security(ci): pin GHA using immutable digests instead of mutable versions

[mvanhorn]

Summary

Pin every third-party GitHub Actions uses: reference across the workflow files and the composite action.yml to its full 40-character commit SHA, with the human-readable version tag preserved as a trailing comment so Renovate and Dependabot can keep them current.

Why this change

Referencing actions by mutable version tags (e.g. actions/setup-node@v6, github/codeql-action/init@v4) is a supply-chain risk: a tag can be silently repointed by an upstream maintainer or a compromised account, changing the code that runs in CI without any visible diff here. Pinning to immutable commit digests closes that vector. For a security-scanning tool this also hardens the project against the exact class of issue it helps users detect. Requested in #597 and acknowledged by the maintainer.

What changed

• Pinned all external actions to verified commit SHAs with a # vX.Y.Z tag comment: actions/checkout → df4cb1c (v6.0.3), actions/setup-node → 48b55a0 (v6.4.0), actions/upload-pages-artifact → fc324d3 (v5.0.0), actions/deploy-pages → cd2ce8f (v5.0.0), actions/attest-build-provenance → e8998f9 (v2.4.0), github/codeql-action/{init,autobuild,analyze,upload-sarif} → 8aad20d (v4.36.2).
• Touched ci.yml, codeql.yml, docs-site.yml, release.yml, self-scan.yml, and action.yml.
• Left the first-party OWASP/cve-lite-cli@v1 self-reference in self-scan.yml on its major tag (intentional, tracks the major release line).

Validation

• Each SHA was resolved from the action's release tag via the GitHub API (repos/<action>/git/ref/tags/<tag>, dereferencing annotated tags to the underlying commit) and cross-checked against the precise semver tag pointing at that commit; the trailing comment reflects that exact version.
• All six files parse as valid YAML.
• grep -rE "uses: .+@v[0-9]" .github/ action.yml now returns only the intentionally-unpinned first-party self-reference; no third-party mutable tags remain.
• No behavior change beyond the pin.

User-facing impact

Does this change:

• affect scanning behavior
• affect output formatting
• affect JSON output
• affect docs only

CI/build configuration only; no runtime or scanning behavior change.

Notes

Closes #597.

[sonukapoor]

Hi @mvanhorn - the PR looks good, just needs a rebase onto the current main before we can merge. Could you run git fetch upstream && git rebase upstream/main and push when you get a chance?

[sonukapoor]

Hey @mvanhorn — this branch has fallen behind main. Could you rebase against main and push? CI is green on the current commits so it should be straightforward.

[sonukapoor]

Hey @mvanhorn - this branch is a bit behind main. Could you rebase against main and force-push? Happy to review once it's up to date.

[sonukapoor]

Hey, this branch is behind main - could you rebase against the latest main and push? Happy to pick this up for review once it's up to date.

[sonukapoor]

SHA pinning with version comments is the right pattern for preventing tag mutation attacks. One thing to confirm before merge: were these SHAs generated by a pinning tool (e.g. pin-github-action)? The v6.x version comments are higher than what I can independently verify - if those are accurate that is fine, but want to make sure the comments match the actual tags rather than being placeholder values.