ci: pin GitHub Actions to server SHAs and add hidden-unicode lint

[mpartipilo]

Summary

• Pin all uses: refs in GitHub Actions workflows to the same commit SHAs used by weaviate/weaviate, so this client stays in lockstep with the server
• Preserve the tag (e.g. # v6) as a trailing comment for readability
• Add .github/workflows/pr-security-lint.yaml that scans every PR diff for hidden Unicode / trojan-source characters by delegating to the reusable composite shipped in ci: delegate SHA-pinning to native policy, expose unicode scan as composite weaviate#11093 (pinned to merge commit 3e52fc80a244f4644d4facc6a4e705ea6eda9039)

Context

Two complementary layers of GitHub Actions hardening:

1. SHA pinning — going forward, GitHub's repo-level "Require actions to be pinned to a full-length commit SHA" policy (shipped 2025-08-15) will enforce this at execution time for every workflow. This commit is the initial consolidation pass.
2. Hidden-Unicode scan — the native policy doesn't cover trojan-source attacks. The shared composite in weaviate/weaviate is invoked here so all five Weaviate SDKs share one implementation.

Security notes for the new workflow

• pull_request_target runs the workflow definition from the base branch, never from the PR.
• permissions: {} at workflow level; pull-requests: read is the only grant.
• The composite is pinned to a 40-char SHA — upstream tag retargeting can't alter what runs here.
• No PR-controlled refs are checked out; the composite fetches the diff text via the GitHub API.

Tradeoffs of delegating to an upstream composite

Pros

• Single source of truth for the scan logic — fixes/improvements ship to all 5 SDKs via one SHA bump per repo, not by syncing 5 copies of bash.
• Composite is pinned to a 40-char SHA, so upstream tag retargeting can't change what runs here without a reviewable diff.
• pull_request_target runs the workflow definition from the base branch and the composite never checks out PR-controlled refs — a malicious PR can't alter the linter that's checking it.
• Minimal blast radius: permissions: {} at workflow level, pull-requests: read at job level, no secrets referenced.
• Composable — adding more scanners upstream (shell-script lint, etc.) propagates to every client automatically.

Cons

• Cross-repo runtime coupling: deleting or restructuring weaviate/weaviate/.github/actions/security-lint breaks all 5 clients until the SHA is bumped.
• pull_request_target is a foot-gun — a future editor adding ref: pull_request.head.sha or referencing a secret would re-introduce the attack surface this design is built to avoid. The file header warns against it, but the discipline lives in the reviewer.
• SHA-bump treadmill: upstream improvements don't propagate until each client opens a PR to bump the pinned SHA. Dependabot can automate this if we wire it up.
• Failure logs reference a path inside weaviate/weaviate rather than this repo, so debugging a false positive requires hopping to another repo to read the script.
• Cold-start adds a small network fetch of the composite per run.

Test plan

• CI workflows run and pass on this branch
• pr-security-lint job runs on this PR and passes (clean diff)

🤖 Generated with Claude Code

[orca-security-eu]

Orca Security Scan Summary

Status	Check	Issues by priority
Passed	Infrastructure as Code	0   0   0   0	View in Orca
Passed	SAST	0   0   0   0	View in Orca
Passed	Secrets	0   0   0   0	View in Orca
Passed	Vulnerabilities	0   0   0   0	View in Orca