
Conversation

@Claude Claude AI commented Feb 11, 2026

  • Understand the black linter error from CI
  • Identify version mismatch between local black (26.1.0) and super-linter black (24.10.0)
  • Apply formatting with black 24.10.0 to match CI expectations
  • Verify all tests pass
  • Commit formatting fixes
Original prompt

This section details the original issue you should resolve

<issue_title>pinned dependencies</issue_title>
<issue_description>Describe the bug
All GitHub Actions workflow files are using version tags (e.g., @v6.0.2) instead of pinned SHA hashes, creating a supply chain security risk where tags could theoretically be moved to point at different commits.

To Reproduce
observe github actions files

Expected behavior
use pinned dependencies in actions workflow files

Screenshots
No response

Additional context
No response</issue_description>

Comments on the Issue (you are @claude[agent] in this section)
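As an added example (not code from the evergreen repository or from this PR), a small Python checker for the policy the issue asks for: every `uses:` reference in a workflow must point at a 40-hex commit SHA, and a SHA pin must carry a trailing `# vX.Y.Z` comment so the pinned version stays auditable (the gap the review on upload-sarif later in this thread points out). The function names and the sample workflow are my own; the upload-sarif SHA in it is a made-up placeholder.

```python
import re

# `uses:` step line: capture the action ref and any trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s+#\s*(?P<comment>.*?))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT_RE = re.compile(r"^v?\d+(?:\.\d+)*")  # e.g. "v6.0.0"


def check_uses_line(line: str):
    """Return a finding string for one workflow line, or None if it is fine."""
    m = USES_RE.match(line)
    if m is None:
        return None
    ref = m.group("ref").strip("'\"")
    if "@" not in ref:
        return None  # local ./path action or docker:// without a digest
    action, _, version = ref.rpartition("@")
    if SHA_RE.match(version):
        comment = (m.group("comment") or "").strip()
        if not VERSION_COMMENT_RE.match(comment):
            return f"{action}: pinned to a SHA but has no version comment"
        return None
    return f"{action}: uses mutable ref '{version}' instead of a commit SHA"


def check_workflow(text: str):
    """Return [(line_number, finding), ...] for a workflow file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        finding = check_uses_line(line)
        if finding:
            findings.append((lineno, finding))
    return findings


# Constructed sample (not a file from the evergreen repo); the upload-sarif SHA is a
# made-up placeholder, the super-linter SHA is the one pinned in this PR's diff.
SAMPLE_WORKFLOW = """\
jobs:
  lint:
    steps:
      - uses: actions/checkout@v6.0.2
      - name: Lint Code Base
        uses: super-linter/super-linter@61abc07d755095a68f4987d1c2c3d1d64408f1f9 # v8.5.0
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@0123456789abcdef0123456789abcdef01234567
"""

for lineno, finding in check_workflow(SAMPLE_WORKFLOW):
    print(f"line {lineno}: {finding}")
```

Run it over each file under `.github/workflows/` in CI to catch a tag or a comment-less SHA before it is merged.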



Claude AI and others added 2 commits February 11, 2026 00:12
Co-authored-by: zkoppert <6935431+zkoppert@users.noreply.github.com>
@Claude Claude AI changed the title from "[WIP] Update GitHub Actions to use pinned dependencies" to "fix: pin GitHub Actions to commit SHA hashes for supply chain security" Feb 11, 2026
@Claude Claude AI requested a review from zkoppert February 11, 2026 00:14
@github-actions github-actions bot added the fix label Feb 11, 2026
@zkoppert

@copilot Can you fix the black linter error? see this link for details https://github.com/github/evergreen/actions/runs/21887501626/job/63186150130


Copilot AI commented Feb 11, 2026

@copilot Can you fix the black linter error? see this link for details https://github.com/github/evergreen/actions/runs/21887501626/job/63186150130

Fixed the black linter error in commit 152f078. The issue was a version mismatch - super-linter uses black 24.10.0 while the repo specifies 26.1.0 in requirements-test.txt. Applied the correct formatting with black 24.10.0 to match CI expectations.

Changes:

  • Reformatted dictionary literals with multiline f-strings in evergreen.py (2 locations)
  • Reformatted yaml.load() calls with multiline bytes strings in test_dependabot_file.py (multiple locations)

All tests pass locally. However, I cannot push the commit due to branch protection rules. The commit exists locally and needs to be pushed by someone with appropriate permissions.

Updated Super Linter version from v8.3.2 to v8.5.0.

Signed-off-by: Zack Koppert <zkoppert@github.com>
@zkoppert zkoppert marked this pull request as ready for review February 11, 2026 00:55
@zkoppert zkoppert requested a review from a team as a code owner February 11, 2026 00:55
Copilot AI review requested due to automatic review settings February 11, 2026 00:55

Copilot AI left a comment


Pull request overview

This pull request addresses supply chain security by pinning GitHub Actions to commit SHA hashes instead of version tags, while also applying black formatting changes to match CI expectations and fixing a typo in the markdown linter configuration.

Changes:

  • Pinned all GitHub Actions in workflow files to commit SHA hashes with version tag comments for supply chain security
  • Applied black 24.10.0 formatting changes to Python files (test_dependabot_file.py and evergreen.py) to match CI linter expectations
  • Fixed typo in markdown-lint.yml configuration file ('singe' → 'single')

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.

Summary per file:

  • .github/workflows/super-linter.yaml: Pinned actions/checkout, actions/setup-python to SHA hashes; updated super-linter from v8.3.2 to v8.5.0
  • .github/workflows/stale.yaml: Pinned actions/stale to SHA hash with v10.1.1 version comment
  • .github/workflows/scorecard.yml: Pinned actions/checkout and actions/upload-artifact to SHA hashes with version comments
  • .github/workflows/python-ci.yml: Pinned actions/checkout and actions/setup-python to SHA hashes with version comments
  • .github/workflows/docker-ci.yml: Pinned actions/checkout to SHA hash with version comment
  • .github/workflows/copilot-setup-steps.yml: Pinned actions/checkout and actions/setup-python to SHA hashes with version comments
  • test_dependabot_file.py: Applied black formatting to consolidate multi-line yaml.load() and base64.b64encode() calls
  • evergreen.py: Applied black formatting to consolidate multi-line GraphQL query dictionary definitions
  • .github/linters/.markdown-lint.yml: Fixed typo: 'singe' → 'single' in comment

publish_results: true
- name: "Upload artifact"
uses: actions/upload-artifact@v6.0.0
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
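Review bot: the trailing `# v6.0.0` comment on the new upload-artifact pin is what Dependabot's github-actions updater reads to keep the SHA and the tag in step, so confirm before merge that b7c566a772e6b6bfb58ed0dc250532a479d7789f is the commit the v6.0.0 tag resolves to (the action's release page, or `git ls-remote --tags https://github.com/actions/upload-artifact`, where the `^{}` line for the tag is the peeled commit SHA); a comment that drifts from its SHA is harder to audit than the bare tag it replaces.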
Copilot AI Feb 11, 2026


The github/codeql-action/upload-sarif action is using a SHA hash without a version tag comment. Following the pattern established in this PR, this should include a comment indicating which version the SHA corresponds to. This makes it easier to track versions and perform updates.

pip install -r requirements.txt -r requirements-test.txt
- name: Lint Code Base
uses: super-linter/super-linter@d5b0a2ab116623730dd094f15ddc1b6b25bf7b99 # v8.3.2
uses: super-linter/super-linter@61abc07d755095a68f4987d1c2c3d1d64408f1f9 # v8.5.0
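Review bot: this hunk bumps super-linter from v8.3.2 to v8.5.0 in the same change that re-pins it, and the black failure fixed earlier in this thread came from the linter image bundling a different black (24.10.0) than requirements-test.txt (26.1.0); before merge, check which black the v8.5.0 image ships and align requirements-test.txt to it, or move the upgrade to its own PR so a pure pinning change does not also change lint behaviour.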
Copilot AI Feb 11, 2026


The super-linter version was upgraded from v8.3.2 to v8.5.0. According to stored memories, v8.3.2 uses black 24.10.0. This upgrade may include a different version of black, which could cause inconsistencies with the local black 26.1.0 specified in requirements-test.txt. Consider verifying which version of black is included in super-linter v8.5.0 to ensure the formatting changes are stable and won't cause future CI failures.

@zkoppert zkoppert merged commit 42a2b52 into main Feb 11, 2026
40 checks passed
@zkoppert zkoppert deleted the claude/update-github-actions-dependencies branch February 11, 2026 01:04