
ci: pin GitHub Actions to commit SHAs for supply chain security#266

Merged: Mossaka merged 2 commits into main from copilot/pin-github-actions-commits on Jan 17, 2026

Conversation

Copilot AI (Contributor) commented Jan 17, 2026

GitHub Actions workflows were using unpinned version tags (e.g., @v4), creating supply chain risk where compromised action maintainers could push malicious updates.

Changes

Pinned all unpinned actions to immutable commit SHAs across 4 workflow files:

  • codeql.yml: actions/checkout, github/codeql-action/init, github/codeql-action/analyze
  • container-scan.yml: github/codeql-action/upload-sarif (2×)
  • pr-title.yml: amannn/action-semantic-pull-request
  • release.yml: actions/checkout, actions/setup-node, docker/login-action, docker/setup-buildx-action, docker/build-push-action (2×), softprops/action-gh-release, actions/upload-artifact
```yaml
# Before
uses: actions/checkout@v4

# After
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
```

Version comments retained for maintainability. SHAs consistent with existing pinned actions elsewhere in the repo.

Original prompt

This section details the original issue you should resolve

<issue_title>[Security] Pin GitHub Actions to commit SHAs</issue_title>
<issue_description>
Priority

Medium

Description

Currently, GitHub Actions workflows use unpinned action versions (e.g., @v2, @v3), which creates a supply chain security risk. Action maintainers could push malicious updates to these tags.

Impact

  • Severity: Medium
  • Attack Vector: Compromised GitHub Action could inject malicious code
  • Risk: Supply chain attack, CI/CD compromise

Proposed Solution

Pin all GitHub Actions to specific commit SHAs instead of tags:

```yaml
# Instead of: uses: actions/checkout@v2
# Use: uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v2.4.0
```

Add comments with the version for readability.

Affected Files

Review all workflow files in .github/workflows/

Effort Estimate

~2 hours

References

Comments on the Issue (you are @copilot in this section)


Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
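The PR description and the quoted issue both describe the same check: every `uses:` reference in `.github/workflows/` should point at a full 40-character commit SHA, with the human-readable version kept in a trailing comment. Below is an added example of a small linter that performs that check; it is not part of this PR or of the repository, and the embedded `SAMPLE_WORKFLOW` is a constructed workflow (the `docker/build-push-action` SHA in it is made up for illustration, while the `actions/checkout` SHA is the one quoted above). It skips local actions (`./path`) and `docker://` images, which are not pinned through a git ref, and it flags SHA-pinned references that lack a version comment, since those are hard to keep up to date.

```python
"""Lint GitHub Actions workflow text for unpinned `uses:` references.

Added example, not the project's own tooling. It works on raw workflow text with
regular expressions so it runs without PyYAML; it matches both step-level
`- uses:` and job-level `uses:` (reusable workflow) lines.
"""
import re
import sys
from typing import Dict, List

# `uses:` line: group 1 is the action reference, group 2 an optional trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?\s*(#.*)?$')
# Full-length git SHA-1: the only ref GitHub treats as immutable.
SHA1_RE = re.compile(r'^[0-9a-f]{40}$')
# Version hint in the trailing comment, e.g. "# v4" or "# v2.4.0".
VERSION_COMMENT_RE = re.compile(r'#\s*v?\d+(\.\d+)*')

# Constructed sample workflow (not from the repository).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
      - uses: actions/setup-node@main
      - uses: docker/build-push-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: npm ci
"""


def audit_workflow(text: str) -> List[Dict[str, object]]:
    """Return one finding per remote `uses:` reference.

    status is one of:
      "unpinned"                   ref is a tag or branch (mutable)
      "pinned"                     ref is a 40-hex SHA with a version comment
      "pinned-no-version-comment"  ref is a SHA but the version hint is missing
      "no-ref"                     no "@ref" at all (resolves to the default branch)
    """
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2) or ""
        # Local actions and container images are not pinned through a git ref.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append({"line": lineno, "uses": ref, "status": "no-ref"})
            continue
        _action, git_ref = ref.rsplit("@", 1)
        if SHA1_RE.match(git_ref):
            status = "pinned" if VERSION_COMMENT_RE.search(comment) else "pinned-no-version-comment"
        else:
            status = "unpinned"
        findings.append({"line": lineno, "uses": ref, "status": status})
    return findings


def unpinned_refs(text: str) -> List[str]:
    """References that must be rewritten to a commit SHA before merge."""
    return [str(f["uses"]) for f in audit_workflow(text) if f["status"] in ("unpinned", "no-ref")]


if __name__ == "__main__":
    # With file arguments, lint those workflows; otherwise lint the constructed sample.
    sources = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]] or [("sample", SAMPLE_WORKFLOW)]
    exit_code = 0
    for name, body in sources:
        for f in audit_workflow(body):
            print(f"{name}:{f['line']}: {f['status']}: {f['uses']}")
            if f["status"] != "pinned":
                exit_code = 1
    sys.exit(exit_code)
```

Run it as `python3 lint_pins.py .github/workflows/*.yml` to get a non-zero exit on any reference that is not a SHA with a version comment, which makes it usable as a required CI check. The linter cannot tell whether the comment actually matches the commit; that mapping is only verified when the SHA is resolved against the upstream repository, which is what Dependabot or Renovate do when they bump SHA-pinned actions and rewrite the comment alongside.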
Copilot AI changed the title from "[WIP] Pin GitHub Actions to specific commit SHAs" to "ci: pin GitHub Actions to commit SHAs for supply chain security" Jan 17, 2026
Copilot AI requested a review from Mossaka January 17, 2026 04:44
@Mossaka Mossaka marked this pull request as ready for review January 17, 2026 09:12
@github-actions commented

Test Coverage Report

| Metric     | Coverage | Covered/Total |
|------------|----------|---------------|
| Lines      | 77.19%   | 1300/1684     |
| Statements | 77.27%   | 1333/1725     |
| Functions  | 77.17%   | 142/184       |
| Branches   | 69.76%   | 450/645       |
Coverage Thresholds

The project has the following coverage thresholds configured:

  • Lines: 38%
  • Statements: 38%
  • Functions: 35%
  • Branches: 30%

Coverage report generated by `npm run test:coverage`

@Mossaka Mossaka merged commit 7573908 into main Jan 17, 2026
43 checks passed
@Mossaka Mossaka deleted the copilot/pin-github-actions-commits branch January 17, 2026 09:27
Development

Successfully merging this pull request may close these issues.

[Security] Pin GitHub Actions to commit SHAs