Splitting ref and sha into two fields correctly for the intake form (#1788)

* Splitting ref and sha into two fields correctly for the intake form

* Enforce 40-character commit SHA in validateImmutableRef

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

* Add backward compatibility for legacy checklist text and field title

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

* Avoid unnecessary array spread when iterating checklist equivalents

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

CONTRIBUTING.md

@@ -202,7 +202,8 @@ The external plugin issue form will collect these fields:
 - Short description
 - GitHub repository in `owner/repo` format
 - Plugin path inside the repository (optional when the plugin is at the repository root)
-- Immutable ref to review (`ref`), using a release tag or full commit SHA rather than a branch
+- Ref to review (`ref`), using a release tag or tag ref rather than a branch
+- Commit SHA to review (`sha`), using a full 40-character commit SHA
 - Plugin version
 - License identifier
 - Author name
@@ -210,7 +211,7 @@ The external plugin issue form will collect these fields:
 - Homepage URL (optional)
 - Keywords/tags
 - Additional notes for reviewers (optional)
-- Confirmation checkboxes that the repository is public, the ref is immutable, the submission follows this repository's policies, and the plugin is not a duplicate listing
+- Confirmation checkboxes that the repository is public, the submitted ref and/or sha is immutable, the submission follows this repository's policies, and the plugin is not a duplicate listing
 
 The repository's canonical validation rules live in `eng/external-plugin-validation.mjs`. Build scripts reuse the `marketplace` policy from that module, and the issue intake automation uses the stricter `publicSubmission` policy so the JSON contract and workflow checks stay aligned.
 
@@ -223,7 +224,7 @@ For entries committed to `plugins/external.json`, the current marketplace valida
 - `source.source: "github"` plus `source.repo` in `owner/repo` format
 - optional `source.path` values of `/` for repository root, or a repository-relative folder where the plugin structure starts (do not point to `plugin.json` directly)
 
-The public-submission policy builds on those rules and also requires `license` plus an immutable `source.ref`.
+The public-submission policy builds on those rules and also requires `license` plus at least one immutable source locator: `source.ref`, `source.sha`, or both.
 
 ##### Review workflow
 
@@ -240,7 +241,7 @@ The public-submission policy builds on those rules and also requires `license` p
 Maintainers are responsible for confirming that the submission:
 
 - Clearly fits the Awesome Copilot collection and adds value beyond existing listings
-- Uses a public GitHub repository and an immutable ref that can be reviewed reliably
+- Uses a public GitHub repository and an immutable ref and/or SHA that can be reviewed reliably
 - Includes the required metadata for `plugins/external.json` (`name`, `description`, `version`, `author.name`, `repository`, `keywords`, and `source`), plus any supplied homepage/license fields
 - Does not obviously duplicate an existing marketplace entry
 - Continues to meet this repository's content, security, and responsible AI policies
@@ -284,7 +285,8 @@ Approved submissions are converted into `plugins/external.json` entries followin
       "source": "github",
       "repo": "owner/plugin-repo",
       "path": ".github/plugins/my-external-plugin",
-      "ref": "v1.0.0"
+      "ref": "v1.0.0",
+      "sha": "0123456789abcdef0123456789abcdef01234567"
     }
   }
 ]