chore(security): uses pinned versions of actions#1562

Open
jcchavezs wants to merge 1 commit into auth0:master from jcchavezs:pin-gh-actions

Conversation

jcchavezs commented Jun 9, 2026


This pull request updates the GitHub Actions workflow files to use pinned commit SHAs for all third-party actions, improving security and reproducibility.

Summary by CodeRabbit

  • Chores
    • Pinned GitHub Actions to specific commits across CI/CD workflows (release, documentation publishing, and npm release pipelines) to improve build reproducibility and security.
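The description says every floating third-party tag was replaced by a commit SHA with the version kept as a trailing comment. As an added example (my own code, not the PR author's tooling and not part of this PR), the Python below performs that rewrite from the output of `git ls-remote --tags <repo>`. The `ls-remote` text is constructed: the commit SHA is the v6.0.3 pin visible in the diff, the tag-object SHA is a placeholder, and the function names are mine. The detail worth seeing in code is the annotated-tag rule: the SHA to pin is the peeled `refs/tags/<tag>^{}` entry, not the tag object listed on the plain `refs/tags/<tag>` line, because `uses:` is resolved against commits.

```python
"""Rewrite a floating 'uses:' ref to a pinned commit SHA from `git ls-remote --tags`
output. Added example, not the PR author's tooling: the ls-remote text below is
constructed; the commit SHA is the v6.0.3 pin visible in the diff, the tag-object
SHA is a placeholder."""
import re

USES_RE = re.compile(r"^(\s*(?:-\s+)?uses:\s*)([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def resolve_tag(ls_remote_output, tag):
    """Commit SHA for a tag. Prefer the peeled 'refs/tags/<tag>^{}' entry: for an
    annotated tag the plain entry is the tag object, which a uses: pin must not use."""
    refs = {}
    for line in ls_remote_output.splitlines():
        sha, _, ref = line.partition("\t")
        refs[ref] = sha
    return refs.get(f"refs/tags/{tag}^{{}}") or refs.get(f"refs/tags/{tag}")


def pin_uses_line(line, ls_remote_output):
    """'uses: owner/repo@v6.0.3' -> 'uses: owner/repo@<sha> # v6.0.3'.
    Local actions (./...) and refs that are already a SHA are returned unchanged."""
    m = USES_RE.match(line)
    if not m:
        return line
    prefix, action, ref = m.groups()
    if SHA_RE.match(ref):
        return line
    sha = resolve_tag(ls_remote_output, ref)
    if sha is None:
        raise ValueError(f"{action}: tag {ref!r} not in ls-remote output")
    return f"{prefix}{action}@{sha} # {ref}"


# Constructed `git ls-remote --tags` excerpt: v6.0.3 is modelled as an annotated tag
# (tag object plus peeled commit), v6 as a lightweight moving tag with no ^{} line.
LS_REMOTE = (
    "a" * 40 + "\trefs/tags/v6.0.3\n"                                   # tag object, placeholder
    "df4cb1c069e1874edd31b4311f1884172cec0e10\trefs/tags/v6.0.3^{}\n"  # commit, from the diff
    "df4cb1c069e1874edd31b4311f1884172cec0e10\trefs/tags/v6\n"         # lightweight tag
)

if __name__ == "__main__":
    for raw in ("      - uses: actions/checkout@v6.0.3",
                "      - uses: actions/checkout@v6",
                "        uses: ./.github/actions/setup"):
        print(pin_uses_line(raw, LS_REMOTE))
```

Run against real input with `git ls-remote --tags https://github.com/<owner>/<repo>` piped into `resolve_tag`; if a tag only ever shows a plain line the fallback is correct, and if it shows both lines taking the first one would pin a tag object and the workflow would fail to resolve the action.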

jcchavezs requested a review from a team as a code owner June 9, 2026 15:39
coderabbitai Bot commented Jun 9, 2026


📝 Walkthrough

Three CI/CD workflow files pin GitHub Actions to specific commit SHAs: npm-release.yml updates actions/checkout; publish-docs.yml updates checkout, upload-artifact, download-artifact, and peaceiris/actions-gh-pages; and release.yml updates checkout and the RL scanner action from floating version tags to pinned commits.

Changes

Pinned GitHub Actions

  • Layer: Pin checkout and deployment actions to commit SHAs
    File(s): .github/workflows/npm-release.yml, .github/workflows/publish-docs.yml, .github/workflows/release.yml
    Summary: actions/checkout is pinned to v6.0.3 commit SHA across npm-release, publish-docs, and release workflows. In publish-docs, actions/upload-artifact (v7), actions/download-artifact (v8), and peaceiris/actions-gh-pages (v4) are also pinned. In release, auth0/devsecops-tooling/.../rl-scan is pinned to main as of 2026-06-09 instead of using @main tag.

Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Actions pinned so tight,
SHAs locked in day and night,
No more floating tags to roam—
Workflows find their stable home!

🚥 Pre-merge checks: ✅ 5 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'chore(security): uses pinned versions of actions' directly and clearly summarizes the main change: pinning GitHub Actions to specific commit SHAs for security and reproducibility across three workflow files.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


coderabbitai Bot left a comment


Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
.github/workflows/release.yml (1)

27-28: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Local setup action introduces unpinned third-party actions.

At Line 28, ./.github/actions/setup still references floating tags (actions/setup-node@v4, actions/cache/*@v4 from the provided context), which undercuts the workflow-level pinning guarantees.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 27 - 28, The local composite
action referenced by "uses: ./.github/actions/setup" still contains floating
third-party action references (e.g., actions/setup-node@v4 and
actions/cache/*@v4); open the composite action file under .github/actions/setup
and replace those floating tags with pinned references (commit SHAs or exact,
audited tags) so the workflow-level pinning is preserved, then commit the
updated composite action so the call to uses: ./.github/actions/setup no longer
indirectly pulls unpinned actions.
.github/workflows/npm-release.yml (1)

59-63: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pinning is bypassed by nested composite action checkout.

At Line 59, ./.github/actions/npm-publish currently uses actions/checkout@v4 in .github/actions/npm-publish/action.yml (Lines 9-15 from provided context), which reintroduces a floating third-party action and weakens this PR’s pinning goal.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/npm-release.yml around lines 59 - 63, The composite action
./.github/actions/npm-publish reintroduces an unpinned third-party action by
calling actions/checkout@v4; open the npm-publish action manifest (action.yml)
and either remove the nested checkout step so the composite re-uses the workflow
workspace, or replace the floating tag with a pinned commit SHA (uses:
actions/checkout@<commit-sha>) to preserve pinning; update any dependent steps
in the npm-publish composite (the step that references actions/checkout)
accordingly and run tests to ensure the workflow still finds the repository
files.
.github/workflows/publish-docs.yml (1)

53-54: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

./.github/actions/setup still uses floating third-party action tags.

At Line 54, this workflow calls a composite action that uses actions/setup-node@v4 and actions/cache/*@v4 (per the provided snippet), so pinning is not yet end-to-end.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish-docs.yml around lines 53 - 54, The composite
action referenced by the "Setup" step (./.github/actions/setup) still uses
floating tags for third-party actions (e.g., actions/setup-node and
actions/cache); open that composite action's action.yml and replace floating
tags like actions/setup-node@v4 and actions/cache/*@v4 with pinned refs (full
commit SHAs or exact release tags) for each third-party action used, commit
those changes, and then ensure the workflow continues to call
./.github/actions/setup so the workflow will now use the pinned, immutable
third-party action versions.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 8ba59d69-fd22-4b38-970d-057810146aba

📥 Commits

Reviewing files that changed from the base of the PR and between e0d4a6a and 198057d.

📒 Files selected for processing (3)
  • .github/workflows/npm-release.yml
  • .github/workflows/publish-docs.yml
  • .github/workflows/release.yml

Comment on lines +24 to 26
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
fetch-depth: 0
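Review bot: the `# v6.0.3` trailer on the uses: line at line 24 is the only human-readable version marker, and nothing at run time checks that it matches the SHA in front of it, so treat the comment as documentation and have an updater that rewrites the SHA and the comment together own this line rather than hand-editing it. The fetch-depth: 0 at line 26 clones full history and all tags, so keep it only if a later step in this job actually reads tags or history.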


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Disable credential persistence on checkout.

At Line 24, add persist-credentials: false so the default token is not left in git config for subsequent steps.

Suggested patch
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           fetch-depth: 0
+          persist-credentials: false
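Review bot: the added persist-credentials: false line is right for this step, but it only helps if nothing later in the job depends on the token left in .git/config, and the outside-diff comment above says ./.github/actions/npm-publish runs its own actions/checkout@v4; that nested checkout will persist the token again (and is itself unpinned), so apply the same option there or drop the nested checkout, otherwise this patch closes the exposure in one step and reopens it in the next.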
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 24-28: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/npm-release.yml around lines 24 - 26, The checkout step
using actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 should
explicitly disable credential persistence to avoid leaving the default
GITHUB_TOKEN in the repo git config; update the checkout step (the block
containing "uses: actions/checkout@df4cb1c0..." and its "with:" settings) to add
persist-credentials: false alongside fetch-depth: 0 so subsequent steps cannot
use the persisted token.

Source: Linters/SAST tools

Comment on lines +14 to 17
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
ref: gh-pages
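Review bot: this checkout pulls ref: gh-pages, the branch the publishing step writes to, so before adding persist-credentials: false here confirm how that later step authenticates its push: if it receives a token explicitly through its inputs the option is safe, but if it runs git push and relies on the credentials this step leaves in .git/config, the push will fail once persistence is off. The review notes the second checkout at lines 40-43 needs the same change; make both edits in one commit so the two steps do not diverge.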


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Harden both checkout steps with persist-credentials: false.

At Line 14 and Line 40, checkout leaves credentials persisted by default. Explicitly disable it in both steps.

Also applies to: 40-43

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish-docs.yml around lines 14 - 17, The checkout steps
using actions/checkout (the steps with "uses: actions/checkout@...") leave
credentials persisted by default; add the key persist-credentials: false under
the with: block for both checkout steps (the initial checkout with ref: gh-pages
and the later checkout step around lines 40-43) so each checkout step explicitly
disables credential persistence.

Comment on lines +23 to 25
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
fetch-depth: 0
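Review bot: same persist-credentials gap as the other two workflows, but this job also calls the rl-scan action, which the walkthrough says is now pinned to a commit on main as of 2026-06-09 rather than to a release. A SHA on a moving branch is immutable, so the pin holds, but the trailing comment can only record a date instead of a version, which makes the next bump a manual exercise; ask the devsecops-tooling owners for a tagged release so the line can read `@<sha> # vX.Y` like the checkout above and an automated updater can track it.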


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Set persist-credentials: false on checkout.

At Line 23, checkout currently persists credentials; disabling this reduces token exposure across later build/scanner steps.

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 23-25: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 23 - 25, Add the
persist-credentials: false option to the actions/checkout step to avoid
persisting the GITHUB_TOKEN to later steps; in the checkout block where you use
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 (v6.0.3) alongside
fetch-depth: 0, add the key persist-credentials: false so credentials are not
carried forward to subsequent build/scanner steps.

Source: Linters/SAST tools
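The review above makes three related points: third-party actions referenced by floating tags, local composite actions (`./.github/actions/...`) that quietly reintroduce floating refs, and actions/checkout steps that leave the GITHUB_TOKEN in .git/config because persist-credentials defaults to true (the zizmor "artipacked" finding). As an added example, my own code and not from this PR, auth0, CodeRabbit or zizmor, here is a small Python audit that walks one workflow plus every local action it calls and reports all three. It uses a line-based parser instead of PyYAML so it has no dependencies, and it only understands the step/with layout shown in the samples. The sample workflow and composite action are constructed to mirror the shapes discussed above: the checkout SHA is the one from the diff, the other SHAs are placeholders, and the function names are mine.

```python
"""Audit GitHub Actions workflows for floating action refs, checkout steps that keep
credentials, and local composite actions that hide either. Added example, not code
from the PR, auth0 or CodeRabbit; line-based parser (no PyYAML) for the layout below."""
import re
from collections import namedtuple

USES_RE = re.compile(r"^(\s*(?:-\s+)?)uses:\s*([^\s#]+)")  # group 1 ends at the key column
KEY_RE = re.compile(r"^([A-Za-z0-9_.-]+):\s*(.*)$")         # 'key: value' on one line
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                       # full commit SHA = pinned
Finding = namedtuple("Finding", "path line kind detail")     # kind: unpinned | persist-credentials | missing-local-action

def _indent(line):
    return len(line) - len(line.lstrip())

def iter_steps(text):
    """Yield (line_no, uses_ref, with_opts) for each step; with: must follow uses:."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m = USES_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col, uses, opts, in_with, j = len(m.group(1)), m.group(2), {}, False, i + 1
        # The step ends at the first non-blank line indented less than the uses: key.
        while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) >= key_col):
            col, kv = _indent(lines[j]), KEY_RE.match(lines[j].strip())
            if col == key_col:                        # sibling key (with:, run:, ...)
                in_with = lines[j].strip().startswith("with:")
            elif in_with and kv and col > key_col:    # option under with:
                opts[kv.group(1)] = kv.group(2).split("#", 1)[0].strip().strip("'\"")
            j += 1
        yield i + 1, uses, opts
        i = j

def classify_ref(uses):
    """'local' for ./path, 'pinned' for a 40-hex SHA, otherwise 'floating' (tag or branch)."""
    if uses.startswith("./"):
        return "local"
    return "pinned" if SHA_RE.match(uses.partition("@")[2]) else "floating"

def audit(files, entry, _seen=None):
    """Walk one workflow or composite action plus every local action it calls."""
    seen = set() if _seen is None else _seen
    if entry in seen:          # report each local action once per audit
        return []
    seen.add(entry)
    out = []
    for line, uses, opts in iter_steps(files[entry]):
        kind = classify_ref(uses)
        if kind == "floating":
            out.append(Finding(entry, line, "unpinned", uses))
        elif kind == "local":  # follow ./.github/actions/<name>/action.yml
            target = uses[2:].rstrip("/") + "/action.yml"
            out += audit(files, target, seen) if target in files else [
                Finding(entry, line, "missing-local-action", uses)]
        # actions/checkout writes GITHUB_TOKEN into .git/config unless told not to.
        if uses.partition("@")[0] == "actions/checkout" and \
                opts.get("persist-credentials", "").lower() != "false":
            out.append(Finding(entry, line, "persist-credentials", uses))
    return out

# Constructed samples shaped like the PR's release.yml and the composite action the
# review flagged; the checkout SHA is the one from the diff, other SHAs are placeholders.
WEAK = {
    ".github/workflows/release.yml": """\
jobs:
  release:
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0
      - name: Setup
        uses: ./.github/actions/setup
""",
    ".github/actions/setup/action.yml": """\
runs:
  using: composite
  steps:
    - uses: actions/setup-node@v4
      with:
        node-version: 20
    - uses: actions/cache@v4
""",
}
HARDENED = {  # same files with persist-credentials off and the composite pinned
    ".github/workflows/release.yml": WEAK[".github/workflows/release.yml"].replace(
        "fetch-depth: 0\n", "fetch-depth: 0\n          persist-credentials: false\n"),
    ".github/actions/setup/action.yml": WEAK[".github/actions/setup/action.yml"]
    .replace("setup-node@v4", "setup-node@" + "1" * 40 + " # placeholder SHA")
    .replace("cache@v4", "cache@" + "2" * 40 + " # placeholder SHA"),
}

if __name__ == "__main__":
    for f in audit(WEAK, ".github/workflows/release.yml"):
        print(f"{f.path}:{f.line}: {f.kind} ({f.detail})")
```

On the WEAK sample the audit reports the checkout in release.yml for credential persistence and both steps of the composite action as unpinned, which is exactly the pattern the review describes: the workflow file looks pinned, the action it calls is not. To run it on a real checkout, build the `files` map by reading `.github/workflows/*.yml` and every `.github/actions/*/action.yml` into strings; a real YAML parser should replace `iter_steps` if your workflows use flow-style or multi-document syntax.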
