fix: pin 8 unpinned action(s), extract 1 inline secret to env var

[dagecko]

Re-submission of #5264. Had a problem with my fork and had to delete it, which closed the original PR. Apologies for the noise.

Summary

This PR pins all GitHub Actions to immutable commit SHAs and extracts an inline secret from a run: block into an env: mapping.

• Pin 8 unpinned actions to full 40-character SHAs
• Extract 1 inline secret from run block to env var

How to verify

Review the diff, each change is mechanical and preserves workflow behavior:

• SHA pinning: action@v3 becomes action@abc123 # v3, original version preserved as comment
• Secret extraction: ${{ secrets.* }} in run: moves to env: block, referenced as "${ENV_VAR}" in the script
• No workflow logic, triggers, or permissions are modified

I've been researching CI/CD supply chain attack vectors and submitting fixes to affected repos. Based on that research I built a scanner called Runner Guard and open sourced it here so you can scan yourself if you want to. I'll be posting more advisories over the next few weeks on Twitter if you want to stay in the loop.

If you have any questions, reach out. I'll be monitoring comms.

- Chris (dagecko)

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (3 files)

• .github/workflows/build-and-push-image.yml
• .github/workflows/golangci-lint.yml
• .github/workflows/goreleaser.yml