Pin third-party GitHub Actions to SHA hashes

## Problem

All third-party action references in our workflows use floating tags:

- \`actions/checkout@v4\`
- \`actions/setup-node@v4\`
- \`actions/setup-python@v5\`
- \`actions/upload-artifact@v4\`
- \`actions/download-artifact@v4\`
- \`foundry-rs/foundry-toolchain@v1\`
- \`marocchino/sticky-pull-request-comment@v2\`
- \`crytic/slither-action@v0.4.0\`
- \`dorny/paths-filter@v3\`

A compromised tag means a compromised workflow. Since these workflows handle \`PRIVATE_KEY\` and run on consumer repos, this is a meaningful supply-chain risk. GitHub's [hardening guidance](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) recommends pinning to full commit SHAs.

## Proposal

1. Pin every \`uses:\` reference to a full commit SHA, with the human-readable tag in a trailing comment for review-time clarity, e.g. \`uses: actions/checkout@<sha> # v4.2.2\`.
2. Add \`.github/dependabot.yml\` to keep these pins fresh on a weekly cadence.

## Notes

- Related to but distinct from #34, which concerns the \`etherform-ref\` default for self-references.
- First-party (\`actions/*\`) actions are typically considered lower-risk than third-party — but pinning them too costs nothing and keeps the policy uniform.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Pin third-party GitHub Actions to SHA hashes #40

Problem

Proposal

Notes

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Pin third-party GitHub Actions to SHA hashes #40

Description

Problem

Proposal

Notes

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions