[plan] Pin the 2 remaining unpinned GitHub Actions to SHA commits

[github-actions]

Objective

Identify and pin the 2 remaining unpinned GitHub Actions to immutable SHA commits, achieving 100% action pinning across all workflow files.

Context

Currently 3,777 of 3,779 GitHub Actions are properly pinned (99.9%). The 2 remaining unpinned actions expose workflows to supply chain attacks via tag manipulation or repository compromise.

Approach

1. Find unpinned actions:

   grep -r "uses:" .github/workflows/*.yml .github/workflows/*.yaml | grep -v "@[0-9a-f]\{40\}"

2. For each unpinned action:

   • Identify the current version tag (e.g., v4.1.1)
   • Get the SHA commit: git ls-remote https://github.com/(owner)/(repo) (tag)
   • Replace: uses: actions/checkout@v4 → uses: actions/checkout@abc123... # v4.1.1

3. Test all affected workflows to ensure they still function correctly

4. Update documentation: Add a section to specs/github-actions-security-best-practices.md explaining:

   • Why SHA pinning is critical for supply chain security
   • How to find SHA commits for version tags
   • How to update pinned actions during maintenance

Files to Modify

• .github/workflows/*.yml (workflow files with unpinned actions)
• specs/github-actions-security-best-practices.md (add SHA pinning documentation)

Acceptance Criteria

• All 2 unpinned actions identified and documented
• All actions replaced with SHA-pinned versions with version comments
• All affected workflows tested and verified functional
• Documentation added to specs/github-actions-security-best-practices.md
• 100% GitHub Actions pinning rate achieved (3,779/3,779)

Priority

High - This closes a critical supply chain security gap
Related to #5537

AI generated by Plan Command for discussion #5535