COPP-8737: Pin third-party actions#2

Closed
Lachlan Kidson (lachlankidson) wants to merge 1 commit into main from turbolift-pin-third-party-actions
Conversation

@lachlankidson
Contributor

@lachlankidson Lachlan Kidson (lachlankidson) commented Feb 2, 2026

COPP-8737

This PR uses pinact to pin all third-party actions to a specific hash as part of our Zizmor rollout. This is a necessary security precaution for preventing supply-chain attacks. See zizmor/unpinned-uses for more details.

What do I need to do?

These PRs should "just work" - an action pinned by a commit ID is functionally equivalent to one pinned by a tag as long as the tag hasn't been fiddled with after the initial release.

How can I be sure of these changes?

You can check that the tags match the commit ID via the releases page of any given action.

In the future, when we enable Zizmor on all repositories, you will get warning annotations on PRs if the hash does not match the version comment; see zizmor/ref-version-mismatch for more details.

If you'd like to opt-in to this behaviour early please see Getting started with zizmor on your repos.

How do I maintain these pins going forwards?

Automatically:

Manually:

  • Pinact can be used to programmatically convert tags to commit pins.
  • Tag and commit IDs can be found via the GitHub release pages of any actions.

How this change was made

A list of repositories was created by performing a code search against the current actions allowlist; pinact was then applied:

GITHUB_TOKEN=$(gh auth token) turbolift foreach -- pinact run -fix -diff -e "^[Ss]kyscanner/.*" -e "^actions/.*"

This PR was generated using turbolift.
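As an added illustration of the two checks the description refers to (an unpinned `uses:` reference, and a pinned hash whose version comment points at a different tag), here is a small Python audit. It is example code written for this page, not part of this PR, pinact, zizmor or turbolift. It assumes a constructed tag-to-SHA lookup table standing in for the releases page of each action; the SHAs, the `example-org`/`third-party-org` action names and the tag mappings are made up, and the check only handles `owner/repo@ref` references (local `./` actions and `docker://` images are skipped).

```python
import re

# Recognises a `uses:` step in a GitHub Actions workflow, with an optional
# trailing version comment, e.g.
#   - uses: aws-actions/configure-aws-credentials@<40-hex-sha>  # v4
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s]+)@(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>\S+).*)?$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed stand-in for "the releases page of any given action":
# action -> {tag -> commit SHA}. These SHAs are made up for the example.
SHA_A = "0123456789abcdef0123456789abcdef01234567"
SHA_B = "89abcdef0123456789abcdef0123456789abcdef"
KNOWN_TAGS = {
    "aws-actions/configure-aws-credentials": {"v4": SHA_A},
    "example-org/example-action": {"v1.2.3": SHA_B},
}


def check_uses(line, known_tags):
    """Return a finding string for one workflow line, or None if it is fine.

    Two checks, named after the zizmor audits the PR description mentions:
      unpinned-uses        -> ref is a tag/branch rather than a full commit SHA
      ref-version-mismatch -> ref is a SHA, but the version comment names a tag
                              whose SHA (per the lookup table) is different
    """
    m = USES_RE.match(line)
    if not m:
        return None  # not a `uses:` line, or a local action without an @ref
    action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
    # Local actions and Docker images are outside the scope of SHA pinning here.
    if action.startswith("./") or action.startswith("docker://"):
        return None
    if not FULL_SHA_RE.match(ref):
        return f"unpinned-uses: {action}@{ref} is not pinned to a full commit SHA"
    if comment is None:
        return None  # pinned, but no version comment to cross-check
    expected = known_tags.get(action, {}).get(comment)
    if expected is None:
        return f"unknown-tag: no release tag {comment} recorded for {action}"
    if expected != ref:
        return f"ref-version-mismatch: {action}@{ref} does not match tag {comment} ({expected})"
    return None


def audit_workflow(text, known_tags=KNOWN_TAGS):
    """Run check_uses over every line of a workflow; return findings in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        finding = check_uses(line, known_tags)
        if finding:
            findings.append(f"line {lineno}: {finding}")
    return findings


# Constructed sample workflow covering the interesting cases:
# line 4 unpinned, line 5 correctly pinned, line 6 pinned to the wrong tag, line 7 local.
SAMPLE_WORKFLOW = f"""\
jobs:
  deploy:
    steps:
      - uses: third-party-org/unpinned-action@v2
      - uses: aws-actions/configure-aws-credentials@{SHA_A} # v4
      - uses: example-org/example-action@{SHA_A} # v1.2.3
      - uses: ./.github/actions/local-helper
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Running it on the constructed workflow reports two findings: the `@v2` reference on line 4 as unpinned, and line 6 as a ref-version mismatch because the comment says `v1.2.3` but the hash is the one recorded for a different tag. In practice the lookup table would be populated from each action's releases page, which is exactly the manual check the description suggests.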

Copilot AI review requested due to automatic review settings February 2, 2026 16:13

Copilot AI left a comment


Pull request overview

This PR pins a third-party GitHub Action to a specific commit hash to prevent supply-chain attacks, as part of the Zizmor security rollout.

Changes:

  • Pinned aws-actions/configure-aws-credentials action to commit hash while maintaining version tag in comment

@lachlankidson
Contributor Author

Duplicates #1
