Use Commit Hash instead of Versions for GitHub Workflow Actions

[simonkurtz-MSFT]

Please consider using commit hashes in the GitHub instructions file as part of the pinned dependencies OpenSSF aspect

Using a commit hash uses an explicit commit rather than anything that could be represented by a version string. This prevents version drift - accidental or intentional - which can result in malicious activity or breaking updates with the same version tag.

[aaronpowell]

If you think that'd be a valuable improvement on the instruction, please send through a PR.

[Kyle-Peters-SkillSafe]

+1 on commit hash pinning. Tag mutability is one of those things that sounds theoretical until it isn't — the xz-utils backdoor showed how even well-maintained projects can have their release artifacts compromised, and a mutable tag is the easiest vector for that.

This same supply chain principle is becoming urgent in the AI skill/plugin space too. Skills are essentially code-that-runs-with-your-permissions, and right now most distribution happens via "grab this from GitHub and trust the tag." ClawHavoc exploited exactly this pattern to distribute 1,184 malicious skills through a permissive registry earlier this month.

SkillSafe applies the same integrity-first approach to AI skills — SHA-256 tree hashes on every version, dual-side verification (publisher and consumer both scan independently), and immutable version records. Same idea as pinning to a commit hash: if the content changes, the hash changes, and the verification fails.

@aaronpowell's suggestion to send a PR is the right call — a concrete diff is worth more than a feature request. Happy to help review if someone puts one together.

[simonkurtz-MSFT]

You're right. I needed to just write it down as I was otherwise occupied and didn't want to forget about it.

I'll get a PR going shortly.

[simonkurtz-MSFT]

Hi @Kyle-Peters-SkillSafe, fyi, PR has been submitted.

[aaronpowell]

Change merged