
Pin actions to full-length commit SHA refs #341

Merged
data-douser merged 3 commits into main from dd/actions/1
Mar 28, 2026

Conversation

@data-douser
Collaborator

What This PR Contributes

This pull request enforces best practices and improves security for GitHub Actions workflows in the repository. The main changes are the introduction of clear instructions for workflow management and the pinning of all external GitHub Actions to full-length commit SHAs, replacing any tag or branch references. This ensures workflow reproducibility and mitigates risks from upstream changes.

Outline of Changes

Security and Dependency Management Improvements

  • All external GitHub Actions in workflow files are now pinned to their full 40-character commit SHAs, with comments indicating the original tag for clarity. This includes actions such as actions/checkout, actions/setup-node, actions/setup-python, actions/cache, actions/upload-artifact, actions/download-artifact, github/codeql-action, and peter-evans/create-pull-request, as well as reusable and custom actions. This change significantly reduces the risk of supply chain attacks by preventing unexpected updates to action code.

Documentation and Contributor Guidance

  • A new instructions file .github/instructions/github_workflows_yaml.instructions.md has been added. This document outlines strict requirements and preferences for editing workflow YAML files, emphasizing the need to pin actions by SHA, use explicit permissions, avoid deprecated syntax, and follow best practices for security and maintainability.

These changes ensure that workflows are more secure, easier to audit, and maintain consistent standards across the repository.

Future Works

@data-douser data-douser self-assigned this Mar 27, 2026
@data-douser data-douser added the dependencies Pull requests that update a dependency file label Mar 27, 2026
@data-douser data-douser requested review from Copilot, knewbury01 and mbaluda and removed request for Copilot March 27, 2026 02:54
@data-douser data-douser enabled auto-merge (squash) March 27, 2026 02:55
Contributor

Copilot AI left a comment


Pull request overview

This PR improves GitHub Actions supply-chain security and workflow reproducibility by replacing tag/branch-based uses: references with full-length commit SHA pins across the repository’s workflows, and adds repository-specific guidance for maintaining workflow YAML consistently.

Changes:

  • Pinned external GitHub Actions and reusable workflows to full 40-character commit SHAs (with trailing comments noting the original tag/branch).
  • Updated multiple CI/release workflows to use the pinned SHAs for checkout, artifact, CodeQL, Node/Python setup, cache, and toolkit actions.
  • Added .github/instructions/github_workflows_yaml.instructions.md documenting workflow-editing requirements (pinning, permissions, conventions).

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| .github/workflows/update-codeql.yml | Pins checkout/setup-node/create-pull-request action references to SHAs. |
| .github/workflows/release.yml | Pins download-artifact action reference to a SHA. |
| .github/workflows/release-tag.yml | Pins checkout and setup-node actions to SHAs in the reusable release-tag workflow. |
| .github/workflows/release-codeql.yml | Pins checkout and upload-artifact actions to SHAs in the reusable release workflow. |
| .github/workflows/ql-unit-tests-windows.yml | Pins checkout/setup-node/upload/download artifact actions to SHAs for Windows unit tests. |
| .github/workflows/ql-unit-tests-linux.yml | Pins checkout/install-qlt/setup-node/upload/download artifact actions to SHAs for Linux unit tests. |
| .github/workflows/codeql-ql.yml | Pins the referenced reusable workflow to a commit SHA. |
| .github/workflows/code_scanning.yml | Pins checkout, codeql-action init/analyze, setup-python, cache, and upload-artifact to SHAs. |
| .github/workflows/cds-extractor-dist-bundle.yml | Pins checkout and setup-node actions to SHAs for extractor bundle validation. |
| .github/instructions/github_workflows_yaml.instructions.md | Adds repo guidance enforcing SHA pinning and workflow security conventions. |
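The pinning convention this PR enforces (every external `uses:` reference resolved to a full 40-character commit SHA, with a trailing comment naming the original tag) is the kind of rule a CI lint can check before a workflow change merges. The script below is an added example, not code from this PR or the repository; the sample workflow text and the SHA values in it are constructed placeholders.

```python
import re

# Matches a step reference in a GitHub Actions workflow:
#   - uses: owner/repo[/path]@ref   # optional trailing comment
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)(?:\s*#\s*(?P<comment>.*))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


def check_uses_pins(workflow_text):
    """Return (line_no, reference, problem) for every `uses:` that does not
    follow the PR's rule: external actions and reusable workflows must be
    pinned to a full 40-char SHA and carry a comment naming the original tag.
    Local actions (./path) and Docker images (docker://) are out of scope."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("\"'")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((line_no, ref, "no version specified at all"))
            continue
        _, version = ref.rsplit("@", 1)
        if SHORT_SHA_RE.match(version):
            findings.append((line_no, ref, "short SHA; use the full 40-character SHA"))
        elif not FULL_SHA_RE.match(version):
            findings.append((line_no, ref, "pinned to a mutable tag/branch, not a full SHA"))
        elif not m.group("comment"):
            findings.append((line_no, ref, "SHA pin has no comment naming the original tag"))
    return findings


# Constructed sample workflow; the SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
# constructed sample, not a workflow from the repository
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # v4.0.0
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: github/codeql-action/init@main
"""

if __name__ == "__main__":
    for line_no, ref, problem in check_uses_pins(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref}: {problem}")
```

Run against real workflow files by reading each `.github/workflows/*.yml` into `check_uses_pins`; a non-empty result is a merge blocker under the guidance this PR adds.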

Comment thread .github/instructions/github_workflows_yaml.instructions.md Outdated
data-douser and others added 2 commits March 27, 2026 08:23
@data-douser data-douser added the enhancement New feature or request label Mar 27, 2026
@data-douser data-douser disabled auto-merge March 28, 2026 02:30
@data-douser data-douser merged commit 6dcafea into main Mar 28, 2026
15 checks passed
@data-douser data-douser deleted the dd/actions/1 branch March 28, 2026 02:30
