
fix: pin GitHub Actions dependencies to SHA hashes#112

Merged
zkoppert merged 5 commits into main from claude/pin-dependencies-in-actions
Feb 11, 2026

Conversation

@Claude
Contributor

@Claude Claude AI commented Feb 10, 2026

Pull Request

Proposed Changes

All GitHub Actions workflow files were using version tags (e.g., @v6.0.2) instead of pinned SHA hashes, creating a supply chain security risk where tags could be moved to point at different commits.

Changes Made

Pinned all GitHub Actions dependencies to immutable SHA hashes with inline version comments for maintainability:

  • actions/checkout@v6.0.2 → actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  • actions/setup-python@v6.2.0 → actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
  • actions/upload-artifact@v6.0.0 → actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
  • actions/stale@v10.1.1 → actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1

Files Updated

  • .github/workflows/scorecard.yml
  • .github/workflows/linter.yaml
  • .github/workflows/docker-image.yml
  • .github/workflows/python-package.yml
  • .github/workflows/stale.yaml

Other actions (ossf/scorecard-action, github/codeql-action, super-linter, github/contributors, peter-evans/create-issue-from-file, github/ospo-reusable-workflows) were already using SHA hashes.

Readiness Checklist

Author/Contributor

  • If documentation is needed for this change, has that been included in this pull request?
  • run make lint and fix any issues that you have introduced
  • run make test and ensure you have test coverage for the lines you are introducing
  • If publishing new data to the public (scorecards, security scan results, code quality results, live dashboards, etc.), please request review from @jeffrey-luszcz

Reviewer

  • Label as either fix, documentation, enhancement, infrastructure, maintenance, or breaking
Original prompt

This section details the original issue you should resolve.

<issue_title>pinned dependencies</issue_title>
<issue_description>
Describe the bug

All GitHub Actions workflow files are using version tags (e.g., @v6.0.2) instead of pinned SHA hashes, creating a supply chain security risk where tags could theoretically be moved to point at different commits.

To Reproduce

observe github actions files

Expected behavior

use pinned dependencies in actions workflow files

Screenshots

No response

Additional context

No response</issue_description>

Comments on the Issue (you are @claude[agent] in this section)
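
The check the PR applies by hand (every `uses:` reference resolves to a full 40-character commit SHA, with the release tag kept as an inline comment) can be automated. The following is an added example, not code from this PR or the project: it scans workflow files with the standard library only, reports references that are still tags or branches, abbreviated SHAs, or SHAs without the version comment, and rewrites a single `uses:` line once the caller has resolved the tag to a commit out of band (for example with `git ls-remote`). The sample workflow is constructed; the SHAs in it are the ones listed in the PR description, and the truncated `actions/stale` reference is deliberately shortened to exercise that branch.

```python
"""Audit GitHub Actions workflow files for unpinned `uses:` references.

Added example (not part of the PR or the project's code). Workflow YAML is read
as plain text with a regex rather than a YAML parser so the script needs only the
standard library. A reference counts as pinned when the part after '@' is a full
40-character commit SHA; the PR's convention of an inline `# vX.Y.Z` comment after
the SHA is checked as well.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# group 1: indent, optional list dash and the key; group 2: the reference; group 3: trailing comment
USES_RE = re.compile(r'^(\s*-?\s*uses:\s*)([^\s#]+)\s*(#.*)?$')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
SHORT_SHA_RE = re.compile(r'^[0-9a-f]{7,39}$')


@dataclass(frozen=True)
class Finding:
    line: int   # 1-based line number in the workflow file
    ref: str    # the `uses:` value as written
    issue: str  # no-ref | mutable-ref | abbreviated-sha | missing-version-comment


def check_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` line that is not pinned the way the PR describes."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(2).strip('"\''), m.group(3)
        # Local actions and docker images are not git refs; image tags are a separate concern.
        if ref.startswith(("./", "docker://")):
            continue
        if "@" not in ref:
            findings.append(Finding(lineno, ref, "no-ref"))
            continue
        version = ref.rsplit("@", 1)[1]
        if FULL_SHA_RE.match(version):
            if comment is None:
                # Pinned, but without the comment nobody can tell which release this is.
                findings.append(Finding(lineno, ref, "missing-version-comment"))
        elif SHORT_SHA_RE.match(version):
            # An abbreviated id is not unique forever; pin to the full 40-character SHA.
            findings.append(Finding(lineno, ref, "abbreviated-sha"))
        else:
            # A tag or branch name can be moved to point at a different commit.
            findings.append(Finding(lineno, ref, "mutable-ref"))
    return findings


def pin_reference(line: str, sha: str) -> str:
    """Rewrite one `uses:` line from a tag to a SHA, keeping the old tag as an inline comment.

    The SHA must be resolved out of band, e.g. `git ls-remote <repo> refs/tags/<tag>`
    (for annotated tags use the peeled `^{}` entry, which is the commit); this only rewrites.
    """
    m = USES_RE.match(line)
    if not m or "@" not in m.group(2):
        raise ValueError(f"not a pinnable 'uses:' line: {line!r}")
    if not FULL_SHA_RE.match(sha):
        raise ValueError("sha must be the full 40-character lowercase commit id")
    action, old_ref = m.group(2).strip('"\'').rsplit("@", 1)
    return f"{m.group(1)}{action}@{sha} # {old_ref}"


# Constructed sample workflow mixing pinned, unpinned and non-git references.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.2
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.12"
      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@main
      - uses: actions/stale@997185467fa4f8
"""


def main(paths: list[str]) -> int:
    """Scan the given workflow files (or the constructed sample); exit 1 on any finding."""
    sources = {p: Path(p).read_text() for p in paths} or {"<sample>": SAMPLE_WORKFLOW}
    total = 0
    for name, text in sources.items():
        for f in check_workflow(text):
            print(f"{name}:{f.line}: {f.issue}: {f.ref}")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python audit_pins.py .github/workflows/*.yml .github/workflows/*.yaml` in a repository to list every reference that is still a tag; the non-zero exit code makes it usable as a CI gate so the hygiene the PR establishes does not regress on the next workflow edit.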

Co-authored-by: zkoppert <6935431+zkoppert@users.noreply.github.com>
@Claude Claude AI changed the title from "[WIP] Update GitHub Actions to use pinned dependencies" to "fix: pin GitHub Actions dependencies to SHA hashes" Feb 10, 2026
@Claude Claude AI requested a review from zkoppert February 10, 2026 22:40
@github-actions github-actions bot added the fix label Feb 10, 2026
Signed-off-by: Zack Koppert <zkoppert@github.com>
Signed-off-by: Zack Koppert <zkoppert@github.com>
@zkoppert zkoppert marked this pull request as ready for review February 10, 2026 23:23
Copilot AI review requested due to automatic review settings February 10, 2026 23:23
Contributor

Copilot AI left a comment


Pull request overview

This PR improves supply-chain security hygiene by pinning GitHub Actions workflow dependencies to immutable commit SHA hashes (instead of mutable version tags), and includes a couple of small text/formatting tweaks in the Python code and Docker metadata.

Changes:

  • Pin actions/* dependencies in multiple GitHub Actions workflows to full commit SHAs with inline version comments.
  • Update super-linter/super-linter reference in the linter workflow (note: this is also a version bump).
  • Fix spelling of “occurring” in user-facing descriptions and adjust an auth error raise formatting.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

Summary per file

File | Description
measure_innersource.py | Fix docstring spelling (“occurring”).
auth.py | Reformat ValueError raise message for missing auth env vars.
Dockerfile | Fix spelling in image/action labels (“occurring”).
.github/workflows/stale.yaml | Pin actions/stale to a commit SHA with version comment.
.github/workflows/scorecard.yml | Pin actions/checkout and actions/upload-artifact to commit SHAs.
.github/workflows/python-package.yml | Pin actions/checkout and actions/setup-python to commit SHAs.
.github/workflows/linter.yaml | Pin actions/checkout and actions/setup-python; also updates super-linter SHA/version.
.github/workflows/docker-image.yml | Pin actions/checkout to a commit SHA.


Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Zack Koppert <zkoppert@github.com>
@zkoppert zkoppert merged commit dc1c7dc into main Feb 11, 2026
35 checks passed
@zkoppert zkoppert deleted the claude/pin-dependencies-in-actions branch February 11, 2026 00:14
Development

Successfully merging this pull request may close these issues.

pinned dependencies