chore(ci): pin actions in non-PR-triggered workflows (#3193)

## What changed
- Pinned external GitHub Actions to full commit SHAs in non-PR-triggered
workflows:
  - `.github/workflows/nightly-pypi-build.yml`
  - `.github/workflows/pypi-build-artifacts.yml`
  - `.github/workflows/python-release-docs.yml`
  - `.github/workflows/python-release.yml`
  - `.github/workflows/stale.yml`
  - `.github/workflows/svn-build-artifacts.yml`
- Updated one command in `pypi-build-artifacts.yml` from expression
interpolation to shell env usage:
  - `uv version "${{ env.VERSION }}"` -> `uv version "$VERSION"`

## Why
- Fixes `zizmor` findings for `unpinned-uses` by replacing mutable refs
with immutable SHAs.
- Reduces supply-chain risk from tag/branch drift while preserving
workflow behavior.
- Fixes `template-injection` warning by avoiding direct expression
expansion inside `run`.

## Verification
- `uvx --from zizmor zizmor --offline .github/workflows/ --fix=all`
- Result: `No findings to report.`

Author: kevinjqliu

.github/workflows/nightly-pypi-build.yml

@@ -34,11 +34,12 @@ jobs:
     outputs:
       VERSION: ${{ steps.set-version.outputs.VERSION }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 1
+          persist-credentials: false
 
-      - uses: actions/setup-python@v6
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: 3.12
 
@@ -53,7 +54,9 @@ jobs:
           echo "VERSION=${CURRENT_VERSION}.dev${TIMESTAMP}" >> "$GITHUB_OUTPUT"
 
       - name: Debug version
-        run: echo "Publishing version ${{ steps.set-version.outputs.VERSION }}"
+        run: echo "Publishing version ${STEPS_SET_VERSION_OUTPUTS_VERSION}"
+        env:
+          STEPS_SET_VERSION_OUTPUTS_VERSION: ${{ steps.set-version.outputs.VERSION }}
 
   nightly-build:
     needs: set-version
@@ -74,7 +77,7 @@ jobs:
 
     steps:
     - name: Download all the artifacts
-      uses: actions/download-artifact@v8
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
       with:
         merge-multiple: true
         path: dist/
@@ -83,7 +86,7 @@ jobs:
     - name: Publish to TestPyPI
       id: publish-testpypi
       continue-on-error: true
-      uses: pypa/gh-action-pypi-publish@release/v1
+      uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
       with:
         repository-url: https://test.pypi.org/legacy/
         skip-existing: true

.github/workflows/pypi-build-artifacts.yml

@@ -39,11 +39,12 @@ jobs:
         os: [ ubuntu-latest, ubuntu-24.04-arm, windows-latest, macos-15-intel, macos-latest ]
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 1
+          persist-credentials: false
 
-      - uses: actions/setup-python@v6
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: |
             3.10
@@ -57,7 +58,7 @@ jobs:
       - name: Set version with RC
         env:
           VERSION: ${{ inputs.VERSION }}
-        run: uv version "${{ env.VERSION }}"
+        run: uv version "$VERSION"
 
       # Publish the source distribution with the version that's in
       # the repository, otherwise the tests will fail
@@ -86,7 +87,7 @@ jobs:
         if: matrix.os == 'ubuntu-latest'
         run: ls -lah dist/* && cp dist/* wheelhouse/
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: "pypi-release-candidate-${{ matrix.os }}"
           path: ./wheelhouse/*
@@ -97,7 +98,7 @@ jobs:
       - pypi-build-artifacts
     steps:
       - name: Merge Artifacts
-        uses: actions/upload-artifact/merge@v4
+        uses: actions/upload-artifact/merge@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: "pypi-release-candidate-${{ inputs.VERSION }}"
           pattern: pypi-release-candidate*

.github/workflows/python-release-docs.yml

@@ -35,8 +35,10 @@ jobs:
       contents: write
 
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-python@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: 3.12
       - name: Install UV

.github/workflows/python-release.yml

@@ -62,8 +62,8 @@ jobs:
             fi
           else
             echo "Workflow triggered manually via workflow_dispatch."
-            VERSION="${{ github.event.inputs.version }}"
-            RC="${{ github.event.inputs.rc }}"
+            VERSION="${GITHUB_EVENT_INPUTS_VERSION}"
+            RC="${GITHUB_EVENT_INPUTS_RC}"
 
             # Validate version (e.g., 1.0.0)
             if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
@@ -81,27 +81,36 @@ jobs:
           # Export variables for future steps
           echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
           echo "RC=$RC" >> $GITHUB_OUTPUT
+        env:
+          GITHUB_EVENT_INPUTS_VERSION: ${{ github.event.inputs.version }}
+          GITHUB_EVENT_INPUTS_RC: ${{ github.event.inputs.rc }}
 
       - name: Display Extracted Version and RC
         run: |
-          echo "Using Version: ${{ steps.validate-inputs.outputs.VERSION }}"
-          echo "Using RC: ${{ steps.validate-inputs.outputs.RC }}"
+          echo "Using Version: ${STEPS_VALIDATE_INPUTS_OUTPUTS_VERSION}"
+          echo "Using RC: ${STEPS_VALIDATE_INPUTS_OUTPUTS_RC}"
+        env:
+          STEPS_VALIDATE_INPUTS_OUTPUTS_VERSION: ${{ steps.validate-inputs.outputs.VERSION }}
+          STEPS_VALIDATE_INPUTS_OUTPUTS_RC: ${{ steps.validate-inputs.outputs.RC }}
 
   validate-library-version:
     runs-on: ubuntu-latest
     needs:
       - validate-inputs
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 1
+          persist-credentials: false
 
-      - uses: actions/setup-python@v6
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: 3.12
 
       - name: Install UV
         uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098
+        with:
+          enable-cache: false
 
       - name: Validate current pyiceberg version
         env:

.github/workflows/stale.yml

@@ -32,7 +32,7 @@ jobs:
     if: github.repository_owner == 'apache'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v10.2.0
+      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
         with:
           # stale issues
           stale-issue-label: 'stale,security'

.github/workflows/svn-build-artifacts.yml

@@ -39,11 +39,12 @@ jobs:
         os: [ ubuntu-latest, ubuntu-24.04-arm, windows-latest, macos-15-intel, macos-latest ]
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 1
+          persist-credentials: false
 
-      - uses: actions/setup-python@v6
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: |
             3.10
@@ -78,7 +79,7 @@ jobs:
         if: matrix.os == 'ubuntu-latest'
         run: ls -lah dist/* && cp dist/* wheelhouse/
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: "svn-release-candidate-${{ matrix.os }}"
           path: ./wheelhouse/*
@@ -89,7 +90,7 @@ jobs:
       - svn-build-artifacts
     steps:
       - name: Merge Artifacts
-        uses: actions/upload-artifact/merge@v4
+        uses: actions/upload-artifact/merge@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: "svn-release-candidate-${{ inputs.VERSION }}"
           pattern: svn-release-candidate*