
chore: pin all github actions to commit SHAs #323

Merged: thewrz merged 1 commit into main from chore/pin-github-actions-shas-2026-05 on May 20, 2026

Conversation

thewrz (Collaborator) commented May 19, 2026
Every uses: reference pinned to 40-char SHA. Tag preserved as trailing comment.

WrzDJ has 6 workflows (ci, codeql, dependency-health, docker-publish, release, winget-scripts-test).

Why

Tags (@v6, @v4) are mutable. A compromised maintainer or hijacked org can re-point a tag to malicious code, silently affecting every workflow run. SHAs are immutable — pinning to a SHA freezes the action contents.

What pinact did

  • Resolved every @vX / @vX.Y tag to its current commit SHA.
  • Refined existing partial-version comments (e.g. # v4 -> # v4.2.2) to the precise published semver.
  • Touched only uses: lines. No script changes (verified on winget-scripts-test.yml which has PowerShell Invoke-WebRequest calls — those are untouched).

Pinned action count

16 unique uses: references, spanning:

  • actions/{checkout,setup-python,setup-node,upload-artifact,download-artifact}
  • codecov/codecov-action
  • docker/{setup-qemu,setup-buildx,login,metadata,build-push}-action
  • github/codeql-action/{init,autobuild,analyze}
  • softprops/action-gh-release

Maintenance

Renovate pinDigests: true is already configured, so future tag bumps will keep digests in sync automatically.

Test plan

  • CI passes on this PR (every pinned action still resolvable & functional)
  • CodeQL workflow runs successfully
  • Docker publish workflow builds successfully when run

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflows to use pinned action versions for improved build reproducibility and security across CI/CD pipelines, including checkout, setup, artifact handling, and publishing actions.

Review Change Stack

Replaces every uses: org/action@tag with uses: org/action@<sha> # tag.
Tags are mutable; SHAs are not. Blocks tag-mutation supply-chain attacks.

Paired with renovate pinDigests: true (already configured) to keep SHAs current.
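A worked version of the two operations the PR description lists (resolve a mutable tag to its 40-char commit SHA and keep the tag as a trailing comment; refine a partial `# v4`-style comment to the exact release tag), together with the check the review bot later applied to codeql.yml: a pinned SHA whose trailing tag comment resolves to a different commit. This is an added example, not pinact and not code from the WrzDJ repository. The `RESOLVER` table is constructed with placeholder SHAs and stands in for the tag-to-commit lookup a real tool performs against GitHub (`git ls-remote --tags` or the Git refs API); every action name and tag in the sample fragment is illustrative.

```python
"""Pin and audit `uses:` references in GitHub Actions workflow text.

Added example (not pinact, not the repository's code). RESOLVER stands in for
the tag->commit lookup a real tool does against GitHub; its SHAs are placeholders.
"""
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(
    r"^(?P<prefix>\s*(?:-\s+)?uses:\s*)"
    r"(?P<action>[^\s@#]+)(?:@(?P<ref>[^\s#]+))?"
    r"(?:\s*#\s*(?P<comment>\S+))?\s*$"
)

# Constructed: (owner/repo, tag) -> (exact release tag, commit SHA).
# A floating major tag and its exact release tag resolve to the same commit,
# which is what allows a `# v4` comment to be refined to `# v4.35.5`.
RESOLVER = {
    ("actions/checkout", "v6"): ("v6.0.2", "1" * 40),
    ("actions/checkout", "v6.0.2"): ("v6.0.2", "1" * 40),
    ("actions/setup-python", "v6"): ("v6.2.0", "2" * 40),
    ("actions/setup-python", "v6.2.0"): ("v6.2.0", "2" * 40),
    ("github/codeql-action", "v4"): ("v4.35.5", "3" * 40),
    ("github/codeql-action", "v4.35.5"): ("v4.35.5", "3" * 40),
}


def repo_of(action):
    """Tags belong to the repository, not the sub-action path:
    github/codeql-action/init -> github/codeql-action."""
    return "/".join(action.split("/")[:2])


def classify(line, resolver=RESOLVER):
    """(action, status) for a `uses:` line, None otherwise. Statuses:
    pinned (40-hex SHA, trailing tag comment agrees if known), mismatch (SHA
    and commented tag disagree), mutable (a tag we can pin), unresolved (tag
    unknown to the resolver), skipped (local ./ or docker:// reference)."""
    m = USES.match(line)
    if not m:
        return None
    action, ref, comment = m["action"], m["ref"], m["comment"]
    if action.startswith("./") or action.startswith("docker://"):
        return action, "skipped"
    if ref and SHA40.match(ref):
        known = resolver.get((repo_of(action), comment)) if comment else None
        if known and known[1] != ref:
            return action, "mismatch"
        return action, "pinned"
    if (repo_of(action), ref) in resolver:
        return action, "mutable"
    return action, "unresolved"


def pin_line(line, resolver=RESOLVER):
    """Rewrite a mutable-tag line to `@<sha> # <exact tag>` and refine a partial
    comment on an already-pinned line. A mismatch is deliberately left alone:
    SHA and comment disagree, and only a human can say which was intended."""
    m = USES.match(line)
    if not m:
        return line
    action, ref, comment = m["action"], m["ref"], m["comment"]
    if not ref or action.startswith("./") or action.startswith("docker://"):
        return line
    repo = repo_of(action)
    if SHA40.match(ref):
        known = resolver.get((repo, comment)) if comment else None
        if known and known[1] == ref and known[0] != comment:
            return f"{m['prefix']}{action}@{ref} # {known[0]}"
        return line
    known = resolver.get((repo, ref))
    if known:
        return f"{m['prefix']}{action}@{known[1]} # {known[0]}"
    return line


def pin_workflow(text, resolver=RESOLVER):
    return "\n".join(pin_line(l, resolver) for l in text.split("\n"))


def audit_workflow(text, resolver=RESOLVER):
    """[(line number, action, status)] for every `uses:` reference."""
    found = []
    for n, line in enumerate(text.split("\n"), 1):
        r = classify(line, resolver)
        if r:
            found.append((n, r[0], r[1]))
    return found


# Constructed fragment: a floating tag, a partial comment, a correct pin,
# a pin whose comment disagrees with its SHA, and a local action.
SAMPLE = """\
steps:
  - uses: actions/checkout@v6
  - uses: actions/setup-python@{p} # v6
    with:
      python-version: "3.11"
  - uses: github/codeql-action/init@{c} # v4.35.5
  - uses: github/codeql-action/analyze@{bad} # v4.35.5
  - uses: ./.github/actions/local-thing
""".format(p="2" * 40, c="3" * 40, bad="4" * 40)
```

Running `audit_workflow(SAMPLE)` reports the checkout line as mutable and the analyze line as a mismatch; `pin_workflow(SAMPLE)` pins the former and refines `# v6` to `# v6.2.0`, but leaves the mismatch untouched, which is the case that needs the reviewer's eye rather than a tool's. The mismatch check is only as good as the resolver table, so the same lookup should be rerun whenever a trailing comment is edited by hand.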
coderabbitai Bot commented May 19, 2026

📝 Walkthrough

Six GitHub Actions CI/CD workflow files replace floating major or minor version tags with pinned commit SHAs, securing the release and test pipeline against unexpected action updates.

Changes

GitHub Actions version pinning across CI/CD workflows

CI workflow action pins (.github/workflows/ci.yml)
  Pins actions/checkout, actions/setup-python, actions/setup-node, and codecov/codecov-action to specific commit SHAs in backend, frontend, bridge, bridge-app, and kiosk jobs.

CodeQL workflow action pins (.github/workflows/codeql.yml)
  Pins actions/checkout (v6.0.2) and github/codeql-action steps (v4.35.5) to specific commit SHAs.

Dependency health workflow action pins (.github/workflows/dependency-health.yml)
  Pins actions/checkout and actions/setup-node to specific commit SHAs across contract-tests-pinned, contract-tests-latest, upstream-monitor, and create-issues jobs.

Docker publish workflow action pins (.github/workflows/docker-publish.yml)
  Pins actions/checkout, Docker setup-qemu-action, setup-buildx-action, docker/login-action, docker/metadata-action, and docker/build-push-action to specific versions across publish-api and publish-web jobs.

Release workflow action pins (.github/workflows/release.yml)
  Pins actions/checkout, actions/setup-node, actions/upload-artifact, and actions/download-artifact to specific commit SHAs across validate-tag, build-bridge-app, bundle-deploy-scripts, create-release, and update-winget jobs.

Winget scripts test workflow action pins (.github/workflows/winget-scripts-test.yml)
  Pins actions/checkout (v6.0.2) to a specific commit SHA in both bats and pester test jobs.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 The rabbit hops through CI with glee,
SHAs locked down for security!
No floating tags to cause surprise,
Each action pinned, a careful prize. 🔒✨

🚥 Pre-merge checks: 5 passed
  Description Check: ✅ Passed (check skipped; CodeRabbit's high-level summary is enabled)
  Title check: ✅ Passed. The title 'chore: pin all github actions to commit SHAs' directly and clearly describes the main change across all modified workflow files.
  Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check.
  Linked Issues check: ✅ Passed (check skipped because no linked issues were found for this pull request)
  Out of Scope Changes check: ✅ Passed (check skipped because no linked issues were found for this pull request)


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 zizmor (1.25.2)
.github/workflows/ci.yml

INFO zizmor: 🌈 zizmor v1.25.2
INFO audit: zizmor: 🌈 completed .github/workflows/ci.yml
[
  {
    "ident": "artipacked",
    "desc": "credential persistence through GitHub Actions artifacts",
    "url": "https://docs.zizmor.sh/audits/#artipacked",
    "determinations": {
      "confidence": "Low",
      "severity": "Medium",
      "persona": "Regular"
    },
    "locations": [
      {
        "symbolic": {
          "key": {
            "Local": {
              "prefix": null,
              "given_path": ".github/workflows/ci.yml"
            }
          },
          "annotation": "does not set persist-credentials: false",
          "route": {
            "route": [
              {
                "Key": "jobs"
              },
              {
                "Key": "backend"
              },
              {
                "Key": "steps"
              },
              {
                "Index": 0
              }
            ]
          },
          "feature_kind": "Normal",
... [truncated 39118 characters] ...

              "start": 5340,
              "end": 5879
            }
          },
          "feature": "  kiosk:\n    name: Kiosk WiFi Portal Tests\n    runs-on: ubuntu-latest\n    defaults:\n      run:\n        working-directory: kiosk/wifi-portal\n\n    steps:\n      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n\n      - name: Set up Python\n        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0\n        with:\n          python-version: \"3.11\"\n\n      - name: Install test dependencies\n        run: pip install pytest\n\n      - name: Run tests\n        run: python -m pytest test_portal.py -q\n\n",
          "comments": [
            "# v6.0.2",
            "# v6.2.0"
          ]
        }
      }
    ],
    "ignored": false
  }
]

.github/workflows/codeql.yml

INFO zizmor: 🌈 zizmor v1.25.2
INFO audit: zizmor: 🌈 completed .github/workflows/codeql.yml
[
  {
    "ident": "artipacked",
    "desc": "credential persistence through GitHub Actions artifacts",
    "url": "https://docs.zizmor.sh/audits/#artipacked",
    "determinations": {
      "confidence": "Low",
      "severity": "Medium",
      "persona": "Regular"
    },
    "locations": [
      {
        "symbolic": {
          "key": {
            "Local": {
              "prefix": null,
              "given_path": ".github/workflows/codeql.yml"
            }
          },
          "annotation": "does not set persist-credentials: false",
          "route": {
            "route": [
              {
                "Key": "jobs"
              },
              {
                "Key": "analyze"
              },
              {
                "Key": "steps"
              },
              {
                "Index": 0
              }
            ]
          },
          "feature_kind": "Normal",
          "kind": "Primary"
        },
        "concrete": {
          "location": {
            "start_point": {
              "row": 24,
              "column": 8
            },
            "end_point": {
              "row": 24,
              "column": 80
            },
            "offset_span": {
              "start": 427,
              "end": 499
            }
          },
          "feature": "uses: actions/checkout@de0fac2 # v6.0.2",
          "comments": [
            "# v6.0.2"
          ]
        }
      }
    ],
    "ignored": false
  }
]

.github/workflows/docker-publish.yml

INFO zizmor: 🌈 zizmor v1.25.2
INFO audit: zizmor: 🌈 completed .github/workflows/docker-publish.yml
[
  {
    "ident": "artipacked",
    "desc": "credential persistence through GitHub Actions artifacts",
    "url": "https://docs.zizmor.sh/audits/#artipacked",
    "determinations": {
      "confidence": "Low",
      "severity": "Medium",
      "persona": "Regular"
    },
    "locations": [
      {
        "symbolic": {
          "key": {
            "Local": {
              "prefix": null,
              "given_path": ".github/workflows/docker-publish.yml"
            }
          },
          "annotation": "does not set persist-credentials: false",
          "route": {
            "route": [
              {
                "Key": "jobs"
              },
              {
                "Key": "publish-api"
              },
              {
                "Key": "steps"
              },
              {
                "Index": 0
              }
            ]
          },
"feat

... [truncated 1319 characters] ...

web"
              },
              {
                "Key": "steps"
              },
              {
                "Index": 0
              }
            ]
          },
          "feature_kind": "Normal",
          "kind": "Primary"
        },
        "concrete": {
          "location": {
            "start_point": {
              "row": 67,
              "column": 8
            },
            "end_point": {
              "row": 67,
              "column": 80
            },
            "offset_span": {
              "start": 2020,
              "end": 2092
            }
          },
          "feature": "uses: actions/checkout@11bd719 # v4.2.2",
          "comments": [
            "# v4.2.2"
          ]
        }
      }
    ],
    "ignored": false
  }
]

  • 1 others

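Every zizmor `artipacked` finding in the tool output above says the same thing: a checkout step that does not set `persist-credentials: false`. The following is an added example, not zizmor and not code from this repository, that reproduces that audit over two constructed workflow fragments and shows the hardened form beside the weak one. The mechanism behind the finding: actions/checkout defaults to `persist-credentials: true`, which stores the job's GITHUB_TOKEN in the workspace's `.git/config`; a later `actions/upload-artifact` step whose `path` covers the checkout directory then packs that token into a downloadable artifact. SHAs and version comments in the fragments are placeholders, and the step-splitting is a line-based heuristic rather than a YAML parser.

```python
"""Flag actions/checkout steps that leave the job token in the workspace.

Added example (not zizmor, not the repository's code): the logic of the
`artipacked` audit over two constructed workflow fragments. SHAs and tag
comments in the fragments are placeholders.
"""
import re

STEP_START = re.compile(r"^(?P<indent>\s*)-\s+(?:uses|name|run|id|if):")
CHECKOUT = re.compile(r"^\s*(?:-\s+)?uses:\s*actions/checkout@")
UPLOAD = re.compile(r"^\s*(?:-\s+)?uses:\s*actions/upload-artifact@")
PERSIST_OFF = re.compile(r"^\s*persist-credentials:\s*false\s*$")


def split_steps(text):
    """Group workflow lines into steps. A step starts at a `- uses:` / `- name:`
    (etc.) list item and ends at the next item or at any non-blank line indented
    no deeper than the item's dash (the end of that job's steps list).
    Returns [(first line number, [lines])]."""
    steps, current, dash = [], None, 0
    for n, line in enumerate(text.split("\n"), 1):
        m = STEP_START.match(line)
        if m:
            current = (n, [])
            steps.append(current)
            dash = len(m["indent"])
        elif current and line.strip() and len(line) - len(line.lstrip()) <= dash:
            current = None
        if current:
            current[1].append(line)
    return steps


def audit_credential_persistence(text):
    """[(line, exposed)] for each checkout step without persist-credentials:
    false. checkout writes the GITHUB_TOKEN into .git/config by default;
    `exposed` is True when a later step uploads an artifact, the route by
    which that file can leave the runner."""
    steps = split_steps(text)
    findings = []
    for i, (line_no, body) in enumerate(steps):
        if not any(CHECKOUT.match(l) for l in body):
            continue
        if any(PERSIST_OFF.match(l) for l in body):
            continue
        exposed = any(UPLOAD.match(l) for _, later in steps[i + 1:] for l in later)
        findings.append((line_no, exposed))
    return findings


SHA = "0" * 40  # placeholder, not a real commit

# Constructed: the weak form. The token persists in .git/config and the whole
# workspace (path: .) is uploaded, so the artifact contains the token.
WEAK = f"""\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{SHA} # v6.0.2
      - name: Build
        run: make dist
      - uses: actions/upload-artifact@{SHA} # v4
        with:
          name: workspace
          path: .
"""

# Constructed: the hardened form. No token on disk, and only the build
# output is uploaded rather than the checkout directory.
HARDENED = f"""\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{SHA} # v6.0.2
        with:
          persist-credentials: false
      - name: Build
        run: make dist
      - uses: actions/upload-artifact@{SHA} # v4
        with:
          name: dist
          path: dist/
"""
```

`audit_credential_persistence(WEAK)` returns the checkout step's line with `exposed=True`; the hardened fragment returns nothing. Setting `persist-credentials: false` costs nothing in test, lint, and build jobs. A step that later pushes to the repository (a release or version-bump job) loses the implicit credential and must be given the token explicitly for that step alone, which is the intended outcome: the secret is scoped to the one step that needs it instead of sitting in the workspace for the whole job.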

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/codeql.yml:
- Line 25: The workflow uses github/codeql-action pinned to the wrong commit:
replace the incorrect SHA 9e0d7b8d25671d64c341c19c0152d693099fb5ba with the
correct SHA f25eda876ebb741d872b63b9f2c6dfdd77f14b83 for all three occurrences
of github/codeql-action (the steps referencing the v4.35.5 release);
alternatively ensure the tag and its pinned SHA match by updating the action
version to the tag that corresponds to the existing SHA.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 169086cb-dbb1-4002-9432-9a838ef305ff

📥 Commits

Reviewing files that changed from the base of the PR and between a3cae19 and 27775bd.

📒 Files selected for processing (6)
  • .github/workflows/ci.yml
  • .github/workflows/codeql.yml
  • .github/workflows/dependency-health.yml
  • .github/workflows/docker-publish.yml
  • .github/workflows/release.yml
  • .github/workflows/winget-scripts-test.yml

Comment thread .github/workflows/codeql.yml
@thewrz thewrz merged commit 7dc7ce5 into main May 20, 2026
14 of 15 checks passed
@thewrz thewrz deleted the chore/pin-github-actions-shas-2026-05 branch May 20, 2026 05:10
thewrz added a commit that referenced this pull request Jun 3, 2026
* docs: refresh README + CONTRIB for features landed on main since #304

Document main-branch features merged after the last README content
update (#304, 2026-05-11):

- Frictionless join (#369/#380): nickname gate is now conditional;
  auto-named guests with rename affordance; per-event toggle + per-DJ
  account default
- Pre-built GHCR images + deploy-ghcr.sh no-build deploy path (#318)
- Split collection/live event codes; public endpoints never expose the
  internal event id (#324/#382)
- Broaden supply-chain note: GitHub Actions pinned to commit SHAs,
  committed uv.lock at CVE-floor versions (#322/#323)
- Add LISTENBRAINZ_USER_TOKEN to the env block

CONTRIB drift fixes: Node 20 -> 22, coverage 70% -> 85%, add 10 missing
live env vars, complete the conftest fixture list, fix the BRIDGE_API_KEY
description, add the dual-code resolver pitfall.

Deliberately excludes the provider-agnostic LLM gateway epic, which lives
on epic/ai-engine and is not yet merged to main.

* docs: correct supply-chain claim — only bridge image pins base SHA

CodeRabbit flagged the 'pinned base-image SHAs' claim as overbroad.
Verified: server/Dockerfile (python:3.11-slim) and dashboard/Dockerfile
(node:26-alpine) use floating tags for multi-arch; only bridge/Dockerfile
pins a SHA256 digest. Reword to the actually-true mitigations: Actions
SHA-pinning, committed lockfiles, CI scans (bandit/pip-audit/npm audit),
and the bridge base-image digest pin.
