chore: pin GitHub Actions to commit SHAs

[slawomirbabicz]

Pin GitHub Actions to commit SHAs

GitHub Actions referenced by tag (e.g. actions/checkout@v4) use a mutable pointer — the tag owner can move it to a different commit at any time, including a malicious one. This is the attack vector used in the tj-actions/changed-files incident (CVE-2025-30066).

Pinning to a full 40-character commit SHA makes the reference immutable. The # tag comment preserves human readability so reviewers can tell which version is pinned.

Important: a SHA can also originate from a forked repository. A malicious actor can fork an action, push a compromised commit to the fork, and the SHA will resolve — but it won't exist in the upstream canonical repo. Each SHA in this PR was verified against the action's canonical repository (not a fork).

Changes

• actions/checkout@v3 -> actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0

  • Version: v3.6.0 | Latest: v6.0.2 | Release age: 88d
  • Commit: actions/checkout@f43a0e5

• actions/cache@v3 -> actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0

  • Version: v3.5.0 | Latest: v5.0.4 | Release age: 21d
  • Commit: actions/cache@6f8efc2

Files modified

• .github/workflows/ci.yml