
SHA pin first-party GitHub Actions #13491

Merged
williammartin merged 1 commit into trunk from wm-sha-pin on May 22, 2026

Conversation

williammartin (Member) commented May 22, 2026

Closes #13490.

What

Replaces every actions/* and github/* uses: reference in .github/workflows/*.yml with the equivalent commit SHA, preserving the human-readable version in a trailing comment. This matches the convention already used for third-party action pins in this repo, e.g. golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0.

Unique pins introduced:

Action Pinned to
actions/checkout de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
actions/setup-go 4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
actions/upload-artifact 043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
actions/download-artifact 3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
github/codeql-action/{init,analyze,upload-sarif} 7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0

actions/attest was already SHA-pinned and is unchanged.

Some screenshots to verify SHAs above:

[Five screenshots omitted]

Why

Per #13490: with the 3-day dependabot cooldown configured for both gomod and github-actions, version-tag references give no real benefit (dependabot still opens PRs on patch releases) while leaving us exposed to tag-mutation supply chain attacks on first-party namespaces. SHA pinning is the more consistent and defensible posture and matches what we already do for third-party actions.

Verification

  • Every changed checkout/setup-go/codeql-action/upload-artifact call is exercised by the lint, go, codeql, and govulncheck workflows on this PR.
  • The release-only paths in deployment.yml (download-artifact, additional upload-artifact/checkout invocations) are not exercised by PR workflows. Since this change only swaps the ref (no argument changes), and the same actions are exercised elsewhere on PR, the residual risk at the next release is low.
  • Dependabot natively parses <sha> # vX.Y.Z pins and will bump both the SHA and the comment on the next patch release, validating the chosen format.

Out of scope

  • desktop/gh-cli-and-desktop-shared-workflows/...@main reusable workflow references. These are jointly owned with the desktop team and we should pin the actions used in them, but I don't think we suffer much exposure by keeping first party on @main?
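A checker for the pin convention the description relies on, added here as an example and not code from this PR or the cli/cli repository: it extracts every remote `uses:` reference from a workflow, flags refs that are not a full 40-hex commit SHA (tags and branches can be moved later), and flags SHA pins that lack the `# vX.Y.Z` comment Dependabot uses to bump SHA and version together. The sample workflow is constructed; two of its pins are copied from the table above, while the `actions/setup-go@v6` line and the local action are invented.

```python
import re

# Matches a remote step reference such as
#   - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
# Local (./path) and docker:// references carry no "owner/repo@ref" and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s]+)@(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*\S))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")        # full-length commit SHA = immutable ref
VERSION_RE = re.compile(r"^v\d+(\.\d+)*$")    # the "# vX.Y.Z" comment Dependabot maintains


def parse_uses(workflow_yaml: str) -> list[tuple]:
    """Return (line, action, ref, comment) for every remote 'uses:' reference."""
    refs = []
    for n, line in enumerate(workflow_yaml.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            refs.append((n, m["action"], m["ref"], m["comment"]))
    return refs


def findings(workflow_yaml: str) -> list[tuple]:
    """(line, action, problem) for refs that are mutable or lack the version comment."""
    out = []
    for n, action, ref, comment in parse_uses(workflow_yaml):
        if not SHA_RE.match(ref):
            out.append((n, action, "mutable-ref"))       # tag or branch: can be re-pointed
        elif comment is None or not VERSION_RE.match(comment):
            out.append((n, action, "missing-version-comment"))
    return out


# Constructed sample: two SHA pins taken from the PR table, one tag-pinned
# first-party action, one SHA pin without its version comment, and a local
# action (no @ref) that the checker ignores.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@v6
      - uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
      - uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa
      - uses: ./.github/actions/local-step
"""
```

Running `findings(SAMPLE_WORKFLOW)` reports the `setup-go` tag ref and the comment-less `codeql-action/init` pin, and nothing for the two correctly pinned lines.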

Copilot AI review requested due to automatic review settings May 22, 2026 14:10
@williammartin williammartin requested a review from a team as a code owner May 22, 2026 14:10
@williammartin williammartin requested a review from babakks May 22, 2026 14:10

Copilot AI (Contributor) left a comment

Pull request overview

Pins first-party GitHub Actions (actions/*, github/*) in the repository workflows to immutable commit SHAs (with trailing version comments) to reduce tag-mutation supply-chain risk and align with existing third-party pinning practices.

Changes:

  • Replaced actions/checkout and actions/setup-go version-tag references with commit-SHA pins across CI workflows.
  • Pinned github/codeql-action/* steps to a specific commit SHA in CodeQL and SARIF upload workflows.
  • Pinned artifact upload/download actions used in the release/deployment workflow to specific commit SHAs.
Summary per file:
File Description
.github/workflows/lint.yml Pins checkout and setup-go to SHAs for lint and govulncheck jobs.
.github/workflows/govulncheck.yml Pins checkout, setup-go, and CodeQL SARIF upload action to SHAs.
.github/workflows/go.yml Pins checkout and setup-go to SHAs for build and integration tests.
.github/workflows/detect-spam.yml Pins checkout to a SHA for the spam-detection workflow.
.github/workflows/deployment.yml Pins checkout, setup-go, and artifact upload/download actions to SHAs in release/deployment jobs.
.github/workflows/codeql.yml Pins checkout, setup-go, and CodeQL actions (init/analyze/upload-sarif) to SHAs.
.github/workflows/bump-go.yml Pins checkout and setup-go to SHAs for the scheduled Go bump workflow.

Copilot's findings


  • Files reviewed: 7/7 changed files
  • Comments generated: 0

Pins every actions/* and github/* uses: reference in .github/workflows
to its commit SHA, with the human-readable version preserved in a
trailing comment, matching the convention already used for third-party
actions. Removes the supply-chain exposure left by the floating @vn
tags now that dependabot has a 3-day cooldown configured.

Closes #13490

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@williammartin williammartin merged commit 909cbd7 into trunk May 22, 2026
9 checks passed
@williammartin williammartin deleted the wm-sha-pin branch May 22, 2026 16:39
pull Bot pushed a commit to Jimimaku/go-gh that referenced this pull request May 22, 2026
Pins every actions/* and github/* uses: reference in
.github/workflows to its commit SHA, with the human-readable
version preserved in a trailing comment, matching the convention
already used for third-party actions. Removes the supply-chain
exposure left by floating @vn tags now that dependabot has a
3-day cooldown configured.

Follows cli/cli#13491 (cli/cli) and
cli/cli#13490.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
pull Bot pushed a commit to NOUIY/gh-extension-precompile that referenced this pull request May 22, 2026
Pins every actions/* and github/* uses: reference in
.github/workflows to its commit SHA, with the human-readable
version preserved in a trailing comment, matching the convention
already used for third-party actions. Removes the supply-chain
exposure left by floating @vn tags now that dependabot has a
3-day cooldown configured.

Follows cli/cli#13491 (cli/cli) and
cli/cli#13490.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Development

Successfully merging this pull request may close these issues.

SHA Pin first party actions here and across the org

4 participants