Request: Use SHA-pinned action references for security-constrained repositories

[rjmurillo]

Problem

Repositories with security rulesets requiring "all actions must be pinned to full-length commit SHA" cannot use Factory-AI/droid-action because it internally references actions using version tags instead of commit SHAs.

Error

When running the droid-action in a repository with SHA-pinning requirements:

The action actions/upload-artifact@v4 is not allowed in <repo> 
because all actions must be pinned to a full-length commit SHA.

Root Cause

In action.yml, the action uses:

- uses: actions/upload-artifact@v4

GitHub's repository rulesets apply SHA-pinning requirements recursively to all nested action dependencies, including those referenced by composite actions.

Requested Change

Update internal action references to use full-length commit SHAs:

# Before
- uses: actions/upload-artifact@v4

# After
- uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0

Why This Matters

• SLSA Level 2+ compliance requires immutable action references
• Supply chain security prevents tag manipulation attacks
• Enterprise adoption often mandates SHA-pinning for all third-party actions
• GitHub's security hardening guide recommends this practice: Security hardening for GitHub Actions

Affected Versions

Version	SHA	Status
v1 tag	65dab2847e1b4a8a24332cfdef116e4ac3777789	Contains non-pinned references
Latest	e3f8be9f34bb41b11e852e836cb64e81f13fba59	Contains non-pinned references

Additional Context

This is a blocking issue for security-conscious organizations. We would like to use droid-action for automated PR reviews but cannot until internal dependencies are SHA-pinned.

Thank you for considering this enhancement!