
chore: pin all GitHub Actions to commit SHAs#136

Merged
KooshaPari merged 1 commit into main from chore/pin-github-actions-20260430 on May 1, 2026

Conversation

@KooshaPari
Owner

@KooshaPari KooshaPari commented May 1, 2026

User description

Pinned all GitHub Actions to specific commit SHAs for improved security and reproducibility. Actions pinned: checkout, setup-python, upload-artifact, github-script, cache, setup-node, deploy-pages, configure-pages, upload-pages-artifact, setup-java, download-artifact.

Note

Low Risk
Low risk: workflow-only changes that pin third-party actions to immutable commit SHAs for supply-chain hardening; behavior should remain the same aside from using the pinned revisions.

Overview
Pins GitHub Actions used across CI, security scanning, releases, and docs deploy workflows from version tags (e.g., @v4, @v5, @v6) to specific commit SHAs for improved reproducibility and supply-chain security.

This updates usages of actions/checkout, actions/setup-python, actions/upload-artifact, actions/download-artifact, actions/github-script, actions/cache, actions/setup-node, actions/setup-java, and GitHub Pages actions (configure-pages, upload-pages-artifact, deploy-pages) without changing the workflows’ steps/logic otherwise.

Reviewed by Cursor Bugbot for commit 4eca096.


CodeAnt-AI Description

Pin GitHub Actions to fixed revisions across workflows

What Changed

  • GitHub Actions used in CI, security checks, releases, docs deployment, and validation now run from fixed commit revisions instead of moving version tags
  • Checkout, Python, Node, Java, cache, artifact upload/download, GitHub script, and Pages deployment steps were updated where they are used
  • Workflow steps and results stay the same, but runs now use the same action versions every time

Impact

✅ More consistent CI runs
✅ Lower supply-chain risk in workflows
✅ Fewer unexpected workflow changes


- Pin actions/checkout to specific versions
- Pin actions/setup-python, upload-artifact, github-script, etc.
- Ensures reproducible and secure CI runs
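A checker for the property this PR enforces, added here as an example and not part of the repository or of any bot's output: it scans workflow text for `uses:` references that are not full 40-hex commit SHAs (tags such as `@v3` can be moved to different code) and for SHA pins that carry no version comment, which makes them hard to audit and to update. The sample workflow and its `# v4` comment are constructed from the lines quoted on this page.

```python
import re
import sys
from typing import List, NamedTuple, Optional

# A full 40-hex commit SHA is the only immutable ref; tags and branches can move.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo[/path]@ref" with an optional trailing "# v1.2.3" comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?(?:\s*#\s*(\S+))?")


class UsesRef(NamedTuple):
    line_no: int
    action: str
    ref: str
    version_comment: Optional[str]


def parse_uses(workflow_text: str) -> List[UsesRef]:
    """Extract every remote action reference from a workflow file."""
    refs = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, comment = m.group(1), m.group(2)
        # Local ("./...") and container ("docker://...") actions have no git ref to pin.
        if target.startswith("./") or target.startswith("docker://") or "@" not in target:
            continue
        action, ref = target.rsplit("@", 1)
        refs.append(UsesRef(line_no, action, ref, comment))
    return refs


def find_unpinned(workflow_text: str) -> List[UsesRef]:
    """Remote actions still referenced by a tag or branch instead of a commit SHA."""
    return [r for r in parse_uses(workflow_text) if not SHA_RE.match(r.ref)]


def find_pins_without_comment(workflow_text: str) -> List[UsesRef]:
    """SHA pins with no '# vX' comment; reviewers and update bots rely on that comment."""
    return [r for r in parse_uses(workflow_text)
            if SHA_RE.match(r.ref) and r.version_comment is None]


# Constructed sample mirroring the snippets quoted in this PR's review comments.
SAMPLE_WORKFLOW = """\
jobs:
  analyze:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/analyze@v3
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
        with:
          python-version: '3.11'
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    # Usage: python check_pins.py .github/workflows/*.yml   (no args: scan the sample)
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [("sample", SAMPLE_WORKFLOW)]
    for name, text in sources:
        for r in find_unpinned(text):
            print(f"{name}:{r.line_no}: {r.action}@{r.ref} is not pinned to a commit SHA")
        for r in find_pins_without_comment(text):
            print(f"{name}:{r.line_no}: {r.action} pin lacks a version comment")
```

Run it over `.github/workflows/*.yml` as a CI step and fail the job when either list is non-empty to keep the pinning policy from regressing.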
Copilot AI review requested due to automatic review settings May 1, 2026 03:41

@coderabbitai

coderabbitai Bot commented May 1, 2026


📥 Commits

Reviewing files that changed from the base of the PR and between 8a54b27 and 4eca096.

📒 Files selected for processing (21)
  • .github/workflows/audit.yml
  • .github/workflows/benchmark.yml
  • .github/workflows/cargo-deny.yml
  • .github/workflows/changelog.yml
  • .github/workflows/ci.yml
  • .github/workflows/deploy.yml
  • .github/workflows/evidence-capture.yml
  • .github/workflows/gate-check.yml
  • .github/workflows/policy-gate.yml
  • .github/workflows/publish.yml
  • .github/workflows/release.yml
  • .github/workflows/rust-release.yml
  • .github/workflows/sbom.yml
  • .github/workflows/scorecard.yml
  • .github/workflows/security-guard.yml
  • .github/workflows/security.yml
  • .github/workflows/snyk-scan.yml
  • .github/workflows/sonarcloud.yml
  • .github/workflows/spec-validation.yml
  • .github/workflows/sync-canary.yml
  • .github/workflows/traceability-gate.yml

Warning

.coderabbit.yaml has a parsing error

The CodeRabbit configuration file in this repository has a parsing error and default settings were used instead. Please fix the error(s) in the configuration file. You can initialize chat with CodeRabbit to get help with the configuration file.

💥 Parsing errors (1)
unknown escape sequence in ".coderabbit.yaml" (41:11)

 38 |       - "async_await_patterns"
 39 |     patterns_to_watch:
 40 |       - "^unsafe "
 41 |       - "\.unwrap\(\)"
----------------^
 42 |       - "\.expect\("
 43 |       - "std::panic"
⚙️ Configuration instructions
  • Please see the configuration documentation for more information.
  • You can also validate your configuration using the online YAML validator.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

@github-actions

github-actions Bot commented May 1, 2026

Legacy Tooling Scan Report

Total violations: 100

Severity Count
critical 0
high 0
medium 100
low 0

Top findings:

  • MEDIUM LT-GEN-005: src/thegent/planning/remediation_planner.py:1
  • MEDIUM LT-GEN-005: tests/test_phench_runtime.py:1
  • MEDIUM LT-GEN-005: tests/bdd/main.rs:1
  • MEDIUM LT-GEN-005: python/src/agileplus_mcp/grpc_client.py:1
  • MEDIUM LT-GEN-005: python/src/agileplus_proto/gen/agileplus/v1/integrations_pb2_grpc.py:1

@github-actions

github-actions Bot commented May 1, 2026

🔒 Snyk Security Scan Results

Snyk vulnerability scan completed. View results in GitHub Code Scanning dashboard.

@codeant-ai codeant-ai Bot added the size:M This PR changes 30-99 lines, ignoring generated files label May 1, 2026

@codeant-ai

codeant-ai Bot commented May 1, 2026

CodeAnt AI finished reviewing your PR.

Copilot AI left a comment

Pull request overview

Pins commonly used GitHub Actions in CI/security/release workflows to immutable commit SHAs to improve supply-chain security and make runs more reproducible across time.

Changes:

  • Replaced version tags (e.g., @v4, @v5, @v6, @v7) with full commit SHAs for several actions/* steps across workflows.
  • Pinned artifact-related steps (upload-artifact, download-artifact, Pages artifact steps) and runtime setup steps (setup-python, setup-node, setup-java).
  • Pinned caching and Pages deployment/configuration actions to commit SHAs.

Reviewed changes

Copilot reviewed 21 out of 21 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
.github/workflows/traceability-gate.yml Pins actions/checkout and actions/setup-python to SHAs for traceability gate runs.
.github/workflows/sync-canary.yml Pins actions/checkout to a SHA for canary sync workflow.
.github/workflows/spec-validation.yml Pins actions/setup-python and actions/github-script to SHAs in spec validation workflow.
.github/workflows/sonarcloud.yml Pins actions/setup-java to a SHA for SonarCloud workflow.
.github/workflows/snyk-scan.yml Pins actions/setup-node, actions/github-script, and actions/upload-artifact to SHAs for Snyk workflows.
.github/workflows/security.yml Pins actions/checkout and actions/setup-python to SHAs across multiple security jobs.
.github/workflows/security-guard.yml Pins actions/checkout to a SHA for security guard workflow.
.github/workflows/scorecard.yml Pins actions/upload-artifact to a SHA for scorecard artifact upload.
.github/workflows/sbom.yml Pins actions/upload-artifact to a SHA for SBOM artifact upload.
.github/workflows/rust-release.yml Pins actions/download-artifact to a SHA for release artifact retrieval.
.github/workflows/release.yml Pins actions/checkout, actions/upload-artifact, and actions/download-artifact to SHAs for release pipeline.
.github/workflows/publish.yml Pins actions/checkout to a SHA for publish workflow.
.github/workflows/policy-gate.yml Pins actions/checkout to a SHA for policy gate workflow.
.github/workflows/gate-check.yml Pins actions/checkout to a SHA for gate check workflow.
.github/workflows/evidence-capture.yml Pins actions/cache and actions/upload-artifact to SHAs for evidence capture.
.github/workflows/deploy.yml Pins Pages-related actions (configure-pages, upload-pages-artifact, deploy-pages) to SHAs.
.github/workflows/ci.yml Pins actions/checkout and actions/setup-python to SHAs across CI jobs.
.github/workflows/changelog.yml Pins actions/checkout to a SHA for changelog automation.
.github/workflows/cargo-deny.yml Pins actions/checkout to a SHA for cargo-deny workflow.
.github/workflows/benchmark.yml Pins actions/checkout to a SHA for benchmark workflow.
.github/workflows/audit.yml Pins actions/checkout and actions/upload-artifact to SHAs for audit workflow.
Comments suppressed due to low confidence (1)

.github/workflows/security.yml:75

  • This PR aims to pin GitHub Actions to immutable SHAs, but the CodeQL steps still use moving refs (github/codeql-action/*@v3). For supply-chain security and reproducibility, please pin these github/codeql-action references to commit SHAs as well (including init, analyze, and the upload-sarif step later in this workflow).
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/analyze@v3


Comment on lines +141 to 142
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b
with:
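Review bot: the pin on `uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b` carries no trailing version comment, so a reader cannot tell which release the SHA was resolved from without querying the upstream repository. Record it inline as `uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # vX.Y.Z`, substituting the tag the SHA was resolved from; Dependabot and Renovate use that comment to keep SHA-pinned actions updated.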
Comment on lines +28 to 30
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
with:
python-version: '3.11'
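Review bot: before merging, verify that `a26af69be951a213d495a4c3e4e4022e16d87065` actually exists in the upstream `actions/setup-python` repository and points at a released tag, for example with `git ls-remote https://github.com/actions/setup-python` and comparing the listed tag SHAs; a mistyped or unreleased SHA fails every job that uses it, and one copied from an untrusted source defeats the purpose of pinning. Add the resolved tag as a `# vX` comment on the `uses:` line, as with the other pins in this PR.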

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 5 potential issues.

Reviewed by Cursor Bugbot for commit 4eca096.

Repository owner deleted a comment from cursor Bot May 1, 2026
Repository owner deleted a comment from cursor Bot May 1, 2026
Repository owner deleted a comment from cursor Bot May 1, 2026
Repository owner deleted a comment from cursor Bot May 1, 2026
Repository owner deleted a comment from cursor Bot May 1, 2026
@KooshaPari KooshaPari enabled auto-merge (squash) May 1, 2026 03:57
Owner Author

@KooshaPari KooshaPari left a comment


Resolving comments for merge

@KooshaPari KooshaPari merged commit 0568450 into main May 1, 2026
42 of 64 checks passed
@KooshaPari KooshaPari deleted the chore/pin-github-actions-20260430 branch May 1, 2026 04:05
@KooshaPari
Owner Author

Acknowledged - will address in follow-up PR

@KooshaPari KooshaPari restored the chore/pin-github-actions-20260430 branch May 1, 2026 04:53
@KooshaPari KooshaPari added the layered-pr-exception Allow fix/* PRs to target main for narrow governance exceptions label May 1, 2026
@KooshaPari KooshaPari deleted the chore/pin-github-actions-20260430 branch May 1, 2026 04:56

@codeant-ai codeant-ai Bot added size:M This PR changes 30-99 lines, ignoring generated files and removed size:M This PR changes 30-99 lines, ignoring generated files labels May 8, 2026
@codeant-ai

codeant-ai Bot commented May 8, 2026

Sequence Diagram

This PR updates all GitHub workflows to call specific commit SHAs for core GitHub Actions so that builds, tests, security scans, and releases run with immutable action versions while keeping the overall behavior the same.

sequenceDiagram
    participant Developer
    participant GitHub
    participant CIWorkflow
    participant PinnedActions
    participant ProjectPipelines

    Developer->>GitHub: Push code or open pull request
    GitHub->>CIWorkflow: Trigger CI, security, release, and docs workflows
    CIWorkflow->>PinnedActions: Run checkout, setup tools, cache, pages and artifact actions
    PinnedActions-->>CIWorkflow: Provide deterministic action behavior
    CIWorkflow->>ProjectPipelines: Execute builds, tests, scans, and releases
    ProjectPipelines-->>CIWorkflow: Return job results and artifacts
    CIWorkflow-->>Developer: Report workflow status and outputs

Generated by CodeAnt AI
