From a1fa4086be42850a741f825f2b8c5d9f5f390a10 Mon Sep 17 00:00:00 2001
From: anupsv <6407789+anupsv@users.noreply.github.com>
Date: Thu, 14 May 2026 11:16:23 -0700
Subject: [PATCH] fix(ci): add version comments to SHA-pinned GitHub Actions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

All workflow actions were already correctly SHA-pinned, but pnpm/action-setup and actions/setup-node were missing the version comment that makes the pinned SHA auditable at a glance.
- pnpm/action-setup@fc06bc1... → # v4.4.0
- actions/setup-node@49933ea... → # v4.4.0
- actions/checkout@11bd719... → # v4.2.2 (already present)
Co-Authored-By: Claude Sonnet 4.6 (1M context)
---
.github/workflows/release-dev.yml | 4 ++--
.github/workflows/release-prod.yml | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release-dev.yml b/.github/workflows/release-dev.yml
index dce918b..390e2fd 100644
--- a/.github/workflows/release-dev.yml
+++ b/.github/workflows/release-dev.yml
@@ -41,10 +41,10 @@ jobs:
 echo "Building dev version: $PACKAGE_VERSION"
 - name: Setup pnpm
- uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
 - name: Setup Node.js
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: ${{ env.NODE_VERSION }}
 registry-url: "https://registry.npmjs.org"
diff --git a/.github/workflows/release-prod.yml b/.github/workflows/release-prod.yml
index 5e90bc1..20143ab 100644
--- a/.github/workflows/release-prod.yml
+++ b/.github/workflows/release-prod.yml
@@ -48,10 +48,10 @@ jobs:
 echo "Building production version: $PACKAGE_VERSION"
 - name: Setup pnpm
- uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
 - name: Setup Node.js
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: ${{ env.NODE_VERSION }}
 registry-url: "https://registry.npmjs.org"
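Review bot: The `# v4.4.0` comments added to the `pnpm/action-setup` and `actions/setup-node` `uses:` lines, in this hunk and in the matching release-dev.yml hunk, are free text that nothing in the workflow checks, so the patch alone does not show that either SHA is the commit behind that tag. Both actions carrying the same label `v4.4.0` may well be correct, but each should be confirmed against the upstream tag before merging (for example with `git ls-remote --tags https://github.com/pnpm/action-setup`), because a wrong version comment misleads the next audit more than a missing one. Letting Dependabot or Renovate own these pins would keep the SHA and its comment updated together. The job definitions continue outside both hunks.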