security: pin tibdex/github-app-token to SHA in ci.yml (TeamPCP)#81

Open
sgerlach wants to merge 4 commits into main from security/teampcp-pin-tibdex-sha

Conversation

sgerlach (Contributor) commented Apr 1, 2026

Summary

Addresses Finding 2 from the TeamPCP supply chain audit (March 2026): tibdex/github-app-token was pinned to the mutable @v2 tag in ci.yml. Mutable tags can be silently redirected to malicious commits — the exact technique used in the TeamPCP/Trivy/Checkmarx compromise chain.

Change

Pinned all 2 occurrences of tibdex/github-app-token in ci.yml to a specific commit SHA:

tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0

The SHA was verified against the dereferenced annotated tag object for v2.1.0.

⚠️ Note: prepare-release.yml has 3 additional occurrences of the same pattern and should be addressed in a follow-up PR (or can be added to this branch).

Why this matters

These workflows use HAWKY_APP_PRIVATE_KEY to push commits directly to main and create tags. If the tibdex action were compromised via a mutable tag redirect, the attacker's code would run with those credentials — full write access to the repo.

References
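The verification step the description mentions (checking the pinned SHA against the dereferenced annotated tag, rather than the tag object itself) is easy to get wrong by hand, so here is an added example of doing it as a script. This is not code from the PR or the repository; it works on a constructed sample of `git ls-remote --tags` output and a constructed workflow fragment so it runs offline. The 3beb63f4... SHA is the one quoted in the PR; the other SHAs are made up for the example. Real ls-remote output is tab-separated, which awk's default field splitting handles the same as the spaces used here.

```shell
#!/bin/sh
# Added example (not from the PR): report every `uses:` entry in a workflow that
# is still on a mutable ref, and for SHA-pinned entries with a "# vX.Y.Z" comment,
# confirm the SHA is the commit that tag actually resolves to.

# Constructed sample of `git ls-remote --tags <action repo>`.
# v2.1.0 is an annotated tag: the bare ref is the tag object, the ^{} line is
# the commit it dereferences to. Only the 3beb63f4... SHA comes from the PR.
LS_REMOTE_SAMPLE='1111111111111111111111111111111111111111 refs/tags/v2
2222222222222222222222222222222222222222 refs/tags/v2.1.0
3beb63f4bd073e61482598c45c71c1019b59b73a refs/tags/v2.1.0^{}'

# Constructed workflow fragment: a mutable tag, a correct pin, and a pin that
# mistakenly uses the tag object SHA instead of the dereferenced commit.
WORKFLOW_SAMPLE='      - uses: tibdex/github-app-token@v2
      - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
      - uses: tibdex/github-app-token@2222222222222222222222222222222222222222 # v2.1.0'

# tag_commit <ls-remote-output> <tag>: print the commit the tag points at,
# preferring the ^{} (dereferenced) entry that annotated tags carry.
tag_commit() {
  printf '%s\n' "$1" | awk -v tag="$2" '
    $2 == "refs/tags/" tag "^{}" { deref = $1 }
    $2 == "refs/tags/" tag       { plain = $1 }
    END { if (deref != "") print deref; else print plain }'
}

# check_uses <workflow-text> <ls-remote-output>: one report line per `uses:`.
#   MUTABLE    ref is a tag or branch name, not a commit SHA
#   OK         40-hex SHA equal to the commit the commented tag resolves to
#   MISMATCH   40-hex SHA that differs from the commented tag's commit
#   UNCHECKED  40-hex SHA with no "# tag" comment to compare against
check_uses() {
  printf '%s\n' "$1" | grep 'uses:' | while IFS= read -r line; do
    spec=$(printf '%s\n' "$line" | sed -n 's/.*uses:[[:space:]]*\([^[:space:]#]*\).*/\1/p')
    tag=$(printf '%s\n' "$line" | sed -n 's/.*#[[:space:]]*\([^[:space:]]*\).*/\1/p')
    ref=${spec##*@}
    if ! printf '%s\n' "$ref" | grep -Eq '^[0-9a-f]{40}$'; then
      echo "MUTABLE $spec"
    elif [ -z "$tag" ]; then
      echo "UNCHECKED $spec"
    elif [ "$(tag_commit "$2" "$tag")" = "$ref" ]; then
      echo "OK $spec"
    else
      echo "MISMATCH $spec"
    fi
  done
}

# audit_workflow <workflow-text> <ls-remote-output>: print the report and
# return non-zero if any entry is MUTABLE or MISMATCH (useful as a CI gate).
audit_workflow() {
  report=$(check_uses "$1" "$2")
  printf '%s\n' "$report"
  ! printf '%s\n' "$report" | grep -Eq '^(MUTABLE|MISMATCH) '
}

if audit_workflow "$WORKFLOW_SAMPLE" "$LS_REMOTE_SAMPLE"; then
  echo "all uses: entries are SHA-pinned and match their tags"
else
  echo "unpinned or mismatched uses: entries found"
fi
```

Against a live repository the two sample variables would be replaced by `git ls-remote --tags https://github.com/<owner>/<action>` output and the contents of the workflow file; the point of the `^{}` handling is that for an annotated tag the bare `refs/tags/vX` line gives the tag object's SHA, which is not a valid commit to pin.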

@sgerlach sgerlach requested a review from a team as a code owner April 1, 2026 16:41
sgerlach (Contributor, Author) commented Apr 1, 2026

Update: Switched from tibdex/github-app-token (third-party) to actions/create-github-app-token (official GitHub-maintained action in the actions org), pinned to SHA f8d387b (v3).

Input names changed accordingly: app_id → app-id, private_key → private-key. Output (token) is unchanged.

Using the first-party action reduces supply-chain risk — GitHub controls the actions namespace directly, unlike third-party repos which can change ownership or be compromised independently.


1 participant