Pin every third-party action in .github/workflows/ to a full commit SHA
with a trailing version comment, and bump to the latest stable release.
Defends against tag-rewrite supply-chain attacks while keeping versions
legible.
- Add COMPOSE_FILE=docker-compose.yml to tests, benchmark, and sdk-preview to prevent loading overrides in CI
- Add target: development to tests/benchmark builds, target: production to pr-scan/nightly builds
- Bump actions/checkout v4→v6, docker/build-push-action v4/v5→v6, actions/upload-artifact v4→v6, actions/github-script v7→v8
- Pin composer images to 2.8 in linter and static-analysis workflows
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Jake Barnby
loks0n
Matej Bačo
Christy Jacob
Steven Nguyen
Sarthak Roy
Sushrut1101
Alex
Eldad A. Fux