Summary

Harden the CLI release pipeline against the three validated supply-chain findings: mutable release actions, unsafe backfill tag interpolation, and unchecked SEA runtime downloads.

Changed

• Replace voidzero-dev/setup-vp@v1 in release-impacting workflows with pinned actions/setup-node, corepack enable, and pnpm install --frozen-lockfile
• Pin all GitHub Actions used by release, upload, and Homebrew jobs to full commit SHAs
• Validate manual backfill release tags, use actions/checkout ref, and pass TAG_NAME to PowerShell through env
• Rename scripts/build-sea.mjs to scripts/build-sea.mts and verify Node runtime archive checksums via SHASUMS256.txt before extraction

Risks

• Action SHA pins require deliberate future update maintenance
• The SEA build now depends on Node release checksum availability before extracting runtime archives
• Workflow behavior should be confirmed by GitHub Actions on Linux, macOS, and Windows runners

Verification

• pnpm run verify
• pnpm run build:sea && pnpm run verify:sea
• node --check scripts/build-sea.mts
• targeted security checks for no setup-vp, no unsafe tag_name shell/PowerShell interpolation, full-SHA action pins, and SEA checksum controls
• YAML parse check for both workflow files
• pre-push vp gate passed

Complexity

Neutral. The workflow setup is more explicit, but the release trust boundary is clearer and the SEA checksum check is localized to the runtime download path.