ci: pin GitHub Actions and Docker images to immutable references

[BrendanWalsh]

Summary

Pin all GitHub Actions to commit SHAs and Docker base images to digest hashes to improve supply chain security and satisfy the OpenSSF Scorecard Pinned-Dependencies check (currently scoring 0/10).

What changed

GitHub Actions pinned to commit SHAs (12 workflow files)

Workflow	Action	Pinned To
acknowledge-new-issues	peter-evans/create-or-update-comment	e8674b07… (v5)
acknowledge-new-prs	peter-evans/create-or-update-comment	e8674b07… (v5)
ado-integration	mhamilton723/github-actions-issue-to-work-item	9bd9d441… (master)
ado-pr-to-workitem	danhellem/github-actions-pr-to-work-item	496254e4… (master)
check-dead-links	actions/checkout, lycheeverse/lychee-action	SHAs (v4, v2)
check-semantic-prs	amannn/action-semantic-pull-request	e9fabac3… (v5.4.0)
codeql	actions/checkout, github/codeql-action/*	SHAs (v4, v3)
dependency-review	actions/checkout, actions/dependency-review-action	SHAs (v4, v4)
pr-validation	actions/checkout, actions/setup-python, actions/setup-java	SHAs (v4, v5, v4)
remove-awaiting-response-label	octokit/request-action	02f5e7c6… (v2.x)
remove-old-issues	dwieeb/needs-reply	71e8d514… (v2)
scorecards	actions/checkout (was tag, now SHA)	34e11487… (v4)

Already pinned (no changes): add-triage-label.yml, website-deploy.yml, scorecards.yml (remaining actions)

Docker base images pinned to digest hashes (8 Dockerfiles)

Image	Digest
mcr.microsoft.com/mirror/docker/library/ubuntu:22.04	sha256:104ae837…
mcr.microsoft.com/openjdk/jdk:11-mariner	sha256:844a3637…
mcr.microsoft.com/mmlspark/spark2.4:v4_mini	sha256:a7da0d7c…

Why

• Supply chain security: Pinning to immutable references (commit SHAs and image digests) prevents tag-hijacking attacks where a malicious actor could push new code under an existing tag.
• OpenSSF Scorecard: This directly addresses the Pinned-Dependencies check, which currently scores 0/10.
• Reproducibility: Builds are now fully reproducible regardless of upstream tag movements.

Impact

• No functional changes — all references resolve to the same code/images that were previously used.
• Dependabot already monitors github-actions updates daily and will create PRs when new versions are available.
• Version comments (e.g., # v4) are included on each pinned line for maintainability.

[github-actions]

Hey @BrendanWalsh 👋!
Thank you so much for contributing to our repository 🙌.
Someone from SynapseML Team will be reviewing this pull request soon.

We use semantic commit messages to streamline the release process.
Before your pull request can be merged, you should make sure your first commit and PR title start with a semantic prefix.
This helps us to create release messages and credit you for your hard work!

Examples of commit messages with semantic prefixes:

• fix: Fix LightGBM crashes with empty partitions
• feat: Make HTTP on Spark back-offs configurable
• docs: Update Spark Serving usage
• build: Add codecov support
• perf: improve LightGBM memory usage
• refactor: make python code generation rely on classes
• style: Remove nulls from CNTKModel
• test: Add test coverage for CNTKModel

To test your commit locally, please follow our guild on building from source.
Check out the developer guide for additional guidance on testing your change.

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 5a746ee.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

.github/workflows/remove-awaiting-response-label.yml

Package	Version	License	Issue Type
octokit/request-action	02f5e7c637a73a3b12ed81015fa7fb5f11cc5d7d	Null	Unknown License

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	34e114876b0b11c390a56381ad16ebd13914f8d5	🟢 6	Details Check Score Reason Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/lycheeverse/lychee-action	8646ba30535128ac92d33dfc9133794bfdd9b411	🟢 4.6	Details Check Score Reason Security-Policy 🟢 10 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 6 Found 13/19 approved changesets -- score normalized to 6 Maintained 🟢 5 2 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 5 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/octokit/request-action	02f5e7c637a73a3b12ed81015fa7fb5f11cc5d7d	🟢 6.4	Details Check Score Reason Maintained 🟢 7 8 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 7 Code-Review 🟢 5 Found 4/8 approved changesets -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 9 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Packaging 🟢 10 packaging workflow detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST 🟢 7 SAST tool detected but not run on all commits
actions/actions/checkout	34e114876b0b11c390a56381ad16ebd13914f8d5	🟢 6	Details Check Score Reason Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits

Scanned Files

• .github/workflows/check-dead-links.yml
• .github/workflows/remove-awaiting-response-label.yml
• .github/workflows/scorecards.yml