chore: update actions/checkout to v7 and auto-maintain README SHA

.github/workflows/update-readme-sha.yml

@@ -0,0 +1,41 @@
+name: Update README SHA reference
+
+on:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - 'README.md'
+      - '**.md'
+      - 'LICENSE'
+      - '.github/FUNDING.yml'
+
+jobs:
+  update-sha:
+    name: Update pinned SHA in README
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        with:
+          ref: main
+          fetch-depth: 2
+
+      - name: Update SHA in README.md
+        run: |
+          NEW_SHA="${{ github.sha }}"
+          sed -i "s|ref: [0-9a-f]\{40\}|ref: ${NEW_SHA}|g" README.md
+
+      - name: Commit updated README.md
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          if git diff --quiet README.md; then
+            echo "No SHA change detected, skipping commit."
+          else
+            git add README.md
+            git commit -m "chore: update pinned SHA in README to ${{ github.sha }}"
+            git push
+          fi

CHANGELOG.md

@@ -7,15 +7,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## [Unreleased]
 
 ### Added
-- `AGENTS.md` — AI agent guide with project overview, directory map, build/run, key patterns, and adding-a-new-script walkthrough
-- `.github/workflows/ci.yml` — shellcheck CI on all `.sh` files for every PR
-- `.github/workflows/copilot-setup-steps.yml` — pre-installs jq, shellcheck, and gitleaks for Copilot cloud agent
-- `.github/ISSUE_TEMPLATE/bug_report.yml` — structured bug report form
-- `.github/ISSUE_TEMPLATE/feature_request.yml` — structured feature request form
-- `.github/PULL_REQUEST_TEMPLATE.md` — PR checklist derived from script conventions
-- `.github/dependabot.yml` — monthly GitHub Actions version updates
-- `.mcp.json` — GitHub MCP server configuration for Copilot CLI
-- Maintenance matrix section in `.github/copilot-instructions.md`
+- `github-copilot-report`: NDJSON usage-metrics endpoints, Entra ID enrichment via `az rest`, auto-detection of credits per seat with promo/standard table, `--no-entra` flag
+- README: GitHub Actions integration examples (workflow_dispatch, artifact upload, environment protection)
+- `.github/workflows/update-readme-sha.yml` — automatically updates the pinned commit SHA in README.md on every push to `main`
+
+### Changed
+- README: updated all `actions/checkout` references from `v4` to `v7.0.0` (pinned SHA `9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0`)
+- README: replaced `ref: main` in the GitHub Actions usage example with a pinned commit SHA, and updated the accompanying note to recommend SHA pinning
 
 ---
 

README.md

@@ -853,15 +853,15 @@ You can use these scripts in your own repository's workflows without copying or
 
 ```yaml
 - name: Checkout github-api-scripts
-  uses: actions/checkout@v4
+  uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
   with:
     repository: locus313/github-api-scripts
-    ref: main         # Pin to a specific tag or SHA in production
+    ref: 1325656e2dad4f6b16b183cdd3676e05f00cb2b4
     path: github-api-scripts
 ```
 
 > [!NOTE]
-> For production workflows, pin `ref` to a specific tag (e.g., `v1.0.0`) or commit SHA rather than a branch name to ensure reproducibility and prevent unexpected changes.
+> For production workflows, pin `ref` to a specific commit SHA rather than a branch name to ensure reproducibility and prevent unexpected changes.
 
 ---
 
@@ -882,7 +882,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout github-api-scripts
-        uses: actions/checkout@v4
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           repository: locus313/github-api-scripts
           ref: main
@@ -914,7 +914,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout github-api-scripts
-        uses: actions/checkout@v4
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           repository: locus313/github-api-scripts
           ref: main
@@ -960,7 +960,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout github-api-scripts
-        uses: actions/checkout@v4
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           repository: locus313/github-api-scripts
           ref: main
@@ -1000,10 +1000,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout your repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Checkout github-api-scripts
-        uses: actions/checkout@v4
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           repository: locus313/github-api-scripts
           ref: main