcke/github-repo-stats@d80572c9029636cd0e97e3a79e7a9c293bea3b02 # RELEASE
               with:
                   ghtoken: ${{ secrets.GHRS_GITHUB_API_TOKEN }}
                   ghpagesprefix: "https://awslabs.github.io/fullstack-solution-template-for-agentcore"