Apply EF suggestions for strengthening CI security

# Feature Request

Source: https://mikael.barbero.tech/blog/post/2026-03-24-stop-trusting-mutable-references/

Here is the list of the actions that could be taken into consideration to strengthen the CI:

- [x] Pin to commit SHAs, not tags
- [ ] Watch out for “unpinnable” actions
- [ ] Reduce your third-party action surface
- [ ] Enforce pinning in policy, not documentation
- [ ] Keep pins updated with Dependabot, but add an adoption delay
- [ ] Add runtime visibility with Harden-Runner
- [ ] Minimize token permissions and use OIDC for cloud access
- [ ] Segment high-value secrets into isolated workflows
- [ ] Pin Docker images by digest, not tag
- [ ] Continuously lint your workflows
- [ ] Prepare your incident response plan now

## Which Areas Would Be Affected?

_e.g., DPF, CI, build, transfer, etc._

## Why Is the Feature Desired?

_Are there any requirements?_

## Who will sponsor this feature?

_Please @-mention the committer that will sponsor your feature_.

## Solution Proposal

_If possible, provide a (brief!) solution proposal._


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Apply EF suggestions for strengthening CI security #190

Feature Request

Which Areas Would Be Affected?

Why Is the Feature Desired?

Who will sponsor this feature?

Solution Proposal

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Apply EF suggestions for strengthening CI security #190

Description

Feature Request

Which Areas Would Be Affected?

Why Is the Feature Desired?

Who will sponsor this feature?

Solution Proposal

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions