
chore: pin actions to commit SHAs and add Skills section to CLAUDE.md#1007

Merged
affaan-m merged 1 commit into
affaan-m:mainfrom
AndriyKalashnykov:chore/pin-actions-and-update-claude-md
Mar 30, 2026

Conversation

@AndriyKalashnykov AndriyKalashnykov commented Mar 29, 2026


Summary

  • Pin all remaining GitHub Actions to commit SHAs instead of mutable version tags across 6 workflow files (ci.yml, release.yml, maintenance.yml, reusable-release.yml, reusable-test.yml, reusable-validate.yml). Actions already pinned (pnpm/action-setup, oven-sh/setup-bun, softprops/action-gh-release) are preserved as-is. This prevents supply-chain attacks via tag hijacking.
  • Add the required ## Skills section to CLAUDE.md mapping project files (README.md, .github/workflows/*.yml) to their respective review skills, with the subagent convention instruction.

Actions Pinned

| Action | SHA | Version |
|--------|-----|---------|
| actions/checkout | 34e114876b0b11c390a56381ad16ebd13914f8d5 | v4 |
| actions/setup-node | 49933ea5288caeca8642d1e84afbd3f7d6820020 | v4 |
| actions/cache | 0057852bfaa89a56745cba8c7296529d2fc39830 | v4 |
| actions/upload-artifact | ea165f8d65b6e75b540449e92b4886f43607fa02 | v4 |
| actions/stale | 5bef64f19d7facfb25b37b414482c7164d639639 | v9 |

Test plan

  • CI workflow runs successfully with SHA-pinned actions
  • All action versions resolve to the correct commits
  • CLAUDE.md Skills section maps correct files to correct skills

Summary by cubic

Pin all GitHub Actions to immutable commit SHAs across CI and release workflows to harden the pipeline. Add a ## Skills section to CLAUDE.md mapping workflows and README to their review skills for subagents.

  • Dependencies

    • Pinned actions/checkout, actions/setup-node, actions/cache, actions/upload-artifact, actions/stale to SHAs in all workflows.
    • Kept existing pinned actions (pnpm/action-setup, oven-sh/setup-bun, softprops/action-gh-release) as-is.
  • New Features

    • Added skills mapping in CLAUDE.md: README.md → /readme, .github/workflows/*.yml → /ci-workflow; instruct subagents to carry conventions.

Written for commit 46f37ae. Summary will update on new commits.

Summary by CodeRabbit

  • Chores
    • Improved CI/CD pipeline stability and security by pinning all GitHub Actions to specific commit versions across build, release, testing, and validation workflows, reducing vulnerability to unexpected dependency updates and supply-chain risks.
    • Enhanced internal development practices by updating documentation with standardized code organization conventions and skill-mapping guidelines for improved team consistency.

Pin all GitHub Actions to commit SHAs instead of mutable version tags
across ci.yml, release.yml, maintenance.yml, and all reusable workflows.
This prevents supply-chain attacks via tag hijacking.

Add the required Skills section to CLAUDE.md mapping project files
(README.md, .github/workflows/*.yml) to their respective review skills.
coderabbitai Bot commented Mar 29, 2026

Walkthrough

Updated multiple GitHub Actions workflow files to pin action references to specific commit SHAs instead of floating version tags (e.g., v4, v9). Added skills mapping documentation to CLAUDE.md.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Actions Workflows: `.github/workflows/ci.yml`, `.github/workflows/maintenance.yml`, `.github/workflows/release.yml`, `.github/workflows/reusable-release.yml`, `.github/workflows/reusable-test.yml`, `.github/workflows/reusable-validate.yml` | Pinned GitHub Actions to specific commit SHAs instead of floating version tags: actions/checkout@v4, actions/setup-node@v4, actions/cache@v4, actions/upload-artifact@v4, and actions/stale@v9 replaced with corresponding commit SHA references. No workflow logic or inputs changed. |
| Documentation: `CLAUDE.md` | Added new "Skills" section mapping file patterns to skill IDs (e.g., README.md → /readme, `.github/workflows/*.yml` → /ci-workflow) and instruction for including skill conventions in subagent prompts. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 With paws I pin each action tight,
To SHAs locked in workflow's night,
No floating tags shall drift astray—
Our pipelines safe and sure today! 📌✨

🚥 Pre-merge checks | ✅ 3 passed

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes both major changes: pinning GitHub Actions to commit SHAs across six workflow files and adding a Skills section to CLAUDE.md. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@cubic-dev-ai cubic-dev-ai Bot left a comment


2 issues found across 7 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="CLAUDE.md">

<violation number="1" location="CLAUDE.md:69">
P2: CLAUDE.md references `/readme` as a skill, but no corresponding skill definition exists in `skills/`, creating a broken guidance contract.</violation>

<violation number="2" location="CLAUDE.md:70">
P2: CLAUDE.md references `/ci-workflow` as a skill, but no corresponding skill definition exists in `skills/`, so subagent instructions may reference a nonexistent skill.</violation>
</file>


Comment thread CLAUDE.md

| File(s) | Skill |
|---------|-------|
| `README.md` | `/readme` |

@cubic-dev-ai cubic-dev-ai Bot Mar 29, 2026


P2: CLAUDE.md references /readme as a skill, but no corresponding skill definition exists in skills/, creating a broken guidance contract.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At CLAUDE.md, line 69:

<comment>CLAUDE.md references `/readme` as a skill, but no corresponding skill definition exists in `skills/`, creating a broken guidance contract.</comment>

<file context>
@@ -59,3 +59,14 @@ Follow the formats in CONTRIBUTING.md:
+
+| File(s) | Skill |
+|---------|-------|
+| `README.md` | `/readme` |
+| `.github/workflows/*.yml` | `/ci-workflow` |
+
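Review bot: the Skill column in this hunk gives only the bare slash names `/readme` and `/ci-workflow`, so nothing in the diff lets a reviewer confirm that those skills are defined anywhere; add the path of each skill definition next to its name (for example a third column pointing at `skills/<name>/SKILL.md`, assuming that is where skills live) so the mapping can be verified from the file itself and a rename of either skill is caught in review.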
</file context>

Comment thread CLAUDE.md
| File(s) | Skill |
|---------|-------|
| `README.md` | `/readme` |
| `.github/workflows/*.yml` | `/ci-workflow` |

@cubic-dev-ai cubic-dev-ai Bot Mar 29, 2026


P2: CLAUDE.md references /ci-workflow as a skill, but no corresponding skill definition exists in skills/, so subagent instructions may reference a nonexistent skill.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At CLAUDE.md, line 70:

<comment>CLAUDE.md references `/ci-workflow` as a skill, but no corresponding skill definition exists in `skills/`, so subagent instructions may reference a nonexistent skill.</comment>

<file context>
@@ -59,3 +59,14 @@ Follow the formats in CONTRIBUTING.md:
+| File(s) | Skill |
+|---------|-------|
+| `README.md` | `/readme` |
+| `.github/workflows/*.yml` | `/ci-workflow` |
+
+When spawning subagents, always pass conventions from the respective skill into the agent's prompt.
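Review bot: the instruction on the last added line is unconditional ("always pass conventions from the respective skill"), but the table above it covers only `README.md` and `.github/workflows/*.yml`; state what a subagent should be given when its files match no row, and note that the `*.yml` pattern alone misses workflow files named `*.yaml`, which GitHub Actions also loads, so the glob should be `.github/workflows/*.{yml,yaml}` or the text should say both spellings are covered.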
</file context>

greptile-apps Bot commented Mar 29, 2026


Greptile Summary

This PR hardens the CI supply chain by replacing all mutable @v4 / @v9 GitHub Actions tags with pinned commit SHAs across six workflow files, and adds a new ## Skills section to CLAUDE.md mapping project files to Claude Code skills.

Key findings:

  • CLAUDE.md — Skills section references non-existent skills: /readme and /ci-workflow are listed in the new table but neither exists in the repository's skills/ directory (exhaustively checked) or commands/ directory. Any attempt to invoke these skills will fail silently or with an error.
  • Version comment annotations are imprecise: All SHA comments use the major version only (e.g. # v4) rather than the exact release (e.g. # v4.4.0 for actions/setup-node, # v4.3.0 for actions/cache). The comment exists precisely so maintainers can tell at a glance which release was pinned; using only the major version undermines this and makes automated tooling (Renovate/Dependabot) less reliable for update detection.
  • The SHA pinning itself across all six workflow files is consistent and correct — the same SHA is used for the same action everywhere it appears.

Confidence Score: 4/5

Workflow SHA pinning is safe to merge; the CLAUDE.md Skills section should be fixed before merging as the referenced skills don't exist

The P1 finding (non-existent skills referenced in CLAUDE.md) means the documentation is actively broken for the new feature being added — following the instructions will lead to failed skill invocations. The SHA pinning changes themselves are correct and consistent. Score 4 reflects one P1 that should be resolved.

CLAUDE.md requires attention — the /readme and /ci-workflow skills referenced in the new Skills section do not exist in the repository

Important Files Changed

| Filename | Overview |
|---|---|
| .github/workflows/ci.yml | All mutable @v4 action tags replaced with pinned SHAs; version comments use major version only (# v4) rather than the exact release (e.g. # v4.4.0) |
| .github/workflows/maintenance.yml | Actions pinned to SHAs consistently; same # v4/# v9 annotation imprecision as in ci.yml |
| .github/workflows/release.yml | actions/checkout@v4 pinned to SHA; single change, correctly done |
| .github/workflows/reusable-release.yml | actions/checkout@v4 pinned to SHA; single change, correctly done |
| .github/workflows/reusable-test.yml | Checkout, setup-node, cache (×4), and upload-artifact all pinned; same # v4 annotation imprecision applies |
| .github/workflows/reusable-validate.yml | Checkout and setup-node pinned to SHAs; # v4 annotation imprecision applies |
| CLAUDE.md | New ## Skills section added, but both referenced skills (/readme, /ci-workflow) do not exist in the repository's skills/ or commands/ directories — invocations will fail |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[GitHub Trigger push/PR/schedule] --> B{Workflow}
    B --> C[ci.yml]
    B --> D[release.yml]
    B --> E[maintenance.yml]
    C --> F[reusable-test.yml]
    C --> G[reusable-validate.yml]
    D --> H[reusable-release.yml]
    F --> I["actions/checkout\n@34e114... #v4"]
    F --> J["actions/setup-node\n@49933e... #v4"]
    F --> K["actions/cache\n@0057852... #v4"]
    F --> L["actions/upload-artifact\n@ea165f... #v4"]
    G --> I
    G --> J
    H --> I
    E --> M["actions/stale\n@5bef64... #v9"]
    style I fill:#c8e6c9
    style J fill:#c8e6c9
    style K fill:#c8e6c9
    style L fill:#c8e6c9
    style M fill:#c8e6c9

Reviews (1): Last reviewed commit: "chore: pin actions to commit SHAs and ad..."

Comment thread CLAUDE.md
Comment on lines +69 to +70
| `README.md` | `/readme` |
| `.github/workflows/*.yml` | `/ci-workflow` |


P1 Referenced skills /readme and /ci-workflow do not exist in the repository

The Skills table maps README.md → /readme and .github/workflows/*.yml → /ci-workflow, but neither of these skills exists anywhere in the project's skills/ directory (confirmed by searching the full skills/** tree) or in the commands/ directory.

When a developer (or Claude Code) encounters these instructions and tries to invoke /readme or /ci-workflow, the skill invocation will fail — there is no backing implementation to load. This makes the added section non-functional.

Either:

  1. The corresponding skill files (skills/readme/SKILL.md and skills/ci-workflow/SKILL.md) need to be created and included in this PR, or
  2. The table should point to existing skills that cover README and CI workflow conventions (e.g. skills/coding-standards/SKILL.md or similar).

Comment thread .github/workflows/ci.yml
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4


P2 SHA comment annotations use major version only, not exact version

The SHA-pinned comments consistently use # v4 instead of the specific minor/patch version the SHA actually resolves to. Based on published release data:

  • actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 → # v4.2.2 (not # v4)
  • actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 → # v4.4.0 (not # v4)
  • actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 → # v4.3.0 (not # v4)
  • actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 → # v4.6.2 (not # v4)
  • actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 → # v9.1.0 (not # v9)

The purpose of the comment is to let a human reviewer quickly understand exactly which release is pinned when auditing or updating pins via tools like Dependabot/Renovate. Using only the major version (# v4) is ambiguous — it looks identical to an unpinned @v4 reference and hides which minor/patch version was intended.

The same issue applies in maintenance.yml, release.yml, reusable-release.yml, reusable-test.yml, and reusable-validate.yml.
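As an added example (not code from this PR or the project), a small audit script that applies the two checks discussed in this thread to a workflow file: every external `uses:` reference must resolve to a full 40-hex commit SHA rather than a movable tag or branch, and the trailing comment on a SHA pin must name the exact release (`# v4.3.0`), not just the major version (`# v4`). The workflow fragment embedded below is constructed for the demo; the SHAs in it are the ones listed in this PR, and the local and `docker://` step lines are assumptions added to show how those reference forms are handled.

```python
import re
from typing import Optional

# Constructed sample workflow fragment (not from the PR). The SHAs are the ones
# listed in this PR; the mix of pinned and unpinned lines is made up for the demo.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
      - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# A `uses:` line: the reference token, then an optional trailing `# comment`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s+#\s*(?P<comment>.*?))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")               # full commit SHA: the only immutable ref
EXACT_VERSION_RE = re.compile(r"^v?\d+\.\d+\.\d+")   # v4.2.2 style, not just v4

def classify_uses(ref: str, comment: Optional[str]) -> tuple:
    """Classify one `uses:` reference as (status, detail).

    status: ok | mutable | pinned-unlabelled | pinned-major-only
    """
    if ref.startswith("./"):
        return "ok", "local action; no external pin needed"
    if ref.startswith("docker://"):
        if "@sha256:" in ref:                      # container actions pin by digest
            return "ok", "image pinned by digest"
        return "mutable", "image tag can be re-pushed; pin by @sha256 digest"
    if "@" not in ref:
        return "mutable", "no ref given; resolves to the default branch"
    _action, version = ref.rsplit("@", 1)
    if not SHA_RE.match(version):
        return "mutable", f"tag or branch {version!r} can be moved to other code"
    note = (comment or "").strip()
    if not note:
        return "pinned-unlabelled", "SHA pin has no version comment"
    if not EXACT_VERSION_RE.match(note):
        return "pinned-major-only", f"comment {note!r} names only a major version"
    return "ok", f"{version[:7]} annotated as {note}"

def audit_workflow(text: str) -> list:
    """Return (line_no, ref, status, detail) for every `uses:` line in a workflow."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            status, detail = classify_uses(m["ref"], m["comment"])
            findings.append((line_no, m["ref"], status, detail))
    return findings

if __name__ == "__main__":
    for line_no, ref, status, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{'  ' if status == 'ok' else '!!'} line {line_no}: {ref} -> {status} ({detail})")
```

Run it over each file in `.github/workflows/` in CI so a future edit that reintroduces `@v4`, or pins a SHA without an exact-release comment, fails the build instead of slipping through review.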

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@CLAUDE.md`:
- Around line 63-72: The Skills table in CLAUDE.md references non-existent
skills `/readme` and `/ci-workflow`; either create skill definitions matching
those names (e.g., add skill files that implement `/readme` for
README.md-related actions and `/ci-workflow` for .github/workflows/*.yml) or
remove/update the table entries to point to actual existing skills; locate the
Skills table in CLAUDE.md and ensure the referenced symbols `/readme` and
`/ci-workflow` are implemented under the repository's skills/ or commands/
directories (or replace them with the correct skill names) so subagents won't
fail at runtime.

📥 Commits

Reviewing files that changed from the base of the PR and between 527c793 and 46f37ae.

📒 Files selected for processing (7)
  • .github/workflows/ci.yml
  • .github/workflows/maintenance.yml
  • .github/workflows/release.yml
  • .github/workflows/reusable-release.yml
  • .github/workflows/reusable-test.yml
  • .github/workflows/reusable-validate.yml
  • CLAUDE.md

Comment thread CLAUDE.md
Comment on lines +63 to +72
## Skills

Use the following skills when working on related files:

| File(s) | Skill |
|---------|-------|
| `README.md` | `/readme` |
| `.github/workflows/*.yml` | `/ci-workflow` |

When spawning subagents, always pass conventions from the respective skill into the agent's prompt.


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify that the referenced skills exist in the repository

echo "=== Searching for readme skill ==="
fd -i readme skills/ commands/ || echo "Not found in skills/ or commands/"

echo "=== Searching for ci-workflow skill ==="
fd -i ci-workflow skills/ commands/ || echo "Not found in skills/ or commands/"

echo "=== Listing all skill definitions ==="
fd -e md . skills/ 2>/dev/null | head -20 || echo "No skills directory found"

echo "=== Listing all commands ==="
fd -e md . commands/ 2>/dev/null | head -20 || echo "No commands directory found"

Repository: affaan-m/everything-claude-code

Length of output: 1341


🏁 Script executed:

#!/bin/bash
# Get complete list of all skill directories and files
echo "=== All skill directories ==="
find skills/ -name "SKILL.md" -type f 2>/dev/null | sort

echo "=== All command files ==="
find commands/ -type f -name "*.md" 2>/dev/null | sort

echo "=== Checking for any reference to 'readme' in skill names ==="
find skills/ -iname "*readme*" -type f 2>/dev/null

echo "=== Checking for any reference to 'ci-workflow' in skill/command names ==="
find skills/ commands/ -iname "*ci*" -o -iname "*workflow*" 2>/dev/null | grep -iE "(ci|workflow)"

Repository: affaan-m/everything-claude-code

Length of output: 6396


Both referenced skills do not exist in the repository.

The /readme and /ci-workflow skills referenced in the Skills table (lines 65–68) do not exist. A complete search of the skills/ and commands/ directories confirms neither skill is defined. Subagents attempting to use these skills will fail. Define these skills or remove the references.



@affaan-m affaan-m merged commit dd675d4 into affaan-m:main Mar 30, 2026
4 checks passed
peiking88 pushed a commit to peiking88/everything-claude-code that referenced this pull request Apr 4, 2026
chore: pin actions to commit SHAs and add Skills section to CLAUDE.md
FrancescoRosciano pushed a commit to FRosciano-Mambo/everything-claude-code that referenced this pull request Jun 1, 2026
chore: pin actions to commit SHAs and add Skills section to CLAUDE.md