CI actions and container images use mutable tags instead of pinned digests

## Description

GitHub Actions across workflow files use mutable tags (`@v4`, `@v3`, `@v6`) instead of commit SHA pins. A compromised upstream action repository can silently inject malicious code into the CI pipeline.

The same pattern applies to container images:
- `secrets-job.yaml:24` uses `quay.io/jumpstarter-dev/jumpstarter-utils:latest` without digest pinning
- Flasher driver hardcodes `:latest` OCI bundles at `jumpstarter_driver_flashers/driver.py:19`

SLSA attestation (`attest-build-provenance@v1`) exists but verification is consumer-opt-in.

## Suggested Fix

- Pin GitHub Actions to commit SHA digests
- Add Dependabot configuration for GitHub Actions updates
- Pin container images by digest

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CI actions and container images use mutable tags instead of pinned digests #355

Description

Suggested Fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CI actions and container images use mutable tags instead of pinned digests #355

Description

Description

Suggested Fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions