Pin actions to full-length commit SHAs (#190)

* Pin actions to full-length commit SHAs

This commit:

- pins each GitHub Action, regardless of publisher/maintainter, to
  its full-length commit SHA (instead of tag) to ensure that all
  actions refs are immutable;
- updates the .github/instructions/*.md for actions and workflows;

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Nathan Randall <70299490+data-douser@users.noreply.github.com>

* Update github_workflows_yaml.instructions.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Nathan Randall <70299490+data-douser@users.noreply.github.com>

---------

Signed-off-by: Nathan Randall <70299490+data-douser@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: data-douser

.github/actions/setup-codeql-environment/action.yml

@@ -82,7 +82,7 @@ runs:
     - name: Cache `gh-codeql` extension and CodeQL packages (Unix)
       id: cache-codeql-unix
       if: runner.os != 'Windows'
-      uses: actions/cache@v5
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
       with:
         path: |
           ~/.local/share/gh-codeql
@@ -94,7 +94,7 @@ runs:
     - name: Cache `gh-codeql` extension and CodeQL packages (Windows)
       id: cache-codeql-windows
       if: runner.os == 'Windows'
-      uses: actions/cache@v5
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
       with:
         path: |
           ~\AppData\Local\GitHub\gh-codeql
@@ -320,7 +320,7 @@ runs:
 
     - name: Setup Node.js
       if: inputs.install-language-runtimes == 'true'
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
       with:
         cache: 'npm'
         cache-dependency-path: 'package-lock.json'
@@ -330,7 +330,7 @@ runs:
     - name: Cache language runtimes
       id: cache-runtimes
       if: inputs.install-language-runtimes == 'true'
-      uses: actions/cache@v5
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
       with:
         path: |
           ~/go/pkg/mod
@@ -344,42 +344,42 @@ runs:
 
     - name: Setup Python (with cache)
       if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'python') && steps.check-deps.outputs.python-deps == 'true'
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
       with:
         python-version: ${{ inputs.python-version }}
         cache: 'pip'
 
     - name: Setup Python (without cache)
       if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'python') && steps.check-deps.outputs.python-deps == 'false'
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
       with:
         python-version: ${{ inputs.python-version }}
 
     - name: Setup Java (with cache)
       if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'java') && steps.check-deps.outputs.java-deps == 'true'
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
       with:
         distribution: 'temurin'
         java-version: ${{ inputs.java-version }}
         cache: 'maven'
 
     - name: Setup Java (without cache)
       if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'java') && steps.check-deps.outputs.java-deps == 'false'
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
       with:
         distribution: 'temurin'
         java-version: ${{ inputs.java-version }}
 
     - name: Setup Go (with cache)
       if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'go') && steps.check-deps.outputs.go-deps == 'true'
-      uses: actions/setup-go@v6
+      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
       with:
         go-version: ${{ inputs.go-version }}
         cache: true
 
     - name: Setup Go (without cache)
       if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'go') && steps.check-deps.outputs.go-deps == 'false'
-      uses: actions/setup-go@v6
+      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
       with:
         go-version: ${{ inputs.go-version }}
         cache: false
@@ -388,7 +388,7 @@ runs:
     - name: Cache .NET packages
       if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'csharp')
       id: cache-dotnet-packages
-      uses: actions/cache@v5
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
       with:
         path: |
           ~/.nuget/packages
@@ -400,20 +400,20 @@ runs:
 
     - name: Setup .NET (for C#)
       if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'csharp')
-      uses: actions/setup-dotnet@v5
+      uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5
       with:
         dotnet-version: ${{ inputs.dotnet-version }}
 
     - name: Setup Ruby (with cache)
       if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'ruby') && steps.check-deps.outputs.ruby-deps == 'true'
-      uses: ruby/setup-ruby@v1
+      uses: ruby/setup-ruby@4dc28cf14d77b0afa6832d9765ac422dbf0dfedd # v1
       with:
         ruby-version: ${{ inputs.ruby-version }}
         bundler-cache: true
 
     - name: Setup Ruby (without cache)
       if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'ruby') && steps.check-deps.outputs.ruby-deps == 'false'
-      uses: ruby/setup-ruby@v1
+      uses: ruby/setup-ruby@4dc28cf14d77b0afa6832d9765ac422dbf0dfedd # v1
       with:
         ruby-version: ${{ inputs.ruby-version }}
         bundler-cache: false

.github/instructions/github_workflows_yaml.instructions.md

@@ -1,17 +1,18 @@
 ---
-applyTo: '.github/workflows/*.{yml,yaml}'
+applyTo: '.github/{actions,workflows}/**/*.{yml,yaml}'
 description: 'Instructions for editing GitHub Actions workflows for this repository.'
 ---
 
-# Copilot Instructions for `.github/workflows/*.{yml,yaml}` files
+# Copilot Instructions for `.github/{actions,workflows}/**/*.{yml,yaml}` files
 
 ## PURPOSE
 
-This file contains instructions for working with GitHub Actions workflow files in the `.github/workflows/` directory of the `codeql-development-mcp-server` repository.
+This file contains instructions for working with GitHub Actions YAML files in the `.github/actions/` and `.github/workflows/` directories of the `codeql-development-mcp-server` repository.
 
