[AAASM-3686] 🔒 (ci): Pin third-party reusable workflows to commit SHAs#182

Merged
Chisanan232 merged 1 commit into master from v0.0.1/AAASM-3686/pin_reusable_workflows
Jun 25, 2026
Conversation

@Chisanan232

Contributor

Description

Pins the third-party reusable workflow used by rw_run_all_test_and_record.yaml to an immutable commit SHA instead of the mutable @master ref.

All 5 call sites of Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_upload_test_cov_report.yaml (the unit-test, integration-test, e2e-test, contract-test, and all-test codecov-finish jobs) are pinned to 4a6480470b90c0b6139e05489868585fa50aad6f (master HEAD as of 2026-05-26, resolved via the GitHub API). A trailing # master (...) comment preserves the human-readable ref for future bumps.

These jobs forward CODECOV_TOKEN and SONAR_TOKEN to the called workflow; with a mutable @master ref, a compromise of the upstream default branch could exfiltrate those secrets. A SHA pin makes the executed third-party code immutable (supply-chain hardening).

Type of Change

  • 🔧 Bug fix (CI supply-chain hardening)

Breaking Changes

  • No

Related Issues

  • Related JIRA ticket: AAASM-3686

Testing

  • No tests required (explain why)

CI workflow change only. Validated: SHA + path resolved against the GitHub API (rw_upload_test_cov_report.yaml exists at the pinned commit), YAML parses, and actionlint reports no issues.

Checklist

  • Code follows project style guidelines
  • Self-review completed
  • All tests passing

🤖 Generated with Claude Code

Pin the 5 call sites of Chisanan232/GitHub-Action_Reusable_Workflows-Python
rw_upload_test_cov_report.yaml from the mutable @master ref to commit
4a6480470b90c0b6139e05489868585fa50aad6f. These jobs forward CODECOV_TOKEN
and SONAR_TOKEN, so a compromised upstream master could exfiltrate the
secrets; a SHA pin makes the third-party code immutable.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
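An added check, not part of this PR or of the upstream workflow repository, that scans workflow text for `uses:` references and flags the cases the description above calls out: a mutable ref such as `@master`, a full-SHA pin with no trailing provenance comment, and a pin whose short-SHA comment no longer agrees with the full SHA (stale after a bump). The sample workflow is constructed from the refs named in the PR; `trusted_owners` is an assumed allowlist parameter for first-party owners you choose to exempt.

```python
import re

# Constructed sample, not the PR's diff: a mutable @master ref, a correctly
# pinned ref with provenance comment, a tag-pinned action, and a SHA pin whose
# short-SHA comment does not match the pinned commit.
SAMPLE_WORKFLOW = """\
jobs:
  unit-test_codecov_finish:
    uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_upload_test_cov_report.yaml@master
  e2e-test_codecov_finish:
    uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_upload_test_cov_report.yaml@4a6480470b90c0b6139e05489868585fa50aad6f  # master (4a64804, 2026-05-26)
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/example-action@4a6480470b90c0b6139e05489868585fa50aad6f  # v1.2.0 (deadbeef, 2026-01-01)
"""

# owner/repo[/path]@ref, optionally followed by a "# ..." provenance comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<slug>[\w.-]+/[\w.-]+)(?:/[^@\s]+)?@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*?))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"\(([0-9a-f]{7,40})\b")  # "(4a64804, 2026-05-26)"

def check_uses(line, trusted_owners=frozenset()):
    """Classify one `uses:` line. Returns None for lines that are not remote
    references (local ./... workflows carry no @ref), else (slug, ref, finding)."""
    m = USES_RE.match(line)
    if not m:
        return None
    slug, ref, comment = m.group("slug"), m.group("ref"), m.group("comment") or ""
    owner = slug.split("/")[0]
    if not FULL_SHA_RE.match(ref):                      # tag or branch: mutable
        finding = "ok-trusted" if owner in trusted_owners else "unpinned"
    elif not comment:                                   # pinned, but no human-readable ref
        finding = "no-provenance-comment"
    else:                                               # pinned: comment must prefix the SHA
        short = SHORT_SHA_RE.search(comment)
        finding = "ok" if short and ref.startswith(short.group(1)) else "comment-mismatch"
    return slug, ref, finding

def audit(workflow_text, trusted_owners=frozenset()):
    """Return every (slug, ref, finding) that needs attention, in file order."""
    hits = (check_uses(l, trusted_owners) for l in workflow_text.splitlines())
    return [r for r in hits if r and not r[2].startswith("ok")]

if __name__ == "__main__":
    for slug, ref, finding in audit(SAMPLE_WORKFLOW):
        print(f"{finding:24} {slug}@{ref}")
```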
@codecov

codecov Bot commented Jun 25, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@Chisanan232

Contributor Author

🔎 Claude Code review — fix-wave

CI: Fully green — incl. SonarCloud, unit/integration 3.13, CodeQL, pip-audit, CI Success, codecov/patch. No red checks.
Scope vs AAASM-3686: On-target. Pins all 5 call sites of the third-party Chisanan232/.../rw_upload_test_cov_report.yaml from mutable @master to immutable SHA 4a6480470b90c0b6139e05489868585fa50aad6f, with a # master (4a64804, 2026-05-26) provenance comment. Single workflow file, exactly 5 line swaps — no scope creep. (Note: the ticket also mentions ci.yaml/release.yml/Template-Python-UV-Project@master refs; this PR closes the rw_run_all_test_and_record.yaml cov-report subset only — remaining refs are a reasonable follow-up if not covered elsewhere.)
Side-effects / regression: NONE — workflow-only, no behavior change. Verified the pinned SHA 4a64804 equals the current upstream master HEAD (committed 2026-05-26, matching the comment), so the executed third-party code is byte-identical to what @master resolved to today — pure supply-chain immutability, no functional delta. Path rw_upload_test_cov_report.yaml confirmed present at the pinned SHA (HTTP 200). actionlint clean (exit 0). Intended breaking: N/A (#182 is non-breaking).
Readiness: Ready to merge.
— Claude Code (automated PR review, 2026-06-25)

@Chisanan232 Chisanan232 merged commit b507dd2 into master Jun 25, 2026
21 checks passed
@Chisanan232 Chisanan232 deleted the v0.0.1/AAASM-3686/pin_reusable_workflows branch June 25, 2026 12:47