ci: pin all GitHub Actions to commit SHAs #436

Merged

isuttell merged 2 commits into main from harden/actions-sha-pinning on Jun 8, 2026

Conversation

@isuttell isuttell commented Jun 8, 2026

Contributor

Summary

Supply-chain hardening ahead of the public-repo flip. Every external action across all 8 workflows is now pinned to a full-length commit SHA, with the human-readable version kept in a trailing comment. The local composite action (./.github/actions/setup-security-attestation-tools) is exempt, as are local paths.

This is the prerequisite for turning on the repo's "require actions to be pinned to a SHA" policy (sha_pinning_required), which will be enabled once this merges so a moving tag can't swap action code out from under CI.

Changes

Pinned to SHA (12 actions):

Action Pinned version
actions/checkout v6.0.3
actions/setup-node v6.4.0
actions/setup-python v5.6.0
actions/cache v5.0.5
actions/upload-artifact v7.0.1
actions/download-artifact v7.0.0
actions/github-script v8.0.0
actions/attest-build-provenance v4.1.0
pnpm/action-setup v6.0.8
oven-sh/setup-bun v2.2.0
anchore/scan-action v7.4.0
neondatabase/create-branch-action v6.4.0

Diff is a 1:1 line swap (51 insertions / 51 deletions) — only the ref on each uses: line changed; no structural workflow edits.

Risk

Low. Each SHA was resolved live from the major tag it was already tracking, so behavior is unchanged at merge time. Trade-off: future updates require bumping the pinned SHA (the scheduled dependency-update agent / Dependabot can do this and keep the version comment in sync).

Test plan

  • CI Validate green (parses + runs all workflows on this PR)
  • After merge: enable sha_pinning_required and confirm a tag-pinned uses: is rejected

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated multiple CI/CD workflows to pin third‑party action versions to fixed commit references, improving build reproducibility and supply‑chain stability across preview, deploy, release, security, and housekeeping pipelines. No functional workflow logic or runtime behavior was changed.

Supply-chain hardening ahead of the public-repo flip. Every external
action across all 8 workflows is now pinned to a full-length commit SHA
with the human-readable version in a trailing comment. The local
composite action (./.github/actions/setup-security-attestation-tools)
is exempt.

This is the prerequisite for enabling the repo's "require actions to be
pinned to a SHA" policy, which will be turned on once this merges so a
moving tag can't be used to swap action code out from under CI.

Pinned: actions/{checkout,setup-node,setup-python,cache,upload-artifact,
download-artifact,github-script,attest-build-provenance},
pnpm/action-setup, oven-sh/setup-bun, anchore/scan-action,
neondatabase/create-branch-action.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
coderabbitai Bot commented Jun 8, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 8e0fcc98-4d71-4370-9130-55b85584b602

📥 Commits

Reviewing files that changed from the base of the PR and between e756acb and 53e8529.

📒 Files selected for processing (1)
  • .github/workflows/pr-preview.yml

📝 Walkthrough

Walkthrough

All GitHub Actions uses: references in eight workflow files are changed from floating major-version tags to pinned commit SHAs; no other job logic, inputs, or environment configurations were modified.

Changes

GitHub Actions version pinning

Core CI and validation workflow action pinning
  Files: .github/workflows/ci.yml, .github/workflows/cli-advertise.yml
  Summary: Pin actions/checkout, pnpm/action-setup, actions/setup-node, actions/cache, actions/setup-python, and actions/upload-artifact to specific commit SHAs across CI jobs (changes, secrets, validate).

Release and build process action pinning
  Files: .github/workflows/cli-release.yml
  Summary: Pin actions/checkout, pnpm/action-setup, actions/setup-node, oven-sh/setup-bun, actions/attest-build-provenance, actions/upload-artifact, actions/download-artifact, and anchore/scan-action to commit SHAs in build and release jobs.

Production deployment and security workflow action pinning
  Files: .github/workflows/deploy-production.yml, .github/workflows/security.yml
  Summary: Pin actions/checkout, pnpm/action-setup, actions/setup-node, and actions/upload-artifact to specific commit SHAs for deploy and security attestation/vulnerability scan jobs.

Preview and PR cleanup workflow action pinning
  Files: .github/workflows/deploy-preview.yml, .github/workflows/pr-preview.yml, .github/workflows/pr-preview-cleanup.yml
  Summary: Pin actions/checkout, pnpm/action-setup, actions/setup-node, neondatabase/create-branch-action, and actions/github-script to specific commit SHAs across preview, PR preview, cleanup, and reconcile jobs.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I pinned each action, neat and small,
No floating tags to make builds stall.
Commits lined up, all snug and tight,
Workflows hop along just right.
🥕✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

Check name                Status     Explanation
Description Check         ✅ Passed  Check skipped - CodeRabbit’s high-level summary is enabled.
Title check               ✅ Passed  The title 'ci: pin all GitHub Actions to commit SHAs' clearly and concisely summarizes the main change across all 8 workflow files in the pull request.
Docstring Coverage        ✅ Passed  No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check       ✅ Passed  Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed  Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/deploy-preview.yml:
- Line 39: The workflow pins the wrong commit SHAs for some actions: update the
checkout pin currently set as
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 to the correct SHA for
the v6.0.3 tag (9f698171ed81b15d1823a05fc7211befd50c8ae0), and update
pnpm/action-setup which is pinned to 0e279bb959325dab635dd2c09392533439d90093 to
the correct SHA for v6.0.8 (d15e628ca66d93ee5f352c71671a7bc6a97af5c9); leave
actions/setup-node@v6.4.0 (48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e) as-is.
Ensure the action strings actions/checkout@v6.0.3 and pnpm/action-setup@v6.0.8
are paired with their matching commit SHAs in the workflow.

In @.github/workflows/pr-preview-cleanup.yml:
- Line 46: The workflow references neondatabase/create-branch-action@v6.4.0 but
the pinned SHA fb620d43d4c565abaf088b848a4e28e5c4ea4d9c does not resolve to that
tag; update the action reference in the workflow to a valid tag or commit SHA by
verifying the correct tag for neondatabase/create-branch-action (replace
neondatabase/create-branch-action@v6.4.0 with the correct `@tag` or the exact
commit SHA), or adjust the pinned SHA to match the actual git ref so the tag
verification passes; ensure any other action pins (e.g., actions/checkout,
pnpm/action-setup, actions/setup-node, actions/github-script) remain unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 5a61ff63-16ab-4ddf-a9b6-0ba8e405e4dd

📥 Commits

Reviewing files that changed from the base of the PR and between 92f6287 and e756acb.

📒 Files selected for processing (8)
  • .github/workflows/ci.yml
  • .github/workflows/cli-advertise.yml
  • .github/workflows/cli-release.yml
  • .github/workflows/deploy-preview.yml
  • .github/workflows/deploy-production.yml
  • .github/workflows/pr-preview-cleanup.yml
  • .github/workflows/pr-preview.yml
  • .github/workflows/security.yml

Comment thread .github/workflows/deploy-preview.yml
Comment thread .github/workflows/pr-preview-cleanup.yml
The `v6` major tag this action was pinned from points to the 6.3.1
release commit (also GitHub's "latest release"), not v6.4.0. The SHA is
unchanged (identical to what @v6 resolved to before pinning); only the
trailing version comment is corrected for accuracy.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
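The pin hygiene this PR introduces (a full-length SHA on every external `uses:`, the human-readable version kept in a trailing comment, the local composite action exempt) and the defect CodeRabbit flagged in the inline review (a pinned SHA whose trailing comment names a tag it does not resolve to, corrected in the follow-up commit above) can both be checked mechanically before enabling the policy. The script below is an added example, not code from this repository or from either bot: the workflow text, every SHA in it, and the tag-to-commit map it checks against are constructed placeholders standing in for the peeled output of `git ls-remote --tags`, and `audit_workflow`, `split_ref` and the finding kinds are this example's own names.

```python
"""Audit `uses:` references in a GitHub Actions workflow for SHA-pinning hygiene.

Per external action reference the checks are:
  1. the ref is a full 40-hex commit SHA (what sha_pinning_required enforces);
  2. a trailing `# <tag>` comment is present so Dependabot can bump it;
  3. the pinned SHA is the commit that tag actually resolves to.
Local composite actions (./path) are exempt, matching the PR's policy.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample workflow. The SHAs are synthetic placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.3
      - uses: pnpm/action-setup@fedcba9876543210fedcba9876543210fedcba98 # v6.0.8
      - uses: neondatabase/create-branch-action@89abcdef0123456789abcdef0123456789abcdef # v6.4.0
      - uses: actions/setup-node@v6
      - uses: ./.github/actions/setup-security-attestation-tools
"""

# Constructed stand-in for the peeled `git ls-remote --tags` output of each repo:
# (repo, tag) -> commit the tag points to. Synthetic values; in this sample the
# create-branch-action SHA is really the v6.3.1 commit, the situation the PR hit.
RESOLVED_TAGS: Dict[Tuple[str, str], str] = {
    ("actions/checkout", "v6.0.3"): "0123456789abcdef0123456789abcdef01234567",
    ("pnpm/action-setup", "v6.0.8"): "fedcba9876543210fedcba9876543210fedcba98",
    ("neondatabase/create-branch-action", "v6.4.0"): "1" * 40,
    ("neondatabase/create-branch-action", "v6.3.1"): "89abcdef0123456789abcdef0123456789abcdef",
}

USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)['"]?\s*(?:#\s*(\S+))?""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

Finding = Tuple[int, str, str]  # (workflow line number, kind, detail)


def split_ref(uses: str) -> Tuple[str, str]:
    """'owner/repo/subdir@ref' -> ('owner/repo', 'ref'); the repo is the first two path parts."""
    target, _, ref = uses.partition("@")
    return "/".join(target.split("/")[:2]), ref


def audit_workflow(text: str, resolved: Dict[Tuple[str, str], str]) -> List[Finding]:
    """Return one finding per `uses:` line that fails a check; an empty list means clean."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses, comment = m.group(1), m.group(2)
        if uses.startswith("./"):
            continue  # local action: exempt, there is no external code to pin
        repo, ref = split_ref(uses)
        if not FULL_SHA_RE.match(ref):
            findings.append((lineno, "unpinned",
                             f"{uses}: moving ref; sha_pinning_required would reject it"))
            continue
        if not comment:
            findings.append((lineno, "no-version-comment",
                             f"{uses}: add a trailing '# <tag>' so the pin can be bumped"))
            continue
        expected = resolved.get((repo, comment))
        if expected is None:
            findings.append((lineno, "unresolved", f"{repo}@{comment}: tag not in resolved map"))
        elif expected != ref:
            # Tell the reviewer which tag the SHA really is, if any, so the comment can be fixed.
            actual = [t for (r, t), sha in resolved.items() if r == repo and sha == ref]
            hint = f"; pinned SHA is actually {actual[0]}" if actual else ""
            findings.append((lineno, "sha-tag-mismatch",
                             f"{repo}: comment says {comment} but that tag is {expected[:12]}{hint}"))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in audit_workflow(SAMPLE_WORKFLOW, RESOLVED_TAGS):
        print(f"line {lineno}: {kind}: {detail}")
```

Against the sample this reports the create-branch-action line as a SHA/tag mismatch whose SHA is really v6.3.1, and the `@v6` setup-node line as unpinned. To run it for real, fill the map from `git ls-remote --tags <repo-url>` and take the `^{}` (peeled) entry for annotated tags so you compare against the commit, not the tag object; a major tag such as `v6` moves, so resolve the exact tag named in the comment. The 40-hex check alone only proves the ref is immutable; the map check is what proves it is the release the comment claims.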
@isuttell isuttell merged commit 33474e4 into main Jun 8, 2026
6 checks passed
@isuttell isuttell deleted the harden/actions-sha-pinning branch June 8, 2026 16:23
github-actions Bot commented Jun 8, 2026

agent-paste PR preview resources were cleaned up. The shared Preview GitHub Environment is retained for future preview deploys.
