ci: apply security best practices

[step-security-bot]

Summary

This pull request is created by StepSecurity at the request of @tolgaozen. Please merge the Pull Request to incorporate the requested changes. Please tag @tolgaozen on your message if you have any questions related to the PR.

Security Fixes

Pinned Dependencies

GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit.

• GitHub Security Guide
• The Open Source Security Foundation (OpenSSF) Security Guide

Maintain Code Quality with Pre-Commit

Pre-commit is a framework for managing and maintaining multi-language pre-commit hooks. Hooks can be any scripts, code, or binaries that run at any stage of the git workflow. Pre-commit hooks are useful for enforcing code quality, code formatting, and detecting security vulnerabilities.

• Official Pre-commit documentation
• Getting Started guide

Feedback

For bug reports, feature requests, and general feedback; please email support@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot bot@stepsecurity.io

Summary by CodeRabbit

• Chores
  • Updated Codecov integration to use a specific commit reference for improved stability.
  • Added shellcheck tool to development environment for enhanced shell script validation.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Caution

Review failed

The pull request is closed.

Walkthrough

Two configuration files are updated: the GitHub Actions Codecov workflow action is pinned to a specific commit SHA (with v5.5.1 noted), and a new shellcheck pre-commit hook is added from the jumanjihouse repository at version 3.0.0.

Changes

Cohort / File(s)	Change Summary
GitHub Actions Workflow .github/workflows/coverage.yml	Pins Codecov action from generic v5 tag to specific commit reference (5a1091511ad55cbe89839c7260b706298ca349f7) with inline v5.5.1 notation
Pre-commit Configuration .pre-commit-config.yaml	Adds new shellcheck hook from jumanjihouse/pre-commit-hooks repository at revision 3.0.0

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

• Simple configuration updates with no logic changes or control flow modifications
• Straightforward pinning of action version and addition of single pre-commit hook entry

Possibly related PRs

• ci: harden GitHub Actions #1658: Pins multiple GitHub Action usages to specific commit SHAs in workflow files for reproducibility and security
• ci(coverage): replace goveralls with Codecov for coverage reports #2644: Modifies .github/workflows/coverage.yml and updates the Codecov upload step in the same workflow
• ci: harden github actions #2551: Pins GitHub Actions workflow action versions to specific commit SHAs instead of floating tags

Poem

🐰 A pinned action stands so tall,
With hashes keeping CI on call,
Shellcheck joins the pre-commit crew,
Dependencies locked in, tried and true! ✨

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a999206 and 2707b14.

📒 Files selected for processing (2)

• .github/workflows/coverage.yml (1 hunks)
• .pre-commit-config.yaml (1 hunks)

Tip

📝 Customizable high-level summaries are now available in beta!

You can now customize how CodeRabbit generates the high-level summary in your pull requests — including its content, structure, tone, and formatting.

• Provide your own instructions using the high_level_summary_instructions setting.
• Format the summary however you like (bullet lists, tables, multi-section layouts, contributor stats, etc.).
• Use high_level_summary_in_walkthrough to move the summary from the description to the walkthrough section.

Example instruction:

"Divide the high-level summary into five sections:

1. 📝 Description — Summarize the main change in 50–60 words, explaining what was done.
2. 📓 References — List relevant issues, discussions, documentation, or related PRs.
3. 📦 Dependencies & Requirements — Mention any new/updated dependencies, environment variable changes, or configuration updates.
4. 📊 Contributor Summary — Include a Markdown table showing contributions:
   | Contributor | Lines Added | Lines Removed | Files Changed |
5. ✔️ Additional Notes — Add any extra reviewer context.
   Keep each section concise (under 200 words) and use bullet or numbered lists for clarity."

Note: This feature is currently in beta for Pro-tier users, and pricing will be announced later.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.51%. Comparing base (a999206) to head (2707b14).
⚠️ Report is 2 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #2650   +/-   ##
=======================================
  Coverage   82.51%   82.51%           
=======================================
  Files          74       74           
  Lines        8132     8132           
=======================================
  Hits         6710     6710           
  Misses        906      906           
  Partials      516      516           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.