
ci: pin GitHub Actions to full commit SHAs#22215

Open

XananasX7 wants to merge 2 commits into php:master from XananasX7:fix/pin-actions-to-sha

Conversation

@XananasX7

This PR pins GitHub Actions from mutable version tags (e.g. @v4) to full commit SHAs, preventing silent supply chain attacks from compromised action repositories.

Recommended by GitHub's security hardening guide and OpenSSF Scorecard.

@TimWolla TimWolla requested a review from edorian June 3, 2026 06:42
@edorian
Member

edorian commented Jun 3, 2026

Hi XananasX,

I can see the reasoning for pinning 3rd party actions, if we have a process to update them in place.

The PR/diff is empty for me, did something go wrong?

Pins all third-party GitHub Actions from mutable version tags (e.g.
@v4, @v5) to exact commit SHAs, following GitHub's security hardening
guide and OpenSSF Scorecard recommendations. This prevents silent supply
chain attacks if an action's tag is moved to a malicious commit.

Each pinned action retains the version tag as a comment for readability.

Signed-off-by: El Mehdi Abenhazou <mehdiananas007@gmail.com>
@XananasX7 XananasX7 force-pushed the fix/pin-actions-to-sha branch from dc5edb2 to 2e30838 June 4, 2026 21:38
@XananasX7 XananasX7 requested a review from TimWolla as a code owner June 4, 2026 21:38
@XananasX7
Author

Thanks for flagging that @edorian — the previous branch had a commit with no actual file changes (empty diff).

Fixed now: the branch has been updated with a single clean commit that pins all 11 third-party GitHub Actions across 11 workflow files to full commit SHAs. Each pin includes the version tag as a comment for readability, e.g.:

uses: actions/checkout@6852f92c20ea7fd3b0c25de3b5112db3a98da050 # v6

Actions covered: actions/checkout (v5, v6), actions/upload-artifact, actions/stale, actions/labeler, actions/cache, dorny/paths-filter, dwieeb/needs-reply, codecov/codecov-action, actions-ecosystem/action-add-labels, actions-ecosystem/action-remove-labels, hendrikmuhs/ccache-action, and sphinx-notes/pages.
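As an added example (not code from this PR or from php-src), a small checker in the spirit of the OpenSSF Scorecard pinned-dependencies check described above: it scans workflow text for `uses:` lines and reports any remote action that is not referenced by a full 40-hex commit SHA, or that is SHA-pinned but lacks the version comment this PR adds. The `Finding` type and the sample workflow are constructed for the example; the two SHAs are the ones quoted in this thread.

```python
import re
from dataclasses import dataclass

# A `uses:` line, either a step ("- uses: ...") or a reusable-workflow job ("uses: ...").
# Hypothetical checker written for this thread, not part of php-src or any official tool.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<target>[^\s#]+)\s*(?:#\s*(?P<comment>\S.*)?)?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full Git commit SHA, as the PR requires

@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    reason: str

def check_workflow(text: str) -> list[Finding]:
    """One Finding per remote action that is not pinned to a full commit SHA,
    or that is pinned but lacks the human-readable version comment the PR adds."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, comment = m["target"], m["comment"]
        if target.startswith(("./", "docker://")):
            continue  # local composite actions and container images are out of scope here
        if "@" not in target:
            findings.append(Finding(n, target, "", "no ref given"))
            continue
        action, ref = target.rsplit("@", 1)
        if not FULL_SHA_RE.match(ref):
            findings.append(Finding(n, action, ref, "mutable ref (tag or branch), not a full SHA"))
        elif not comment or not re.match(r"v?\d", comment):
            findings.append(Finding(n, action, ref, "SHA pin lacks a version comment"))
    return findings

# Constructed sample workflow; the two SHAs are the ones quoted in this thread.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@6852f92c20ea7fd3b0c25de3b5112db3a98da050 # v6
      - uses: actions/cache@v4
      - uses: dwieeb/needs-reply@71e8d5144caa0d4a1e292348bfafa3866d08c855
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for f in check_workflow(SAMPLE):
        print(f"line {f.line_no}: {f.action}@{f.ref}: {f.reason}")
```

Run it in CI to fail the build when a new workflow reintroduces a tag-based reference; a version comment alone is only documentation, so the SHA check is the one that matters.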

@jorgsowa
Contributor

jorgsowa commented Jun 4, 2026

if we have a process to update them in place.

Is running dependabot/Renovate reasonable for PHP organization? What's the sentiment for such tools?

@XananasX7 can you change the version descriptor to the full version number, not only the major one? So for dwieeb/needs-reply it would be v2.0.0 instead of v2.0.

@XananasX7
Author

Updated the version comment for dwieeb/needs-reply from v2 to v2.0.0 as requested. The SHA 71e8d5144caa0d4a1e292348bfafa3866d08c855 already pointed to the v2.0.0 release — this just makes the version label explicit.

Regarding Renovate/Dependabot for the PHP organization: that seems like a great idea to keep pinned actions up to date automatically. I'd support that if the maintainers want to set it up.

@jorgsowa
Contributor

jorgsowa commented Jun 4, 2026

Based on other comments of this account I think this is a bot. It's just a waste of people's time to review such things.

But the question to @edorian is still relevant.

Is running dependabot/Renovate reasonable for PHP organization? What's the sentiment for such tools?

@XananasX7
Author

Hi @jorgsowa — I'm a real person, not a bot. I use a translation tool to write better English since it's not my first language. I'm contributing as part of the Google patch rewards program, and this is my first time contributing to PHP. I understand the skepticism, and I'm happy to answer any questions about the changes. The SHA pinning was done manually by me
