ci(workflows): pin GitHub Actions dependencies to commit SHAs

[gkorland]

Summary

Pin all third-party GitHub Actions to their full commit SHA for supply-chain security.

Changes

• Pin 15 action references across 6 workflow files to commit SHAs
• Version tags preserved in comments for readability

Changed Files

• .github/workflows/dependency-review.yml
• .github/workflows/frontend.yml
• .github/workflows/lint.yml
• .github/workflows/publish-docker.yml
• .github/workflows/spellcheck.yml
• .github/workflows/tests.yml

Testing

• Workflow syntax is unchanged; only the @ref portion of uses: directives is modified
• All pinned SHAs correspond to the exact same code as the original version tags

Memory / Performance Impact

N/A - CI configuration only.

Related Issues

Closes #20

Summary by CodeRabbit

• Chores
  • Updated GitHub Actions workflow dependencies to use pinned commit references for improved security and build reproducibility.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 8ba8219.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	de0fac2e4500dabe0009e67214ff5f5447ce83dd	🟢 6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/rojopolis/spellcheck-github-actions	e3cd8e9aec4587ec73bc0e60745aafd45c37aa2e	🟢 4.8	Details Check Score Reason Code-Review ⚠️ 1 Found 1/9 approved changesets -- score normalized to 1 Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/actions/checkout	de0fac2e4500dabe0009e67214ff5f5447ce83dd	🟢 6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/setup-node	53b83947a5a98c8d113130e565377fae1a50d02f	🟢 6	Details Check Score Reason Maintained 🟢 9 11 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 9 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 9 binaries present in source code Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 1 branch protection is not maximal on development and all release branches SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9
actions/actions/setup-python	a309ff8b426b58ec0e2a45f0f869d46889d02405	🟢 5.3	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 3 4 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9

Scanned Files

• .github/workflows/spellcheck.yml
• .github/workflows/tests.yml

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9149bcde-3a66-4edf-9e87-b036e3d86c4f

📥 Commits

Reviewing files that changed from the base of the PR and between 46569b8 and 8ba8219.

📒 Files selected for processing (6)

• .github/workflows/dependency-review.yml
• .github/workflows/frontend.yml
• .github/workflows/lint.yml
• .github/workflows/publish-docker.yml
• .github/workflows/spellcheck.yml
• .github/workflows/tests.yml

---

📝 Walkthrough

Walkthrough

GitHub Actions across six workflow files were pinned to specific commit SHAs instead of mutable version tags for supply-chain security, with version information preserved in comments.

Changes

Cohort / File(s)	Summary
GitHub Actions Pinning .github/workflows/dependency-review.yml, .github/workflows/frontend.yml, .github/workflows/lint.yml, .github/workflows/publish-docker.yml, .github/workflows/spellcheck.yml, .github/workflows/tests.yml	Pinned 15 GitHub Actions to commit SHAs across all workflows: actions/checkout, actions/setup-python, actions/setup-node, actions/dependency-review-action, docker/login-action, docker/metadata-action, docker/build-push-action, and rojopolis/spellcheck-github-actions. All changes preserve version tags as comments for readability.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 Whiskers twitched—the tags are gone,
SHAs pinned, all night till dawn,
No more tricks in supply-chain locks,
Just commit hashes, solid as rocks! 🔐

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the primary change: pinning GitHub Actions dependencies to commit SHAs across CI workflows.
Linked Issues check	✅ Passed	All objectives from issue #20 are met: 15 action references pinned across six workflow files with commit SHAs, version tags preserved in comments for readability, and supply-chain security improved as required.
Out of Scope Changes check	✅ Passed	All changes are in-scope: only GitHub Actions uses: directives were updated to pin commit SHAs, with no unrelated modifications to workflow logic, configuration, or other aspects.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/pin-workflow-deps

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}