
@coliff coliff (Member) commented Sep 8, 2025

This pull request introduces a new GitHub Actions workflow for OSSF Scorecard supply-chain security analysis and updates all existing workflow dependencies to use specific commit SHAs for improved security and reproducibility. Additionally, it updates the spellchecker configuration to recognize "ossf" as a valid term.

Security and CI improvements:

  • Added a new .github/workflows/ossf-scorecard.yml workflow to run OSSF Scorecard analysis on the repository, enhancing supply-chain security monitoring.
  • Updated all GitHub Actions in workflow files (such as actions/checkout, actions/setup-node, github/codeql-action, and others) to use explicit commit SHAs instead of version tags, improving build reproducibility and mitigating the risk of compromised upstream actions.

Configuration updates:

  • Added "ossf" to the spellchecker dictionary in .cspell.json to prevent false positives on this term.
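As an added illustration of the SHA-pinning change this PR describes (example code, not part of the PR or the htmlhint project): a small checker that scans a workflow for `uses:` references that are not pinned to a full 40-character commit SHA, and flags SHA-pinned references that lack the trailing version comment Dependabot and Renovate use to track updates. The sample workflow and the all-zero SHA below are constructed, not taken from the PR's files.

```python
import re
from typing import Dict, List

# Constructed sample workflow (not the PR's files): one step pinned to a full
# commit SHA with a version comment, one pinned to a mutable tag, one to a
# branch, plus a local action and a docker image that SHA pinning does not cover.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v5.0.0
      - uses: actions/setup-node@v4
      - uses: github/codeql-action/upload-sarif@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(.+?)\s*$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(uses_value: str) -> str:
    """'sha' if pinned to a full commit SHA, 'mutable' for a tag, branch or
    missing ref, 'n/a' for local paths and docker images (pinned differently)."""
    if uses_value.startswith(("./", "docker://")):
        return "n/a"
    _, sep, ref = uses_value.rpartition("@")
    if not sep:
        return "mutable"  # no ref given: treated as unpinned
    return "sha" if FULL_SHA_RE.match(ref) else "mutable"


def audit_workflow(text: str) -> List[Dict[str, object]]:
    """One finding per uses: line that is not SHA-pinned, or that is SHA-pinned
    but lacks the '# vX.Y.Z' comment used by dependency-update bots."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        value, _, comment = m.group(1).partition("#")
        value = value.strip().strip("'\"")
        kind = classify_ref(value)
        if kind == "mutable":
            findings.append({"line": line_no, "uses": value, "issue": "unpinned"})
        elif kind == "sha" and not comment.strip():
            findings.append({"line": line_no, "uses": value, "issue": "missing-version-comment"})
    return findings
```

Running `audit_workflow(SAMPLE_WORKFLOW)` reports the setup-node and codeql-action lines as unpinned and accepts the SHA-pinned checkout step.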

@coliff coliff requested a review from thedaviddias as a code owner September 8, 2025 08:05
@coliff coliff requested review from Copilot and removed request for thedaviddias September 8, 2025 08:05
Deploying htmlhint with Cloudflare Pages

Latest commit: 872c3e7
Status: ✅ Deploy successful!
Preview URL: https://e099b98d.htmlhint.pages.dev
Branch Preview URL: https://dev-coliff-update-github-act.htmlhint.pages.dev

@Copilot Copilot AI (Contributor) left a comment

Pull Request Overview

Updates GitHub Actions workflows to use commit SHAs for enhanced security and adds OSSF Scorecard analysis for supply-chain security monitoring. The changes improve build reproducibility by pinning all GitHub Actions to specific commit hashes instead of version tags, and introduce automated security scoring through OSSF Scorecard.

  • Added OSSF Scorecard workflow for supply-chain security analysis
  • Updated all GitHub Actions to use commit SHAs instead of version tags
  • Updated spellchecker configuration to recognize "ossf" as valid

Reviewed Changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.

Summary per file:

  • .github/workflows/ossf-scorecard.yml: New workflow for OSSF Scorecard supply-chain security analysis
  • .github/workflows/website.yml: Updated actions to use commit SHAs (checkout, setup-node, codeql upload-sarif)
  • .github/workflows/test.yml: Updated actions to use commit SHAs (checkout, setup-node)
  • .github/workflows/sync-labels.yml: Updated checkout action to use commit SHA
  • .github/workflows/super-linter.yml: Updated checkout action to use commit SHA
  • .github/workflows/spellcheck.yml: Updated checkout and cspell-action to use commit SHAs
  • .github/workflows/publish.yml: Updated actions to use commit SHAs (checkout, setup-node)
  • .github/workflows/codeql-analysis.yml: Updated CodeQL actions to use commit SHAs
  • .cspell.json: Added "ossf" to spellchecker dictionary

@gemini-code-assist gemini-code-assist bot (Contributor) left a comment

Code Review

This pull request introduces a new GitHub Actions workflow for OSSF Scorecard analysis, pins existing workflow dependencies to specific commit SHAs for improved security, and updates the spellchecker configuration. The visible change to .cspell.json to add 'ossf' to the dictionary is correct. The other changes described, particularly pinning actions to commit SHAs, are excellent security best practices that improve the supply-chain security of the project. Overall, these are great improvements.

@coliff coliff added the github_actions Pull requests that update GitHub Actions code label Sep 8, 2025
@coliff coliff merged commit f411710 into main Sep 8, 2025
19 of 23 checks passed
@coliff coliff deleted the dev/coliff/update-github-actions branch September 8, 2025 08:07