
COPP-8737: Pin third-party actions#2486

Merged
Soheil Novinfard (novinfard) merged 1 commit into main from turbolift-pin-third-party-actions on Feb 6, 2026

Conversation

@lachlankidson Lachlan Kidson (lachlankidson) commented Feb 2, 2026

COPP-8737

This PR uses pinact to pin all third-party actions to a specific hash as part of our Zizmor rollout. This is a necessary security precaution for preventing supply-chain attacks. See zizmor/unpinned-uses for more details.

What do I need to do?

These PRs should "just work" - an action pinned by a commit ID is functionally equivalent to one pinned by a tag as long as the tag hasn't been fiddled with after the initial release.

How can I be sure of these changes?

You can check that the tags match the commit ID via the releases page of any given action.

In the future, when we enable Zizmor on all repositories, you will get warning annotations on PRs if the hash does not match the version comment; see zizmor/ref-version-mismatch for more details.

If you'd like to opt-in to this behaviour early please see Getting started with zizmor on your repos.

How do I maintain these pins going forwards?

Automatically:

Manually:

  • Pinact can be used to programmatically convert tags to commit pins.
  • Tag and commit IDs can be found via the GitHub release pages of any actions.

How this change was made

A list of repositories was created by performing a code search against the current actions allowlist, pinact was then applied:

GITHUB_TOKEN=$(gh auth token) turbolift foreach -- pinact run -fix -diff -e "^[Ss]kyscanner/.*" -e "^actions/.*"

This PR was generated using turbolift.
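The check described above (a `uses:` reference is only safe when its ref is a full commit SHA, and a version comment next to the SHA is what lets zizmor later spot hash/version mismatches) can be reproduced offline for a workflow file. The following script is an added example and is not part of this PR, pinact, or zizmor; the sample workflow text is constructed for illustration and the two SHA pins in it are the ones listed in this PR. It reports tag or branch refs as `unpinned-uses` and SHA pins that lack a version comment as `missing-version-comment`; it does not contact GitHub, so it cannot verify that a comment's version actually resolves to that SHA (that is zizmor's ref-version-mismatch audit).

```python
import re
from typing import List, NamedTuple, Optional

# A full git object id: 40 lowercase hex characters.
SHA_RE = re.compile(r"[0-9a-f]{40}")

# Matches a workflow `uses:` line, capturing the reference and any trailing
# "# ..." comment (pinact writes the version there, e.g. "# v4.0.1").
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(?:#\s*(.*))?$"
)


class Finding(NamedTuple):
    line: int   # 1-based line number in the workflow text
    uses: str   # the raw `uses:` value
    kind: str   # "unpinned-uses" or "missing-version-comment"


def classify(uses: str, comment: Optional[str]) -> str:
    """Classify one `uses:` value.

    Returns "pinned", "unpinned-uses", "missing-version-comment" or "skipped".
    Local actions (./path) and docker:// images are not git refs, so they are
    skipped rather than flagged.
    """
    if uses.startswith("./") or uses.startswith("docker://"):
        return "skipped"
    if "@" not in uses:
        # No ref at all: GitHub resolves this to the default branch, which is
        # the most mutable reference possible.
        return "unpinned-uses"
    _, ref = uses.rsplit("@", 1)
    if not SHA_RE.fullmatch(ref):
        # A tag or branch name can be moved after release.
        return "unpinned-uses"
    if comment is None or not comment.strip():
        # Pinned, but nothing records which release the SHA corresponds to.
        return "missing-version-comment"
    return "pinned"


def audit_workflow(text: str) -> List[Finding]:
    """Scan workflow YAML text and return every problematic `uses:` line."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        kind = classify(m.group(1), m.group(2))
        if kind not in ("pinned", "skipped"):
            findings.append(Finding(n, m.group(1), kind))
    return findings


# Constructed sample workflow (not a file from this repository) covering a tag
# ref, a SHA pin with a version comment, a SHA pin without one, a local action
# and a docker image.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: asdf-vm/actions/install@b7bcd026f18772e44fe1026d729e1611cc435d47 # v4.0.1
      - uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
"""


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.kind}: {f.uses}")
```

Run it against a real file with `audit_workflow(open(".github/workflows/ci.yml").read())`; an empty result means every third-party action is SHA-pinned and carries a version comment, which is the state this PR leaves the repository in.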

Copilot AI review requested due to automatic review settings February 2, 2026 16:04

Copilot AI left a comment


Pull request overview

This PR pins third-party GitHub Actions to specific commit hashes as a security measure to prevent supply-chain attacks, following the Zizmor rollout for safer GitHub Actions workflows.

Changes:

  • Pinned asdf-vm/actions/install@v4 to commit hash b7bcd026f18772e44fe1026d729e1611cc435d47 (v4.0.1)
  • Pinned peaceiris/actions-gh-pages@v4 to commit hash 4f9cc6602d3f66b9c108549d475ec49e8ef4d45e (v4.0.0)

@lachlankidson Lachlan Kidson (lachlankidson) added the dependencies Pull requests that update a dependency file label Feb 2, 2026
@novinfard Soheil Novinfard (novinfard) merged commit 50237e7 into main Feb 6, 2026
23 of 24 checks passed
@novinfard Soheil Novinfard (novinfard) deleted the turbolift-pin-third-party-actions branch February 6, 2026 09:07