
fix: pin 4 Docker actions to commit SHA in publish workflow#1109

Open
dagecko wants to merge 1 commit into f:main from dagecko:runner-guard/fix-ci-security

Conversation


@dagecko dagecko commented Mar 28, 2026

Re-submission of #1106. Had a problem with my fork and had to delete it, which closed the original PR. Apologies for the noise.

Summary

This PR pins the 4 Docker actions in the publish workflow to immutable commit SHAs instead of mutable version tags.

  • Pin docker/setup-buildx-action, docker/login-action, docker/metadata-action, docker/build-push-action to full 40-character SHAs
  • Add version comments for readability

How to verify

Review the diff — each change is mechanical and preserves workflow behavior:

  • SHA pinning: action@v3 becomes action@abc123 # v3 — original version preserved as comment
  • No workflow logic, triggers, or permissions are modified

If you have any questions, reach out. I'll be monitoring comms.

- Chris Nyhuis (dagecko)

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflow dependencies to pinned versions for improved stability and security.
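The PR description says each pin is mechanical and verifiable by reading the diff. The script below is an added example, not code from this repository or from the Docker actions, of how to automate that review: it walks every `uses:` line in a workflow, flags anything that is not a full 40-character lowercase commit SHA with a trailing version comment, and, given a tag-to-commit map resolved out of band (e.g. from `git ls-remote --tags`), confirms that the commit named by a `# v3`-style comment is really the one pinned. The sample workflow, the SHAs and the `RESOLVED_TAGS` map are constructed placeholders, not the project's real `docker-publish.yml` or real upstream commits.

```python
"""Check SHA pinning of `uses:` references in a GitHub Actions workflow.
Added example; not the project's own code. All SHAs below are placeholders."""
import re

# Constructed sample workflow (not the repository's docker-publish.yml).
# Lines 10 and 15 are pinned the way the PR describes; 9, 11 and 14 are not.
SAMPLE_WORKFLOW = """\
name: publish
on:
  push:
    tags: ["v*"]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@0123456789abcdef0123456789abcdef01234567 # v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
      - uses: docker/metadata-action@abc123 # v5
      - uses: docker/build-push-action@fedcba9876543210fedcba9876543210fedcba98 # v6
      - uses: ./.github/actions/local-helper
"""

# Constructed "owner/repo@tag" -> commit SHA map, standing in for the peeled
# (`^{}`) entries of `git ls-remote --tags`. build-push-action deliberately
# disagrees with the pin above to show a mismatch being caught.
RESOLVED_TAGS = {
    "docker/setup-buildx-action@v3": "0123456789abcdef0123456789abcdef01234567",
    "docker/build-push-action@v6": "0000000000000000000000000000000000000000",
}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?\s*$")
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")


def _uses_lines(workflow_text):
    """Yield (line_no, action, pin, comment) for every remote `uses:` reference."""
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        # Local actions and docker:// images are not GitHub refs; nothing to pin.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        action, _, pin = ref.rpartition("@")
        yield lineno, action, pin, (m.group("comment") or "").strip()


def check_pins(workflow_text):
    """Return (line_no, ref, problem) for every `uses:` that is not a full
    40-hex SHA pin carrying a version comment. Empty list == all good."""
    findings = []
    for lineno, action, pin, comment in _uses_lines(workflow_text):
        ref = f"{action}@{pin}" if action else pin
        if not action:
            findings.append((lineno, ref, "no @ref at all"))
        elif not SHA40_RE.match(pin):
            findings.append((lineno, ref, "not a full 40-char commit SHA"))
        elif not re.match(r"^v?\d", comment):
            findings.append((lineno, ref, "SHA pin lacks a version comment"))
    return findings


def verify_comments(workflow_text, tag_to_sha):
    """Cross-check each SHA pin against the commit its comment claims.
    The `# v3` comment is not checked by GitHub; only this comparison proves
    the pinned commit is the tagged release. Returns (line_no, key, problem)."""
    problems = []
    for lineno, action, pin, comment in _uses_lines(workflow_text):
        if not action or not SHA40_RE.match(pin) or not comment:
            continue  # shape problems are reported by check_pins
        key = f"{action}@{comment.split()[0]}"
        expected = tag_to_sha.get(key)
        if expected is None:
            problems.append((lineno, key, "tag not in resolved list; cannot verify comment"))
        elif expected != pin:
            problems.append((lineno, key, "pinned SHA does not match the tag named in the comment"))
    return problems


if __name__ == "__main__":
    for item in check_pins(SAMPLE_WORKFLOW) + verify_comments(SAMPLE_WORKFLOW, RESOLVED_TAGS):
        print("line %d: %s: %s" % item)
```

Two practitioner caveats the diff alone does not show. First, the version comment is advisory: Dependabot and Renovate use it to bump both the SHA and the comment together, but nothing in GitHub checks that `# v3` and the SHA agree, which is why `verify_comments` exists. Second, when resolving a tag with `git ls-remote --tags`, an annotated tag appears twice, as `refs/tags/v3` (the tag object) and `refs/tags/v3^{}` (the peeled commit); the pin must be the peeled commit SHA.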


coderabbitai bot commented Mar 28, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 4e6928e and 64ca258.

📒 Files selected for processing (1)
  • .github/workflows/docker-publish.yml

Walkthrough

Updated GitHub Actions workflow to pin Docker-related action references to specific commit SHAs instead of version tags (@v3, @v5, @v6). This applies to four actions: docker/setup-buildx-action, docker/login-action, docker/metadata-action, and docker/build-push-action. No workflow logic or behavior changes.

Changes

Cohort: Docker Workflow Action Pinning
File(s): .github/workflows/docker-publish.yml
Summary: Pinned four Docker GitHub Actions to specific commit SHAs within their respective major versions (v3, v5, v6) instead of floating version tags, enhancing reproducibility and supply chain security.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Four actions locked, committed secure,
No more floating tags—just hashes pure!
Docker workflow's now pinned and tight,
Reproducible builds, done right! 🔐

Pre-merge checks: 3 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title 'fix: pin 4 Docker actions to commit SHA in publish workflow' directly and clearly summarizes the main change: pinning Docker actions to commit SHAs in the publish workflow file.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

