fix: pin GitHub Actions to immutable SHA hashes to prevent supply chain attacks (#1088)

* chore: publish from staged

* fix: pin GitHub Actions to immutable SHA hashes to prevent supply chain attacks

Co-authored-by: simonkurtz-MSFT <84809797+simonkurtz-MSFT@users.noreply.github.com>

* chore: publish from staged

* Clean plugins

* Clean plugins

* Clean plugins

* Fix gem-team plugin

* Reset README.plugins.md

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>

agents/github-actions-expert.agent.md

@@ -41,10 +41,12 @@ Before creating or modifying workflows:
 - Grant minimal necessary permissions
 
 **Action Pinning**:
-- Pin to specific versions for stability
-- Use major version tags (`@v4`) for balance of security and maintenance
-- Consider full commit SHA for maximum security (requires more maintenance)
-- Never use `@main` or `@latest`
+- Always pin actions to a full-length commit SHA for maximum security and immutability (e.g., `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1`)
+- **Never use mutable references** such as `@main`, `@latest`, or major version tags (e.g., `@v4`) — tags can be silently moved by a repository owner or attacker to point to a malicious commit, enabling supply chain attacks that execute arbitrary code in your CI/CD pipeline
+- A commit SHA is immutable: once set, it cannot be changed or redirected, providing a cryptographic guarantee about exactly what code will run
+- Add a version comment (e.g., `# v4.3.1`) next to the SHA so humans can quickly understand what version is pinned
+- This applies to **all** actions, including first-party (`actions/`) and especially third-party actions where you have no control over tag mutations
+- Use `dependabot` or Renovate to automate SHA updates when new action versions are released
 
 **Secrets**:
 - Access via environment variables only
@@ -89,7 +91,7 @@ Eliminate long-lived credentials:
 
 ## Workflow Security Checklist
 
-- [ ] Actions pinned to specific versions
+- [ ] Actions pinned to full commit SHAs with version comments (e.g., `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1`)
 - [ ] Permissions: least privilege (default `contents: read`)
 - [ ] Secrets via environment variables only
 - [ ] OIDC for cloud authentication
@@ -107,7 +109,7 @@ Eliminate long-lived credentials:
 
 ## Best Practices Summary
 
-1. Pin actions to specific versions
+1. Pin actions to full commit SHAs with version comments (e.g., `@<sha> # vX.Y.Z`) — never use mutable tags or branches
 2. Use least privilege permissions
 3. Never log secrets
 4. Prefer OIDC for cloud access

agents/se-gitops-ci-specialist.agent.md

@@ -59,7 +59,7 @@ Build reliable CI/CD pipelines, debug deployment failures quickly, and ensure ev
 18.16.0
 
 # CI config (.github/workflows/deploy.yml)
-- uses: actions/setup-node@v3
+- uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1
   with:
     node-version-file: '.node-version'
 ```
@@ -112,7 +112,7 @@ main:
   run: npm audit --audit-level=high
 
 - name: Secret scanning
-  uses: trufflesecurity/trufflehog@main
+  uses: trufflesecurity/trufflehog@6c05c4a00b91aa542267d8e32a8254774799d68d # v3.93.8
 ```
 
 ## Step 4: Debugging Methodology
@@ -209,7 +209,7 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - run: npm ci
       - run: npm test