ci: pin remaining GitHub Actions to commit SHAs

[Ankitsinghsisodya]

Problem

Multiple workflows reference GitHub Actions using mutable refs: semver tags (e.g. @v4, @v5) and @main for knative/actions. Tags and branch heads can be moved, which complicates supply-chain review and is flagged by many security checklists (e.g. OpenSSF) in favor of full commit SHAs with a human-readable version in a comment.

Expected

• Every uses: in .github/workflows/ should pin to a 40-char commit SHA, with a trailing comment noting the previous tag (e.g. # v4).

Scope (example)

• actions/*, docker/*, codecov/*, and other third-party actions currently using tags
• knative/actions/setup-go@main and knative/actions/.github/workflows/reusable-*.yaml@main — pin to a concrete SHA of the knative/actions repository

/area CI

/assign @Ankitsinghsisodya

[knative-prow]

@Ankitsinghsisodya: The label(s) area/ci cannot be applied, because the repository doesn't have them.

Details

In response to this:

Problem

Multiple workflows reference GitHub Actions using mutable refs: semver tags (e.g. @v4, @v5) and @main for knative/actions. Tags and branch heads can be moved, which complicates supply-chain review and is flagged by many security checklists (e.g. OpenSSF) in favor of full commit SHAs with a human-readable version in a comment.

Expected

• Every uses: in .github/workflows/ should pin to a 40-char commit SHA, with a trailing comment noting the previous tag (e.g. # v4).

Scope (example)

• actions/*, docker/*, codecov/*, and other third-party actions currently using tags
• knative/actions/setup-go@main and knative/actions/.github/workflows/reusable-*.yaml@main — pin to a concrete SHA of the knative/actions repository

/area CI

/assign @Ankitsinghsisodya

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.