chore: pin all GitHub Actions to commit SHAs

.github/dependabot.yml

@@ -2,6 +2,14 @@ version: 2
 
 # Dependabot configuration for automated dependency updates
 # This configuration covers all package ecosystems in the TraceRTM project
+#
+# Archive/legacy paths are intentionally NOT scanned:
+#   - /ARCHIVE/CONFIG/**     (legacy config, alerts batch-dismissed 2026-04)
+#   - /ARCHIVE/**            (any archived subtree)
+# All `directory:` entries below point to ACTIVE paths only.
+# Do NOT add ARCHIVE/** paths to any `directory:` or `directories:` field.
+# If an archive is reactivated, restore it under an active path instead of
+# pointing Dependabot at ARCHIVE/.
 
 updates:
   # Frontend monorepo (npm/bun)
@@ -88,7 +96,9 @@ updates:
 
   # Python backend (root pyproject.toml)
   - package-ecosystem: "pip"
-    directory: "/"
+    directories:
+      - "/"
+      - "!/ARCHIVE/**"
     schedule:
       interval: "weekly"
       day: "tuesday"
@@ -236,7 +246,9 @@ updates:
 
   # GitHub Actions workflows
   - package-ecosystem: "github-actions"
-    directory: "/"
+    directories:
+      - "/"
+      - "!/ARCHIVE/**"
     schedule:
       interval: "weekly"
       day: "thursday"

.github/workflows/alert-sync-issues.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Sync CI/Dependabot/CodeQL Alerts To Issues
-        uses: actions/github-script@v7
+        uses: actions/github-script@0057852bfaa89a56745cba8c7296529d2fc39830
         with:
           script: |
             const owner = context.repo.owner;

.github/workflows/architecture.yml

@@ -10,15 +10,15 @@ jobs:
   architecture:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Install UV
         uses: astral-sh/setup-uv@v2
         with:
           version: "latest"
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@ea165f8d65b6e75b540449e92b4886f43607fa02
         with:
           cache: 'pip'
         with:
@@ -34,14 +34,14 @@ jobs:
         run: tach show --mermaid > architecture.md
 
       - name: Upload architecture diagram
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@6f8efc29b200d32929f49075959781ed54ec270c
         with:
           name: architecture-diagram
           path: architecture.md
 
       - name: Comment architecture on PR
         if: github.event_name == 'pull_request'
-        uses: actions/github-script@v7
+        uses: actions/github-script@0057852bfaa89a56745cba8c7296529d2fc39830
         with:
           script: |
             const fs = require('fs');

.github/workflows/benchmarks.yml

@@ -13,8 +13,8 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/setup-go@330a01c490aca151604b8cf639adc76d48f6c5d4
         with:
           go-version: '1.23'
           cache-dependency-path: backend/go.sum
@@ -24,7 +24,7 @@ jobs:
           GOTOOLCHAIN: local
         run: go test ./benchmarks/... -bench=. -benchmem -count=3 -timeout=5m | tee benchmark-results.txt
       - name: Upload benchmark results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@6f8efc29b200d32929f49075959781ed54ec270c
         with:
           name: go-benchmark-results
           path: backend/benchmark-results.txt

.github/workflows/canary-deploy.yml

@@ -44,7 +44,7 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     - name: Validate image tag
       run: |
@@ -79,7 +79,7 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     - name: Configure kubectl
       run: |
@@ -139,7 +139,7 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     - name: Configure kubectl
       run: |
@@ -210,7 +210,7 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     - name: Configure kubectl
       run: |
@@ -267,7 +267,7 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     - name: Configure kubectl
       run: |
@@ -341,7 +341,7 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     - name: Configure kubectl
       run: |

.github/workflows/chaos-tests.yml

@@ -77,10 +77,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@ea165f8d65b6e75b540449e92b4886f43607fa02
         with:
           cache: 'pip'
         with:
@@ -188,7 +188,7 @@ jobs:
 
       - name: Upload chaos test results
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@6f8efc29b200d32929f49075959781ed54ec270c
         with:
           name: chaos-test-results
           path: |
@@ -215,7 +215,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Set up kubectl
         uses: azure/setup-kubectl@v4

.github/workflows/chromatic.yml

@@ -32,12 +32,12 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
         with:
           cache: 'npm'
         with:
@@ -50,7 +50,7 @@ jobs:
           bun-version: latest
 
       - name: Cache Bun dependencies
-        uses: actions/cache@v3
+        uses: actions/cache@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4
         with:
           path: ~/.bun/install/cache
           key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lockb') }}
@@ -73,15 +73,15 @@ jobs:
 
       - name: Upload chromatic report
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@6f8efc29b200d32929f49075959781ed54ec270c
         with:
           name: chromatic-report
           path: frontend/apps/web/junit-report.xml
           retention-days: 30
 
       - name: Comment PR with results
         if: github.event_name == 'pull_request' && always()
-        uses: actions/github-script@v7
+        uses: actions/github-script@0057852bfaa89a56745cba8c7296529d2fc39830
         with:
           script: |
             const fs = require('fs');

.github/workflows/ci-cd.yml

@@ -12,7 +12,7 @@ jobs:
     outputs:
       code: ${{ steps.filter.outputs.code }}
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         fetch-depth: 0
     - id: filter
@@ -53,10 +53,10 @@ jobs:
           - 5432:5432
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     - name: Set up Python
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@0057852bfaa89a56745cba8c7296529d2fc39830
       with:
         python-version: '3.11'
 
@@ -83,10 +83,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     - name: Set up Python
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@0057852bfaa89a56745cba8c7296529d2fc39830
       with:
         python-version: '3.11'
 
@@ -111,7 +111,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v2
@@ -129,7 +129,7 @@ jobs:
     if: github.ref == 'refs/heads/main' && github.event_name == 'push'
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     - name: Deploy to production
       run: |