chore: pin GitHub Actions to immutable SHAs

[KooshaPari]

Pin GitHub Actions to immutable SHA references for supply chain security.

🤖 Generated with Claude Code

---

Note

Low Risk
Low risk: only CI workflow references and documentation/badges are updated, with no runtime or build logic changes beyond using a pinned actions/checkout revision.

Overview
Pins actions/checkout to an immutable commit SHA (v4.1.1) across all GitHub Actions workflows to improve supply-chain integrity.

Adds a Sladge badge to README.md and introduces docs/worklogs/GOVERNANCE.md documenting the governance decision for the badge rollout.

^{Reviewed by Cursor Bugbot for commit 1d967d5. Bugbot is set up for automated code reviews on this repo. Configure here.}

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[coderabbitai]

Warning

Rate limit exceeded

@KooshaPari has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 9 minutes and 30 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 96e040ae-5ced-47c7-957c-b0ebbdb0f546

📥 Commits

Reviewing files that changed from the base of the PR and between 57430bc and 1d967d5.

📒 Files selected for processing (9)

• .github/workflows/codeql.yml
• .github/workflows/doc-links.yml
• .github/workflows/fr-coverage.yml
• .github/workflows/quality-gate.yml
• .github/workflows/release.yml
• .github/workflows/scorecard.yml
• .github/workflows/secrets-scan.yml
• README.md
• docs/worklogs/GOVERNANCE.md

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/20260430-pin-actions-v2

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch chore/20260430-pin-actions-v2

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 9 minutes and 30 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is ON, but it could not run because the branch was deleted or merged before autofix could start.}

^{Reviewed by Cursor Bugbot for commit 1d967d5. Configure here.}

[cursor]

SHA pin downgrades checkout from v4.3.0 to v4.1.1

Medium Severity

The pinned SHA b4ffde65f46336ab88eb53be808477a3936bae11 corresponds to actions/checkout v4.1.1 (October 2023). The previous @v4 floating tag resolved to v4.3.0 (August 2025), so this change is effectively a ~2-year downgrade across all seven workflow files, missing dependency security updates (e.g., tough-cookie, @babel/traverse) and bug fixes. For a PR aimed at improving supply chain security, the SHA to pin needs to be the latest v4.x release, not an outdated one.

Additional Locations (2)

• .github/workflows/scorecard.yml#L21-L22
• .github/workflows/release.yml#L18-L19

 

^{Reviewed by Cursor Bugbot for commit 1d967d5. Configure here.}