
Pin first-party Actions to SHAs #3945

Merged
henrymercer merged 2 commits into main from henrymercer/pin-actions-to-shas on Jun 3, 2026

Conversation

@henrymercer
Contributor

Pin first-party Actions from the actions org to commit SHAs, rather than using release tags.

Risk assessment

For internal use only. Please select the risk level of this change:

  • Low risk: Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.

Which use cases does this change impact?

Workflow types:

n/a

Products:

n/a

Environments:

  • Testing/None - This change does not impact any CodeQL workflows in production.

How did/will you validate this change?

  • Unit tests - I am depending on unit test coverage (i.e. tests in .test.ts files).
  • End-to-end tests - I am depending on PR checks (i.e. tests in pr-checks).

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

  • Development/testing only - This change cannot cause any failures in production.

How will you know if something goes wrong after this change is released?

Monitor CI.

Are there any special considerations for merging or releasing this change?

  • No special considerations - This change can be merged at any time.

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Consider adding a changelog entry for this change.
  • Confirm the readme and docs have been updated if necessary.

This is intended as a workaround until #3556 is merged.
@henrymercer henrymercer requested a review from Copilot June 3, 2026 16:24
@github-actions github-actions Bot added the size/M Should be of average difficulty to review label Jun 3, 2026
Contributor

Copilot AI left a comment


Pull request overview

This PR strengthens workflow reproducibility/supply-chain posture by pinning first-party GitHub Actions (from the actions org) to immutable commit SHAs instead of floating release tags, while retaining the human-readable tag in trailing comments for maintainability.

Changes:

  • Add a pinnedUses() helper to generate uses: scalars pinned to SHAs with an inline # vX.Y.Z comment.
  • Extend the pr-checks/sync-back.ts sync-back logic (and tests) to update both inline uses: "owner/action@ref" strings and pinnedUses(...) calls.
  • Update templates and workflows to use SHA-pinned actions/* references with version comments.
Summary per file:
File Description
pr-checks/sync.ts Introduces pinnedUses() and uses it for setup actions + checkout when generating workflows.
pr-checks/sync-back.ts Updates sync-back to replace both inline uses: "..." and pinnedUses(...) references (ref + version comment).
pr-checks/sync-back.test.ts Adds coverage ensuring pinnedUses(...) refs are updated correctly (SHA and version string).
pr-checks/checks/with-checkout-path.yml Pins actions/checkout to a SHA with # v6.0.3 comment.
pr-checks/checks/submit-sarif-failure.yml Pins actions/checkout to a SHA with # v6.0.3 comment.
pr-checks/checks/multi-language-autodetect.yml Pins actions/setup-python to a SHA with # v6.2.0 comment.
pr-checks/checks/job-run-uuid-sarif.yml Pins actions/upload-artifact to a SHA with # v7.0.1 comment.
pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml Pins actions/github-script to a SHA with # v8.0.0 comment.
pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml Pins actions/setup-go and actions/github-script to SHAs with version comments.
pr-checks/checks/export-file-baseline-information.yml Pins actions/upload-artifact to a SHA with # v7.0.1 comment.
pr-checks/checks/diagnostics-export.yml Pins actions/upload-artifact and actions/github-script to SHAs with version comments.
pr-checks/checks/config-export.yml Pins actions/upload-artifact and actions/github-script to SHAs with version comments.
pr-checks/checks/bundle-zstd.yml Pins actions/github-script and actions/upload-artifact to SHAs with version comments.
pr-checks/checks/bundle-toolcache.yml Pins actions/github-script to a SHA with # v8.0.0 comment.
pr-checks/checks/bundle-from-toolcache.yml Pins actions/github-script to a SHA with # v8.0.0 comment.
pr-checks/checks/analysis-kinds.yml Pins actions/upload-artifact and actions/github-script to SHAs with version comments.
.github/workflows/update-supported-enterprise-server-versions.yml Pins actions/setup-python and actions/checkout to SHAs with version comments.
.github/workflows/update-release-branch.yml Pins actions/checkout and actions/create-github-app-token to SHAs with version comments.
.github/workflows/update-bundle.yml Pins actions/checkout, actions/setup-python, and actions/setup-node to SHAs with version comments.
.github/workflows/test-codeql-bundle-all.yml Pins actions/checkout and actions/setup-dotnet to SHAs with version comments.
.github/workflows/rollback-release.yml Pins actions/checkout and actions/create-github-app-token to SHAs with version comments.
.github/workflows/rebuild.yml Pins actions/checkout and actions/setup-node to SHAs with version comments.
.github/workflows/query-filters.yml Pins actions/checkout and actions/setup-node to SHAs with version comments.
.github/workflows/python312-windows.yml Pins actions/setup-python and actions/checkout to SHAs with version comments.
.github/workflows/publish-immutable-action.yml Pins actions/checkout and actions/publish-immutable-action to SHAs with version comments.
.github/workflows/prepare-release.yml Pins actions/checkout to a SHA with # v6.0.3 comment.
.github/workflows/pr-checks.yml Pins actions/checkout, actions/setup-node, actions/upload-artifact, and actions/download-artifact to SHAs with version comments.
.github/workflows/post-release-mergeback.yml Pins actions/checkout, actions/setup-node, actions/setup-python, and actions/create-github-app-token to SHAs with version comments.
.github/workflows/debug-artifacts-safe.yml Pins actions/checkout, actions/setup-go, actions/setup-dotnet, and actions/download-artifact to SHAs with version comments.
.github/workflows/debug-artifacts-failure-safe.yml Pins actions/checkout, actions/setup-go, actions/setup-dotnet, and actions/download-artifact to SHAs with version comments.
.github/workflows/codescanning-config-cli.yml Pins actions/checkout and actions/setup-node to SHAs with version comments.
.github/workflows/codeql.yml Pins actions/checkout to a SHA with # v6.0.3 comment.
.github/workflows/check-expected-release-files.yml Pins actions/checkout to a SHA with # v6.0.3 comment.
.github/workflows/__with-checkout-path.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__upload-sarif.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__upload-ref-sha-input.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__unset-environment.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__swift-custom-build.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__swift-autobuild.yml Generated workflow; updated actions/checkout to a SHA pin with version comment.
.github/workflows/__submit-sarif-failure.yml Generated workflow; updated actions/checkout to a SHA pin with version comment.
.github/workflows/__start-proxy.yml Generated workflow; updated actions/checkout to a SHA pin with version comment.
.github/workflows/__split-workflow.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__rust.yml Generated workflow; updated actions/checkout to a SHA pin with version comment.
.github/workflows/__ruby.yml Generated workflow; updated actions/checkout to a SHA pin with version comment.
.github/workflows/__rubocop-multi-language.yml Generated workflow; updated actions/checkout to a SHA pin with version comment.
.github/workflows/__resolve-environment-action.yml Generated workflow; updated actions/checkout to a SHA pin with version comment.
.github/workflows/__remote-config.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__packaging-inputs-js.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__packaging-config-js.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__packaging-config-inputs-js.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__packaging-codescanning-config-inputs-js.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__overlay-init-fallback.yml Generated workflow; updated actions/checkout to a SHA pin with version comment.
.github/workflows/__multi-language-autodetect.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__local-bundle.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__language-aliases.yml Generated workflow; updated actions/checkout to a SHA pin with version comment.
.github/workflows/__job-run-uuid-sarif.yml Generated workflow; updated actions/upload-artifact to a SHA pin with version comment.
.github/workflows/__javascript-source-root.yml Generated workflow; updated actions/checkout to a SHA pin with version comment.
.github/workflows/__init-with-registries.yml Generated workflow; updated actions/checkout to a SHA pin with version comment.
.github/workflows/__go-tracing-legacy-workflow.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__go-tracing-custom-build-steps.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__go-tracing-autobuilder.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__go-indirect-tracing-workaround.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__go-custom-queries.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__global-proxy.yml Generated workflow; updated actions/checkout to a SHA pin with version comment.
.github/workflows/__extractor-ram-threads.yml Generated workflow; updated actions/checkout to a SHA pin with version comment.
.github/workflows/__export-file-baseline-information.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__diagnostics-export.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__cpp-deptrace-enabled.yml Generated workflow; updated actions/checkout to a SHA pin with version comment.
.github/workflows/__cpp-deptrace-enabled-on-macos.yml Generated workflow; updated actions/checkout to a SHA pin with version comment.
.github/workflows/__cpp-deptrace-disabled.yml Generated workflow; updated actions/checkout to a SHA pin with version comment.
.github/workflows/__config-input.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__config-export.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__cleanup-db-cluster-dir.yml Generated workflow; updated actions/checkout to a SHA pin with version comment.
.github/workflows/__bundle-zstd.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__bundle-toolcache.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__bundle-from-toolcache.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__bundle-from-nightly.yml Generated workflow; updated actions/checkout to a SHA pin with version comment.
.github/workflows/__build-mode-rollback.yml Generated workflow; updated actions/checkout to a SHA pin with version comment.
.github/workflows/__build-mode-none.yml Generated workflow; updated actions/checkout to a SHA pin with version comment.
.github/workflows/__build-mode-manual.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__build-mode-autobuild.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__autobuild-working-dir.yml Generated workflow; updated actions/checkout to a SHA pin with version comment.
.github/workflows/__autobuild-direct-tracing-with-working-dir.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__autobuild-action.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__analyze-ref-input.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__analysis-kinds.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/workflows/__all-platform-bundle.yml Generated workflow; updated actions/* references to SHA pins with version comments.
.github/actions/release-initialise/action.yml Pins actions/setup-node and actions/setup-python to SHAs with version comments.

Copilot's findings

  • Files reviewed: 34/90 changed files
  • Comments generated: 0
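The pinnedUses() helper and the sync-back rewrite that the summary above describes, reconstructed as an added TypeScript example (this is not the PR's own code from pr-checks/sync.ts or pr-checks/sync-back.ts); the function names, the line-based matching, the full-SHA check and the sample workflow fragment are assumptions.

```typescript
// Added example, not code from github/codeql-action: a pinnedUses()-style helper, a lint for
// actions/* references that are not SHA-pinned, and a sync-back style updater. All names assumed.
const FULL_SHA = /^[0-9a-f]{40}$/;

function assertFullSha(action: string, sha: string): void {
  // A tag or branch can be moved after the fact; only a full commit SHA is immutable.
  if (!FULL_SHA.test(sha)) throw new Error(`refusing to pin ${action}: "${sha}" is not a 40-hex commit SHA`);
}

/** Build a `uses:` scalar pinned to a SHA, keeping the release readable in a trailing comment. */
function pinnedUses(action: string, sha: string, version: string): string {
  assertFullSha(action, sha);
  return `${action}@${sha} # ${version}`;
}

// Matches `uses: owner/repo[/path]@ref`, optionally quoted, with an optional `# vX.Y.Z` comment.
const USES_LINE =
  /^(\s*-?\s*uses:\s*["']?)([\w.-]+\/[\w.-]+(?:\/[\w./-]+)?)@([^\s"'#]+)(["']?)(?:\s*#\s*(\S+))?\s*$/;
interface UsesRef { line: number; action: string; ref: string; comment?: string }

/** Report every `owner/*` reference whose ref is not a full commit SHA (a floating tag or branch). */
function findUnpinnedUses(workflow: string, owner = "actions"): UsesRef[] {
  const found: UsesRef[] = [];
  workflow.split("\n").forEach((text, i) => {
    const m = USES_LINE.exec(text);
    if (m && m[2].startsWith(`${owner}/`) && !FULL_SHA.test(m[3])) {
      found.push({ line: i + 1, action: m[2], ref: m[3], comment: m[5] });
    }
  });
  return found;
}

/** Sync-back step: rewrite the ref and version comment for one action, preserving indentation and quoting. */
function updatePinnedRef(workflow: string, action: string, sha: string, version: string): string {
  assertFullSha(action, sha);
  return workflow.split("\n").map((text) => {
    const m = USES_LINE.exec(text);
    return m && m[2] === action ? `${m[1]}${action}@${sha}${m[4]} # ${version}` : text;
  }).join("\n");
}

// Constructed sample fragment (not from the repository): one floating tag, one pinned ref, one non-actions-org ref.
const SAMPLE_WORKFLOW = [
  "steps:",
  "  - uses: actions/checkout@v6",
  `  - uses: actions/setup-node@${"a".repeat(40)} # v5.0.0`,
  "  - uses: github/codeql-action/init@v4",
].join("\n");
```

Running findUnpinnedUses over SAMPLE_WORKFLOW flags only the actions/checkout@v6 line; updatePinnedRef then rewrites it to a SHA with a `# v6.0.3` comment and the lint comes back clean.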

@henrymercer henrymercer marked this pull request as ready for review June 3, 2026 16:29
@henrymercer henrymercer requested a review from a team as a code owner June 3, 2026 16:29
@henrymercer henrymercer added this pull request to the merge queue Jun 3, 2026
Merged via the queue into main with commit 2ceebd6 Jun 3, 2026
416 of 447 checks passed
@henrymercer henrymercer deleted the henrymercer/pin-actions-to-shas branch June 3, 2026 17:23