
chore: pin GitHub Actions to SHAs #43

Merged: mynameistito merged 2 commits into main from chore/pin-actions-to-shas-20260604 on Jun 3, 2026

Conversation

@mynameistito (Owner) commented Jun 3, 2026

Summary

  • Pin external GitHub Actions to full commit SHAs.
  • Keep tracking comments for the latest resolved tag or branch refs.
  • Refresh stale action pins to the latest tracked refs where needed.

Verification

  • Verified all scanned external action refs are SHA-pinned.
  • Verified tracking comments resolve to the pinned SHA.

Summary by cubic

Pin all external GitHub Actions in CI, release, and Dependabot workflows to exact commit SHAs for reproducible and secure runs. Added exact version comments next to each SHA for easier updates.

  • Dependencies
    • Pinned actions/checkout, actions/setup-node, and oven-sh/setup-bun across workflows, tracking v4.3.1, v4.4.0, and v1.2.2.
    • In release, pinned changesets/action and actions/github-script, tracking v1.9.0 and v7.1.0.
    • Replaced tag refs with SHAs in ci.yml, dependabot-changeset.yml, and release.yml.

Written for commit 29737fe.

Note

Pin GitHub Actions to specific commit SHAs across CI workflows

Replaces mutable version tags with full commit SHAs for all third-party actions (actions/checkout, actions/setup-node, oven-sh/setup-bun, changesets/action, actions/github-script) in ci.yml, dependabot-changeset.yml, and release.yml. SHA comments retain the human-readable version for reference.

Macroscope summarized 29737fe.
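The two verification steps in the PR description (every external `uses:` ref is a full commit SHA, and the tracking comment beside it resolves to that SHA) are easy to automate. The script below is an added example, not code from this PR or the repository: it parses workflow text for `uses:` lines, flags any external action pinned to a tag or branch, and checks each `# vX.Y.Z` tracking comment through a resolver callback. The workflow snippets, the `example-org/...` action names, the placeholder SHAs and the `fake_resolve` table are all constructed for the example; in real use the resolver would wrap `git ls-remote` (an assumption about how you would wire it up, not something the PR shows).

```python
"""Verify that external GitHub Actions are pinned to full commit SHAs and that the
tracking comment next to each pin resolves to the pinned SHA.

Added example, not code from this PR or repository. Sample workflows, action names,
SHAs and the tag table are constructed; `resolve` is a hypothetical hook that in
practice would call `git ls-remote https://github.com/<owner>/<repo> refs/tags/<tag>`.
"""
import re
from typing import Callable, Optional

# One `uses:` step: owner/repo[/path]@ref, optionally followed by `# <tracked ref>`.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<tracked>\S+))?"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

Resolver = Callable[[str, str], Optional[str]]


def parse_uses(workflow_text: str):
    """Return (line_no, action, ref, tracked_comment) for each external `uses:` step.
    Local actions (`./path`) have no `@ref` and are skipped: they run at the PR's own
    commit and cannot be pinned independently."""
    found = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            found.append((n, m.group("action"), m.group("ref"), m.group("tracked")))
    return found


def check_workflow(workflow_text: str, resolve: Resolver):
    """Return findings; an empty list means every external action is SHA-pinned and
    every tracking comment resolves (via resolve(repo, tracked)) to the pinned SHA."""
    findings = []
    for n, action, ref, tracked in parse_uses(workflow_text):
        if not FULL_SHA_RE.match(ref):
            findings.append(f"line {n}: {action}@{ref} is a mutable ref, not a 40-hex commit SHA")
            continue
        if tracked is None:
            findings.append(f"line {n}: {action}@{ref[:7]} has no tracking comment")
            continue
        repo = "/".join(action.split("/")[:2])  # drop any sub-path inside the repo
        resolved = resolve(repo, tracked)
        if resolved is None:
            findings.append(f"line {n}: could not resolve {repo} {tracked}")
        elif resolved != ref:
            findings.append(f"line {n}: tracking comment {tracked} resolves to {resolved[:7]} "
                            f"but pin is {ref[:7]} (stale pin or moved tag)")
    return findings


# Constructed placeholder SHAs (not real commits).
SHA_CHECKOUT = "1111111111111111111111111111111111111111"
SHA_SETUP = "2222222222222222222222222222222222222222"
SHA_OLD = "3333333333333333333333333333333333333333"

# Constructed "before" workflow: mutable tag and branch refs, plus a local action.
BEFORE = """\
jobs:
  build:
    steps:
      - uses: example-org/checkout@v4
      - uses: example-org/setup-tool@main
      - uses: ./.github/actions/local-step
"""
# Constructed hardened form: full SHAs with tracking comments.
AFTER = f"""\
jobs:
  build:
    steps:
      - uses: example-org/checkout@{SHA_CHECKOUT} # v4.3.1
      - uses: example-org/setup-tool@{SHA_SETUP} # v1.2.2
      - uses: ./.github/actions/local-step
"""
# Constructed stale pin: the comment claims v4.3.1 but the SHA is an older commit.
STALE = f"""\
jobs:
  build:
    steps:
      - uses: example-org/checkout@{SHA_OLD} # v4.3.1
"""

# Constructed resolver standing in for `git ls-remote`: (repo, tag) -> commit SHA.
FAKE_TAGS = {
    ("example-org/checkout", "v4.3.1"): SHA_CHECKOUT,
    ("example-org/setup-tool", "v1.2.2"): SHA_SETUP,
}


def fake_resolve(repo: str, tracked: str) -> Optional[str]:
    return FAKE_TAGS.get((repo, tracked))


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER), ("stale", STALE)):
        print(name, check_workflow(text, fake_resolve) or "OK")
```

Two caveats when replacing `fake_resolve` with a real `git ls-remote` call: annotated tags resolve to a tag object, not a commit, so compare against the peeled `refs/tags/<tag>^{}` entry; and a tag that resolves to a different SHA than the one pinned is exactly the signal you want, since it means either the pin is stale or the upstream tag was moved. Keeping the `# vX.Y.Z` comment in place also lets Dependabot's `github-actions` updates bump the SHA and the comment together.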

@coderabbitai (Bot) commented Jun 3, 2026

Warning

Review limit reached

@mynameistito, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 59 minutes and 51 seconds.

Your organization has run out of usage credits. Purchase more in the billing tab.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 967c79c1-812e-4a64-8b4d-fa5a0f3a5764

📥 Commits

Reviewing files that changed from the base of the PR and between e1835e9 and 29737fe.

📒 Files selected for processing (3)
  • .github/workflows/ci.yml
  • .github/workflows/dependabot-changeset.yml
  • .github/workflows/release.yml

@cubic-dev-ai (Bot) left a comment

No issues found across 3 files

@sonarqubecloud (Bot) commented Jun 3, 2026

@mynameistito mynameistito merged commit 90e9862 into main Jun 3, 2026
13 checks passed

Labels: None yet

Projects: None yet


1 participant