Use commit SHA with version comments for all workflow action references (#239)

Standardize all GitHub Actions workflow references to use commit SHAs
with version comments instead of mutable tags, ensuring deterministic
builds and supply chain security.

### Changes

- **GitHub Actions**: Updated `actions/checkout`,
`actions/download-artifact`, `actions/upload-artifact`,
`actions/upload-pages-artifact`, `actions/configure-pages`,
`actions/deploy-pages` to SHA references
- **PSModule Actions**: Updated all PSModule actions (`Auto-Release`,
`Document-PSModule`, `GitHub-Script`, `Build-PSModule`,
`Install-PSModuleHelpers`, `Get-PesterCodeCoverage`,
`Get-PesterTestResults`, `Invoke-ScriptAnalyzer`, `Test-PSModule`,
`Invoke-Pester`, `Publish-PSModule`) to SHA references
- **13 workflow files updated** in `.github/workflows/`

### Format

```yaml
# Before
uses: actions/checkout@v6

# After  
uses: actions/checkout@1af3b93 # v6.0.0
```

Dependabot supports SHA references for automated update PRs.

<!-- START COPILOT CODING AGENT SUFFIX -->



<details>

<summary>Original prompt</summary>

> 
> ----
> 
> *This section details on the original issue you should resolve*
> 
> <issue_title>🩹 [Patch]: Use commit SHA with specific version comments
for all workflow action references</issue_title>
> <issue_description>### Describe the change
> 
> Standardize all GitHub Actions workflow references in this repository
so that every action uses a commit SHA, with a comment specifying the
most specific version tag (e.g., `# v1.2.3`).
> 
> Why:
> - Ensures deterministic builds and protects against unexpected updates
or supply chain attacks.
> - Improves maintainability and readability by documenting the exact
version in use.
> 
> Examples:
> **✅ Correct:**
> ```yaml
>   - name: Checkout Code
> uses: actions/checkout@1af3b93 #
v1.2.3
>     with:
>       persist-credentials: false
> ```
> **❌ Incorrect:**
> ```yaml
>   - name: Checkout Code
>     uses: actions/checkout@v1
> ```
> Scope of change:
> - Update all workflow files in `.github/workflows/*. yml` to reference
actions by SHA with a version comment, instead of by tag.
> - Use the most specific version tag in comments (e.g., `v1.2.3`
instead of `v1`).
> - Affected actions may include but are not limited to:
`actions/checkout`, `actions/download-artifact`,
`actions/upload-artifact`, `actions/configure-pages`,
`actions/deploy-pages`, custom PSModule actions, etc.
> - Ensure CI and linting checks do not break.
> - Document changes in affected files.
> 
> Security Note:
> Dependabot is configured to notify and create PRs when upstream
actions/workflows update. Dependabot supports SHA references, so using
them does not reduce security or update capabilities.
> 
> Acceptance:
> - [ ] All workflows use commit SHA with a version comment specifying
the most specific tag
> - [ ] No workflows reference actions by tag (e.g., `@v1`)
> - [ ] All CI/CD checks pass
> - [ ] Documentation is updated as needed</issue_description>
> 
> ## Comments on the Issue (you are @copilot in this section)
> 
> <comments>
> </comments>
> 


</details>

- Fixes #238

<!-- START COPILOT CODING AGENT TIPS -->
---

✨ Let Copilot coding agent [set things up for
you](https://github.com/PSModule/Process-PSModule/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot)
— coding agent works faster and does higher quality work when set up for
your repo.

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: MariusStorhaug <17722253+MariusStorhaug@users.noreply.github.com>

Author: Copilot

.github/workflows/Auto-Release.yml

@@ -26,9 +26,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v6
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
       - name: Auto-Release
-        uses: PSModule/Auto-Release@v1
+        uses: PSModule/Auto-Release@eabd533035e2cb9822160f26f2eda584bd012356 # v1.9.5
         with:
           IncrementalPrerelease: false

.github/workflows/Build-Docs.yml

@@ -48,33 +48,33 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v6
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           persist-credentials: false
           fetch-depth: 0
 
       - name: Download module artifact
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: module
           path: ${{ inputs.WorkingDirectory }}/outputs/module
 
       - name: Document module
-        uses: PSModule/Document-PSModule@v1
+        uses: PSModule/Document-PSModule@7e50d9f41753417346ff75b3601a90524aa8ab7e # v1.0.11
         with:
           Name: ${{ inputs.Name }}
           WorkingDirectory: ${{ inputs.WorkingDirectory }}
 
       - name: Upload docs artifact
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: docs
           path: ${{ inputs.WorkingDirectory }}/outputs/docs
           if-no-files-found: error
           retention-days: 1
 
       - name: Commit all changes
-        uses: PSModule/GitHub-Script@v1
+        uses: PSModule/GitHub-Script@00547bff5a143fbfc23a912a783fbfe9c470815c # v1.7.4
         with:
           Debug: ${{ inputs.Debug }}
           Prerelease: ${{ inputs.Prerelease }}

