
[plan] Pin the remaining unpinned GitHub Action to SHA #7993

@github-actions

Description


Objective

Identify and pin the single remaining unpinned GitHub Action to its commit SHA to achieve 100% action pinning compliance (5,715/5,715).

Context

The static analysis report shows we have 99.9% action pinning compliance with only 1 action remaining unpinned. Pinning actions to commit SHAs prevents supply chain attacks by ensuring we use known, verified versions of actions.

Approach

Step 1: Identify the unpinned action

cd .github/workflows
grep -rn 'uses:' *.lock.yml | grep -v '@[a-f0-9]\{40\}' | grep -v 'uses: \./'

Step 2: Find the commit SHA for the action

# For example, if the action is actions/checkout@v4:
gh api repos/actions/checkout/git/ref/tags/v4 --jq '.object.sha'

Step 3: Update the source .md file (NOT the .lock.yml)

Find the corresponding .md workflow file and update it:

# Before:
uses: actions/example@v1

# After:
uses: actions/example@0123456789abcdef0123456789abcdef01234567  # v1.0.0  (placeholder: use the full 40-character commit SHA, otherwise the grep in Step 5 still reports it as unpinned)

Step 4: Recompile the workflow

make recompile

Step 5: Verify 100% compliance

cd .github/workflows
grep -rn 'uses:' *.lock.yml | grep -v '@[a-f0-9]\{40\}' | grep -v 'uses: \./' | wc -l
# Should return 0
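The checks in Steps 1 and 5, and the "version comment" acceptance criterion, as one reusable audit script. This is an added example, not code from the repository or the plan above; the sample lock file, its placeholder SHAs and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original issue: audit compiled workflow
# files for `uses:` references that are not pinned to a full 40-hex commit
# SHA, and for pinned references that lack the version comment the
# acceptance criteria require. Local actions (uses: ./...) and Docker
# images (uses: docker://...) are skipped, as in the plan's own greps.

# Print unpinned references as "file:line:ref", one per line.
find_unpinned() {
    grep -Hn 'uses:' "$@" \
      | grep -v 'uses: *\./' \
      | grep -v 'uses: *docker://' \
      | grep -vE '@[0-9a-f]{40}([^0-9a-f]|$)' \
      | sed 's/^\([^:]*:[0-9]*\):.*uses: *\([^ ]*\).*/\1:\2/'
}

# Number of unpinned references (always exits 0, so it is safe under set -e).
count_unpinned() {
    find_unpinned "$@" | awk 'END { print NR }'
}

# SHA-pinned references with no trailing "# <version>" comment.
pinned_without_comment() {
    grep -HnE 'uses: *[^ ]+@[0-9a-f]{40}' "$@" \
      | grep -vE '@[0-9a-f]{40}[[:space:]]+#' \
      | sed 's/^\([^:]*:[0-9]*\):.*uses: *\([^ ]*\).*/\1:\2/'
}

# Write a constructed sample lock file (the SHAs are placeholders, not real
# commits) so the checks can be exercised offline.
make_sample() {
    cat > "$1" <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.2.2
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
      - uses: actions/cache@1111111111111111111111111111111111111111
EOF
}

# Usage: audit_workflows.sh .github/workflows/*.lock.yml
if [ $# -gt 0 ]; then
    find_unpinned "$@"
    pinned_without_comment "$@"
    echo "unpinned: $(count_unpinned "$@")"
fi
```

When resolving a tag as in Step 2, check `.object.type` in the `git/ref/tags/<tag>` response: for an annotated tag it is `tag` and `.object.sha` is the tag object, so the commit SHA must then be read from `git/tags/<that sha>`.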

Files to Modify

  • One workflow .md file in .github/workflows/ (to be identified)
  • Corresponding .lock.yml file will be regenerated by make recompile

Acceptance Criteria

  • Unpinned action is identified
  • Action is pinned to commit SHA with version comment
  • Source .md file is updated (not the .lock.yml)
  • Workflow recompiled successfully with make recompile
  • Verification shows 0 unpinned actions
  • Action pinning rate is 100% (5,715/5,715)

Estimated Effort

15 minutes
Related to #7992

AI generated by Plan Command for discussion #7983
