Pin actions to full-length commit SHAs

[data-douser]

This PR:

• pins each GitHub Action, regardless of publisher/maintainter, to its full-length commit SHA (instead of tag) to ensure that all actions refs are immutable;
• updates the .github/instructions/*.md for actions and workflows.

Outline of Changes

Key changes include:

Security and Workflow Best Practices

• All external GitHub Actions references in workflow files under .github/workflows/ and .github/actions/ are now pinned to their full 40-character commit SHAs, with a trailing comment indicating the original tag (e.g., # v6). This applies to actions such as actions/checkout, actions/setup-node, actions/cache, actions/setup-python, actions/setup-java, actions/setup-go, actions/setup-dotnet, ruby/setup-ruby, actions/dependency-review-action, and actions/upload-artifact. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20] [21] [22] [23] [24] [25] [26]

Documentation and Instructions Update

• The instructions file .github/instructions/github_workflows_yaml.instructions.md is updated to:
  • Apply to both .github/workflows/ and .github/actions/ directories.
  • Clearly require that all external GitHub Actions must be referenced by full commit SHA, never by tag or branch, and provide guidance on how to resolve a tag to its SHA. [1] [2]
  • Remove the previous preference for using the latest stable tag, replacing it with a strict requirement for SHA pinning.

These changes significantly improve the security posture of the repository’s CI/CD pipelines and provide clear guidance for future workflow edits.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA c337f2c.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	de0fac2e4500dabe0009e67214ff5f5447ce83dd	🟢 6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/dependency-review-action	2031cfc080254a8a887f58cffee85186f0e49e48	🟢 7.8	Details Check Score Reason Security-Policy 🟢 9 security policy file detected Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 10 SAST tool is run on all commits
actions/actions/checkout	de0fac2e4500dabe0009e67214ff5f5447ce83dd	🟢 6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/setup-node	53b83947a5a98c8d113130e565377fae1a50d02f	🟢 6	Details Check Score Reason Maintained 🟢 9 11 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 9 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 9 binaries present in source code Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 1 branch protection is not maximal on development and all release branches SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9
actions/actions/upload-artifact	bbbca2ddaa5d8feaa63e36b76fdaad77386f024f	🟢 5.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 5 4 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 10 SAST tool is run on all commits
actions/actions/checkout	de0fac2e4500dabe0009e67214ff5f5447ce83dd	🟢 6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/setup-node	53b83947a5a98c8d113130e565377fae1a50d02f	🟢 6	Details Check Score Reason Maintained 🟢 9 11 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 9 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 9 binaries present in source code Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 1 branch protection is not maximal on development and all release branches SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9

Scanned Files

• .github/workflows/dependency-review.yml
• .github/workflows/release-npm.yml
• .github/workflows/update-codeql.yml

[Copilot]

Pull request overview

This PR hardens the repository’s CI/CD security posture by making all external GitHub Action references immutable (pinning to full commit SHAs) and updating Copilot workflow-editing instructions accordingly.

Changes:

• Pin external uses: references in workflows and composite actions to full 40-character commit SHAs with trailing # <tag> comments.
• Update Copilot instructions to require SHA pinning (and expand scope to include .github/actions/ YAML).

Reviewed changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
.github/workflows/update-codeql.yml	Pin actions/checkout and actions/setup-node to commit SHAs (plus comment tags).
.github/workflows/release.yml	Pin actions/download-artifact and actions/upload-artifact to commit SHAs.
.github/workflows/release-vsix.yml	Pin checkout/setup-node/upload-artifact to commit SHAs.
.github/workflows/release-tag.yml	Pin checkout/setup-node to commit SHAs.
.github/workflows/release-npm.yml	Pin checkout/setup-node/upload-artifact to commit SHAs.
.github/workflows/release-codeql.yml	Pin checkout/upload-artifact to commit SHAs.
.github/workflows/query-unit-tests.yml	Pin checkout/setup-node to commit SHAs.
.github/workflows/query-unit-tests-swift.yml	Pin checkout/setup-node to commit SHAs.
.github/workflows/lint-and-format.yml	Pin checkout/setup-node to commit SHAs.
.github/workflows/dependency-review.yml	Pin checkout and dependency-review-action to commit SHAs.
.github/workflows/copilot-setup-steps.yml	Pin checkout/setup-node/cache to commit SHAs.
.github/workflows/client-integration-tests.yml	Pin checkout/setup-node to commit SHAs in both jobs.
.github/workflows/build-server.yml	Pin checkout/setup-node to commit SHAs.
.github/workflows/build-and-test-extension.yml	Pin checkout/setup-node/cache to commit SHAs.
.github/skills/add-mcp-support-for-new-language/workflow-template.yml	Pin checkout and CodeQL init action to commit SHAs.
.github/instructions/github_workflows_yaml.instructions.md	Require SHA pinning and broaden instructions’ intended scope to actions/workflows YAML.
.github/actions/setup-codeql-environment/action.yml	Pin setup/caching/runtime actions inside the composite action to commit SHAs.

[Copilot]

Pull request overview

Copilot reviewed 17 out of 17 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 17 out of 17 changed files in this pull request and generated 1 comment.