chore: update ci action pins#45

Merged: mynameistito merged 2 commits into main from chore/update-ci-action-pins, Jun 5, 2026

mynameistito (Owner) commented Jun 5, 2026

Summary

  • Update GitHub Actions to the latest release SHAs.
  • Pin the Bun runtime version in CI/CD instead of using latest.
  • Keep release comments beside each pinned SHA for traceability.

Validation

  • Verified each pinned SHA against the upstream release tag refs.
  • Ran git diff --check.

Summary by cubic

Pins GitHub Actions to the latest release SHAs and sets Bun 1.3.14 across all workflows for reproducible, safer builds. Adds release comments next to each SHA and a patch changeset for publishing.

  • Dependencies
    • actions/checkout → v6.0.3 (SHA pinned)
    • actions/setup-node → v6.4.0 (SHA pinned)
    • oven-sh/setup-bun → v2.2.0; Bun pinned to 1.3.14
    • changesets/action → v1.9.0 (new SHA)
    • actions/github-script → v9.0.0 (SHA pinned)

Written for commit 49898a5. Summary will update on new commits.

Note

Update CI action pins and pin Bun runtime to version 1.3.14

Updates pinned SHAs for actions/checkout, actions/setup-node, oven-sh/setup-bun, changesets/action, and actions/github-script across ci.yml, release.yml, and dependabot-changeset.yml. Bun version is changed from latest to 1.3.14 in all workflows to ensure reproducible builds.

Macroscope summarized 49898a5.
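
A check in the spirit of this PR's pinning rules, as an added example that is not part of the PR or the repository: it audits workflow text offline for `uses:` references that are not a full commit SHA, pinned SHAs with no release comment beside them, and a `bun-version` that is not an exact version. The sample workflow, its SHAs, and the rule names are constructed for this example.

```python
import re

# Constructed sample workflow (not from the PR); the SHAs are placeholders.
SAMPLE = """\
steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.3
  - uses: actions/setup-node@v6
  - uses: oven-sh/setup-bun@89abcdef0123456789abcdef0123456789abcdef
    with:
      bun-version: latest
  - uses: ./.github/actions/local-step
"""

# "uses:" value, optionally quoted, with an optional trailing "# comment".
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(?:#\s*(.*))?$")
BUN = re.compile(r"^\s*bun-version:\s*['\"]?([^\s'\"#]+)")
SHA = re.compile(r"[0-9a-f]{40}")  # full commit SHA; tags and branches can move

def audit(text):
    """Return (line_no, rule, detail) findings for one workflow file's text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if m:
            ref, comment = m.group(1), (m.group(2) or "").strip()
            if ref.startswith(("./", "docker://")):
                continue  # local actions and container images: out of scope here
            name, _, rev = ref.partition("@")
            if not SHA.fullmatch(rev):
                findings.append((n, "unpinned-action", ref))
            elif not re.match(r"v?\d+(\.\d+)*", comment):
                # Pinned, but nothing says which release the SHA corresponds to.
                findings.append((n, "missing-release-comment", name))
            continue
        m = BUN.match(line)
        if m and not re.fullmatch(r"\d+\.\d+\.\d+", m.group(1)):
            findings.append((n, "floating-bun-version", m.group(1)))
    return findings

if __name__ == "__main__":
    for line_no, rule, detail in audit(SAMPLE):
        print(f"line {line_no}: {rule}: {detail}")
```

This only checks the shape of each pin; confirming that a SHA really is the commit behind the release named in its comment still needs a lookup against the upstream tag refs, as the Validation section describes.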

coderabbitai Bot commented Jun 5, 2026

Walkthrough

This PR updates GitHub Actions workflow files to pin newer versions of core setup and automation actions across the CI, dependabot changeset, and release pipelines. Bun is explicitly pinned to version 1.3.14 instead of using latest in all workflows.

Changes

Workflow Action Version Updates

| Layer / File(s) | Summary |
| --- | --- |
| CI workflow test and security job setup actions (.github/workflows/ci.yml) | The test job (lines 22–31) and security job (lines 55–64) now pin newer versions of actions/checkout, actions/setup-node (v6.4.0), and oven-sh/setup-bun with explicit bun-version: 1.3.14. |
| Dependabot changeset workflow setup actions (.github/workflows/dependabot-changeset.yml) | Lines 20–34 update pinned action versions for checkout (v6.0.3), setup-node (v6.4.0), and setup-bun (v2.2.0) with Bun pinned to 1.3.14. |
| Release workflow action versions (.github/workflows/release.yml) | Lines 23–35 pin checkout, setup-node, and setup-bun to newer SHAs with Bun 1.3.14. Lines 54 and 151 upgrade changesets/action and actions/github-script to new pinned commit SHAs. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🐰 Actions renewed with pinned care,
Bun locked at 1.3.14 everywhere!
Workflows now steady, no drift in sight,
CI/CD pipelines shining bright! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly and concisely summarizes the main change: updating CI action pins to specific versions. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description check | ✅ Passed | The PR description clearly and accurately describes the changeset: updating GitHub Actions to pinned release SHAs and pinning Bun to version 1.3.14 across CI/CD workflows. |

cubic-dev-ai Bot (Contributor) left a comment

No issues found across 3 files

sonarqubecloud Bot commented Jun 5, 2026

mynameistito merged commit b6b8c04 into main Jun 5, 2026
13 checks passed
github-actions Bot mentioned this pull request Jun 5, 2026