
[Feature Request]: security: pin all third-party action references to commit SHAs #248

@Chrico

Description


Is your feature request related to a problem?

The inpsyde/reusable-workflows repository references third-party GitHub Actions across its workflows and (future) composite actions. Several of these references currently use floating tag-based versioning, for example:

# ❌ Tag can be silently reassigned
- uses: actions/checkout@v4
- uses: shivammathur/setup-php@v2

Tags in GitHub are mutable - a repository owner (or an attacker who has compromised one) can silently move a tag to point at a different commit. This means a workflow that looked safe at review time can begin executing different, potentially malicious, code without any change to our own repository.

Because inpsyde/reusable-workflows is consumed by projects across the entire Syde engineering organization, a supply-chain compromise here would have a blast radius covering every project that uses these workflows.

Describe the desired solution

Replace every third-party action reference in the repository - in both reusable workflows and composite actions - with a full immutable commit SHA, retaining the human-readable tag as an inline comment:

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: shivammathur/setup-php@a36e1e52f4eda7b07b6efa9255cf9c4b5f756ea4 # v2.33.0

Scope:

  • Audit all .github/workflows/*.yml files and any .github/actions/*/action.yml composite actions for tag-based or branch-based third-party action references
  • Replace each with the corresponding commit SHA (found via the action's GitHub releases page or the tag's commit link)
  • Add the version tag as a trailing comment for maintainability
  • Add a note to the repository's contributing guide / README documenting this requirement, so future PRs don't reintroduce floating references

Current actions in use:

Name                             Version
actions/checkout                 v4, v6
actions/download-artifact        v4, v8
actions/github-script            v7
actions/setup-node               v4
actions/upload-artifact          v4
ddev/github-action-setup-ddev    v1
inpsyde/actions/setup-wireguard  v1
montudor/action-zip              v1
ramsey/composer-install          v3
shivammathur/setup-php           v2
svenstaro/upload-release-action  v2
webfactory/ssh-agent             v0.9.0, v0.9.1

Describe the alternatives that you have considered

  • Continue using floating tags: Simple, but violates our Engineering Handbook policy and exposes every consuming project to supply-chain risk. Not acceptable.

Additional context

  • Our Engineering Handbook policy (Secure Version Control) already documents SHA pinning as mandatory for all Syde projects. This issue brings inpsyde/reusable-workflows into compliance with its own published standard, which is especially important given that it serves as the reference implementation for every other project.
  • The GitHub security hardening guide covers this in detail, including the concept of transitive risk: even a correctly SHA-pinned action can be exposed if an action it depends on uses floating references.
  • To find the SHA for a given tag: navigate to the action's GitHub repository → Releases → click the tag → copy the full commit hash from the URL or the commit link.

Acceptance criteria:

  • All third-party action references in /.github/workflows/ are pinned to a full 40-character commit SHA
  • All third-party action references in /.github/actions/ (composite actions) are pinned to a full commit SHA
  • Each SHA has the corresponding version tag noted as a comment
  • A Dependabot configuration (/.github/dependabot.yml) is added or updated to track github-actions dependencies
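The audit step in the scope list and the "full 40-character commit SHA" acceptance criterion above can both be checked mechanically. The following script is an added example, not part of this issue or of the inpsyde/reusable-workflows repository: it scans `uses:` lines in workflow and composite-action files, classifies each third-party reference as SHA-pinned (with or without the required version comment) or floating (tag, branch, or missing ref), skips local `./` actions and `docker://` images, and exits non-zero when anything is not fully pinned, so it can run as a CI gate. The embedded `SAMPLE_WORKFLOW` is constructed for illustration; the `ramsey/composer-install` SHA in it is a placeholder, not a real commit.

```python
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# A full, immutable commit SHA is exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches a step's "uses:" line plus an optional trailing "# v1.2.3" comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<target>[^\s#]+)\s*(?:#\s*(?P<comment>\S+))?"
)


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    status: str  # "pinned", "pinned-no-comment" or "floating"


def audit_workflow(text: str) -> list[Finding]:
    """Classify every third-party action reference in one workflow/action file."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group("target").strip("'\"")
        # Local composite actions and docker images are not third-party GitHub refs.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, _, ref = target.partition("@")
        if SHA_RE.match(ref):
            # Pinned, but the policy also wants the human-readable tag as a comment.
            status = "pinned" if m.group("comment") else "pinned-no-comment"
        else:
            status = "floating"  # tag, branch, or no ref at all
        findings.append(Finding(line_no, action, ref, status))
    return findings


def floating_refs(text: str) -> list[str]:
    """Return 'owner/repo@ref' for every reference that is not SHA-pinned, sorted."""
    return sorted(
        f"{f.action}@{f.ref}" for f in audit_workflow(text) if f.status == "floating"
    )


def audit_repo(root: Path) -> dict[str, list[Finding]]:
    """Audit .github/workflows/*.yml|yaml and .github/actions/*/action.yml|yaml."""
    workflows = root / ".github" / "workflows"
    actions = root / ".github" / "actions"
    files = sorted(
        list(workflows.glob("*.yml")) + list(workflows.glob("*.yaml"))
        + list(actions.glob("*/action.yml")) + list(actions.glob("*/action.yaml"))
    )
    return {str(p.relative_to(root)): audit_workflow(p.read_text()) for p in files}


# Constructed sample input (the composer-install SHA is a placeholder, not a real commit).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: shivammathur/setup-php@v2
      - uses: inpsyde/actions/setup-wireguard@v1
      - uses: ./.github/actions/local-helper
      - uses: ramsey/composer-install@0123456789abcdef0123456789abcdef01234567
      - uses: webfactory/ssh-agent@main
"""


if __name__ == "__main__":
    # Usage: python audit_pins.py [repo-root]; without an argument the sample is audited.
    if len(sys.argv) > 1:
        results = audit_repo(Path(sys.argv[1]))
    else:
        results = {"<constructed sample>": audit_workflow(SAMPLE_WORKFLOW)}
    unpinned = 0
    for path, findings in results.items():
        for f in findings:
            if f.status != "pinned":
                unpinned += 1
                print(f"{path}:{f.line_no}: {f.action}@{f.ref} [{f.status}]")
    sys.exit(1 if unpinned else 0)
```

A reference that is SHA-pinned but lacks the trailing version comment is reported separately from a floating one, because the former is a maintainability gap while the latter is the actual supply-chain exposure the issue describes; both still fail the gate, matching the acceptance criteria.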
