feat: pin GitHub Actions to SHA hashes and add security linters

.github/workflows/main.yaml

@@ -26,7 +26,7 @@ jobs:
       dry-run: ${{ steps.check-dry-run.outputs.enabled }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 2
 
@@ -64,22 +64,25 @@ jobs:
       contents: read
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+
+      - name: Lint pinned actions
+        run: bash tools/linter_actions_pinned.sh
 
       - name: Get list of changed C# files
         id: changed-files
-        uses: tj-actions/changed-files@v46
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46
         with:
           files: |
             **.cs
 
       - name: Setup .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5
         with:
           dotnet-version: ${{ env.DOTNET_VERSION }}
 
       - name: Cache NuGet packages
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           path: ~/.nuget/packages
           key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.*proj') }}
@@ -116,15 +119,15 @@ jobs:
           fi
 
       - name: Upload test results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         if: failure()
         with:
           name: test-results-unit
           path: ./test-results/*.trx
           retention-days: 7
 
       - name: Upload coverage data
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         if: always()
         with:
           name: coverage-unit
@@ -166,15 +169,15 @@ jobs:
       pull-requests: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Setup .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5
         with:
           dotnet-version: ${{ env.DOTNET_VERSION }}
 
       - name: Download all coverage artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
           pattern: coverage-*
           path: ./all-coverage
@@ -192,21 +195,21 @@ jobs:
             -title:"Weaviate C# Client Coverage"
 
       - name: Upload HTML coverage report
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: coverage-report-html
           path: ./coveragereport
           retention-days: 7
 
       - name: Add coverage to PR comment
-        uses: marocchino/sticky-pull-request-comment@v2
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2
         if: github.event_name == 'pull_request'
         with:
           header: coverage
           path: ./coveragereport/SummaryGithub.md
 
       - name: Download all test results
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         continue-on-error: true
         with:
           pattern: test-results-*
@@ -249,18 +252,18 @@ jobs:
           if [ -z "${{ secrets.NUGET_APIKEY }}" ]; then echo "Warning: NUGET_APIKEY is not set"; fi
 
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
           fetch-tags: true
 
       - name: Setup .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5
         with:
           dotnet-version: ${{ env.DOTNET_VERSION }}
 
       - name: Cache NuGet packages
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           path: ~/.nuget/packages
           key: ${{ runner.os }}-nuget-${{ hashFiles('**/.*proj') }}
@@ -275,7 +278,7 @@ jobs:
         run: dotnet nuget push './out/*.nupkg' --skip-duplicate --api-key ${{ secrets.NUGET_APIKEY }} --source https://api.nuget.org/v3/index.json
 
       - name: GH Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
         with:
           generate_release_notes: true
           draft: true

.github/workflows/pr-security-lint.yaml

@@ -0,0 +1,27 @@
+name: PR Security Lint
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+
+# No permissions at workflow level — grant only what's needed at job level
+permissions: {}
+
+jobs:
+  hidden-unicode-check:
+    name: Check for hidden Unicode characters
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+    steps:
+      - name: Checkout base branch
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          ref: ${{ github.event.pull_request.base.sha }}
+
+      - name: Check PR diff for hidden Unicode
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh pr diff ${{ github.event.pull_request.number }} | bash tools/linter_hidden_unicode.sh --stdin

.github/workflows/test-on-weaviate-version.yml

@@ -36,15 +36,15 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Setup .NET
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5
         with:
           dotnet-version: ${{ env.DOTNET_VERSION }}
 
       - name: Cache NuGet packages
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           path: ~/.nuget/packages
           key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.*proj') }}
@@ -55,7 +55,7 @@ jobs:
         run: dotnet restore
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         if: ${{ !github.event.pull_request.head.repo.fork && github.triggering_actor != 'dependabot[bot]' }}
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
@@ -86,23 +86,23 @@ jobs:
         run: /bin/bash ci/stop_weaviate.sh ${{ inputs.weaviate-version }}
 
       - name: Upload test results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         if: failure()
         with:
           name: test-results-integration-${{ inputs.weaviate-version }}
           path: ./test-results/*.trx
           retention-days: 7
 
       - name: Upload coverage data
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         if: always()
         with:
           name: coverage-integration-${{ inputs.weaviate-version }}
           path: ./test-results/**/coverage.cobertura.xml
           retention-days: 7
 
       - name: Test Report
-        uses: dorny/test-reporter@v1
+        uses: dorny/test-reporter@3eeb9fc888e82e8be2fb356bbeec2750231672bc # v1
         if: failure() && !inputs.dry-run
         with:
           name: Integration Tests - Weaviate ${{ inputs.weaviate-version }}

tools/linter_actions_pinned.sh

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+# Lint GitHub Actions workflow files to ensure all external actions are pinned to SHA hashes.
+# Usage: bash tools/linter_actions_pinned.sh
+
+set -euo pipefail
+
+ERRORS=0
+
+for workflow in .github/workflows/*.yaml .github/workflows/*.yml; do
+    [ -f "$workflow" ] || continue
+
+    while IFS= read -r line; do
+        lineno=$(echo "$line" | cut -d: -f1)
+        content=$(echo "$line" | cut -d: -f2-)
+
+        # Extract the action reference (everything after "uses:")
+        action_ref=$(echo "$content" | sed -n 's/.*uses:[[:space:]]*//p' | xargs)
+
+        # Skip local actions (starting with ./)
+        if [[ "$action_ref" == ./* ]]; then
+            continue
+        fi
+
+        # Extract the version part (after @, before space or # comment)
+        version=$(echo "$action_ref" | sed -n 's/.*@\([^ #]*\).*/\1/p')
+
+        if [ -z "$version" ]; then
+            echo "::error file=${workflow},line=${lineno}::Action missing version pin: ${action_ref}"
+            ERRORS=$((ERRORS + 1))
+            continue
+        fi
+
+        # Check that the version is a 40-character hex SHA
+        if ! echo "$version" | grep -qE '^[0-9a-f]{40}$'; then
+            echo "::error file=${workflow},line=${lineno}::Action not pinned to SHA: ${action_ref} (version: ${version})"
+            ERRORS=$((ERRORS + 1))
+        fi
+    done < <(grep -n 'uses:' "$workflow")
+done
+
+if [ "$ERRORS" -gt 0 ]; then
+    echo ""
+    echo "ERROR: Found ${ERRORS} action(s) not pinned to a SHA hash."
+    echo "Replace tag references (e.g., @v5) with the full commit SHA (e.g., @93cb6ef...)"
+    echo "Preserve the tag as a comment: uses: actions/checkout@<SHA> # v5"
+    exit 1
+fi
+
+echo "All GitHub Actions are pinned to SHA hashes."