
[IMPROVE] pipeline-security immutable refs and provenance inputs #2595

Closed
JeremyZeng77 wants to merge 1 commit into UnitOneAI:main from JeremyZeng77:codex/pipeline-security-provenance-2559



@JeremyZeng77


Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: pipeline-security
Skill path: skills/devsecops/pipeline-security/

What Was Wrong

The pipeline-security skill already covered GitHub Actions pinning and provenance at a high level, but it did not go far enough on mutable action refs, reusable workflow governance, Docker-based action/container digest pinning, or provenance binding for privileged build inputs.

That left two problems:

  • under-reporting real supply-chain risk when same-org actions, reusable workflows, or build containers were mutable
  • over-reporting low-impact read-only workflows where a narrowly scoped exception can be justified

Closes #2559

What This PR Fixes

  • adds reusable workflow pinning and update-policy guidance to dependency-chain review
  • expands third-party service review to cover same-org actions, reusable workflows, Docker-based actions, and job/service container digests
  • adds explicit low-impact exception criteria for read-only lint/format jobs to reduce false positives
  • requires provenance review to bind attestations to workflow refs, action SHAs, container digests, and other privileged build inputs
  • bumps the skill patch version and changelog entry for the new guidance

Evidence

Before: the skill could miss mutable refs in reusable workflows and build containers, and it did not clearly separate low-impact read-only jobs from privileged pipelines.

After: the skill requires reviewers to classify action/workflow/container pinning with privilege context, justify any exception, and verify that attestations cover the inputs that actually produced the artifact.

Test Cases Added/Updated

  • Added vulnerable test cases (tests/vulnerable/)
  • Added benign test cases (tests/benign/)
  • Existing validation still passes

Local Validation

  • git diff --check passed
  • git diff --cached --check passed before commit
  • targeted marker check passed for reusable workflow pinning, low-impact exception guidance, and workflow/action/container provenance binding

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: can provide privately if accepted
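
The pinning classes listed in this PR description (actions, reusable workflows, Docker-based actions, job/service containers) can be checked mechanically. The following is an added example, not code from the PR or the skill; the workflow text, the `example-org` names, the SHA and the digest are constructed, and it checks only ref immutability, not privilege context or exception criteria.

```python
import re

SHA_REF = re.compile(r"^[0-9a-f]{40}$")        # full commit SHA
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")  # OCI image digest
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
IMAGE = re.compile(r"^\s*(?:container|image):\s*['\"]?([^'\"\s#]+)")

def classify(workflow_text):
    """Return (line_no, kind, ref, pinned) for every external ref found."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES.match(line)
        if m:
            target = m.group(1)
            if target.startswith("./"):
                continue  # local action/workflow: versioned with the repo
            if target.startswith("docker://"):
                pinned = bool(DIGEST.search(target))
                findings.append((no, "docker-action", target, pinned))
                continue
            path, _, ref = target.partition("@")
            kind = "reusable-workflow" if "/.github/workflows/" in path else "action"
            findings.append((no, kind, target, bool(SHA_REF.match(ref))))
            continue
        m = IMAGE.match(line)
        if m:  # job container or service container image
            findings.append((no, "container", m.group(1), bool(DIGEST.search(m.group(1)))))
    return findings

FAKE_SHA = "b" * 40                  # constructed, not a real commit
FAKE_DIGEST = "sha256:" + "a" * 64   # constructed, not a real image digest
SAMPLE = f"""\
name: release
on: push
jobs:
  call:
    uses: example-org/shared/.github/workflows/build.yml@main
  build:
    runs-on: ubuntu-latest
    container: ghcr.io/example-org/builder:latest
    services:
      db:
        image: postgres@{FAKE_DIGEST}
    steps:
      - uses: actions/checkout@{FAKE_SHA}
      - uses: example-org/deploy-action@v2
      - uses: docker://alpine:3.20
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for no, kind, ref, pinned in classify(SAMPLE):
        print(f"L{no:<3} {kind:<18} {'pinned ' if pinned else 'MUTABLE'} {ref}")
```

Same-org refs such as `example-org/deploy-action@v2` are reported like any third-party ref, since a tag or branch can be moved regardless of who owns the repository.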

@github-actions


Thanks for the submission! 🙏 SecuritySkills is now issue-first: contributions need a linked issue that a maintainer has marked approved before a PR is opened.

Please open an issue describing the skill, wait for the approved label, then reopen this PR with Closes #<issue> in the description. The PR template lists everything we'll look for (including an independently runnable reproduction).

github-actions bot closed this Jun 15, 2026

Labels

needs-approved-issue: PR has no linked maintainer-approved issue


Development

Successfully merging this pull request may close these issues.

[REVIEW] pipeline-security: immutable action pinning and provenance gates
