#22250: ci: pin GitHub Actions to SHA and harden Dockerfiles
docker
size: S
Cluster: GitHub Actions CI Improvements
## Summary
- **CRITICAL-13**: Pin all GitHub Actions from mutable version tags (`@v4`, `@v3`, etc.) to immutable SHA hashes across all workflow files and composite actions. Prevents supply chain attacks via compromised action tags.
- **CRITICAL-14**: Replace pipe-to-shell Bun installation (`curl | bash`) in `Dockerfile` and `Dockerfile.sandbox-common` with download-then-execute pattern (download to `/tmp`, execute, cleanup).
- Enable zizmor `unpinned-uses` rule now that all actions are pinned.
### Actions pinned
| Action | SHA | Tag |
|--------|-----|-----|
| `actions/checkout` | `34e114876b0b11c390a56381ad16ebd13914f8d5` | v4 |
| `actions/setup-node` | `49933ea5288caeca8642d1e84afbd3f7d6820020` | v4.4.0 |
| `actions/setup-python` | `a26af69be951a213d495a4c3e4e4022e16d87065` | v5 |
| `actions/setup-java` | `c1e323688fd81a25caa38c78aa6df2d33d3e20d9` | v4 |
| `actions/upload-artifact` | `ea165f8d65b6e75b540449e92b4886f43607fa02` | v4 |
| `actions/download-artifact` | `d3f86a106a0bac45b974a628896c90dbdf5c8093` | v4 |
| `actions/cache` | `0057852bfaa89a56745cba8c7296529d2fc39830` | v4 |
| `actions/stale` | `5bef64f19d7facfb25b37b414482c7164d639639` | v9 |
| `docker/setup-buildx-action` | `8d2750c68a42422c14e847fe6c8ac0403b4cbd6f` | v3 |
| `docker/login-action` | `c94ce9fb468520275223c153574b00df6fe4bcc9` | v3 |
| `docker/build-push-action` | `10e90e3645eae34f1e60eeb005ba3a3d33f178e8` | v6 |
| `android-actions/setup-android` | `9fc6c4e9069bf8d3d10b2204b1fb8f6ef7065407` | v3 |
| `gradle/actions/setup-gradle` | `ed408507eac070d1f99cc633dbcf757c94c7933a` | v4 |
| `oven-sh/setup-bun` | `3d267786b128fe76c2f16a390aa2448b815359f3` | v2 |
## Test plan
- [ ] CI workflows still trigger and pass on this branch
- [ ] Docker build succeeds with download-then-execute Bun pattern
- [ ] `zizmor` scan passes with `unpinned-uses` enabled
- [ ] Verify SHA hashes match expected release tags
### Greptile Summary
Pins GitHub Actions to immutable SHA hashes and hardens Dockerfile Bun installations to prevent supply chain attacks.
- Pins 14 different GitHub Actions across all workflow files (`.github/workflows/*`) and composite actions (`.github/actions/*`) from mutable version tags to SHA hashes
- Replaces `curl | bash` Bun installation pattern with download-then-execute in `Dockerfile` and `Dockerfile.sandbox-common`
- Enables zizmor `unpinned-uses` rule with hash policy now that pinning is complete
One unpinned action remains in `Swabble/.github/workflows/ci.yml` that should be included. Homebrew installation in `Dockerfile.sandbox-common:40` still uses `curl | bash` - consider hardening for consistency.
### Confidence Score: 4/5
- Safe to merge with one missing action pin that should be fixed
- PR successfully hardens CI security by pinning actions to SHAs and removing pipe-to-shell patterns. One unpinned action in `Swabble/.github/workflows/ci.yml` was missed, which should be addressed before merge to achieve complete coverage. Dockerfile changes are correct and follow security best practices.
- Fix the unpinned action in `Swabble/.github/workflows/ci.yml` before merging
Last reviewed commit: f481853
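The review above asks for the remaining Homebrew `curl | bash` line to be hardened the same way as the Bun install. Download-then-execute (save to `/tmp`, run, delete) does make the script inspectable and rules out executing a half-received stream, but by itself it still runs whatever the server returned; the step that actually pins the installer is comparing the saved file against a digest recorded out of band, from a release you reviewed. The functions below are an added example, not code from this PR or the project, showing that "download, verify, execute, clean up" form as a shell helper a Dockerfile `RUN` line could call. The URL and digest are caller-supplied placeholders; the test exercises only the offline verify-and-run half with a constructed installer script.

```shell
# Download, verify against a pinned SHA-256, execute, clean up. Added example, not project code.

# Return 0 when FILE's SHA-256 equals EXPECTED (lowercase hex), 1 otherwise.
verify_sha256() {
  file="$1"; expected="$2"
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# Verify FILE against EXPECTED and, only on a match, run it with bash (passing extra
# args through), then delete it. A tampered or truncated file fails closed: nothing runs.
run_verified() {
  file="$1"; expected="$2"; shift 2
  if ! verify_sha256 "$file" "$expected"; then
    printf 'checksum mismatch for %s, refusing to execute\n' "$file" >&2
    rm -f "$file"
    return 1
  fi
  bash "$file" "$@"
  rc=$?
  rm -f "$file"
  return $rc
}

# Networked front half: fetch URL into a private temp file, then hand off to run_verified.
# --proto '=https' refuses any downgrade away from HTTPS; -f turns HTTP errors into failures
# instead of saving an error page that would then be executed.
fetch_verify_run() {
  url="$1"; expected="$2"; shift 2
  tmp=$(mktemp /tmp/installer.XXXXXX) || return 1
  if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"; then
    rm -f "$tmp"
    return 1
  fi
  run_verified "$tmp" "$expected" "$@"
}
```

In a Dockerfile this reads `RUN fetch_verify_run https://example.invalid/install.sh <digest>` with the digest committed beside it, so a change to the upstream installer shows up as a build failure and a diff to review rather than as silently different code running in the image.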
## Most Similar PRs
- #9474: fix: GitHub Actions not pinned to SHA digests in CI/CD workflows (coygeek, 2026-02-05, 84.7%)
- #22580: CI: pin workflow action refs to immutable SHAs (Rohan5commit, 2026-02-21, 82.6%)
- #3885: Upgrade GitHub Actions to latest versions (salmanmkc, 2026-01-29, 75.5%)
- #9480: fix: Docker build runs unverified remote Bun installer (coygeek, 2026-02-05, 72.2%)
- #3884: Upgrade GitHub Actions for Node 24 compatibility (salmanmkc, 2026-01-29, 72.1%)
- #12033: feat(docker): add linux/riscv64 image to Docker release (gounthar, 2026-02-08, 71.9%)
- #19172: fix(docker): prevent HTTPS downgrade in curl commands (govind-amt, 2026-02-17, 71.7%)
- #11765: fix(ci): restrict GITHUB_TOKEN permissions in workflows (coygeek, 2026-02-08, 71.6%)
- #13737: Docker: harden UID/GID remap and docker-setup flow, convenience upd... (ramarnat, 2026-02-10, 71.4%)
- #17123: Add Cloud Run deployment guide and Bun version pinning (optiflow, 2026-02-15, 71.1%)