Secure CI/CD pipelines - Awesome Reviewers

Implement strict security controls in continuous integration and deployment workflows:

Pin external GitHub Actions to immutable commit hashes rather than mutable tags: ```yaml
Instead of this (vulnerable to supply chain attacks):
- uses: codespell-project/codespell-problem-matcher@v1
Use this (pinned to specific commit):
- uses: codespell-project/codespell-problem-matcher@e8fc5c5c5e6c5c5c5c5c5c5c5c5c5c5c5c5c5c5c ```

Isolate workflows requiring elevated permissions into separate files for clearer security boundaries:

# Separate high-privilege workflows (e.g., update-nix-hash.yml) from regular CI workflows
permissions:
  contents: write  # Clearly visible elevated permission

Apply the principle of least privilege by:
- Only granting write permissions where strictly necessary
- Using conditional execution to limit when privileged jobs run (e.g., if: github.event_name == 'push' && github.ref == 'refs/heads/main')
Thoroughly review scripts running with elevated permissions to protect against:
- Secret leakage
- Unintended commits or changes
- Input injection vulnerabilities

Implementing these practices prevents supply chain attacks and reduces the risk of compromised workflows affecting your repository.