
fix: pin 9 actions to commit SHA#18025

Open
dagecko wants to merge 1 commit into sveltejs:main from dagecko:runner-guard/fix-ci-security

Conversation

@dagecko

@dagecko dagecko commented Mar 28, 2026

Re-submission of #18017. Had a problem with my fork and had to delete it, which closed the original PR. Apologies for the noise.

Summary

This PR pins all GitHub Actions to immutable commit SHAs instead of mutable version tags.

  • Pin 9 unpinned actions to full 40-character SHAs
  • Add version comments for readability

Changes by file

File             Changes
autofix.yml      Pinned actions to SHA
ci.yml           Pinned actions to SHA
pkg.pr.new.yml   Pinned actions to SHA
release.yml      Pinned actions to SHA

A note on internal action pinning

This PR pins all actions including org-owned ones. Best practice is to pin everything — the tj-actions/changed-files attack was an internally maintained action that was compromised, and every repo referencing it by tag silently executed attacker code. That said, it's your codebase. If you'd prefer to leave org-owned actions unpinned, let us know and we'll adjust the PR.

How to verify

Review the diff — each change is mechanical and preserves workflow behavior:

  • SHA pinning: action@v3 becomes action@abc123 # v3 — original version preserved as comment
  • No workflow logic, triggers, or permissions are modified

I wrote a scanner called Runner Guard and open sourced it here.

If you have any questions, reach out. I'll be monitoring comms.

- Chris Nyhuis (dagecko)

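The "How to verify" section says each change is mechanical (action@v3 becomes action@abc123 # v3) and that reviewing the diff is enough. The check below is an added example written for this page; it is not the PR's Runner Guard tool or any Svelte code. It scans `uses:` lines in a workflow, flags references that are not a full 40-hex commit SHA (tags and short SHAs alike, since short SHAs are not guaranteed unique), flags SHA pins that lack the version comment the PR adds, and shows the rewrite a reviewer expects to see in the diff. The workflow text and the SHA values are constructed sample input, not real commits.

```python
import re

# A `uses:` step in a GitHub Actions workflow. Captures the action
# (owner/repo[/path]), the ref after `@`, and an optional trailing comment.
# Local actions (./path, no `@`) and docker:// references (contain `:`) are
# deliberately not matched; they are pinned by other means.
USES_RE = re.compile(
    r"""^(?P<indent>\s*-?\s*)uses:\s*(?P<quote>["']?)"""
    r"""(?P<action>[A-Za-z0-9_.\-/]+)@(?P<ref>[^\s"'#]+)(?P=quote)"""
    r"""(?:\s*#\s*(?P<comment>.*?))?\s*$"""
)

# Only a full-length commit SHA is immutable; tags can be moved and short
# SHAs can become ambiguous as the repository grows.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_workflow(text: str):
    """Return (line_no, action, reason) for every `uses:` that is not
    pinned the way this PR pins things: full SHA plus a version comment."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if not FULL_SHA_RE.match(ref):
            findings.append((line_no, action, "not pinned to a full 40-hex commit SHA"))
        elif not comment or not re.search(r"\d", comment):
            # Pinned, but a reviewer cannot tell which version the SHA is
            # without the comment, and tooling cannot bump it sensibly.
            findings.append((line_no, action, "SHA pin has no version comment"))
    return findings


def pin_line(line: str, sha: str) -> str:
    """Rewrite `uses: action@tag` as `uses: action@<sha> # tag`, preserving
    indentation and keeping the original ref as the version comment."""
    m = USES_RE.match(line)
    if not m:
        raise ValueError("not a uses: line")
    if not FULL_SHA_RE.match(sha):
        raise ValueError("sha must be a full 40-character lowercase hex commit SHA")
    return f"{m.group('indent')}uses: {m.group('action')}@{sha} # {m.group('ref')}"


# Constructed sample workflow: the SHAs below are placeholders, not real commits.
CONSTRUCTED_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@a1b2c3d   # short SHA, still not immutable
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
      - uses: pnpm/action-setup@fedcba9876543210fedcba9876543210fedcba98 # v4.0.0
      - run: pnpm test
      - uses: ./.github/actions/local-thing
"""

# Placeholder SHA used to demonstrate the rewrite (constructed, not a real commit).
PLACEHOLDER_SHA = "c0ffee" + "0" * 34


if __name__ == "__main__":
    for line_no, action, reason in check_workflow(CONSTRUCTED_WORKFLOW):
        print(f"line {line_no}: {action}: {reason}")
    print(pin_line("      - uses: actions/checkout@v4", PLACEHOLDER_SHA))
```

Two caveats worth keeping in mind when reviewing a PR like this. First, the SHA to put in the comment has to be resolved from the tag; `git ls-remote --tags <repo-url> <tag>` prints the tag object for an annotated tag, and the commit it points at only appears on the peeled `<tag>^{}` line, so the peeled value is the one to pin. Second, pinning a composite action by SHA pins only that action's own code; any `uses:` references inside it remain whatever that commit says, tags included, so the pin does not reach transitively. Dependabot's `github-actions` ecosystem understands SHA pins with version comments and will bump both together, which keeps the comments from drifting.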
@changeset-bot

changeset-bot bot commented Mar 28, 2026

⚠️ No Changeset found

Latest commit: 304f33a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR
