Pin reusable workflow refs to immutable SHA (fixes #5940, #5941) #5945

Draft
Copilot wants to merge 1 commit into main from copilot/pin-workflow-references-to-sha

Conversation

Copilot AI (Contributor) commented Jun 18, 2026

Replaces mutable @main refs in all reusable workflow uses: directives with the pinned commit SHA 2cdb7c22649c4e5cd36edc2d2fc57de96949e7a9. Using branch-name refs is a supply-chain risk: a compromised or force-pushed main in kubestellar/infra would silently execute arbitrary code in all consuming workflows.


📝 Summary of Changes

  • All 11 affected workflows in .github/workflows/ updated to pin kubestellar/infra reusable workflow refs to @2cdb7c22649c4e5cd36edc2d2fc57de96949e7a9

Changes Made

  • Updated add-help-wanted.yml: @main → @2cdb7c22649c4e5cd36edc2d2fc57de96949e7a9
  • Updated ai-fix.yml: @main → @2cdb7c22649c4e5cd36edc2d2fc57de96949e7a9
  • Updated assignment-helper.yml: @main → @2cdb7c22649c4e5cd36edc2d2fc57de96949e7a9
  • Updated copilot-automation.yml: @main → @2cdb7c22649c4e5cd36edc2d2fc57de96949e7a9
  • Updated copilot-dco.yml: @main → @2cdb7c22649c4e5cd36edc2d2fc57de96949e7a9
  • Updated feedback.yml: @main → @2cdb7c22649c4e5cd36edc2d2fc57de96949e7a9
  • Updated greetings.yml: @main → @2cdb7c22649c4e5cd36edc2d2fc57de96949e7a9
  • Updated label-helper.yml: @main → @2cdb7c22649c4e5cd36edc2d2fc57de96949e7a9
  • Updated pr-verifier.yml: @main → @2cdb7c22649c4e5cd36edc2d2fc57de96949e7a9
  • Updated scorecard.yml: @main → @2cdb7c22649c4e5cd36edc2d2fc57de96949e7a9
  • Updated stale.yml: @main → @2cdb7c22649c4e5cd36edc2d2fc57de96949e7a9

Before / After:

```yaml
# Before
uses: kubestellar/infra/.github/workflows/reusable-stale.yml@main

# After
uses: kubestellar/infra/.github/workflows/reusable-stale.yml@2cdb7c22649c4e5cd36edc2d2fc57de96949e7a9
```

Checklist

  • I have reviewed the project's contribution guidelines.
  • I have performed a self-review of my changes.
  • I have written unit tests for the changes (if applicable).
  • I have updated the documentation (if applicable).
  • I have tested the changes locally and ensured they work as expected.
  • All CI checks are passing.

Security Considerations

If this PR modifies any security-sensitive files, confirm:

  • Dockerfiles — verified base images, avoided running as root
  • Kubernetes manifests — checked RBAC permissions and secrets handling
  • CI/CD workflows — inspected for command injection or credential exposure
  • Dependencies — validated new packages, checked for known vulnerabilities
  • Security configs — changes align with project security policies

Leave unchecked if not applicable. See CONTRIBUTING.md for details.


Screenshots or Logs (if applicable)

N/A — YAML-only change, no runtime behavior altered.


👀 Reviewer Notes

Workflows with elevated permissions (ai-fix.yml, copilot-automation.yml, greetings.yml, pr-verifier.yml) already have fork guards in place; this change removes the remaining supply-chain exposure by eliminating all mutable ref dependencies on kubestellar/infra.

Original prompt

Pin all reusable workflow references in .github/workflows/ from @main to immutable commit SHA 2cdb7c22649c4e5cd36edc2d2fc57de96949e7a9.

Files to update:

  1. .github/workflows/add-help-wanted.yml - line 12: change @main to @2cdb7c22649c4e5cd36edc2d2fc57de96949e7a9
  2. .github/workflows/ai-fix.yml - line 28: change @a160acca0bdce1ac6c649e006d680d5f6d53024e to @2cdb7c22649c4e5cd36edc2d2fc57de96949e7a9
  3. .github/workflows/assignment-helper.yml - line 12: change @main to @2cdb7c22649c4e5cd36edc2d2fc57de96949e7a9
  4. .github/workflows/copilot-automation.yml - line 31: change @a160acca0bdce1ac6c649e006d680d5f6d53024e to @2cdb7c22649c4e5cd36edc2d2fc57de96949e7a9
  5. .github/workflows/copilot-dco.yml - line 12: change @main to @2cdb7c22649c4e5cd36edc2d2fc57de96949e7a9
  6. .github/workflows/feedback.yml - line 13: change @main to @2cdb7c22649c4e5cd36edc2d2fc57de96949e7a9
  7. .github/workflows/greetings.yml - line 22: change @main to @2cdb7c22649c4e5cd36edc2d2fc57de96949e7a9
  8. .github/workflows/label-helper.yml - line 14: change @main to @2cdb7c22649c4e5cd36edc2d2fc57de96949e7a9
  9. .github/workflows/pr-verifier.yml - line 17: change @main to @2cdb7c22649c4e5cd36edc2d2fc57de96949e7a9
  10. .github/workflows/scorecard.yml - line 19: change @main to @2cdb7c22649c4e5cd36edc2d2fc57de96949e7a9
  11. .github/workflows/stale.yml - line 13: change @main to @2cdb7c22649c4e5cd36edc2d2fc57de96949e7a9

This fixes security issues #5940 and #5941. All affected workflows already have fork guards where needed (ai-fix.yml, copilot-automation.yml, greetings.yml, pr-verifier.yml).
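The check a reviewer would want to run against a change like this is a lint over every `uses:` reference in the workflows directory, flagging anything that is still a branch or tag rather than a full-length commit SHA. The script below is an added example, not code from the kubestellar repository or from this PR. It parses `uses:` lines directly rather than pulling in a YAML library, skips local (`./`) and `docker://` references that have no upstream ref to pin, and runs over constructed sample workflows embedded inline: a "before" copy mirroring the mutable `@main` ref the PR removes, an "after" copy using the SHA the PR pins to, and a mixed steps list. The `actions/checkout` SHA in the mixed sample is a constructed placeholder, not a real upstream commit.

```python
import re
from pathlib import Path

# A full-length commit SHA is the only ref form that cannot be moved after the fact.
SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
# Matches a `uses:` line, optionally as a step list item ("- uses:"), and captures
# the reference up to the first whitespace, quote or comment character.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")


def split_ref(ref):
    """Split 'owner/repo/path@version' into (target, version).

    Returns None for references that have no upstream ref to pin:
    local actions ('./path') and container images ('docker://...').
    """
    if ref.startswith("./") or ref.startswith("docker://"):
        return None
    if "@" not in ref:
        return ref, None
    target, _, version = ref.rpartition("@")
    return target, version


def find_unpinned(workflow_text, filename="<workflow>"):
    """Return (filename, line_no, target, version) for every `uses:` whose ref
    is a branch, a tag, or missing, instead of a 40-hex commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        parsed = split_ref(match.group(1))
        if parsed is None:
            continue
        target, version = parsed
        if version is None or not SHA_RE.match(version):
            findings.append((filename, line_no, target, version))
    return findings


def scan_workflows(workflows_dir):
    """Run find_unpinned over every *.yml / *.yaml file in a workflows directory."""
    findings = []
    for pattern in ("*.yml", "*.yaml"):
        for path in sorted(Path(workflows_dir).glob(pattern)):
            findings.extend(find_unpinned(path.read_text(encoding="utf-8"), str(path)))
    return findings


# Constructed sample workflows (not files from the kubestellar repository).
BEFORE = """\
name: stale
on:
  schedule:
    - cron: '0 0 * * *'
jobs:
  stale:
    uses: kubestellar/infra/.github/workflows/reusable-stale.yml@main
"""

AFTER = """\
name: stale
on:
  schedule:
    - cron: '0 0 * * *'
jobs:
  stale:
    uses: kubestellar/infra/.github/workflows/reusable-stale.yml@2cdb7c22649c4e5cd36edc2d2fc57de96949e7a9
"""

# The 40-hex value on the second step is a constructed placeholder SHA.
MIXED = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4            # tag: mutable, flagged
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/local-step   # local action: nothing upstream to pin
      - uses: docker://alpine:3.19           # image ref: outside this check
      - uses: "octo/some-action"             # no ref at all: flagged
"""

if __name__ == "__main__":
    for sample_name, text in (("before", BEFORE), ("after", AFTER), ("mixed", MIXED)):
        for fname, line_no, target, version in find_unpinned(text, sample_name):
            print(f"{fname}:{line_no}: {target} pinned to {version!r}, expected a commit SHA")
```

Running it prints one finding for the "before" sample (`@main`), none for the "after" sample, and two for the mixed list (the `@v4` tag and the reference with no version at all). Two caveats for anyone wiring this into CI: the script only confirms the ref has the shape of a commit SHA, not that the commit exists in the named repository, which needs a network lookup; and once refs are SHA-pinned, upgrades become manual unless a tool such as Dependabot's `github-actions` ecosystem is configured to bump them.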

kubestellar-prow Bot added the labels do-not-merge/work-in-progress (Indicates that a PR should not merge because it is a work in progress.) and dco-signoff: no (Indicates the PR's author has not signed the DCO.) on Jun 18, 2026

kubestellar-prow Bot commented:

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

kubestellar-prow Bot commented:

Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits.

📝 Please follow instructions in the contributing guide to update your commits with the DCO

Full details of the Developer Certificate of Origin can be found at developercertificate.org.

The list of commits missing DCO signoff:


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

netlify Bot commented Jun 18, 2026

Deploy Preview for kubestellar-docs failed.

Latest commit: 3499bdf
Latest deploy log: https://app.netlify.com/projects/kubestellar-docs/deploys/6a3380b0eec1ba0008ffa816

kubestellar-prow Bot added the label size/XS (Denotes a PR that changes 0-9 lines, ignoring generated files.) on Jun 18, 2026

kubestellar-prow Bot commented:

Hi @Copilot. Thanks for your PR.

I'm waiting for a kubestellar member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

kubestellar-prow Bot added the label needs-ok-to-test (Indicates a PR that requires an org member to verify it is safe to test.) on Jun 18, 2026
Copilot AI changed the title from "[WIP] Pin reusable workflow references to immutable commit SHA" to "Pin reusable workflow refs to immutable SHA (fixes #5940, #5941)" on Jun 18, 2026
Copilot AI requested a review from clubanderson on June 18, 2026 at 05:25