🔒 Pin GitHub Actions to commit SHAs (#2069)

## 🔒 Pin GitHub Actions to commit SHAs

This PR pins all GitHub Actions to their exact commit SHA instead of
mutable tags or branch names.

**Why?**
Pinning to a SHA prevents supply chain attacks where a tag (e.g. `v4`)
could be moved to point to malicious code.

### Changes

| Workflow | Action | Avant | Après | SHA |
|---|---|---|---|---|
| `trufflehog.yml` | `actions/checkout` | `v4` | `v6.0.2` |
`de0fac2e4500…` |
| `trufflehog.yml` | `trufflesecurity/trufflehog` | `main` | `main` |
`6bd2d14f7a4b…` |
| `ollama-template-update.yml` | `actions/checkout` | `v3` | `v6.0.2` |
`de0fac2e4500…` |
| `ollama-template-update.yml` | `actions/github-script` | `v6` | `v6` |
`d7906e4ad0b1…` |
| `documentation.yml` |
`huggingface/doc-builder/.github/workflows/build_main_documentation.yml`
| `main` | `main` | `90b4ee2c10b8…` |
| `pr-documentation.yml` |
`huggingface/doc-builder/.github/workflows/build_pr_documentation.yml` |
`main` | `main` | `90b4ee2c10b8…` |
| `upload-pr-documentation.yml` |
`huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml`
| `main` | `main` | `90b4ee2c10b8…` |
| `update-specs.yml` | `actions/checkout` | `v3` | `v6.0.2` |
`de0fac2e4500…` |
| `update-specs.yml` | `actions/setup-node` | `v3` | `v3` |
`3235b876344d…` |
| `update-specs.yml` | `pnpm/action-setup` | `v2` | `v2` |
`eae0cfeb286e…` |
| `update-specs.yml` | `peter-evans/create-pull-request` | `v7` | `v7` |
`22a9089034f4…` |
| `agents-publish.yml` | `actions/checkout` | `v5` | `v6.0.2` |
`de0fac2e4500…` |
| `agents-publish.yml` | `actions/setup-node` | `v4` | `v4` |
`49933ea5288c…` |
| `agents-publish.yml` | `actions/setup-node` | `v4` | `v4` |
`49933ea5288c…` |
| `agents-publish.yml` | `peter-evans/repository-dispatch` | `v2` | `v2`
| `bf47d102fdb8…` |

> 🤖 Generated by `/github-actions-audit` — [security/pin-actions-to-sha]


Closes huggingface/tracking-issues#145

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk: changes are limited to CI workflow `uses:` references, but a
wrong SHA could break releases/docs/spec update automation.
> 
> **Overview**
> Pins all referenced GitHub Actions and reusable doc-builder workflows
in `.github/workflows/*` to immutable commit SHAs (replacing version
tags/`main`) for supply-chain hardening.
> 
> This updates checkout/node/pnpm/action helpers as well as
`doc-builder`, TruffleHog scanning, and PR/spec automation workflows
without changing the underlying job logic.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
41ede40. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Author: paulinebm

.github/workflows/agents-publish.yml

@@ -28,15 +28,15 @@ jobs:
   version_and_release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           # Needed to push the tag and the commit on the main branch, otherwise we get:
           # > Run git push --follow-tags
           # remote: error: GH006: Protected branch update failed for refs/heads/main.
           # remote: error: Changes must be made through a pull request. Required status check "lint" is expected.
           token: ${{ secrets.BOT_ACCESS_TOKEN }}
       - run: npm install -g corepack@latest && corepack enable
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020  # v4
         with:
           node-version: "24"
           cache: "pnpm"
@@ -61,7 +61,7 @@ jobs:
 
       - run: pnpm --filter agents... build && pnpm publish --no-git-checks .
       # hack - reuse actions/setup-node@v4 just to set a new registry
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020  # v4
         with:
           node-version: "24"
           registry-url: "https://npm.pkg.github.com"
@@ -70,7 +70,7 @@ jobs:
         env:
           NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: "Update Doc"
-        uses: peter-evans/repository-dispatch@v2
+        uses: peter-evans/repository-dispatch@bf47d102fdb849e755b0b0023ea3e81a44b6f570  # v2
         with:
           event-type: doc-build
           token: ${{ secrets.BOT_ACCESS_TOKEN }}

.github/workflows/documentation.yml

@@ -16,7 +16,7 @@ on:
 
 jobs:
   build:
-    uses: huggingface/doc-builder/.github/workflows/build_main_documentation.yml@main
+    uses: huggingface/doc-builder/.github/workflows/build_main_documentation.yml@90b4ee2c10b81b5c1a6367c4e6fc9e2fb510a7e3  # main
     with:
       commit_sha: ${{ github.sha }}
       package: huggingface.js

.github/workflows/ollama-template-update.yml

@@ -14,7 +14,7 @@ jobs:
   update-ollama-templates:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         if: github.repository == 'huggingface/huggingface.js'
 
       - name: Prepare
@@ -76,7 +76,7 @@ jobs:
 
       - name: Create PR
         if: steps.changes.outputs.HAS_CHANGES == 'true' && github.repository == 'huggingface/huggingface.js'
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410  # v6
         env:
           CURRENT_DATE: ${{ steps.prepare.outputs.CURRENT_DATE }}
           NEW_BRANCH: ${{ steps.changes.outputs.NEW_BRANCH }}

.github/workflows/pr-documentation.yml

@@ -16,7 +16,7 @@ concurrency:
 
 jobs:
   build:
-    uses: huggingface/doc-builder/.github/workflows/build_pr_documentation.yml@main
+    uses: huggingface/doc-builder/.github/workflows/build_pr_documentation.yml@90b4ee2c10b81b5c1a6367c4e6fc9e2fb510a7e3  # main
     with:
       commit_sha: ${{ github.sha }}
       pr_number: ${{ github.event.number }}

.github/workflows/trufflehog.yml

@@ -11,10 +11,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           fetch-depth: 0
       - name: Secret Scanning
-        uses: trufflesecurity/trufflehog@main
+        uses: trufflesecurity/trufflehog@6bd2d14f7a4bc1e569fa3550efa7ec632a4fa67b  # main
         with:
           extra_args: --results=verified,unknown

.github/workflows/update-specs.yml

@@ -18,12 +18,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # Setup
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610  # v3
         with:
           node-version: "20"
       - name: Install pnpm
-        uses: pnpm/action-setup@v2
+        uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b  # v2
         with:
           run_install: true
 
@@ -37,7 +37,7 @@ jobs:
 
       # Create or update Pull Request
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676  # v7
         with:
           token: ${{ secrets.TOKEN_INFERENCE_SYNC_BOT }}
           commit-message: Update tasks specs (automated commit)

.github/workflows/upload-pr-documentation.yml

@@ -8,7 +8,7 @@ on:
 
 jobs:
   build:
-    uses: huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml@main
+    uses: huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml@90b4ee2c10b81b5c1a6367c4e6fc9e2fb510a7e3  # main
     with:
       package_name: huggingface.js
     secrets: