[Security] Pin GitHub Actions to a full-length commit SHA

[juliendoutre]

Pin GitHub Actions to SHA hashes

This automated PR pins third-party GitHub Actions references from mutable tag versions (e.g., @v4) to their corresponding SHA hashes (e.g., @abc123...). The original tag is preserved as a comment for readability. Your workflows will work exactly the same way. Internal actions (under the DataDog organization) are not pinned.

Read https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions for more details and info on how to configure this for entire repos.

Why pin GitHub Actions?

Git tags are mutable: they can be moved to point to different commits at any time. A compromised or malicious action maintainer could update a tag to inject arbitrary code into your CI workflows (see the tj-actions incident). Pinning to SHA hashes ensures you always run the exact code you reviewed, protecting your repository from supply chain attacks such as the tj-actions incident.

What if something breaks?

If a pinned action doesn't work for your use case, you can push a commit directly to this branch to fix it. As a last resort, reach out to #sdlc-security on Slack.

Set up Dependabot or Renovate for automatic updates

Once actions are pinned to SHA hashes, you should configure Dependabot or Renovate to receive weekly update PRs when new versions are available.

In the case of Dependabot, create or update .github/dependabot.yml:

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      github-actions:
        patterns:
          - "*"
    open-pull-requests-limit: 10

Dependabot will automatically propose PRs that update both the SHA hash and the version comment like in this example.

---

This PR was automatically generated by the GitHub Actions Pinning tool, owned by #sdlc-security.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 63.12%. Comparing base (43b48ff) to head (1267fcf).

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #44   +/-   ##
=======================================
  Coverage   63.12%   63.12%           
=======================================
  Files           7        7           
  Lines         377      377           
  Branches       49       49           
=======================================
  Hits          238      238           
  Misses        101      101           
  Partials       38       38           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.