STAC-24685: pin vexhub-index-check action sha

.github/workflows/index-check.yml

@@ -1,30 +1,22 @@
 # Asserts that index.json is in sync with the contents of pkg/.
 #
-# index.json is the lookup map Trivy consults via `--vex repo` to find
-# OpenVEX statement files for a given PURL. It is generated from the
-# pkg/ tree by tools/build_index.py and must never be edited by hand.
-#
-# This workflow runs `tools/build_index.py --check`, which regenerates
-# the index in memory and exits non-zero if the on-disk index.json
-# differs. When that happens, the contributor must run
-# `python3 tools/build_index.py` locally and commit the regenerated
-# file.
+# When this check fails, the contributor must regenerate index.json
+# locally (see CONTRIBUTING.md) and commit the result.
+
 name: index-check
 
 on:
   pull_request:
     paths:
       - "pkg/**"
       - "index.json"
-      - "tools/build_index.py"
       - ".github/workflows/index-check.yml"
   push:
     branches:
       - main
     paths:
       - "pkg/**"
       - "index.json"
-      - "tools/build_index.py"
 
 permissions:
   contents: read
@@ -37,10 +29,5 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v5
 
-      - name: Set up Python
-        uses: actions/setup-python@v6
-        with:
-          python-version: "3.14"
-
-      - name: Verify index.json matches pkg/ tree
-        run: python3 tools/build_index.py --check
+      - name: Verify index.json matches pkg/
+        uses: StackVista/scan-pipeline/.github/actions/vexhub-index-check@fcb8a5f78e1527116ee573ce538ddc884c635987