ci: pin GitHub Actions to commit SHAs for supply chain security

Pin 3rd party actions to specific commit SHAs to mitigate supply chain
attacks (CWE-829). If a bad actor compromises an action's repository,
they cannot affect our workflows since we reference immutable commits.

Actions pinned:
- actions/setup-go@7a3fe6c (v6.2.0)
- golangci/golangci-lint-action@1e7e51e (v9.0.0)

SHA verification:
  gh api repos/actions/setup-go/git/ref/tags/v6 --jq '.object.sha'
  gh api repos/golangci/golangci-lint-action/git/ref/tags/v9 --jq '.object.sha'

Resolves code scanning alert #11

Author: dlevy-msft-sql

.github/copilot-instructions.md

@@ -155,57 +155,6 @@ The project supports creating SQL Server instances using Docker or Podman:
 - Use the `internal/localizer` package for localized messages
 - Supported languages: Chinese (Simplified/Traditional), English, French, German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish
 
-### Adding Localizable Strings
-
-When adding user-facing strings to the code, use the `localizer` package:
-
-```go
-import "github.com/microsoft/go-sqlcmd/internal/localizer"
-
-// Use localizer.Sprintf for formatted strings
-message := localizer.Sprintf("This is a localizable message with %s", value)
-
-// Use localizer.Errorf for localized errors
-err := localizer.Errorf("Error: %s failed", operation)
-```
-
-Constants that are not user-facing (like environment variable names, command names) should be placed in `internal/localizer/constants.go` and do not need localization.
-
-### Generating Localization Files
-
-After adding new localizable strings, you **must** regenerate the translation catalog files before committing. The build scripts handle this automatically.
-
-#### On Windows
-
-```cmd
-build\build.cmd
-```
-
-This script:
-- Installs `gotext` if not already installed
-- Runs `go generate` which executes the gotext command defined in `internal/translations/translations.go`
-- Generates/updates the translation catalog in `internal/translations/catalog.go`
-- Reports any conflicting localizable strings that need to be fixed
-
-#### On Linux/macOS
-
-Run the following commands manually:
-
-```bash
-# Install gotext if not already installed
-go install golang.org/x/text/cmd/gotext@latest
-
-# Generate translation files
-go generate ./...
-```
-
-### Important Notes
-
-- Always run the build script after adding new user-facing strings
-- Check the build output for "conflicting localizable strings" warnings and resolve them
-- The `SQLCMD_LANG` environment variable controls the runtime language (e.g., `de-de`, `fr-fr`)
-- Test your changes with different language settings to ensure proper localization
-
 ## Azure Authentication
 
 - Azure AD authentication is supported via the `azidentity` package

.github/workflows/golangci-lint.yml

@@ -9,12 +9,12 @@ jobs:
     name: lint-pr-changes
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
         with:
           go-version: '1.24'
       - uses: actions/checkout@v6
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v9
+        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9
         with:
           version: latest
           only-new-issues: true

NOTICE.md

@@ -5056,61 +5056,6 @@ SUBDIRECTORIES
 
 ```
 
-## github.com/shopspring/decimal
-
-* Name: github.com/shopspring/decimal
-* Version: v1.4.0
-* License: [MIT](https://github.com/shopspring/decimal/blob/v1.4.0/LICENSE)
-
-```
-The MIT License (MIT)
-
-Copyright (c) 2015 Spring, Inc.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
-
-- Based on https://github.com/oguzbilgic/fpd, which has the following license:
-"""
-The MIT License (MIT)
-
-Copyright (c) 2013 Oguz Bilgic
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of
-this software and associated documentation files (the "Software"), to deal in
-the Software without restriction, including without limitation the rights to
-use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-the Software, and to permit persons to whom the Software is furnished to do so,
-subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-"""
-
-```
-
 ## github.com/spf13/afero
 
 * Name: github.com/spf13/afero