ci: Pin GitHub Actions dependencies to commit SHAs for supply-chain security

## Summary

All third-party GitHub Actions in this repository's workflows are currently referenced by **mutable version tags** (e.g., `actions/checkout@v4`). This is a supply-chain security risk — tags can be force-pushed to point to malicious code.

## Recommendation

Pin all third-party GitHub Actions to their **full commit SHA** while preserving the version in a comment for readability:

```yaml
# Before (insecure)
uses: actions/checkout@v4

# After (secure)
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
```

## Affected Files

- `.github/workflows/ci.yml`
- `.github/workflows/npm-publish.yml`

## Actions Pinned

5 action references across 2 workflow file(s).

## References

- [GitHub Security Hardening Guide](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)
- [OpenSSF Scorecard: Pinned-Dependencies](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci: Pin GitHub Actions dependencies to commit SHAs for supply-chain security #11

Summary

Recommendation

Affected Files

Actions Pinned

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

ci: Pin GitHub Actions dependencies to commit SHAs for supply-chain security #11

Description

Summary

Recommendation

Affected Files

Actions Pinned

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions