
ci: pin GitHub Actions to full-length commit SHAs#101

Merged
maxandersen merged 1 commit into main from pin-actions-to-sha on May 19, 2026

Conversation

@maxandersen
Contributor

@maxandersen maxandersen commented May 19, 2026

Pin all action references to full-length commit SHAs for supply chain security.

This is required for enabling the org-level policy:
Require actions to be pinned to a full-length commit SHA

Original version tags are preserved as comments for readability.
Consider adding Dependabot for GitHub Actions to keep pins updated:

```yaml
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflows to pin GitHub Action versions (checkout and Java setup) for more stable builds.
    • Pinned artifact upload action in the release workflow to ensure consistent release output handling.
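The org-level policy this PR prepares for rejects any `uses:` reference that is not a full 40-character commit SHA. The following is an added example, not code from this PR or the project, showing how a defender can run the same check locally before pushing: it scans a workflow file for `uses:` lines and classifies each reference as pinned to a full-length SHA, pinned to a short SHA, or floating on a tag or branch. The workflow text and the hexadecimal values in it are constructed for the example; the helper names (`check_workflow`, `unpinned`) are the example's own.

```python
import re

# Matches a `uses:` step in a GitHub Actions workflow and captures the action,
# the ref after '@', and the optional trailing "# vN" comment that this PR keeps
# next to each pinned SHA for readability.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<action>[^@'\"\s]+)@(?P<ref>[^\s'\"#]+)['\"]?"
    r"\s*(?:#\s*(?P<comment>.*))?$"
)
# A full-length commit SHA is exactly 40 lowercase hex characters.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Abbreviated SHAs are still mutable in practice (prefix collisions, and they
# fail the org policy), so they are flagged separately.
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")

# Constructed sample workflow covering each case the classifier distinguishes.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-java@0123456789abcdef0123456789abcdef01234567 # v5
      - uses: actions/upload-artifact@0123456
      - uses: ./.github/actions/local-thing
      - name: Docker step
        uses: docker://ghcr.io/example/tool@sha256:0000000000000000000000000000000000000000000000000000000000000000
"""


def check_workflow(text):
    """Return one (line_no, action, ref, status) tuple per `uses:` reference.

    status is one of:
      pinned                    - full-length SHA with a version comment
      pinned-no-version-comment - full-length SHA but no "# vN" hint
      short-sha                 - abbreviated SHA (fails the policy)
      floating                  - tag or branch name (fails the policy)
      skip                      - docker:// image reference, outside the policy
    Local actions (./path) carry no '@ref' and are not reported.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if action.startswith("docker://"):
            status = "skip"
        elif FULL_SHA_RE.match(ref):
            status = "pinned" if comment else "pinned-no-version-comment"
        elif SHORT_SHA_RE.match(ref):
            status = "short-sha"
        else:
            status = "floating"
        findings.append((no, action, ref, status))
    return findings


def unpinned(text):
    """Only the references that would be rejected by the full-length SHA policy."""
    return [f for f in check_workflow(text) if f[3] in ("floating", "short-sha")]


if __name__ == "__main__":
    for no, action, ref, status in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {no:>3}: {status:<26} {action}@{ref}")
    print("policy violations:", [(no, action) for no, action, _, _ in unpinned(SAMPLE_WORKFLOW)])
```

The check validates only the shape of the reference. A 40-character SHA proves the reference is immutable, not that it belongs to the expected release; when converting a tag such as `@v5` to a pin, take the SHA from the upstream repository itself (for example via `git ls-remote` against the action's repository) and keep the `# v5` comment so reviewers and Dependabot can see which release the pin corresponds to.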


@coderabbitai

coderabbitai Bot commented May 19, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: e59b4231-1737-4540-89ff-32e406721d2b

📥 Commits

Reviewing files that changed from the base of the PR and between b77fe1f and 2705895.

📒 Files selected for processing (2)
  • .github/workflows/ci-build.yml
  • .github/workflows/tag-and-release.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/ci-build.yml

📝 Walkthrough

Walkthrough

This PR replaces floating @v5 GitHub Actions tags with specific pinned commit SHAs in two workflows: .github/workflows/ci-build.yml (build and dependency-submission jobs) and .github/workflows/tag-and-release.yml (release-output step).

Changes

Workflow Action Pinning

| Layer / File(s) | Summary |
|---|---|
| CI build workflow action pins (`.github/workflows/ci-build.yml`) | actions/checkout and actions/setup-java are updated from @v5 to specific pinned commit SHAs in the build and dependency-submission jobs. |
| Release workflow action pins (`.github/workflows/tag-and-release.yml`) | actions/upload-artifact is updated from @v5 to a specific pinned commit SHA in the release job's release-output step. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 I hopped through YAML lines with care,
Replaced the floats with pins so fair.
Commits stand steady, versions tight,
CI sleeps peaceful through the night.
~The Code Rabbit

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title 'ci: pin GitHub Actions to full-length commit SHAs' directly and accurately summarizes the main change across all files, which is pinning GitHub Actions to specific commit SHAs. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


Pin all action references to full-length commit SHAs for supply chain
security. This is required for the org-level policy:
'Require actions to be pinned to a full-length commit SHA'.

Original version tags are preserved as comments for readability.
Existing SHA pins are left unchanged.
@maxandersen maxandersen force-pushed the pin-actions-to-sha branch from b77fe1f to 2705895 on May 19, 2026 13:10
@maxandersen maxandersen merged commit a7fdea8 into main May 19, 2026
4 checks passed
@maxandersen maxandersen deleted the pin-actions-to-sha branch May 19, 2026 15:51