security: pin GitHub Actions references to commit SHAs

[pavlovic-ivan]

Summary

Pins all GitHub Actions references in this repo to 40-character commit SHAs, replacing tag and branch references. This is a supply-chain hardening change with no expected functional impact — every SHA was resolved from its current tag/branch at audit time (2026-05-27).

Why

Tag-pinned actions can be silently compromised if the upstream tag is rotated to a malicious commit. Branch-pinned actions (e.g. @main, @release/v1, @stable) are even riskier — anyone with push access upstream can change what runs in CI.

GitHub's own recommendation: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

Notes

• Branch-pinned refs (@main, @release/v1, @stable) were resolved to the branch HEAD at audit time — re-verify before merge if the upstream branch has moved since.
• Part of an org-wide audit covering 26 G-Research repos. The full pinning plan and resolved SHAs are tracked in a local audit project.
• No functional change is expected; CI should pass identically.

[netlify]

✅ Deploy Preview for mlops-studio ready!

Name	Link
🔨 Latest commit	97dcec9
🔍 Latest deploy log	https://app.netlify.com/projects/mlops-studio/deploys/6a16e3865d846a0008429f19
😎 Deploy Preview	https://deploy-preview-3--mlops-studio.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
🤖 Make changes	Run an agent on this branch

---

To edit notification comments on pull requests, go to your Netlify project configuration.