fix: pin 11 unpinned action(s) by dagecko · Pull Request #12224 · chartjs/Chart.js

This is a re-submission of #12223, which was closed due to a branch issue on my end. Same fixes, apologies for the noise.

Security: Harden GitHub Actions workflows

Hey, I found some CI/CD security issues in this repo's GitHub Actions workflows. These are the same vulnerability classes that were exploited in the tj-actions/changed-files supply chain attack. I've been reviewing repos that are affected and submitting fixes where I can.

This PR applies mechanical fixes and flags anything else that needs a manual look. Happy to answer any questions.

Fixes applied

| Rule | Severity | File | Description |
|---|---|---|---|
| RGS-007 | high | .github/workflows/ci.yml | Pinned 5 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/compressed-size.yml | Pinned 2 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/deploy-docs.yml | Pinned 1 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/release-drafter.yml | Pinned 1 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/release.yml | Pinned 2 third-party action(s) to commit SHA |

Additional findings (manual review recommended)

No additional findings beyond the fixes applied above.

Why this matters

GitHub Actions workflows that use untrusted input in run: blocks or reference unpinned third-party actions are vulnerable to code injection and supply chain attacks. These are the same vulnerability classes exploited in the tj-actions/changed-files incident, which compromised CI secrets across thousands of repositories.

How to verify

Review the diff; each change is mechanical and preserves workflow behavior:

  • SHA pinning: Pins third-party actions to immutable commit SHAs (original version tag preserved as comment)
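A small checker for the verification step above, added here as an example and not part of this PR or the Chart.js repository: it scans workflow text for `uses:` references and reports which third-party actions are pinned to a full commit SHA with the original version tag kept in a trailing comment. The workflow text, action names and SHA below are a constructed sample, not one of the repository's files.

```python
import re

# Matches a `uses:` step reference owner/repo[/path]@ref with an optional trailing "# vX" comment.
# Local actions (./path) and docker:// references carry no third-party tag and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?!\./|docker://)"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S.*))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full 40-hex commit SHA is immutable; tags and branches are not

def audit_workflow(text: str) -> list[dict]:
    """One finding per third-party `uses:` line: action, ref, whether the ref is a
    full commit SHA, and whether a version tag was kept in a trailing comment
    (the convention this PR follows, e.g. `@<sha> # v4.1.1`)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        comment = (m.group("comment") or "").strip()
        findings.append({
            "line": lineno,
            "action": m.group("action"),
            "ref": ref,
            "sha_pinned": bool(SHA_RE.match(ref)),
            "tag_comment": comment if re.match(r"v?\d", comment) else "",
        })
    return findings

def unpinned(text: str) -> list[str]:
    """Third-party actions still referenced by a mutable tag or branch name."""
    return [f["action"] for f in audit_workflow(text) if not f["sha_pinned"]]

# Constructed sample workflow: one step pinned the way this PR pins, two still on mutable refs.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1
      - uses: actions/setup-node@v4
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
      - run: npm test
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref']}", "pinned" if f["sha_pinned"] else "UNPINNED", f["tag_comment"])
```

Run it against each file under `.github/workflows/` to confirm that every third-party `uses:` line resolves to a 40-character SHA and that no mutable tag or branch remains.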

If this PR is not welcome, just close it and I won't send another.