chore: pin GitHub Actions to immutable SHAs

[KooshaPari]

Pin GitHub Actions to immutable SHA references for supply chain security.

🤖 Generated with Claude Code

---

Note

Low Risk
Low risk workflow-only change; it just pins actions/checkout to a specific commit for supply-chain hardening with no effect on application runtime behavior.

Overview
Pins actions/checkout from @v4 to an immutable commit SHA (v4.1.1) in the fr-coverage and quality-gate GitHub Actions workflows to improve CI supply-chain security.

^{Reviewed by Cursor Bugbot for commit 8eb9f5f. Bugbot is set up for automated code reviews on this repo. Configure here.}

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[coderabbitai]

Warning

Rate limit exceeded

@KooshaPari has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 5 minutes and 52 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a59cca8b-55c6-421e-8aa7-cb263649ede0

📥 Commits

Reviewing files that changed from the base of the PR and between 89f94c3 and 8eb9f5f.

📒 Files selected for processing (2)

• .github/workflows/fr-coverage.yml
• .github/workflows/quality-gate.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/20260430-pin-actions-v2

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch chore/20260430-pin-actions-v2

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 5 minutes and 52 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is ON, but it could not run because the branch was deleted or merged before autofix could start.}

^{Reviewed by Cursor Bugbot for commit 8eb9f5f. Configure here.}

[cursor]

Pinned SHA references outdated v4.1.1 instead of latest v4

Medium Severity

The SHA b4ffde65f46336ab88eb53be808477a3936bae11 corresponds to actions/checkout v4.1.1 (October 2023), but the latest v4 release is v4.3.1 (November 2025). Pinning to a version that's over two years old for "supply chain security" is counterproductive, as it misses subsequent security and bug fixes in the v4 line. The pinned SHA needs to reference the most recent v4.x release.

Additional Locations (1)

• .github/workflows/quality-gate.yml#L7-L8

 

^{Reviewed by Cursor Bugbot for commit 8eb9f5f. Configure here.}