
ci: pin action versions#1657

Merged
zerob13 merged 2 commits into
ThinkInAIXYZ:devfrom
rzzf:ci/pin-actions
May 22, 2026

Conversation

@rzzf
Contributor

@rzzf rzzf commented May 22, 2026

Given the recent supply chain attacks, I think we should pin all actions we use.

https://www.stepsecurity.io/blog/actions-cool-issues-helper-github-action-compromised-all-tags-point-to-imposter-commit-that-exfiltrates-ci-cd-credentials

It is a good manner to pin GitHub Actions versions by commit hash. GitHub tags are mutable so they have a substantial security and reliability risk.
See also Security hardening for GitHub Actions - GitHub Docs

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload

Updated via pinact.

brew install pinact
pinact run

Summary by CodeRabbit

  • Chores
    • CI/CD workflows updated to pin third‑party workflow steps to fixed revisions across build, verification, and release pipelines, improving reproducibility, stability, and security of automated builds and releases.


@coderabbitai
Contributor

coderabbitai Bot commented May 22, 2026

📝 Walkthrough

Walkthrough

This PR pins GitHub Actions to specific commit SHAs across three CI/CD workflow files (build.yml, prcheck.yml, release.yml), replacing floating version tags with deterministic commit references. Build steps, artifact names/paths, and Node.js versions remain unchanged.

Changes

GitHub Actions Workflow Pinning

Layer / File(s) Summary
Release workflow action pins
.github/workflows/release.yml
actions/github-script, actions/checkout, actions/setup-node, pnpm/action-setup, actions/upload-artifact, actions/download-artifact, and softprops/action-gh-release are pinned to specific commit SHAs across validate-main-ancestor, build-windows, build-linux, build-mac, and release jobs.
Build workflow action pins
.github/workflows/build.yml
actions/checkout, actions/setup-node, pnpm/action-setup, and actions/upload-artifact are pinned to commit SHAs across Windows, Linux, and macOS build jobs while keeping Node.js 24.14.1 and existing build/install/verify steps and artifact paths.
PR check workflow action pins
.github/workflows/prcheck.yml
actions/checkout, actions/setup-node, and pnpm/action-setup in main-release-guard and build-check jobs are pinned from floating tags to specific commit SHAs, preserving persist-credentials and node-version settings.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

  • ThinkInAIXYZ/deepchat#1363: Modifies action step references in the same workflow files (.github/workflows/*), related to action versioning/pinning.
  • ThinkInAIXYZ/deepchat#1528: Also touches pnpm/action-setup usage and workflow action versions across CI workflows.

Poem

🐰 Pins snug in rows, actions stand tall,
SHAs whisper steady, no drifting at all.
Windows, Linux, macOS hum in one song,
Builds march in rhythm, steady and strong,
Carrots of release dance all day long.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'ci: pin action versions' accurately and concisely summarizes the main change of pinning GitHub Actions to specific commit SHAs across multiple workflows.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build.yml:
- Line 39: Add the missing persist-credentials setting to each checkout step
using the actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd invocation:
update those steps to include a with: block specifying persist-credentials:
false so credentials are not written to git config; apply the same change to the
other workflow files that have checkout steps (the same actions/checkout SHA) to
ensure consistency across build, prcheck, and release workflows.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 91da25fa-73a5-488f-9181-9595b5a7c03b

📥 Commits

Reviewing files that changed from the base of the PR and between f8769c6 and f7eb9ba.

📒 Files selected for processing (3)
  • .github/workflows/build.yml
  • .github/workflows/prcheck.yml
  • .github/workflows/release.yml

Comment thread .github/workflows/build.yml
@rzzf rzzf force-pushed the ci/pin-actions branch from f359aff to d0dfb8d Compare May 22, 2026 03:37
Contributor

@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/build.yml (1)

39-50: ⚠️ Potential issue | 🟠 Major

Fix pnpm/action-setup version-tag SHA mismatch in build.yml

  • In .github/workflows/build.yml (lines 39-50), pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 is labeled # v6.0.8, but tag v6.0.8 resolves to d15e628ca66d93ee5f352c71671a7bc6a97af5c9; update the pinned SHA or the version comment.
  • GitHub vulnerabilityAlerts returned no alerts for actions/checkout, actions/setup-node, pnpm/action-setup, and actions/upload-artifact.
  • Re-check the other workflow occurrences (lines 114-125 and 178-189) for the same tag/commit mismatch.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build.yml around lines 39 - 50, The pinned SHA for
pnpm/action-setup (pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093)
does not match the comment “# v6.0.8”; update the workflow to either pin the
correct commit for v6.0.8 (replace the SHA with
d15e628ca66d93ee5f352c71671a7bc6a97af5c9) or change the comment to reflect the
actual SHA being used; apply the same fix to any other occurrences of
pnpm/action-setup in this file to keep tags and SHAs consistent and run a quick
check that actions/checkout and actions/setup-node comments match their pinned
SHAs too.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/build.yml:
- Around line 39-50: The pinned SHA for pnpm/action-setup
(pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093) does not match the
comment “# v6.0.8”; update the workflow to either pin the correct commit for
v6.0.8 (replace the SHA with d15e628ca66d93ee5f352c71671a7bc6a97af5c9) or change
the comment to reflect the actual SHA being used; apply the same fix to any
other occurrences of pnpm/action-setup in this file to keep tags and SHAs
consistent and run a quick check that actions/checkout and actions/setup-node
comments match their pinned SHAs too.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7197925c-6fa7-450d-80c6-6660fe7d815f

📥 Commits

Reviewing files that changed from the base of the PR and between f359aff and d0dfb8d.

📒 Files selected for processing (3)
  • .github/workflows/build.yml
  • .github/workflows/prcheck.yml
  • .github/workflows/release.yml
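A checker for the two problems discussed in this PR (a `uses:` reference that is still a floating tag, and a version comment that does not match the pinned SHA), as an added example rather than code from the PR or from pinact. The workflow excerpt and the `TAG_MAP` lookup are constructed here; only the pnpm/action-setup tag/SHA pair is taken from the review comment above, and the `example/action` entry is hypothetical.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "- uses: owner/repo@ref # vX.Y.Z" and captures action, ref and the optional comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^@\s]+)@([^\s#]+)\s*(?:#\s*(\S+))?\s*$")

# Constructed tag -> commit map. In real use it would be filled from
# `git ls-remote --tags https://github.com/<owner>/<repo>` (peeled ^{} entries),
# never from the comment in the workflow itself, which is what we are checking.
TAG_MAP = {
    ("pnpm/action-setup", "v6.0.8"): "d15e628ca66d93ee5f352c71671a7bc6a97af5c9",  # from the review
    ("example/action", "v1.0.0"): "a" * 40,  # hypothetical action
}

# Constructed workflow excerpt covering the cases the review discusses.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/setup-node@v4
  - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
  - uses: example/action@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v1.0.0
  - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
"""


def classify(action, ref, comment, tag_map):
    """Return a status string for one uses: reference."""
    if not SHA_RE.match(ref):
        return "UNPINNED"            # tag or branch: mutable, the risk the PR removes
    if comment is None:
        return "NO_VERSION_COMMENT"  # pinned, but nobody can tell which release it is
    expected = tag_map.get((action, comment))
    if expected is None:
        return "TAG_UNKNOWN"         # cannot verify without the tag's real commit
    return "OK" if expected == ref else "TAG_SHA_MISMATCH"


def check_workflow(text, tag_map=TAG_MAP):
    """Scan workflow text and return (line number, action, status) for every uses: line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            action, ref, comment = m.groups()
            findings.append((lineno, action, classify(action, ref, comment, tag_map)))
    return findings


if __name__ == "__main__":
    for lineno, action, status in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}: {status}")
```

Run it against the real `.github/workflows/*.yml` files with a `TAG_MAP` built from `git ls-remote` output and every entry should come back `OK`.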

@rzzf
Contributor Author

rzzf commented May 22, 2026

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/build.yml (1)

39-50: ⚠️ Potential issue | 🟠 Major

Fix pnpm/action-setup version-tag SHA mismatch in build.yml

  • In .github/workflows/build.yml (lines 39-50), pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 is labeled # v6.0.8, but tag v6.0.8 resolves to d15e628ca66d93ee5f352c71671a7bc6a97af5c9; update the pinned SHA or the version comment.
  • GitHub vulnerabilityAlerts returned no alerts for actions/checkout, actions/setup-node, pnpm/action-setup, and actions/upload-artifact.
  • Re-check the other workflow occurrences (lines 114-125 and 178-189) for the same tag/commit mismatch.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build.yml around lines 39 - 50, The pinned SHA for
pnpm/action-setup (pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093)
does not match the comment “# v6.0.8”; update the workflow to either pin the
correct commit for v6.0.8 (replace the SHA with
d15e628ca66d93ee5f352c71671a7bc6a97af5c9) or change the comment to reflect the
actual SHA being used; apply the same fix to any other occurrences of
pnpm/action-setup in this file to keep tags and SHAs consistent and run a quick
check that actions/checkout and actions/setup-node comments match their pinned
SHAs too.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/build.yml:
- Around line 39-50: The pinned SHA for pnpm/action-setup
(pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093) does not match the
comment “# v6.0.8”; update the workflow to either pin the correct commit for
v6.0.8 (replace the SHA with d15e628ca66d93ee5f352c71671a7bc6a97af5c9) or change
the comment to reflect the actual SHA being used; apply the same fix to any
other occurrences of pnpm/action-setup in this file to keep tags and SHAs
consistent and run a quick check that actions/checkout and actions/setup-node
comments match their pinned SHAs too.

ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7197925c-6fa7-450d-80c6-6660fe7d815f

📥 Commits
Reviewing files that changed from the base of the PR and between f359aff and d0dfb8d.

📒 Files selected for processing (3)

See:

@zerob13 zerob13 merged commit 4496649 into ThinkInAIXYZ:dev May 22, 2026
3 checks passed
@rzzf rzzf deleted the ci/pin-actions branch May 22, 2026 06:25