
Pin GitHub Actions to commit SHAs #1580

Merged
bdraco merged 1 commit into main from pin-action-shas on Apr 13, 2026

Conversation

@jesserockz
Member

Summary

Pin all GitHub Action and reusable workflow references to their full commit SHAs
instead of mutable tags or branch names.

Closes #1577

Why?

Referencing actions by tag (e.g., actions/checkout@v4) is convenient but
carries a supply-chain risk: tags are mutable and can be force-pushed to point
at arbitrary commits. If an action's tag is compromised, every workflow that
references it by tag will silently run the attacker's code.

Pinning to a full 40-character commit SHA (e.g.,
actions/checkout@11bd719...) makes the reference immutable. Even if a tag is
tampered with, workflows pinned to a SHA will continue to use the exact code
that was reviewed and trusted.

A version comment is included next to each SHA for readability
(e.g., actions/checkout@11bd719... # v4.2.2).

References

Replace mutable tag references with immutable commit SHAs
to prevent supply-chain attacks via compromised tags.
Version comments are preserved for readability.

codspeed-hq Bot commented Apr 13, 2026

Merging this PR will not alter performance

✅ 11 untouched benchmarks


Comparing pin-action-shas (8f1b352) with main (31e0920) [1]


Footnotes

  [1] No successful run was found on main (f89a1d0) during the generation of this report, so 31e0920 was used instead as the comparison base. There might be some changes unrelated to this pull request in this report.


codecov Bot commented Apr 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (31e0920) to head (8f1b352).
⚠️ Report is 6 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff            @@
##              main     #1580   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           25        25           
  Lines         3988      3988           
=========================================
  Hits          3988      3988           



coderabbitai Bot commented Apr 13, 2026

Walkthrough

Five GitHub Actions workflow files have been updated to pin third-party action references to specific commit SHAs instead of mutable version tags. The changes maintain all existing workflow logic, inputs, and conditional behavior while hardening against supply-chain attacks.

Changes

Cohort / File(s): GitHub Actions security hardening
.github/workflows/ci.yml, .github/workflows/docker.yml, .github/workflows/labeler.yml, .github/workflows/release-drafter.yml, .github/workflows/release.yml
Summary: Pinned GitHub Actions references (actions/checkout, actions/setup-python, actions/cache, actions/upload-artifact, codecov/codecov-action, docker/*, pypa/*, release-drafter/release-drafter, etc.) to specific commit SHAs with version comment annotations. No workflow logic or conditional behavior changed.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • #920 — Also updates docker workflow action references (different version bump strategy but related to same workflow file).

Suggested labels

github_actions, dependencies

Suggested reviewers

  • bdraco
🚥 Pre-merge checks: 5 passed
  • Title check: ✅ Passed. The title clearly and concisely summarizes the main objective: pinning GitHub Actions to commit SHAs, which directly matches all changes across the five workflow files.
  • Description check: ✅ Passed. The description is directly related to the changeset, explaining the rationale for pinning actions to commit SHAs and referencing issue #1577, which this PR closes.
  • Linked Issues check: ✅ Passed. The PR successfully addresses all 15 unpinned action references from issue #1577 across ci.yml, docker.yml, labeler.yml, release-drafter.yml, and release.yml, each pinned to a commit SHA with version comments.
  • Out of Scope Changes check: ✅ Passed. All changes are in scope: only GitHub Actions references are updated to commit SHAs in workflow files, with no unrelated modifications to application code or other systems.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yml:
- Line 150: The workflow is pinning CodSpeedHQ/action to a non-existent release
SHA (CodSpeedHQ/action@db35df748deb45fdef0960669f57d627c1956c30); update the
action reference in the uses line (CodSpeedHQ/action@...) to a valid tag such as
v4.13.0 (or another released tag/commit SHA) so the runner can fetch the correct
release.
- Line 129: The workflow currently pins the Codecov action to the wrong commit
SHA (uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2);
update that pinned SHA to the commit that matches the v6.0.0 tag
(cfcde7842b7f5a94a06364a1737f123c56eace94) so the action reference reflects the
actual v6.0.0 release.

In @.github/workflows/release-drafter.yml:
- Line 17: Update the pinned release-drafter action to a real released tag:
replace the non-existent commit SHA/label for release-drafter/release-drafter
(currently referencing v7.2.0) with an actual released version such as v7.1.1;
locate the uses: release-drafter/release-drafter@... entry in the workflow and
change it to use the released tag (e.g.,
release-drafter/release-drafter@v7.1.1).

In @.github/workflows/release.yml:
- Line 67: Replace the incorrect commit SHA pinned in the cibuildwheel action
reference (pypa/cibuildwheel@8d2b08b68458a16aeb24b64e68a09ab1c8e82084) with the
correct commit SHA that actually corresponds to the v3.4.1 tag, or simply pin to
the tag itself (pypa/cibuildwheel@v3.4.1); update the uses line so the action
commit/tag matches v3.4.1.
- Line 34: The actions/checkout pin is incorrect: update both occurrences of the
actions/checkout@v6.0.2 entry to use the correct commit SHA
(0c366fd6a839edf440554fa01a7085ccba70ac98) or remove the SHA and use the tag
reference (actions/checkout@v6.0.2) instead; locate the two entries of
actions/checkout@v6.0.2 in the workflow and replace the wrong hash
(de0fac2e4500dabe0009e67214ff5f5447ce83dd) with the correct one or switch them
to the tag-only form.

ℹ️ Review info: configuration used Organization UI; review profile CHILL; plan Pro; run ID d034a025-55dd-4e73-9ac4-eff2d5ad14ad.

📥 Commits

Reviewing files that changed from the base of the PR and between f89a1d0 and 8f1b352.

📒 Files selected for processing (5)
  • .github/workflows/ci.yml
  • .github/workflows/docker.yml
  • .github/workflows/labeler.yml
  • .github/workflows/release-drafter.yml
  • .github/workflows/release.yml
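The rule the PR description states (every `uses:` reference pinned to a full 40-hex commit SHA, with a version comment) and the failure mode the review above flags (a pinned SHA that is not the commit the commented tag actually points at), as an added example that is not part of this PR or the project's code: a small Python audit of workflow text. It assumes the tag is resolved with `git ls-remote https://github.com/<owner>/<repo> refs/tags/<tag>` and that that output is handed in as text; the sample workflow, ls-remote lines and SHAs below are constructed placeholders.

```python
import re
# A `uses:` step reference: owner/repo[/subpath]@ref, optionally followed by "# vX.Y.Z".
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<repo>[\w.-]+/[\w.-]+)(?:/[\w.-]+)*@(?P<ref>\S+)"
    r"(?:\s+#\s*(?P<comment>\S+))?"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    """Classify each remote action reference as 'sha', 'sha-no-comment', 'tag' or 'branch'."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:  # local (./...) and docker:// references have no @ref and are skipped
            continue
        repo, ref, comment = m.group("repo", "ref", "comment")
        if FULL_SHA_RE.match(ref):
            kind = "sha" if comment else "sha-no-comment"
        elif re.match(r"^v?\d", ref):
            kind = "tag"
        else:
            kind = "branch"
        findings.append((lineno, repo, ref, comment, kind))
    return findings

def commit_for_tag(ls_remote_output, tag):
    """Commit SHA for `tag` from `git ls-remote` output. An annotated tag is listed twice: the
    tag object and the peeled commit as refs/tags/<tag>^{}; the workflow must pin the latter."""
    refs = {}
    for line in ls_remote_output.splitlines():
        sha, _, ref = line.partition("\t")
        refs[ref] = sha
    return refs.get(f"refs/tags/{tag}^{{}}") or refs.get(f"refs/tags/{tag}")

def pin_matches_comment(finding, ls_remote_output):
    """True only when the pinned SHA equals the commit the version comment's tag resolves to."""
    _, _, ref, comment, kind = finding
    return kind == "sha" and commit_for_tag(ls_remote_output, comment) == ref

# Constructed sample workflow and ls-remote output; these SHAs are placeholders, not real commits.
GOOD_SHA, TAG_OBJ = "a" * 40, "b" * 40
SAMPLE_WORKFLOW = f"""
steps:
  - uses: actions/checkout@{GOOD_SHA} # v6.0.2
  - uses: actions/setup-python@v5
  - uses: example/action@{'c' * 40}
  - uses: ./.github/actions/local
"""
SAMPLE_LS_REMOTE = f"{TAG_OBJ}\trefs/tags/v6.0.2\n{GOOD_SHA}\trefs/tags/v6.0.2^{{}}\n"
```

A pin whose comment names a tag the remote does not have makes commit_for_tag return None, so the check fails closed; quoted forms such as `uses: "owner/repo@v1"` are not matched by USES_RE and would need the regex extended.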

@bdraco bdraco merged commit 56880d9 into main Apr 13, 2026
15 checks passed
@bdraco bdraco deleted the pin-action-shas branch April 13, 2026 20:08
@github-actions github-actions Bot locked and limited conversation to collaborators Apr 19, 2026
Development: Successfully merging this pull request may close these issues: Pin GitHub Actions to commit SHAs.

2 participants