[create] Harden GitHub workflows for Scorecard compliance

[Copilot]

Related Issue

haxtheweb/issues#2810

Figma Link

N/A

Description of Changes

create already had Scorecard enabled, but key workflows still used mutable action tags and deprecated output syntax. This PR tightens workflow security posture to better align with Scorecard expectations.

What changed:

• Workflow action pinning
  • Pinned actions/checkout, actions/setup-node, and actions/cache in build.yml to immutable commit SHAs.
  • Pinned contributor-assistant/github-action in cla.yml to an immutable commit SHA.
• Deprecated GitHub Actions syntax removal
  • Replaced ::set-output in build.yml with $GITHUB_OUTPUT.
• Scope
  • No application/runtime code changes; workflow configuration only.

Why this change was needed:

Using floating action tags weakens supply-chain guarantees and can reduce Scorecard posture. Updating to SHA-pinned actions and current output APIs reduces that risk with minimal operational change.

# before
run: echo "::set-output name=dir::$(yarn cache dir)"

# after
run: echo "dir=$(yarn cache dir)" >> $GITHUB_OUTPUT

Type of Change

• 🐛 Bug fix (non-breaking change which fixes an issue)
• ✨ New feature (non-breaking change which adds functionality)
• 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
• 📚 Documentation update
• 🎨 Style/formatting changes
• ♻️ Code refactoring
• 🔧 Configuration changes

Testing Checklist

• I have tested this change locally
• I have added/updated tests for my changes
• All existing tests pass
• I have tested on multiple browsers (if applicable)
• I have tested on mobile devices (if applicable)
• I have verified accessibility compliance
• I have tested with screen readers (if applicable)

Quality Assurance

• I have followed the project's coding conventions
• I have updated documentation where necessary
• I have added comments to complex code
• My changes don't introduce console warnings/errors
• I have checked for performance implications

Ways to Test This Change

1. Open .github/workflows/build.yml and confirm action references are SHA-pinned and set-output is removed.
2. Open .github/workflows/cla.yml and confirm the contributor assistant action is SHA-pinned.
3. Trigger workflows via PR/push and confirm runs execute with no workflow syntax errors.

Screenshots/Recordings

Before:

N/A (workflow/config-only change)

After:

N/A (workflow/config-only change)

Additional Notes

Pins selected match the referenced action release tags at time of update.

Checklist

• I have read the contributing guidelines
• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• Any dependent changes have been merged and published

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• api.securityscorecards.dev
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)