chore: pin reusable release workflows#717

Merged
curfew-marathon merged 1 commit into
mainfrom
chore/pin-reusable-workflow-version
Jun 29, 2026

Conversation

@SoulPancake SoulPancake commented Jun 29, 2026

Member

…84c73efc5b79318f700f

Description

What problem is being solved?

How is it being solved?

What changes are made to solve it?

References

Review Checklist

  • I have clicked on "allow edits by maintainers".
  • I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
  • The correct base branch is being used, if not main
  • I have added tests to validate that the change in functionality is working as expected

Summary by CodeRabbit

  • Chores
    • Updated automated workflow references to use fixed revisions instead of tracking the latest branch.
    • Improved consistency and predictability of release-related checks and publishing steps.

@SoulPancake SoulPancake requested a review from a team as a code owner June 29, 2026 07:10
Copilot AI review requested due to automatic review settings June 29, 2026 07:10
coderabbitai Bot commented Jun 29, 2026

Contributor

Walkthrough

Three GitHub Actions workflow files update their reusable workflow uses references from the @main branch pointer to a pinned commit SHA (835baf31562809ad9eb884c73efc5b79318f700f).

Changes

Pin reusable workflow references

Pin all reusable workflow refs to commit SHA
  • Files: .github/workflows/main.yaml, .github/workflows/pr-title-conventional-commit.yml, .github/workflows/release-please.yml
  • Summary: the undraft-release, pr-title-check, and release-please jobs each switch their uses: reference from @main to a fixed commit SHA.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped because CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately and concisely summarizes the main change: pinning reusable release workflows to a specific version.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

Copilot AI left a comment

Contributor


Pull request overview

Pins the repository’s reusable GitHub Actions workflow callers to an exact commit SHA from openfga/.github to improve supply-chain integrity and ensure workflow behavior is stable over time.

Changes:

  • Pin release-please reusable workflow reference from @main to commit 835baf31562809ad9eb884c73efc5b79318f700f.
  • Pin PR title conventional-commit check reusable workflow reference from @main to the same commit.
  • Pin the undraft-release reusable workflow reference from @main to the same commit.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

  • .github/workflows/release-please.yml: pins the called reusable release-please workflow to a specific commit SHA.
  • .github/workflows/pr-title-conventional-commit.yml: pins the called reusable PR title check workflow to a specific commit SHA.
  • .github/workflows/main.yaml: pins the called reusable undraft-release workflow to a specific commit SHA.


@coderabbitai coderabbitai Bot left a comment

Contributor


🧹 Nitpick comments (3)
.github/workflows/main.yaml (1)

289-289: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Clarify the pinning comment.

The comment # pin@main is misleading—it reads as though main itself is being pinned, whereas the point of pinning is to replace the mutable branch reference with an immutable commit SHA. The precedent at Line 212 uses # pin@v2.1.0 to denote the semantic version being pinned. Consider # pin or # pin@835baf3 (or a version tag if one exists for this commit) to avoid ambiguity.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/main.yaml at line 289, The workflow pin comment on the
`uses` entry for `openfga/.github/.github/workflows/undraft-release.yml` is
misleading because it suggests pinning `main` rather than the immutable commit
SHA. Update the trailing comment to a neutral pin note like `# pin` or a
specific tag/SHA reference consistent with the existing convention used
elsewhere in the workflow, so the `uses` line clearly indicates what is actually
pinned.
.github/workflows/pr-title-conventional-commit.yml (1)

16-16: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Clarify the pinning comment.

Same issue as in main.yaml: # pin@main is semantically confusing because it suggests pinning to a mutable branch rather than an immutable SHA. Align with the convention used elsewhere (e.g., # pin@v2.1.1) or use a neutral # pin to indicate the SHA is fixed.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr-title-conventional-commit.yml at line 16, The reusable
workflow reference in pr-title-conventional-commit.yml has a misleading pinning
comment: `# pin@main` implies a mutable branch instead of a fixed SHA. Update
the comment on the `uses:
openfga/.github/.github/workflows/pr-title-check.yml@...` entry to match the
established convention in the repo, either using a version-style tag like `#
pin@v2.1.1` or a neutral `# pin` so it clearly indicates the reference is
immutable.
.github/workflows/release-please.yml (1)

39-39: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Clarify the pinning comment.

# pin@main is misleading—pinning replaces the mutable @main reference with an immutable SHA, so the comment should not imply main is the pinned target. Use # pin or a version tag comment consistent with other pinned actions in this repository (e.g., # pin@v2.1.0 style). Given this workflow passes sensitive secrets (RELEASER_APP_PRIVATE_KEY, GPG_PRIVATE_KEY) to the reusable workflow, an accurate pin comment also helps future auditors quickly confirm the SHA is intentional.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-please.yml at line 39, The reusable workflow
reference in the release-please job is already pinned to a commit SHA, but the
trailing comment `# pin@main` is misleading. Update the comment on the `uses`
line in the release-please workflow to reflect that it is an immutable pin,
using the repository’s usual pinned-comment style such as `# pin` or a versioned
pin comment, so the `release-please` workflow and its secret-bearing inputs are
clearly documented.


📥 Commits

Reviewing files that changed from the base of the PR and between 861efd9 and 0df11a1.

📒 Files selected for processing (3)
  • .github/workflows/main.yaml
  • .github/workflows/pr-title-conventional-commit.yml
  • .github/workflows/release-please.yml
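
The change reviewed above swaps `uses: ...@main` for a 40-hex commit SHA, and the three nitpicks concern the trailing `# pin@...` comment on those lines. The script below is an added example, not code from this PR or from the openfga project: it audits caller workflows for exactly those two conditions (a mutable branch or tag ref, and a SHA pin whose comment names a branch) and can rewrite the mutable refs under one repository prefix to a SHA pin. The workflow text it scans is constructed for the example; the SHA 835baf31… is the one quoted in this PR, while the second SHA and the `actions/checkout` step are placeholders.

```python
"""Audit GitHub Actions `uses:` references for immutable commit-SHA pins.

Added example; not part of the openfga PR or the project's tooling.
Two checks, matching the review discussion:
  1. a remote `uses:` reference whose ref is a branch or tag (mutable)
     rather than a full 40-hex commit SHA;
  2. a SHA-pinned reference whose trailing comment reads `# pin@main`
     (or another branch name), which misstates what is pinned.
All workflow text below is constructed for the example. Local
`uses: ./.github/workflows/x.yml` references carry no @ref and are
never matched, which is correct: they are fixed to the caller's commit.
"""
import re
from dataclasses import dataclass

# A `uses:` line: optional list dash, target, "@" + ref, optional "# comment".
USES_RE = re.compile(
    r"^\s*(?:-\s+)?uses:\s*(?P<target>[^@\s]+)@(?P<ref>[^\s#]+)"
    r"\s*(?:#\s*(?P<comment>.*))?$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
BRANCH_COMMENT_RE = re.compile(r"^pin@(main|master|develop|trunk)$")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    target: str
    ref: str
    problem: str


def audit_workflow(path: str, text: str) -> list[Finding]:
    """Return one Finding per `uses:` line that is not a clean SHA pin."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, ref = m["target"], m["ref"]
        comment = (m["comment"] or "").strip()
        if not FULL_SHA_RE.match(ref):
            findings.append(Finding(path, lineno, target, ref,
                                    "mutable ref (branch or tag); pin to a full commit SHA"))
        elif BRANCH_COMMENT_RE.match(comment):
            findings.append(Finding(path, lineno, target, ref,
                                    f"comment '# {comment}' names a branch; use '# pin' or '# pin@<tag>'"))
        elif not comment:
            findings.append(Finding(path, lineno, target, ref,
                                    "SHA pin lacks a comment recording the tag it was resolved from"))
    return findings


def pin_workflow(text: str, target_prefix: str, sha: str, label: str = "pin") -> str:
    """Rewrite mutable `uses:` refs whose target starts with target_prefix to `@sha  # label`.

    Only targets under one prefix are rewritten, because one SHA is only
    meaningful for one repository.
    """
    if not FULL_SHA_RE.match(sha):
        raise ValueError("sha must be a full 40-hex commit id")
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and m["target"].startswith(target_prefix) and not FULL_SHA_RE.match(m["ref"]):
            head = line[: m.start("target")]  # indentation, optional dash, "uses: "
            line = f"{head}{m['target']}@{sha}  # {label}"
        out.append(line)
    return "\n".join(out) + "\n"


PINNED_SHA = "835baf31562809ad9eb884c73efc5b79318f700f"  # the SHA quoted in this PR
FAKE_SHA = "0123456789abcdef0123456789abcdef01234567"    # placeholder, not a real commit

# Constructed caller workflow before the change: every remote ref is mutable.
BEFORE = """\
jobs:
  undraft-release:
    uses: openfga/.github/.github/workflows/undraft-release.yml@main
  pr-title-check:
    uses: openfga/.github/.github/workflows/pr-title-check.yml@main
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

# Constructed caller workflow after the change, including the comment the review flagged.
AFTER = f"""\
jobs:
  undraft-release:
    uses: openfga/.github/.github/workflows/undraft-release.yml@{PINNED_SHA}  # pin@main
  pr-title-check:
    uses: openfga/.github/.github/workflows/pr-title-check.yml@{PINNED_SHA}  # pin
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{FAKE_SHA}  # pin@v4
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        for f in audit_workflow(name, text):
            print(f"{f.path}:{f.line}: {f.target}@{f.ref}: {f.problem}")
```

To obtain the SHA for a pin, resolve the branch once with `git ls-remote https://github.com/openfga/.github refs/heads/main` and review that commit before writing it into the caller. Two caveats the audit above cannot cover: a pinned SHA is only as trustworthy as the review of that commit, and pinning the caller fixes the text of the called workflow but not any mutable `uses:` references that the called workflow itself contains.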

@curfew-marathon curfew-marathon added this pull request to the merge queue Jun 29, 2026
Merged via the queue into main with commit 7ef857a Jun 29, 2026
28 checks passed
@curfew-marathon curfew-marathon deleted the chore/pin-reusable-workflow-version branch June 29, 2026 11:49