[CI] CEML-709: Pin GitHub Actions to immutable commit SHAs

[shay79il]

Pull Request: [CI] CEML-709: Pin GitHub Actions to immutable commit SHAs

Summary

GitHub code scanning alert #17 flagged that four GitHub Actions steps used mutable version tags (@v4, @v7, @v2). Because tags are Git refs that can be force-pushed, they are not immutable — a compromised upstream repo could silently swap the code that runs in CI. This PR pins every affected uses: line to the exact commit SHA the tag currently resolves to, while preserving the tag as a trailing comment for human readability.

What Changed

• Pinned all four unpinned uses: references across three workflow files to their current commit SHAs
• Pattern follows the existing convention already used in the repo (e.g. azure/setup-helm@<sha> #v4.3.1)

File	Action	Old ref	New ref
release.yml	actions/checkout	@v4	@34e114876b0b11c390a56381ad16ebd13914f8d5 #v4
release.yml	orhun/git-cliff-action	@v4	@f50e11560dce63f7c33227798f90b924471a88b5 #v4
pr-validation.yml	actions/github-script	@v7	@f28e40c7f34bde8b3046d885e986cb6290c5673b #v7
demos_notebook_tests.yml	actions/checkout	@v2	@ee0669bd1cc54295c223e0bb666b733df41de1c5 #v2

Actions already pinned to SHAs (unchanged): azure/setup-helm, helm/chart-releaser-action, appleboy/ssh-action.

Key Points

• Zero functional change — each SHA resolves to exactly the same commit the mutable tag pointed to
• Closes the GitHub code scanning supply-chain vulnerability alert
• Future version bumps require a deliberate SHA update in a PR, providing an audit trail

Files Changed

• Total files: 3 (0 added, 3 modified, 0 deleted)
• Main areas affected:
  • .github/workflows/: security hardening of CI action references

Testing

No logic was changed. Workflows will execute identically — the SHA-pinned actions resolve to the same code as the tags they replace.

---

Closes CEML-709

Commit History (for reference)

This PR includes 1 commit:

• ff2f7cd CEML-709: Pin GitHub Actions to immutable commit SHAs