
Conversation

@emnul (Contributor) commented Dec 4, 2025

Enhances supply-chain security of GitHub workflows by pinning action versions to specific commit SHAs.

Summary by CodeRabbit

  • Chores
    • Updated build system dependencies to pinned versions for improved reliability and consistency across builds.
    • Enhanced caching mechanism with fallback options to optimize build performance.


@emnul emnul requested review from a team as code owners December 4, 2025 22:45
@coderabbitai (bot) commented Dec 4, 2025

Walkthrough

This PR pins external GitHub Actions to specific commit hashes across CI/CD workflows and the setup action configuration, replacing generic version tags with fixed commit references. The setup action also adds cache restore-keys for broader fallback restoration.

Changes

Setup Action Configuration (.github/actions/setup/action.yml)
  Pins the cache action (turbo-cache and compact-cache) and the setup-node action to specific commit SHAs; adds restore-keys to the Turbo cache step for improved cache restoration fallback.

GitHub Actions Pinning in Workflows (.github/workflows/checks.yml, .github/workflows/codeql.yml, .github/workflows/release.yml, .github/workflows/test.yml)
  Pins actions/checkout to commit 8e8c483db84b4bee98b60c0593521ed34d9990e8 (v6.0.1) across all workflows; codeql.yml additionally pins github/codeql-action/init and github/codeql-action/analyze to commit fe4161a26a8629af62121b670040955b330f9af2; release.yml additionally pins actions/setup-node to commit 395ad3262231945c25e8478fd5baf05154b1d79f.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

  • Verify commit SHA references are correct and correspond to intended action versions
  • Confirm restore-keys configuration in setup action follows expected cache restoration patterns
  • Spot-check consistency of pinned versions across workflow files

Poem

🐇 A rabbit pins down the actions so tight,
Each commit hash locked in place, secure and right,
No drifting upstream, no surprises to fear,
The pipelines now stable throughout the whole year!

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title 'Pin versions to sha commit' directly and concisely describes the main change: replacing generic action version references with pinned commit SHAs across multiple workflow files.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b564b24 and 41de1c6.

📒 Files selected for processing (5)
  • .github/actions/setup/action.yml (2 hunks)
  • .github/workflows/checks.yml (1 hunks)
  • .github/workflows/codeql.yml (1 hunks)
  • .github/workflows/release.yml (2 hunks)
  • .github/workflows/test.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Analyze (javascript)
  • GitHub Check: Run Test Suite
  • GitHub Check: semgrep-cloud-platform/scan
🔇 Additional comments (8)
.github/workflows/checks.yml (1)

22-22: Consistent checkout SHA across workflows.

Reusing the same pinned SHA as other workflows (8e8c483...) is consistent and maintainable.

.github/actions/setup/action.yml (3)

32-32: Cache actions consistently pinned across turbo and compact steps.

Both cache steps use the same pinned SHA (0057852...) for actions/cache@v4.3.0, which is appropriate for identical action versions.

Also applies to: 41-41


36-37: Cache restore-keys added for improved fallback matching.

The new restore-keys pattern allows the Turbo cache to restore from a broader set of keys if the exact key is not found, improving cache hit rates without compromising reproducibility. This is a sensible performance optimization.


49-49: Setup-node SHA pinning consistent with release workflow.

The pinned SHA (395ad...) matches the one used in release.yml, ensuring uniform action versions across the CI/CD pipeline.

.github/workflows/codeql.yml (2)

30-30: Checkout pinning consistent across all workflows.

Reuses the same checkout SHA (8e8c483...) for consistency.


38-38: CodeQL actions properly pinned to the same SHA for coordinated v4 release.

Both init and analyze steps use the same pinned SHA (fe4161a26a8629af62121b670040955b330f9af2), which corresponds to v4.31.6, confirming they are versioned together in a single release.

.github/workflows/test.yml (1)

25-25: Checkout action pinned to specific SHA for supply chain security.

The checkout action is pinned to the full 40-character commit SHA 8e8c483db84b4bee98b60c0593521ed34d9990e8 (v6.0.1), which is the most secure approach and helps mitigate supply chain attacks. This is a best practice per GitHub's security recommendations for GitHub Actions workflows.

.github/workflows/release.yml (1)

19-19: Both release workflow actions correctly pinned to commit SHAs.

actions/checkout (line 19) and actions/setup-node (line 38) are properly pinned to their full commit SHAs with version comments. The SHAs are verified: 8e8c483db84b4bee98b60c0593521ed34d9990e8 for v6.0.1 and 395ad3262231945c25e8478fd5baf05154b1d79f for v6.1.0.



@emnul emnul added the CI Changes relating to CI/CD processes label Dec 4, 2025
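The bot's review checklist above asks a reviewer to verify that every `uses:` reference is a full commit SHA and that the SHA corresponds to the intended release. The following is an added example written for this page, not code from the PR or the project: a small standard-library lint that pulls `uses:` lines out of workflow text with a regex (no YAML parser needed for this check), classifies each ref as SHA, abbreviated SHA, tag, branch or repo-local, and reports what should change. The `SAMPLE_WORKFLOW` input is constructed for the demo; its SHA/version pairs are the ones quoted in the walkthrough, and the `0057852` line deliberately uses only the short prefix the review comments show, to illustrate an abbreviated pin. `verify_command` builds the `git ls-remote` invocation a reviewer would run (network access, done outside this script) to confirm the commented tag really resolves to the pinned SHA.

```python
"""Lint GitHub Actions workflow text for mutable `uses:` references.

Added example for this page; not code from the PR or the project.
Standard library only: a regex extracts each `uses:` line, the ref is
classified, and findings are returned as strings. SAMPLE_WORKFLOW is a
constructed input that mixes unpinned, abbreviated and SHA-pinned steps.
"""
import re
from dataclasses import dataclass
from typing import Optional

# `- uses: owner/repo[/sub/path]@ref  # optional version comment`
USES_RE = re.compile(
    r"^\s*(?:-\s+)?uses:\s*(?P<action>[^@\s]+)(?:@(?P<ref>\S+))?"
    r"(?:\s+#\s*(?P<comment>.*\S))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")
VERSION_TAG_RE = re.compile(r"^v?\d+(?:\.\d+){0,2}$")   # v6, v6.0, v6.0.1


@dataclass
class UsesRef:
    line: int
    action: str
    ref: Optional[str]
    comment: Optional[str]

    @property
    def kind(self) -> str:
        """Classify how the action is referenced."""
        if self.action.startswith(("./", "docker://")):
            return "local"          # repo-local or container action: nothing to pin
        if self.ref is None:
            return "unversioned"    # resolves to the default branch
        if FULL_SHA_RE.match(self.ref):
            return "sha"
        if SHORT_SHA_RE.match(self.ref):
            return "short-sha"
        if VERSION_TAG_RE.match(self.ref):
            return "tag"
        return "branch"


def parse_uses(text: str) -> list[UsesRef]:
    """Return every `uses:` reference in the workflow text, in file order."""
    refs = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            refs.append(UsesRef(n, m["action"], m["ref"], m["comment"]))
    return refs


def lint(text: str) -> list[str]:
    """One finding per `uses:` line that should change; an empty list is clean."""
    out = []
    for r in parse_uses(text):
        where = f"line {r.line}: {r.action}@{r.ref or ''}"
        if r.kind in ("tag", "branch", "unversioned"):
            # Tags and branches can be moved by whoever controls the action repo.
            out.append(f"{where}: mutable ref, pin to a full 40-char commit SHA")
        elif r.kind == "short-sha":
            out.append(f"{where}: abbreviated SHA is not immutable, use all 40 chars")
        elif r.kind == "sha" and not r.comment:
            out.append(f"{where}: add a '# vX.Y.Z' comment so reviewers know which release this is")
    return out


def verify_command(r: UsesRef) -> str:
    """Shell command to check that the commented tag resolves to the pinned SHA.

    For an annotated tag `git ls-remote` prints two lines; the one whose ref
    ends in `^{}` is the peeled commit, and that is the SHA to compare.
    """
    owner_repo = "/".join(r.action.split("/")[:2])   # drop sub-paths such as /init
    tag = (r.comment or "").split()[0]
    return f"git ls-remote --tags https://github.com/{owner_repo} {tag}"


# Constructed sample, not one of the PR's real workflow files.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@main
      - uses: actions/cache@0057852
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - uses: github/codeql-action/init@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6
      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
      - uses: ./.github/actions/setup
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_WORKFLOW):
        print(finding)
    for r in parse_uses(SAMPLE_WORKFLOW):
        if r.kind == "sha" and r.comment:
            print(verify_command(r))
```

Run against real files with `lint(open(".github/workflows/release.yml").read())`. The lint deliberately treats a SHA without a version comment as a finding rather than a pass: the SHA is what makes the pin immutable, but the comment is what lets a reviewer (and tools that bump pins) tell which release it is without resolving it.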
@andrew-fleming (Contributor) left a comment

LGTM!

@emnul emnul merged commit a8e28ae into main Dec 5, 2025
9 checks passed
@emnul emnul deleted the pin-actions-deps branch December 5, 2025 00:04

3 participants