ci(security): pin all 3rd-party actions to commit SHAs (closes #7091) (#7102)

Per GitHub's security hardening guide for actions:
> Pinning an action to a full length commit SHA is currently the only
> way to use an action as an immutable release.

Tags are mutable. A compromised maintainer could force-push v3 → a
malicious commit that lands silently in our CI on next run. SHA
pinning makes the action immutable until we explicitly update.

7 actions pinned (resolved 2026-05-06 via `git ls-remote`):

  codecov/codecov-action@v6           → 57e3a136b779b570ffcdbf80b3bdc90e7fab3de2
  docker/build-push-action@v7         → bcafcacb16a39f128d818304e6c9c0c18556b85f
  docker/login-action@v4              → 4907a6ddec9925e35a0a9e82d7399ccc52663121
  docker/setup-buildx-action@v4       → 4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
  dorny/paths-filter@v3               → d1c1ffe0248fe513906c8e24db8ea791d46f8590
  orhun/git-cliff-action@v4           → f50e11560dce63f7c33227798f90b924471a88b5
  softprops/action-gh-release@v3      → b4309332981a82ec1c5618f44dd2e27cc8bfbfda

11 occurrences across 6 workflows. Trailing `# vX` comment preserves
human-readable version intent for future SHA bumps.

actions/* (first-party, GitHub-maintained) left tag-pinned per common
practice — the supply-chain risk surface is much smaller for those.

Dependabot already covers `github-actions` ecosystem in
`.github/dependabot.yml` — it'll auto-PR SHA updates as new versions
release, using the version comment for changelog inference.

Co-authored-by: t <t@t>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: 3 people

.github/workflows/autoresearch-image.yml

@@ -21,14 +21,14 @@ jobs:
       - uses: actions/checkout@v6
 
       - name: Log in to GHCR
-        uses: docker/login-action@v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121  # v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f  # v7
         with:
           context: autobot-backend/services/autoresearch
           file: autobot-backend/services/autoresearch/Dockerfile

.github/workflows/ci.yml

@@ -25,7 +25,7 @@ jobs:
       frontend: ${{ steps.filter.outputs.frontend }}
     steps:
       - uses: actions/checkout@v6
-      - uses: dorny/paths-filter@v3
+      - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590  # v3
         id: filter
         with:
           filters: |
@@ -160,7 +160,7 @@ jobs:
         fi
 
     - name: Upload coverage reports
-      uses: codecov/codecov-action@v6
+      uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2  # v6
       with:
         files: ./coverage.xml
         flags: unittests

.github/workflows/docker-smoke-test.yml

@@ -25,7 +25,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd  # v4
 
       - name: Create .env from .env.example
         run: cp .env.example .env

.github/workflows/frontend-test.yml

@@ -91,7 +91,7 @@ jobs:
         run: npm run test:coverage
 
       - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@v6
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2  # v6
         with:
           files: ./autobot-frontend/coverage/lcov.info
           directory: ./autobot-frontend/coverage

.github/workflows/release.yml

@@ -36,7 +36,7 @@ jobs:
 
       - name: Determine next version
         id: version
-        uses: orhun/git-cliff-action@v4
+        uses: orhun/git-cliff-action@f50e11560dce63f7c33227798f90b924471a88b5  # v4
         with:
           config: cliff.toml
           args: --bumped-version
@@ -59,7 +59,7 @@ jobs:
       - name: Generate release notes (git-cliff)
         if: steps.check.outputs.release_needed == 'true'
         id: cliff_notes
-        uses: orhun/git-cliff-action@v4
+        uses: orhun/git-cliff-action@f50e11560dce63f7c33227798f90b924471a88b5  # v4
         with:
           config: cliff.toml
           args: --latest --strip header
@@ -79,7 +79,7 @@ jobs:
 
       - name: Update CHANGELOG.md (full history index)
         if: steps.check.outputs.release_needed == 'true'
-        uses: orhun/git-cliff-action@v4
+        uses: orhun/git-cliff-action@f50e11560dce63f7c33227798f90b924471a88b5  # v4
         with:
           config: cliff.toml
           args: --verbose
@@ -101,7 +101,7 @@ jobs:
 
       - name: Create GitHub Release
         if: steps.check.outputs.release_needed == 'true'
-        uses: softprops/action-gh-release@v3
+        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda  # v3
         with:
           tag_name: ${{ steps.check.outputs.version }}
           name: ${{ steps.check.outputs.version }}

.github/workflows/security.yml

@@ -34,7 +34,7 @@ jobs:
       deps: ${{ steps.filter.outputs.deps }}
     steps:
       - uses: actions/checkout@v6
-      - uses: dorny/paths-filter@v3
+      - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590  # v3
         id: filter
         with:
           filters: |