chore: pin external GitHub Actions to exact SHAs

.github/workflows/code-quality.yml

@@ -12,7 +12,7 @@ jobs:
   run:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
       - uses: ./.github/actions/install-env
       - name: Run pre-commit on all files
         run: poetry run pre-commit run --all-files

.github/workflows/unit-tests.yml

@@ -15,7 +15,7 @@ jobs:
       matrix:
         python-version: ["3.10", "3.11", "3.12"]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
       - uses: ./.github/actions/install-env
         with:
           python-version: ${{ matrix.python-version }}

.pre-commit-config.yaml

@@ -36,3 +36,11 @@ repos:
     rev: 0.7.1
     hooks:
       - id: nbstripout
+
+  - repo: local
+    hooks:
+      - id: check-external-actions-pinned
+        name: Check GitHub Actions are pinned
+        entry: pre-commit-hooks/check_pinned_actions.sh
+        language: script
+        pass_filenames: false

pre-commit-hooks/check_pinned_actions.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Only run if .github/ files are staged
+staged_github_files=$(git diff --cached --name-only --diff-filter=ACM | grep '^\.github/')
+if [ -z "$staged_github_files" ]; then
+  exit 0
+fi
+
+# Check for unpinned external GitHub Actions (not using commit SHA)
+offenders=$(echo "$staged_github_files" | grep -E '\.github/(workflows|actions)/' |
+  xargs grep -E "uses:[[:space:]]*[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+@" |
+  grep -v "\.github/actions" |
+  grep -v -E "@[0-9a-f]{40}($|[^0-9a-f])")
+
+if [ -n "$offenders" ]; then
+  echo "❌ Error: Detected external GitHub Actions that are not pinned to a commit SHA." >&2
+  echo "Please update your workflows accordingly to prevent supply chain attacks!" >&2
+  echo "Offending lines:" >&2
+  echo "$offenders" >&2
+  exit 1
+fi