
chore: pin all github actions to commit SHAs #89

Merged: thewrz merged 2 commits into main from chore/pin-github-actions-shas-2026-05 on May 20, 2026

Conversation

@thewrz (Contributor) commented May 19, 2026

Every `uses:` reference pinned to 40-char SHA. Tag preserved as trailing comment. release.yml calls Anthropic API for release notes (legitimate; pinact only touches uses:).

Files

  • `.github/workflows/ci.yml` — 10 pins
  • `.github/workflows/codeql.yml` — 5 pins
  • `.github/workflows/release.yml` — 3 pins

Total: 18 pinned references across 5 unique actions (actions/checkout, actions/setup-node, pnpm/action-setup, github/codeql-action/init, github/codeql-action/analyze).

Summary by CodeRabbit

  • Chores
    • CI, CodeQL, and release workflows updated to pin action versions to specific commit SHAs for more reproducible runs.
    • Release workflow: checkout no longer persists credentials; Node setup cache option removed.

Review Change Stack

Replaces every `uses: org/action@tag` with `uses: org/action@<sha> # tag`.
Tags are mutable; SHAs are not. Blocks tag-mutation supply-chain attacks.

Paired with renovate `pinDigests: true` (already configured) to keep SHAs current.
@coderabbitai (Bot) commented May 19, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: c2f1e6f6-0b72-488a-aab7-6b2dff387130

📥 Commits

Reviewing files that changed from the base of the PR and between 908173a and 4586999.

📒 Files selected for processing (1)
  • .github/workflows/release.yml

📝 Walkthrough

Walkthrough

GitHub Actions are pinned to explicit commit SHAs across three workflows (CI, CodeQL, release), replacing floating major-version tags while preserving existing environment inputs and step sequences; release checkout adds persist-credentials: false and release Node setup removes cache: "pnpm".

Changes

GitHub Actions Dependency Pinning

| Layer / File(s) | Summary |
|---|---|
| CI workflow action pinning (`.github/workflows/ci.yml`) | lint, test, build, and loc-check jobs switch actions/checkout, pnpm/action-setup, and actions/setup-node from @v6/un-pinned tags to pinned commit SHAs while preserving NODE_VERSION and PNPM_VERSION wiring. |
| CodeQL workflow action pinning (`.github/workflows/codeql.yml`) | CodeQL init and analysis steps pin actions/checkout, github/codeql-action/init, pnpm/action-setup, actions/setup-node, and github/codeql-action/analyze to commit SHAs instead of floating tags. |
| Release workflow action pinning (`.github/workflows/release.yml`) | Release job pins actions/checkout, pnpm/action-setup, and actions/setup-node to commit SHAs; adds persist-credentials: false to checkout and removes cache: "pnpm" from Node setup while keeping node-version. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through .github with a careful paw,
Pinning SHAs so workflows follow the law,
No drifting tags across lint, test, and release,
Repro builds hum, and the rabbit finds peace. 🥕✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'chore: pin all github actions to commit SHAs' directly and accurately describes the main change: pinning all GitHub Actions across three workflow files to specific commit SHAs instead of floating tags. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.


@coderabbitai (Bot) left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 40-42: The checkout step using
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd should disable
persisted credentials to reduce token exposure; update the checkout invocation
(the actions/checkout step) to include persist-credentials: false while keeping
fetch-depth: 0 so downstream git read-only operations still work.
- Around line 50-53: The release workflow is using actions/setup-node with
cache: "pnpm" which enables package-manager caching in a privileged job that has
contents: write and accesses secrets; remove the cache option (or set it to a
non-caching value) in the actions/setup-node step so the release job performs a
fresh dependency install—update the step that references actions/setup-node and
the node-version input (the block containing node-version: ${{ env.NODE_VERSION
}} and cache: "pnpm") to omit or disable the cache setting.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 2257b67b-2488-4d37-aa8d-4645a669e222

📥 Commits

Reviewing files that changed from the base of the PR and between d2ebea8 and 908173a.

📒 Files selected for processing (3)
  • .github/workflows/ci.yml
  • .github/workflows/codeql.yml
  • .github/workflows/release.yml

- Add persist-credentials: false to checkout (reduces GITHUB_TOKEN
  exposure to subsequent steps)
- Remove cache: pnpm from setup-node (privileged workflow with
  contents: write + secrets — cache poisoning would compromise
  the release pipeline; fresh install is safer)

Addresses CodeRabbit review on PR #89.
@thewrz thewrz merged commit 4720f64 into main May 20, 2026
5 checks passed
@thewrz thewrz deleted the chore/pin-github-actions-shas-2026-05 branch May 20, 2026 05:23
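The PR description (every `uses:` reference pinned to a 40-character SHA) and the follow-up commit (persist-credentials: false on checkout and no dependency cache in the contents:write release job) amount to three properties a repository could check mechanically. The linter below is an added example, not code from the PR, pinact, Renovate or CodeRabbit: it scans workflow text with the Python standard library only and reports every `uses:` that is not pinned to a commit SHA, plus, for jobs that can push to the repository, a checkout that keeps the token and a setup-node step that restores a cache. The two sample workflows are constructed; the checkout SHA is the one quoted in the review above, the all-zero SHAs are placeholders for values the page does not give, and the pnpm/action-setup and setup-node versions are assumed.

```python
"""Linter for the hardening this PR applies (added example; not code from the PR, pinact,
Renovate or CodeRabbit). Standard library only: the regular jobs -> <job> -> steps ->
`- uses:` layout of GitHub workflows is read line by line, no YAML parser needed."""
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")               # a pinned ref is exactly 40 hex chars
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")  # "- uses: owner/repo@ref  # comment"
KEY_RE = re.compile(r"^([\w.-]+):\s*(.*)$")          # "key: value" inside a step's with: block


def parse_workflow(text):
    """Return ({job_id: {"contents_write": bool, "steps": [...]}}, workflow_level_contents_write)."""
    jobs, current_job, current_step = {}, None, None
    in_jobs = top_contents_write = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:                              # top-level key: on:, permissions:, jobs:, ...
            in_jobs = stripped == "jobs:"
            current_job = current_step = None
            continue
        if in_jobs and indent == 2 and stripped.endswith(":"):
            current_job = stripped[:-1]              # job id, e.g. "release"
            jobs[current_job] = {"contents_write": False, "steps": []}
            current_step = None
            continue
        if current_job is None:                      # e.g. a workflow-level permissions: block
            top_contents_write = top_contents_write or stripped == "contents: write"
            continue
        if stripped == "contents: write":            # job-level permissions: block
            jobs[current_job]["contents_write"] = True
            continue
        m = USES_RE.match(raw)
        if m:                                        # a step invoking an action
            current_step = {"line": lineno, "uses": m.group(1), "inputs": {}}
            jobs[current_job]["steps"].append(current_step)
            continue
        if stripped.startswith("- "):                # step opened by name:/run:/...; a uses: may follow
            current_step = None
            continue
        kv = KEY_RE.match(stripped)
        if current_step is not None and kv and kv.group(1) != "with":
            current_step["inputs"][kv.group(1)] = kv.group(2).strip("\"'")   # with: inputs
    return jobs, top_contents_write


def audit(text):
    """Return [(line, message)] for each step failing one of the three checks."""
    findings = []
    jobs, top_write = parse_workflow(text)
    for job, info in jobs.items():
        privileged = top_write or info["contents_write"]   # the job can push to the repository
        for step in info["steps"]:
            ref = step["uses"]
            if ref.startswith(("./", "docker://")):       # local and container actions carry no git tag
                continue
            action, _, version = ref.partition("@")
            if not SHA40.match(version):
                findings.append((step["line"], f"{job}: {ref} is not pinned to a commit SHA"))
            if privileged and action == "actions/checkout" and step["inputs"].get("persist-credentials") != "false":
                findings.append((step["line"], f"{job}: checkout leaves GITHUB_TOKEN available to "
                                               "later steps; add persist-credentials: false"))
            if privileged and action == "actions/setup-node" and "cache" in step["inputs"]:
                findings.append((step["line"], f"{job}: setup-node restores a dependency cache in a "
                                               "contents:write job; drop cache: for a fresh install"))
    return findings


# Constructed release job in the shape the PR describes before its change (versions assumed).
UNPINNED_RELEASE = """\
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - uses: pnpm/action-setup@v4
      - name: Set up Node
        uses: actions/setup-node@v4
        with:
          node-version: "22"
          cache: "pnpm"
"""

# The same job after the PR. The checkout SHA is the one quoted in the review; the
# all-zero SHA is a placeholder for values the page does not give.
HARDENED_RELEASE = UNPINNED_RELEASE
for old, new in (
    ("actions/checkout@v6", "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6"),
    ("fetch-depth: 0\n", "fetch-depth: 0\n          persist-credentials: false\n"),
    ("pnpm/action-setup@v4", "pnpm/action-setup@" + "0" * 40 + " # v4 (placeholder SHA)"),
    ("actions/setup-node@v4", "actions/setup-node@" + "0" * 40 + " # v4 (placeholder SHA)"),
    ('          cache: "pnpm"\n', ""),
):
    HARDENED_RELEASE = HARDENED_RELEASE.replace(old, new)

if __name__ == "__main__":
    for label, wf in (("before", UNPINNED_RELEASE), ("after", HARDENED_RELEASE)):
        print(label, audit(wf))
```

Run stand-alone it prints five findings for the constructed "before" job (three unpinned references, the checkout token exposure and the cache) and none for the hardened one. The credential and cache checks are deliberately gated on contents: write, matching the review's reasoning that a fresh install and a non-persisted token matter most where a step could alter a release; a job with read-only permissions is only reported for unpinned references.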