 ## REQUIREMENTS
 
 - **ALWAYS run `npm run build-and-test` from the repo root directory and ensure it passes completely before committing any changes. This is MANDATORY and must be verified before every commit.**
+- **ALWAYS pin ALL external GitHub Actions to full-length commit SHAs, never to tags or branch names — including GitHub-maintained `actions/*` actions.** Add a trailing comment with the original tag for readability (e.g., `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6`). To resolve a tag to its underlying commit SHA (handling annotated tags correctly), run `git ls-remote https://github.com/OWNER/REPO.git refs/tags/TAG^{}`; for branch-based refs, use `refs/heads/BRANCH`.
 - ALWAYS use the principle of least privilege, and explicitly set `permissions` for workflows.
 - ALWAYS use valid YAML syntax and follow GitHub Actions workflow conventions.
 - ALWAYS follow best practices for GitHub Actions workflows including security, efficiency, and maintainability.
@@ -22,14 +23,14 @@ This file contains instructions for working with GitHub Actions workflow files i
 
 ## PREFERENCES
 
-- PREFER using the latest stable versions of GitHub Actions (e.g., `actions/checkout@v6`, `actions/setup-node@v6`).
 - PREFER explicit permissions declarations using the `permissions` key for security.
 - PREFER descriptive step names that include the workflow context (e.g., "Lint and Format - Checkout repository").
 - PREFER matrix strategies for testing multiple versions when applicable.
 - PREFER adding summary outputs using `$GITHUB_STEP_SUMMARY` for better workflow visibility.
 
 ## CONSTRAINTS
 
+- **NEVER reference an external GitHub Action by tag or branch name (e.g., `@v6`, `@main`). ALWAYS use the full 40-character commit SHA with a `# tag` comment.**
 - NEVER use overly broad permissions.
 - NEVER leave any trailing whitespace on any line.
 - NEVER use deprecated GitHub Actions or workflow syntax.

.github/skills/add-mcp-support-for-new-language/workflow-template.yml

@@ -44,10 +44,10 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Set up CodeQL CLI
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@480db559a14342288b67e54bd959dd52dc3ee68f # v3
         with:
           languages: '{LANGUAGE}'
 

.github/workflows/build-and-test-extension.yml

@@ -31,10 +31,10 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Setup Node.js environment
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           cache: 'npm'
           node-version-file: '.node-version'
@@ -64,7 +64,7 @@ jobs:
           install-language-runtimes: 'false'
 
       - name: Cache VS Code for integration tests
-        uses: actions/cache@v5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
         with:
           key: vscode-test-${{ runner.os }}-stable
           path: extensions/vscode/.vscode-test

.github/workflows/build-server.yml

@@ -29,10 +29,10 @@ jobs:
 
     steps:
       - name: Build Server - Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Build Server - Setup Node.js environment
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           cache: 'npm'
           node-version-file: '.node-version'

.github/workflows/client-integration-tests.yml

@@ -44,10 +44,10 @@ jobs:
 
     steps:
       - name: MCP Integration Tests - Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: MCP Integration Tests - Setup Node.js environment
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           cache: 'npm'
           node-version-file: '.node-version'
@@ -157,10 +157,10 @@ jobs:
 
     steps:
       - name: CODEQL_PATH Tests - Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: CODEQL_PATH Tests - Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           cache: 'npm'
           node-version-file: '.node-version'

.github/workflows/copilot-setup-steps.yml

@@ -36,7 +36,7 @@ jobs:
 
     steps:
       - name: Copilot Setup - Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         ## TODO : fix and/or rework to avoid "token not provided" error when this workflow
         ## is initiated purely for use by Copilot Coding Agent (CCA) (i.e. not triggered
         ## by normal code change). Uncomment the `with` section or refactor approach.
@@ -45,7 +45,7 @@ jobs:
         #  token: ${{ secrets.QL_DEV_TOKEN }}
 
       - name: Copilot Setup - Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           cache: 'npm'
           node-version-file: '.node-version'
@@ -78,7 +78,7 @@ jobs:
           npm run bundle:server
 
       - name: Copilot Setup - Cache VS Code for integration tests
-        uses: actions/cache@v5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
         with:
           key: vscode-test-${{ runner.os }}-stable
           path: extensions/vscode/.vscode-test

.github/workflows/dependency-review.yml

@@ -13,9 +13,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Dependency Review
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4
         with:
           config-file: '.github/dependency-review-config.yml'

.github/workflows/lint-and-format.yml

@@ -17,10 +17,10 @@ jobs:
 
     steps:
       - name: Lint and Format - Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Lint and Format - Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           cache: 'npm'
           node-version-file: '.node-version'

.github/workflows/query-unit-tests-swift.yml

@@ -33,10 +33,10 @@ jobs:
 
     steps:
       - name: Query Unit Tests - swift - Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Query Unit Tests - swift - Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           cache: 'npm'
           node-version-file: '.node-version'