[release/v7.6.1] [StepSecurity] ci: Harden GitHub Actions tags by daxian-dbw · Pull Request #27236 · PowerShell/PowerShell

Backport of #27201 to release/v7.6.1

Triggered by @daxian-dbw on behalf of @step-security-bot

Original CL Label: CL-BuildPackaging

/cc @PowerShell/powershell-maintainers

Impact

REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.

Tooling Impact

  • Required tooling change
  • Optional tooling change (include reasoning)

Backports GitHub Actions tag hardening to pin mutable workflow action references to immutable SHAs in the release/v7.6.1 CI workflows.

Customer Impact

  • Customer reported
  • Found internally

Regression

REQUIRED: Check exactly one box.

  • Yes
  • No

This is not a regression.

Testing

Verified by cherry-picking onto release/v7.6.1, resolving workflow conflicts by preserving the release-branch workflow structure and pinning the existing action versions to immutable SHAs, then confirming the staged diffs were limited to the intended action hardening updates. No local workflow run was performed; CI on the backport PR will validate the workflows.

Risk

REQUIRED: Check exactly one box.

  • High
  • Medium
  • Low

Medium risk because the change affects multiple CI workflows and reusable workflow references, which can break automation if pinned incorrectly. The resolution preserved the release branch workflow structure and applied only the intended tag hardening changes.

Merge Conflicts

Conflicts occurred in .github/workflows/labels.yml, .github/workflows/linux-ci.yml, .github/workflows/macos-ci.yml, .github/workflows/verify-markdown-links.yml, .github/workflows/windows-ci.yml, .github/workflows/windows-packaging-reusable.yml, and .github/workflows/xunit-tests.yml. The release branch used older major versions of several actions than main. Resolved by keeping the release-branch workflow structure and pinning those existing action versions to immutable SHAs instead of upgrading action major versions as part of this backport.
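A check a reviewer could run over the touched workflow files to confirm the intent of this backport (every remote action and reusable-workflow `uses:` reference pinned to a full commit SHA, local `./` references left alone), as an added example that is not part of the PR or the PowerShell repository. The workflow text and the 40-hex SHAs are constructed; `actions/checkout` and `actions/setup-dotnet` are real actions used only for illustration.

```python
import re
from typing import List

# Constructed sample: a release-branch workflow before the tag-hardening
# backport. The reusable-workflow path is the one named in the PR; the
# local step action is a placeholder.
WORKFLOW_BEFORE = """\
name: linux-ci
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
      - uses: ./.github/actions/example-local-step   # local action, no tag
  packaging:
    uses: ./.github/workflows/windows-packaging-reusable.yml
"""

# The same file after hardening: existing major versions kept (as the
# backport did), but each remote ref replaced by a placeholder full SHA
# with the original tag preserved in a trailing comment.
WORKFLOW_AFTER = WORKFLOW_BEFORE.replace(
    "actions/checkout@v4", "actions/checkout@" + "a" * 40 + " # v4"
).replace(
    "actions/setup-dotnet@v4", "actions/setup-dotnet@" + "b" * 40 + " # v4"
)

# Matches step-level ("- uses:") and job-level ("uses:") references alike.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_yaml: str) -> List[str]:
    """Return each remote `uses:` reference that resolves through a mutable
    git ref (tag, branch, or abbreviated SHA) instead of a full commit SHA."""
    findings: List[str] = []
    for line in workflow_yaml.splitlines():
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group("ref")
        # Local actions/workflows ship with the repo and have no remote tag
        # to be moved; docker:// refs are pinned by image digest, not git
        # SHA, so they are out of scope for this check.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        # Only a full 40-hex commit SHA cannot be re-pointed upstream.
        if not FULL_SHA_RE.fullmatch(version):
            findings.append(ref)
    return findings
```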