.github/workflows/Build-Module.yml

@@ -29,13 +29,13 @@ jobs:
       GH_TOKEN: ${{ github.token }}
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v6
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           persist-credentials: false
           fetch-depth: 0
 
       - name: Build module
-        uses: PSModule/Build-PSModule@v4
+        uses: PSModule/Build-PSModule@fe8cc14a7192066cc46cb9514659772ebde05849 # v4.0.9
         with:
           Name: ${{ inputs.Name }}
           ArtifactName: ${{ inputs.ArtifactName }}

.github/workflows/Build-Site.yml

@@ -42,16 +42,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v6
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           persist-credentials: false
           fetch-depth: 0
 
       - name: Install-PSModuleHelpers
-        uses: PSModule/Install-PSModuleHelpers@v1
+        uses: PSModule/Install-PSModuleHelpers@e05e9875aafc0a1e63fc13989b3b683a7ef6444f # v1.0.5
 
       - name: Download docs artifact
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: docs
           path: ${{ inputs.WorkingDirectory }}/outputs/docs
@@ -65,7 +65,7 @@ jobs:
           pip install mkdocs-git-committers-plugin-2
 
       - name: Structure site
-        uses: PSModule/GitHub-Script@v1
+        uses: PSModule/GitHub-Script@00547bff5a143fbfc23a912a783fbfe9c470815c # v1.7.4
         with:
           Debug: ${{ inputs.Debug }}
           Prerelease: ${{ inputs.Prerelease }}
@@ -173,7 +173,7 @@ jobs:
             mkdocs build --config-file mkdocs.yml --site-dir ../../_site
           }
 
-      - uses: actions/upload-pages-artifact@v4
+      - uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
         with:
           name: github-pages
           path: ${{ inputs.WorkingDirectory }}/_site

.github/workflows/Get-CodeCoverage.yml

@@ -48,7 +48,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Get-CodeCoverage
-        uses: PSModule/Get-PesterCodeCoverage@v1
+        uses: PSModule/Get-PesterCodeCoverage@a7923eefbf55b452f9b1534c5b50ca9bd192f810 # v1.0.3
         id: Get-CodeCoverage
         with:
           CodeCoveragePercentTarget: ${{ inputs.CodeCoveragePercentTarget }}

.github/workflows/Get-Settings.yml

@@ -65,13 +65,13 @@ jobs:
       ModuleTestSuites: ${{ fromJson(steps.Get-Settings.outputs.result).ModuleTestSuites }}
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v6
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           persist-credentials: false
           fetch-depth: 0
 
       - name: Get-Settings
-        uses: PSModule/GitHub-Script@v1
+        uses: PSModule/GitHub-Script@00547bff5a143fbfc23a912a783fbfe9c470815c # v1.7.4
         id: Get-Settings
         env:
           PSMODULE_GET_SETTINGS_INPUT_Name: ${{ inputs.Name }}

.github/workflows/Get-TestResults.yml

@@ -50,7 +50,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Get-TestResults
-        uses: PSModule/Get-PesterTestResults@v1
+        uses: PSModule/Get-PesterTestResults@0c1d8cde9575b192831f76e87d3f7e825a7d8ff4 # v1.0.7
         id: Get-TestResults
         with:
           SourceCodeTestSuites: ${{ inputs.SourceCodeTestSuites }}

.github/workflows/Lint-SourceCode.yml

@@ -50,12 +50,12 @@ jobs:
     runs-on: ${{ inputs.RunsOn }}
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v6
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           persist-credentials: false
 
       - name: Lint-SourceCode
-        uses: PSModule/Invoke-ScriptAnalyzer@v4
+        uses: PSModule/Invoke-ScriptAnalyzer@0b13023a981f4c94136bba6193a9abd2d936cbc1 # v4.1.1
         with:
           Debug: ${{ inputs.Debug }}
           Prerelease: ${{ inputs.Prerelease }}

.github/workflows/Linter.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           persist-credentials: false
           fetch-depth: 0

.github/workflows/Test-Module.yml

@@ -81,18 +81,18 @@ jobs:
     runs-on: ${{ inputs.RunsOn }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           persist-credentials: false
 
       - name: Download module artifact
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: module
           path: ${{ inputs.WorkingDirectory }}/outputs/module
 
       - name: Test-Module
-        uses: PSModule/Test-PSModule@v3
+        uses: PSModule/Test-PSModule@80b0364db8192e73f584603c68a127de171f881f # v3.0.6
         with:
           Name: ${{ inputs.Name }}
           Debug: ${{ inputs.Debug }}
@@ -107,18 +107,18 @@ jobs:
     runs-on: ${{ inputs.RunsOn }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           persist-credentials: false
 
       - name: Download module artifact
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: module
           path: ${{ inputs.WorkingDirectory }}/outputs/module
 
       - name: Lint-Module
-        uses: PSModule/Invoke-ScriptAnalyzer@v4
+        uses: PSModule/Invoke-ScriptAnalyzer@0b13023a981f4c94136bba6193a9abd2d936cbc1 # v4.1.1
         with:
           Path: outputs/module
           Debug: ${{ inputs.Debug }}