COPP-8737: Pin third-party actions

[Lachlan Kidson (lachlankidson)]

COPP-8737

This PR uses pinact to pin all third-party actions to a specific hash as part of our Zizmor rollout. This is a necessary security precaution for preventing supply-chain attacks. See zizmor/unpinned-uses for more details.

What do I need to do?

These PRs should "just work" - an action pinned by a commit ID is functionally equivalent to one pinned by a tag as long as the tag hasn't been fiddled with after the initial release.

How can I be sure of these changes?

You can check that the tags match the commit ID via the releases page of any given action.

In the future when we enable Zizmor on all repositories you will get warning annotations on PRs if the hash does not match the version comment, see zizmor/ref-version-mistmatch for more details.

If you'd like to opt-in to this behaviour early please see Geting started with zizmor on your repos

How do I maintain these pins going forwards?

Automatically:

• Dependabot supports commit-based pinning and will update both the commit and version tag for you.

Manually:

• Pinact can be used to programmatically convert tags to commit pins.
• Tag and commit IDs can be found via the release pages of

How this change was made

GITHUB_TOKEN=$(gh auth token) turbolift foreach -- pinact run -fix -diff -e "^[Ss]kyscanner/.*" -e "^actions/.*"

_{This PR was generated using turbolift.}

[Copilot]

Pull request overview

This PR enhances GitHub Actions workflow security by pinning third-party actions to specific commit hashes instead of mutable version tags, preventing potential supply-chain attacks as part of the Zizmor security rollout.

Changes:

• Pinned aws-actions/configure-aws-credentials@v2.2.0 to commit hash 5fd3084fc36e372ff1fff382a39b10d03659f355

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Harley Watson (unlobito)]

lgtm 🚀 pinact third-party actions