From 189c9666007ec19e3cb9b0f18d0b06a9a21a65db Mon Sep 17 00:00:00 2001
From: Sasa Junuzovic
Date: Sun, 19 Apr 2026 20:38:39 -0700
Subject: [PATCH] security: SHA-pin manual workflows and prune dead lock entries
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

P0 remediation from security audit (#92, #1014).

Manual workflows (not gh-aw compiled) now SHA-pinned:
- ci.yml: checkout@v6, setup-uv@v7
- codeql.yml: checkout@v6, codeql-action/init@v4, codeql-action/analyze@v4
- copilot-setup-steps.yml: checkout@v6, setup-uv@v7 (setup-cli@v0.68.1 line intentionally untouched)
- dependency-review.yml: checkout@v6, dependency-review-action@v4.9.0
- pipeline-orchestrator.yml: checkout@v6

actions-lock.json: removed unused entries
- actions/github-script@v8 (zero references)
- github/gh-aw/actions/setup@v0.58.1 (zero references)

All SHAs verified via GitHub API. Triple-reviewed by Codex, Sonnet 4.6, and Opus 4.6 — all clean.

Refs #92 #1014

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/aw/actions-lock.json | 10 ----------
 .github/workflows/ci.yml | 4 ++--
 .github/workflows/codeql.yml | 6 +++---
 .github/workflows/copilot-setup-steps.yml | 4 ++--
 .github/workflows/dependency-review.yml | 4 ++--
 .github/workflows/pipeline-orchestrator.yml | 2 +-
 6 files changed, 10 insertions(+), 20 deletions(-)

diff --git a/.github/aw/actions-lock.json b/.github/aw/actions-lock.json
index 9402d8a2..73df5e9d 100644
--- a/.github/aw/actions-lock.json
+++ b/.github/aw/actions-lock.json
@@ -1,10 +1,5 @@
 {
 "entries": {
- "actions/github-script@v8": {
- "repo": "actions/github-script",
- "version": "v8",
- "sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd"
- },
 "actions/github-script@v9": {
 "repo": "actions/github-script",
 "version": "v9",
@@ -14,11 +9,6 @@
 "repo": "github/gh-aw-actions/setup",
 "version": "v0.68.3",
 "sha": "ba90f2186d7ad780ec640f364005fa24e797b360"
- },
- "github/gh-aw/actions/setup@v0.58.1": {
- "repo": "github/gh-aw/actions/setup",
- "version": "v0.58.1",
- "sha": "fa061e89469ef007881d22d3af5a8c9e62363a0d"
 }
 }
 }
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d34eafd0..35f062fb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,10 +8,10 @@ jobs:
 check:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
- - uses: astral-sh/setup-uv@v7
+ - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
 - run: uv sync
 - run: make ci
 - name: Check diff coverage (new/changed lines ≥ 90%)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 68f1bf57..331a5140 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -13,8 +13,8 @@ jobs:
 contents: read
 actions: read
 steps:
- - uses: actions/checkout@v6
- - uses: github/codeql-action/init@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
 with:
 languages: python
- - uses: github/codeql-action/analyze@v4
+ - uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
index c7661d86..ccdb48d0 100644
--- a/.github/workflows/copilot-setup-steps.yml
+++ b/.github/workflows/copilot-setup-steps.yml
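Review bot: The pin annotations on the two new `uses:` lines in ci.yml record the floating major tag (`# v6`, `# v7`) rather than the exact release the SHA was resolved from, so a later reader cannot audit the commit against an immutable tag without re-querying the API. The dependency-review.yml hunk already uses the exact form (`# v4.9.0`); the same form belongs here and in the codeql.yml, copilot-setup-steps.yml and pipeline-orchestrator.yml hunks, e.g. `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.<exact-release-tag>` with the tag taken from the same API lookup the commit message describes. Pinning also freezes these actions: unless an updater for the github-actions ecosystem is already configured (nothing in this diffstat adds one), the pinned codeql-action and setup-uv will silently stop receiving upstream fixes, which turns the audit remediation into a slow regression. A lint step that fails CI on any tag-pinned `uses:` line would keep the original finding from coming back.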
@@ -19,12 +19,12 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Install gh-aw extension
 uses: github/gh-aw/actions/setup-cli@5a06d310cf45161bde77d070065a1e1489fc411c # v0.68.1
 with:
 version: v0.68.1
 - name: Install uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
 - name: Install Python dependencies
 run: uv sync
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index a0ec5ebf..c736afa9 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -10,5 +10,5 @@ jobs:
 review:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
- - uses: actions/dependency-review-action@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
diff --git a/.github/workflows/pipeline-orchestrator.yml b/.github/workflows/pipeline-orchestrator.yml
index aab7e26b..5b843352 100644
--- a/.github/workflows/pipeline-orchestrator.yml
+++ b/.github/workflows/pipeline-orchestrator.yml
@@ -57,7 +57,7 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 token: ${{ secrets.GH_AW_WRITE_TOKEN }}
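Review bot: The untouched `setup-cli@5a06d310cf45161bde77d070065a1e1489fc411c # v0.68.1` step in copilot-setup-steps.yml (and its `version: v0.68.1` input) now sits alongside a lock file whose `github/gh-aw-actions/setup` entry is at `v0.68.3`; if the CLI and the compiled-workflow action are released in lockstep, this workflow installs an older CLI than the rest of the repository uses. The commit message says the line was left alone on purpose, but the workflow itself does not say why, so a one-line comment on the step such as `# kept at v0.68.1 deliberately: <reason>` would stop the next SHA-pinning pass from "fixing" it, or would confirm that it should in fact move to v0.68.3.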
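Review bot: The checkout on the changed line of pipeline-orchestrator.yml still runs with actions/checkout's default `persist-credentials: true`, so the `GH_AW_WRITE_TOKEN` passed in `token:` is written into the checkout's git config and remains readable by every later step of the job, including any third-party action run there; the job's remaining steps are outside this hunk, so I cannot tell whether one of them pushes with it. If none does, add `persist-credentials: false` under `with:`; if one does, keep the token scoped to the repositories and permissions that step actually needs and name that step in a comment on the checkout so the exposure is deliberate rather than incidental. The SHA pin itself is consistent with the other hunks.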