
fix: pin 6 actions to commit SHA, extract 1 expression to env var#987

Merged: affaan-m merged 1 commit into affaan-m:main from dagecko:runner-guard/fix-ci-security on Mar 28, 2026

Conversation

dagecko (Contributor) commented Mar 28, 2026

Re-submission of #949. Had a problem with my fork and had to delete it, which closed the original PR. Apologies for the noise.

Summary

This PR pins all GitHub Actions to immutable commit SHAs instead of mutable version tags and extracts expressions from run: blocks into env: mappings.

  • Pin 6 unpinned actions to full 40-character SHAs
  • Add version comments for readability
  • Extract 1 expression from run block to env var

Changes by file

| File | Changes |
|---|---|
| release.yml | Pinned softprops/action-gh-release (x2), extracted github.ref_name to env var |
| ci.yml | Pinned pnpm/action-setup, oven-sh/setup-bun |
| reusable-test.yml | Pinned pnpm/action-setup, oven-sh/setup-bun |

How to verify

Review the diff; each change is mechanical and preserves workflow behavior:

  • SHA pinning: action@v3 becomes action@abc123 # v3, original version preserved as comment
  • Expression extraction: ${{ expr }} in run: moves to env: block, referenced as "${ENV_VAR}" in the script
  • No workflow logic, triggers, or permissions are modified

I wrote a scanner called Runner Guard and open sourced it here so you can scan yourself if you want to. Also put up a link to my research on Twitter if you're interested.

If you have any questions, reach out. I'll be monitoring comms.

- Chris Nyhuis (dagecko)


Summary by cubic

Hardened CI by pinning six GitHub Actions to immutable SHAs and moving one inline tag expression to an env var. This removes mutable tags and keeps builds and releases reproducible with no behavior changes.

  • Dependencies
    • Pinned pnpm/action-setup, oven-sh/setup-bun, and softprops/action-gh-release to SHAs in ci.yml, reusable-test.yml, release.yml, and reusable-release.yml.
    • Added version comments next to SHAs for readability.
  • Refactors
    • Moved ${{ github.ref_name }} into REF_NAME env in release.yml for tag validation.

Written for commit 28a1fbc. Summary will update on new commits.

Summary by CodeRabbit

  • Chores
    • Updated continuous integration and release workflows to use pinned dependency versions for improved stability and security.
    • Refactored release validation to use environment variables for better workflow maintainability.
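The two patterns this PR removes can be checked mechanically. The checker below is an added example written for this page; it is not the author's Runner Guard scanner and not code from the repository. It walks workflow text line by line (so it needs no YAML library) and reports (a) any `uses:` whose ref is not a full 40-hex commit SHA, since tags and branches can be moved after the fact, and (b) any `${{ ... }}` that sits inside a `run:` script, since that expression is substituted into the script text before the shell ever runs it, so a value containing shell metacharacters is executed rather than passed as data; an `env:` mapping hands the same value over as a plain environment variable. The "before" and "after" workflow snippets and the all-zero SHA are constructed placeholders, not the repository's real files or commit hashes.

```python
import re

# Added example: a minimal checker for the two fixes this PR makes. It is not
# the author's Runner Guard scanner and not code from the repository.

# `- uses: owner/repo@ref` (optional trailing comment). `./local` and
# `docker://` uses do not match and are left alone.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)")
# A full 40-hex commit SHA is the only ref that cannot be moved later.
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")
# `run:` either inline or starting a block scalar (`|`, `>`, with chomping).
RUN_RE = re.compile(r"^(\s*)-?\s*run:\s*(.*)$")
# `${{ expr }}` is expanded into the script text before the shell runs it.
EXPR_RE = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")


def indent_of(line):
    return len(line) - len(line.lstrip(" "))


def scan_workflow(text):
    """Return (line_no, kind, detail) findings for unpinned actions and for
    expressions interpolated directly into run: scripts."""
    findings = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        m = USES_RE.match(line)
        if m:
            action, ref = m.groups()
            if not SHA40_RE.match(ref):
                findings.append((i + 1, "unpinned-action", f"{action}@{ref}"))
            i += 1
            continue
        rm = RUN_RE.match(line)
        if rm:
            indent, rest = len(rm.group(1)), rm.group(2).strip()
            if rest in ("|", ">", "|-", ">-", "|+", ">+"):
                # Block scalar: every following line indented deeper belongs to it.
                body = []
                j = i + 1
                while j < len(lines) and (not lines[j].strip() or indent_of(lines[j]) > indent):
                    body.append((j + 1, lines[j]))
                    j += 1
                i = j
            else:
                body = [(i + 1, rest)]
                i += 1
            for line_no, content in body:
                for em in EXPR_RE.finditer(content):
                    findings.append((line_no, "expression-in-run", em.group(1)))
            continue
        i += 1
    return findings


# Constructed "before" snippet: mutable tags and an expression inside run:.
BEFORE = r"""
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: pnpm/action-setup@v4
      - uses: oven-sh/setup-bun@v2
      - name: Validate tag
        run: |
          if [[ ! "${{ github.ref_name }}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "tag must look like vX.Y.Z" >&2; exit 1
          fi
      - uses: softprops/action-gh-release@v2
"""

# Placeholder SHA so the example runs offline; a real pin is the action's
# actual commit hash, kept beside a version comment as this PR does.
FAKE_SHA = "0" * 40

# Constructed "after" snippet: SHA pins with version comments, and the tag
# name passed through env so the shell receives it as data.
AFTER = r"""
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: pnpm/action-setup@PLACEHOLDER_SHA # v4
      - uses: oven-sh/setup-bun@PLACEHOLDER_SHA # v2
      - name: Validate tag
        env:
          REF_NAME: ${{ github.ref_name }}
        run: |
          if [[ ! "${REF_NAME}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "tag must look like vX.Y.Z" >&2; exit 1
          fi
      - uses: softprops/action-gh-release@PLACEHOLDER_SHA # v2
""".replace("PLACEHOLDER_SHA", FAKE_SHA)


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {scan_workflow(text) or 'no findings'}")
```

Running it reports three unpinned actions and one interpolated expression in the "before" text and nothing in the "after" text; the `${{ github.ref_name }}` under `env:` is deliberately not reported, because there it is assigned to a variable rather than spliced into shell source. The checker only tells you a ref is not a SHA; whether the SHA you pin really is the commit the version tag pointed at is a separate check against the action's repository.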


coderabbitai (Bot) commented Mar 28, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between f077975 and 28a1fbc.

📒 Files selected for processing (4)
  • .github/workflows/ci.yml
  • .github/workflows/release.yml
  • .github/workflows/reusable-release.yml
  • .github/workflows/reusable-test.yml

Walkthrough

GitHub Actions dependencies across CI/CD workflows are pinned to specific commit SHAs for reproducibility and security. Affected actions include pnpm/action-setup, oven-sh/setup-bun, and softprops/action-gh-release. Release workflow tag validation is refactored to use an environment variable.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Package Manager Actions Pinning: .github/workflows/ci.yml, .github/workflows/reusable-test.yml | pnpm/action-setup and oven-sh/setup-bun GitHub Actions pinned from version tags (@v4, @v2) to specific commit SHAs for consistent package manager setup across workflows. |
| Release Action Pinning: .github/workflows/release.yml, .github/workflows/reusable-release.yml | softprops/action-gh-release pinned from @v2 tag to specific commit SHA for deterministic release creation across release workflows. |
| Release Workflow Configuration: .github/workflows/release.yml | Version tag validation refactored to read GitHub tag name from an explicit REF_NAME environment variable instead of inline github.ref_name reference. |


cubic-dev-ai (Bot) left a comment

No issues found across 4 files

@affaan-m affaan-m merged commit 55efeb7 into affaan-m:main Mar 28, 2026
3 checks passed
peiking88 pushed a commit to peiking88/everything-claude-code that referenced this pull request Apr 4, 2026
…rity

fix: pin 6 actions to commit SHA, extract 1 expression to env var
FrancescoRosciano pushed a commit to FRosciano-Mambo/everything-claude-code that referenced this pull request Jun 1, 2026
…rity

fix: pin 6 actions to commit SHA, extract 1 expression to env var