fix: pin 50 unpinned actions to commit SHA, extract 1 secret to env var #45077

Open
dagecko wants to merge 1 commit into huggingface:main from dagecko:runner-guard/fix-ci-security

dagecko commented Mar 27, 2026

Re-submission of #45010. Had a problem with my fork and had to delete it, which closed the original PR. Apologies for the noise. @tarekziade @ydshieh

I noticed you fixed the critical findings from the original PR, which is great. This resubmission covers the remaining items.

Summary

This PR pins all GitHub Actions to immutable commit SHAs instead of mutable version tags and extracts expressions from run: blocks into env: mappings.

  • Pin 50 unpinned actions across workflow files to full 40-character SHAs
  • Add version comments for readability (e.g., @abc123 # v6)
  • Extract 1 secret from run block to env var

Additional Findings

There are additional findings that require manual review (23 comment-triggered workflows without author authorization checks, 1 secret exfiltration path). Happy to share details privately if interested.

A note on internal action pinning

This PR pins all actions including org-owned ones. Best practice is to pin everything — the tj-actions/changed-files attack was an internally maintained action that was compromised, and every repo referencing it by tag silently executed attacker code. That said, it's your codebase. If you'd prefer to leave org-owned actions unpinned, let us know and we'll adjust the PR.

How to verify

Review the diff — each change is mechanical and preserves workflow behavior:

  • SHA pinning: action@v3 becomes action@abc123 # v3 — original version preserved as comment
  • Expression extraction: ${{ expr }} in run: moves to env: block, referenced as $ENV_VAR in the script
  • No workflow logic, triggers, or permissions are modified

I put up some research on this on Twitter and a research site if you want more context. I wrote a scanner called Runner Guard and open sourced it here.

If you have any questions, reach out. I'll be monitoring comms.

- Chris Nyhuis (dagecko)
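
The two mechanical changes described under "How to verify" can be checked with a short script. This is an added example, not code from this PR or from Runner Guard: `audit_workflow` is a hypothetical helper that flags `uses:` references not pinned to a 40-character SHA and `${{ }}` expressions left inside `run:` scripts. The sample workflow, its SHA and the secret name are constructed placeholders.

```python
import re

# Line-based heuristic: no YAML parser, so flow-style or quoted keys are missed.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
RUN_RE = re.compile(r"^\s*(?:-\s*)?(run:)\s*(.*)$")
SHA_RE = re.compile(r"[0-9a-f]{40}")
EXPR_RE = re.compile(r"\$\{\{.*?\}\}")

def audit_workflow(text):
    """Return (line_no, kind, detail) findings for one workflow file."""
    findings = []
    run_col = None  # column of the `run:` key while inside its block scalar
    for no, line in enumerate(text.splitlines(), 1):
        if run_col is not None:
            indent = len(line) - len(line.lstrip())
            if not line.strip() or indent > run_col:
                findings += [(no, "expr-in-run", e) for e in EXPR_RE.findall(line)]
                continue
            run_col = None  # dedented back to a sibling key: script ended
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            # Local actions and docker:// images are not pinned by commit SHA.
            if not ref.startswith(("./", "docker://")):
                if not SHA_RE.fullmatch(ref.partition("@")[2]):
                    findings.append((no, "unpinned-action", ref))
            continue
        m = RUN_RE.match(line)
        if m:
            if m.group(2).startswith(("|", ">")):
                run_col = m.start(1)
            else:  # single-line script
                findings += [(no, "expr-in-run", e) for e in EXPR_RE.findall(m.group(2))]
    return findings

# Constructed sample: the SHA and the secret name are placeholders.
SAMPLE = """\
steps:
  - uses: actions/checkout@v4
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
  - run: |
      curl -H "Authorization: Bearer ${{ secrets.EXAMPLE_TOKEN }}" "$URL"
  - env:
      TOKEN: ${{ secrets.EXAMPLE_TOKEN }}
    run: |
      curl -H "Authorization: Bearer $TOKEN" "$URL"
"""

print(audit_workflow(SAMPLE))
```

Expressions under `env:` are not flagged, because the runner passes them to the script as environment variable values rather than substituting them into the script text.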
