
Copilot AI commented Sep 1, 2025

This PR implements an automated system to pin GitHub Actions to their full-length commit SHAs instead of using version tags, significantly improving the security posture of the repository by preventing supply chain attacks.

Problem

The existing CI/CD workflow was using unpinned GitHub Actions with version tags:

  • actions/checkout@v3 (used 3 times across jobs)
  • actions/setup-node@v3 (used 3 times across jobs)

This creates a security vulnerability where malicious actors could potentially move these tags to point to compromised commits, allowing them to inject malicious code into the CI/CD pipeline.

Solution

Created a comprehensive automation system that:

  1. Scans workflow files in .github/workflows/ to identify unpinned GitHub Actions
  2. Fetches commit SHAs from the GitHub API for the latest version of each action tag
  3. Updates workflow files to replace tags with full 40-character commit SHAs
  4. Validates changes to ensure YAML syntax remains correct after updates

Key Features

  • Smart filtering: Only processes GitHub-hosted actions, automatically skips local actions (./action) and already-pinned actions
  • Comprehensive error handling: Gracefully handles non-existent actions, API failures, and invalid YAML
  • Dry-run mode: Preview changes before applying them with --dry-run flag
  • Detailed logging: Verbose output shows exactly what actions are being updated
  • Test coverage: Full test suite validates all core functionality

Usage

# Preview changes
npm run pin-actions-dry

# Apply changes
npm run pin-actions

# Run tests
npm test

# Use the bash wrapper for CI/CD
./scripts/pin-actions.sh

Results

All 6 instances of unpinned actions have been successfully updated:

  • actions/checkout@v3 → actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
  • actions/setup-node@v3 → actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610

The workflow file remains fully functional and passes YAML validation. Future runs of the automation will detect that all actions are already pinned and report "All GitHub Actions are already pinned to commit SHAs."

Files Added

  • scripts/pin-github-actions.js - Main automation script with GitHub API integration
  • scripts/pin-actions.sh - Bash wrapper with auto-commit functionality
  • test/pin-github-actions.test.js - Comprehensive test suite
  • Updated README.md with detailed documentation and usage examples
  • Enhanced package.json with new npm scripts for easier usage

This implementation follows security best practices and provides a reusable solution for maintaining GitHub Actions security across the project lifecycle.

This pull request was created as a result of the following prompt from Copilot chat.

Automate the process of pinning GitHub Actions to a full-length commit SHA in workflow YAML files to improve security. Specifically:

  1. Identify all workflow files (typically in the .github/workflows directory) that use unpinned GitHub Actions (e.g., actions/checkout@v3 or actions/setup-node@v3).
  2. Parse these workflow files to find all uses: statements with unpinned GitHub Actions.
  3. Fetch the latest full-length commit SHA for each action from their respective GitHub repositories.
  4. Replace the tag (e.g., @v3) with the corresponding full-length commit SHA in the workflow files.
  5. Ensure that the updates are made safely and that the workflows remain valid after the change.
  6. Commit the updated workflow files with a descriptive commit message (e.g., "Pin GitHub Actions to full-length commit SHAs for improved security").

Include thorough testing of the automation script to ensure it handles edge cases (e.g., non-existent actions, already pinned actions, actions with custom tags) and update documentation to describe how the automation works.
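The scan-resolve-rewrite procedure the PR describes, as an added example that is not the PR's scripts/pin-github-actions.js and not the repository's code. It rewrites unpinned `uses:` lines to the commit SHA of the tag exactly as written in the workflow, skips local actions and lines that are already a 40-hex SHA, leaves unresolvable actions untouched, and keeps the original tag as a trailing comment so the version stays readable. The SHA lookup is injected as a `resolve(action, ref)` function so the code runs offline; the sample workflow, the placeholder SHA for actions/cache, and all function names (`pinWorkflow`, `parseUses`, `isPinned`, `sampleResolve`) are assumptions for this example, while the two checkout/setup-node SHAs in the lookup table are the ones the PR's Results list.

```javascript
// Added example, not the PR's scripts/pin-github-actions.js: rewrite unpinned `uses:` lines
// in a workflow to full-length commit SHAs. The SHA lookup is injected (`resolve`) so the
// code runs offline; in a real run it would call the GitHub API. All names are assumed.

const SHA_RE = /^[0-9a-f]{40}$/;

// Matches an unquoted `uses: owner/repo[/path]@ref` line with optional trailing comment.
// Local actions (./path) never carry an @ref and docker:// refs contain ':', so neither matches.
const USES_RE =
  /^(\s*-?\s*uses:\s*)([A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+(?:\/[^@\s]+)?)@([^\s#]+)(\s*(?:#.*)?)$/;

function isPinned(ref) {
  return SHA_RE.test(ref);
}

// Parse one workflow line; returns null unless it is a remote `uses:` reference.
function parseUses(line) {
  const m = USES_RE.exec(line);
  if (!m || m[2].startsWith('.')) return null;
  const [, prefix, action, ref, suffix] = m;
  return { prefix, action, ref, suffix };
}

// resolve(action, ref) must return the 40-hex commit SHA for that tag, or null if unknown.
// Returns the rewritten text plus a report of what was updated, skipped, or left unresolved.
function pinWorkflow(text, resolve) {
  const report = { updated: [], skipped: [], unresolved: [] };
  const lines = text.split('\n').map((line) => {
    const u = parseUses(line);
    if (!u) return line;
    const key = `${u.action}@${u.ref}`;
    if (isPinned(u.ref)) {
      report.skipped.push(key);
      return line;
    }
    const sha = resolve(u.action, u.ref);
    if (typeof sha !== 'string' || !SHA_RE.test(sha)) {
      // Unknown action, API failure, or a non-SHA answer: leave the line exactly as it was.
      report.unresolved.push(key);
      return line;
    }
    report.updated.push(`${key} -> ${u.action}@${sha}`);
    // Keep the original tag as a trailing comment unless the line already had one.
    const comment = u.suffix.trim() ? u.suffix : ` # ${u.ref}`;
    return `${u.prefix}${u.action}@${sha}${comment}`;
  });
  return { text: lines.join('\n'), report };
}

// Constructed sample workflow (not from the repository). The actions/cache SHA is a placeholder.
const SAMPLE_WORKFLOW = [
  'name: CI',
  'on: [push]',
  'jobs:',
  '  build:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@v3',
  '      - uses: actions/setup-node@v3',
  '        with:',
  '          node-version: 18',
  '      - uses: ./.github/actions/local-step',
  '      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9',
  '      - uses: example/unknown-action@v9',
].join('\n');

// Constructed lookup table standing in for the GitHub API. The two SHAs are the ones the PR
// reports for checkout@v3 and setup-node@v3; anything else resolves to null.
const SAMPLE_TAG_SHAS = {
  'actions/checkout@v3': 'f43a0e5ff2bd294095638e18286ca9a3d1956744',
  'actions/setup-node@v3': '3235b876344d2a9aa001b8d1453c930bba69e610',
};

function sampleResolve(action, ref) {
  const key = `${action}@${ref}`;
  return Object.prototype.hasOwnProperty.call(SAMPLE_TAG_SHAS, key) ? SAMPLE_TAG_SHAS[key] : null;
}

const result = pinWorkflow(SAMPLE_WORKFLOW, sampleResolve);
console.log(result.text);
console.log(JSON.stringify(result.report, null, 2));
```

Two points matter when `resolve` is backed by the real GitHub API rather than this table. First, pin to the tag the workflow actually names (`v3`), not to whatever the repository's default branch currently points at, so the change is a no-op for behaviour and only removes the mutable indirection. Second, `GET /repos/{owner}/{repo}/git/ref/tags/{tag}` returns a tag object, not a commit, for annotated tags (`object.type` is `"tag"`); that SHA is also 40 hex characters, so the shape check above will not catch it, and the resolver has to dereference it through `/git/tags/{sha}` to reach the commit before returning. Running the function a second time over its own output changes nothing, which is the "already pinned" behaviour the PR describes.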


Copilot AI changed the title from "[WIP] Automate pinning of GitHub Actions to full-length commit SHAs" to "Implement GitHub Actions pinning automation for improved security" Sep 1, 2025
Copilot AI requested a review from sonnyquinn24 September 1, 2025 07:04
Copilot finished work on behalf of sonnyquinn24 September 1, 2025 07:04
@sonnyquinn24 sonnyquinn24 linked an issue Sep 3, 2025 that may be closed by this pull request
@sonnyquinn24 sonnyquinn24 removed a link to an issue Sep 7, 2025