Security hardening: pin GitHub Actions to immutable commit SHAs

## Summary
Current workflows reference actions by mutable tags (for example `actions/checkout@v6`, `actions/setup-node@v6`, `actions/setup-python@v6`).

## Risk
Mutable refs can change upstream without review, which increases CI/CD supply-chain risk.

## Recommendation
Pin all GitHub Actions to immutable commit SHAs, and periodically bump them using Dependabot/Renovate.

## Candidate files
- `.github/workflows/ci.yml`
- `.github/workflows/test.yml`



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security hardening: pin GitHub Actions to immutable commit SHAs #146

Summary

Risk

Recommendation

Candidate files

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Security hardening: pin GitHub Actions to immutable commit SHAs #146

Description

Summary

Risk

Recommendation

Candidate files

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions