
chore: pin GitHub Actions to full commit SHAs#7062

Open · serhalp wants to merge 1 commit into main from claude/slack-session-0xCmV

Conversation

@serhalp serhalp commented May 13, 2026

Summary

Pin all GHA action references to their full 40-character commit SHAs for supply chain security, with inline comments noting the version tag.

https://claude.ai/code/session_01ST55AqGwDZq8wqe7H4zJCP
coderabbitai Bot commented May 13, 2026

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated internal infrastructure configurations for improved stability and security.

Walkthrough

This pull request pins GitHub Actions to specific commit SHAs across seven workflow files (benchmark, conventional-commit, fossa, pre-release, stalebot, typescript-nudge, and workflow) instead of using floating major-version tags. The changes affect core setup actions (checkout, setup-node, setup-go), specialized integrations (codecov, netlify delta, denoland/setup-deno), and PR automation tools (name-linter, changed-files detection, labeling, commenting). Functional workflow logic and execution conditions remain unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Description check: Inconclusive
  Explanation: The description is minimal but provides the key motivation (supply chain security). However, it significantly deviates from the required template structure with missing sections like issue reference, contribution checklist, and testing/documentation updates.
  Resolution: Expand the description to follow the template more closely: add issue reference, include the contribution checklist, and clarify testing/documentation impact for the workflow changes.
✅ Passed checks (4 passed)
Title check: Passed. The title accurately summarizes the main change: pinning GitHub Actions to full commit SHAs across multiple workflow files for improved security.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@serhalp serhalp marked this pull request as ready for review May 13, 2026 16:18
@serhalp serhalp requested a review from a team as a code owner May 13, 2026 16:18

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a8ff489516


steps.changed-javascript-files.outputs.modified_files != '' ||
steps.changed-javascript-files.outputs.added_files != ''
uses: actions-ecosystem/action-add-labels@v1
uses: actions-ecosystem/action-add-labels@c96b68fec76a0987cd93957189e9abd0b9a72ff1 # v1.1.3
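Review bot: the new ref c96b68fec76a0987cd93957189e9abd0b9a72ff1 is the SHA of the annotated tag object for v1.1.3, not of the commit it points to, so `uses:` cannot resolve it and this step fails exactly when a PR adds or modifies JavaScript files. Pin the peeled commit instead: `git ls-remote --tags https://github.com/actions-ecosystem/action-add-labels v1.1.3` prints both `refs/tags/v1.1.3` (the tag object) and `refs/tags/v1.1.3^{}` (the commit); the second line is the value to put after `@`, and the trailing `# v1.1.3` comment should stay so the pinned version remains readable.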

P2: Pin action-add-labels to an existing commit

For PRs that add or modify JavaScript files, this step is executed, but the pinned ref is not resolvable in actions-ecosystem/action-add-labels (the GitHub commit URL for c96b68... returns 404, while the v1.1.3 release points at a different commit). GitHub Actions will fail before adding the label, so this workflow regresses for exactly the cases it is meant to handle.


steps.changed-javascript-files.outputs.modified_files == '' &&
steps.changed-javascript-files.outputs.added_files == ''
uses: actions-ecosystem/action-remove-labels@v1
uses: actions-ecosystem/action-remove-labels@f5dccab59b9ed79c1a5ddd2ab6d8771449b0250f # v1.3.0
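Review bot: same defect on the cleanup path: f5dccab59b9ed79c1a5ddd2ab6d8771449b0250f is the v1.3.0 tag object, not the release commit, so the label-removal step fails instead of removing the label. Resolve it the same way (`git ls-remote --tags https://github.com/actions-ecosystem/action-remove-labels v1.3.0`, take the `^{}` line), and because both pins in this file were produced by the same resolution step, re-check every SHA in the PR in a clone of each action repo: `git cat-file -t <sha>` must print `commit`, not `tag`.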

P2: Pin action-remove-labels to an existing commit

When a PR already has the JavaScript-file label and no longer has added/modified JS files, this step is executed, but the pinned ref is not resolvable in actions-ecosystem/action-remove-labels (the GitHub commit URL for f5dcc... returns 404, while the v1.3.0 release points at a different commit). That makes the cleanup path fail instead of removing the label.



@coderabbitai coderabbitai Bot left a comment


⚠️ Outside diff range comments (1)
.github/workflows/typescript-nudge.yml (1)

21-78: ⚠️ Potential issue | 🔴 Critical

Incorrect SHA pinning detected for two actions — pin commit SHAs instead of tag object SHAs.

Two of the four actions pin tag object SHAs rather than commit SHAs, which is non-standard and may cause reproducibility and security issues:

  • actions-ecosystem/action-add-labels should pin 18f1af5e3544586314bbe15c0273249c770b2daf (commit SHA for v1.1.3), not c96b68fec76a0987cd93957189e9abd0b9a72ff1 (tag object SHA)
  • actions-ecosystem/action-remove-labels should pin 2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 (commit SHA for v1.3.0), not f5dccab59b9ed79c1a5ddd2ab6d8771449b0250f (tag object SHA)

The other two actions (tj-actions/changed-files and thollander/actions-comment-pull-request) correctly pin commit SHAs.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/typescript-nudge.yml around lines 21 - 78, Two action
usages pin tag object SHAs instead of the commit SHAs; update the pins for
actions-ecosystem/action-add-labels and actions-ecosystem/action-remove-labels
to the correct commit SHAs: replace the tag-object SHA currently used with
18f1af5e3544586314bbe15c0273249c770b2daf for action-add-labels and
2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 for action-remove-labels so the
workflow uses commit-pinned references (look for the uses entries that mention
actions-ecosystem/action-add-labels@c96b68... and
actions-ecosystem/action-remove-labels@f5dccab... and swap those suffixes to the
corresponding commit SHAs).


📥 Commits

Reviewing files that changed from the base of the PR and between 0f6098d and a8ff489.

📒 Files selected for processing (7)
  • .github/workflows/benchmark.yml
  • .github/workflows/conventional-commit.yml
  • .github/workflows/fossa.yml
  • .github/workflows/pre-release.yml
  • .github/workflows/stalebot.yml
  • .github/workflows/typescript-nudge.yml
  • .github/workflows/workflow.yml
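
The tag-object-SHA versus commit-SHA mistake the reviews above describe is easy to reproduce locally, and the same check can be run over any `uses:` line before pinning. The script below is an added example, not code from this PR or from the repository it targets; it assumes `git` is installed and stands in a constructed throwaway repository (one empty commit, one annotated tag `v1.1.3`) for the real actions-ecosystem repositories. The function and repo names are illustrative.

```shell
#!/bin/sh
# Added example (not part of the PR). Shows why the SHA an annotated tag resolves to
# must not be pinned in `uses:`, and checks a `uses:` line against a local clone.
# Assumptions: git is installed; the action repo is available locally (here a
# constructed sample repo stands in for e.g. actions-ecosystem/action-add-labels).
set -eu

# Build a throwaway repo with one commit and one *annotated* tag (constructed sample data).
make_sample_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" -c user.name=ci -c user.email=ci@example.com \
    commit -q --allow-empty -m "release 1.1.3"
  git -C "$dir" -c user.name=ci -c user.email=ci@example.com \
    tag -a v1.1.3 -m "v1.1.3"
  printf '%s\n' "$dir"
}

# SHA of the tag *object*. For an annotated tag this is what `refs/tags/<tag>` resolves
# to, what the GitHub API `git/ref/tags/<tag>` returns with type "tag", and what this
# PR pinned. GitHub Actions resolves `uses: owner/repo@<sha>` as a commit, so it fails.
tag_object_sha() { git -C "$1" rev-parse "refs/tags/$2"; }

# Peeled SHA: the commit the tag points at (`git ls-remote --tags` lists it as
# `refs/tags/<tag>^{}`). This is the value to pin.
commit_sha_for_tag() { git -C "$1" rev-parse "refs/tags/$2^{commit}"; }

# Classify one workflow `uses:` line against a local clone of the action repo.
# Output: "ok" | "not-a-full-sha" | "tag-object-sha <commit>" | "missing".
check_uses_line() {
  repo=$1
  line=$2
  ref=$(printf '%s\n' "$line" | sed -n 's/.*@\([0-9a-f]\{40\}\).*/\1/p')
  if [ -z "$ref" ]; then
    printf 'not-a-full-sha\n'   # `@v1`, `@main` or a short SHA: mutable or ambiguous
    return 0
  fi
  objtype=$(git -C "$repo" cat-file -t "$ref" 2>/dev/null || printf 'missing\n')
  case "$objtype" in
    commit) printf 'ok\n' ;;
    tag)    printf 'tag-object-sha %s\n' "$(git -C "$repo" rev-parse "$ref^{commit}")" ;;
    *)      printf 'missing\n' ;;
  esac
}

# Stand-alone demo: the two SHAs differ, and only the peeled one passes the check.
demo() {
  repo=$(make_sample_repo)
  tag=$(tag_object_sha "$repo" v1.1.3)
  commit=$(commit_sha_for_tag "$repo" v1.1.3)
  printf 'tag object: %s\ncommit:     %s\n' "$tag" "$commit"
  check_uses_line "$repo" "uses: example/action@$tag # v1.1.3"
  check_uses_line "$repo" "uses: example/action@$commit # v1.1.3"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh pin-check.sh demo` to see the two SHAs side by side. Against a real action, clone the repository once, then pass each `uses:` line from the workflow files to `check_uses_line`; any `tag-object-sha` result is exactly the failure Codex and CodeRabbit reported above, and the commit printed next to it is the ref to pin.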
