
Pin GitHub Actions to commit SHAs #36

Merged
oskarszoon merged 2 commits into bsv-blockchain:main from oskarszoon:feature/pin-actions
Oct 22, 2025

Conversation

@oskarszoon

Contributor

Summary

This PR pins all external GitHub Actions to their full commit SHAs to resolve the SonarQube security warning githubactions:S7637.

Using version tags (e.g., @v4) for GitHub Actions is security-sensitive because tags can be moved to point to different commits. Pinning to commit SHAs ensures the exact code being executed is known and cannot be changed without updating the workflow files.

Changes

All external GitHub Actions have been pinned to their commit SHAs:

| Action | Version | Commit SHA (first 8 chars) |
|---|---|---|
| actions/checkout | v4 | 08eba0b2 |
| actions/setup-go | v5 | d35c59ab |
| actions/setup-python | v5 | a26af69b |
| actions/upload-artifact | v4 | ea165f8d |
| actions/download-artifact | v4 | d3f86a10 |
| actions/github-script | v7 | f28e40c7 |
| docker/setup-buildx-action | v3 | e468171a |
| docker/login-action | v3 | 5e57cd11 |
| SonarSource/sonarqube-scan-action | v6 | fd88b7d7 |
| sonarsource/sonarqube-quality-gate-action | v1.2.0 | cf038b0e |
| golangci/golangci-lint-action | v8 | 4afd733a |
| anthropics/claude-code-action | v1 | e8bad572 |
| dataaxiom/ghcr-cleanup-action | v1.0.16 | cd0cdb90 |

Format

Each pinned reference includes a comment with the original version tag for easy reference:

uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4

Testing

  • All workflow files are syntactically valid YAML
  • No functionality changes - only security hardening through commit pinning
  • SHAs verified against GitHub API for each action's tagged version

Security Impact

✅ Resolves SonarQube security hotspot githubactions:S7637
✅ Prevents potential supply chain attacks via tag manipulation
✅ Maintains version visibility through inline comments
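A check of the convention this PR adopts, written as an added example rather than anything from the PR or the repository: it scans workflow text for `uses:` lines and reports which references are a full 40-hex commit SHA with the trailing version comment, which are still tag-only, and which (local actions, `docker://` images) are outside SHA pinning. The sample workflow, the `Finding` type and the placeholder SHA `0123...` are constructed for the example.

```python
import re
from typing import List, NamedTuple, Optional

# Matches e.g.:  uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?\s*$")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

class Finding(NamedTuple):
    line_no: int
    ref: str
    status: str  # pinned | unpinned | pinned-no-version-comment | skipped

def classify_uses(ref: str, comment: Optional[str]) -> str:
    ref = ref.strip("'\"")
    # Local actions and docker:// images are not git refs; SHA pinning does not apply.
    if ref.startswith("./") or ref.startswith("docker://"):
        return "skipped"
    if "@" not in ref:
        return "unpinned"
    version = ref.rsplit("@", 1)[1]
    # A tag (v4) can be moved and a short SHA is ambiguous; only a full 40-hex SHA counts.
    if not FULL_SHA_RE.fullmatch(version):
        return "unpinned"
    # The PR's convention: a pinned ref keeps its original tag as a trailing "# v4" comment.
    if not comment or not re.match(r"v?\d", comment.strip()):
        return "pinned-no-version-comment"
    return "pinned"

def audit_workflow(text: str) -> List[Finding]:
    # Classify every 'uses:' line in one workflow file's text.
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            findings.append(Finding(line_no, m["ref"], classify_uses(m["ref"], m["comment"])))
    return findings

# Constructed sample, not a repository file: the PR's pinned style, a tag-only ref of
# the kind it removed, a local action, and a placeholder SHA with no version comment.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
      - uses: actions/setup-go@v5
      - uses: ./.github/actions/local-helper
      - uses: docker/login-action@0123456789abcdef0123456789abcdef01234567
"""
```

Calling `audit_workflow(SAMPLE_WORKFLOW)` returns one `Finding` per step; on a real repository, feed it the text of each file under `.github/workflows` and fail CI on any `unpinned` result.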

oskarszoon changed the title from "Pin GitHub Actions to commit SHAs for security" to "Pin GitHub Actions to commit SHAs" on Oct 22, 2025
oskarszoon self-assigned this on Oct 22, 2025
oskarszoon requested a review from galt-tr on October 22, 2025 at 11:53
claude Bot commented Oct 22, 2025

Contributor

🤖 Claude Code Review

Status: Complete

Current Review:

This PR successfully implements security hardening by pinning all GitHub Actions to commit SHAs. The changes are clean and well-executed:

Verified:

  • All 80 action references now use full commit SHAs instead of version tags
  • Spot-checked SHAs match their corresponding version tags (v4, v5, v8, etc.)
  • Inline comments preserved for easy version reference (e.g., # v4)
  • No functionality changes - purely security hardening
  • YAML syntax is valid across all 12 workflow files

Security Impact:

  • Resolves SonarQube security hotspot githubactions:S7637
  • Prevents tag manipulation attacks
  • Ensures reproducible workflow execution

No issues found. This is a straightforward security improvement that follows GitHub Actions best practices.

oskarszoon merged commit 7c04729 into bsv-blockchain:main on Oct 22, 2025
7 checks passed
torrejonv pushed a commit to torrejonv/teranode that referenced this pull request on Oct 26, 2025