
Pin all GitHub Actions to exact commit hashes #1448

Merged
N2D4 merged 1 commit into dev from devin/1779298274-pin-github-actions-to-commit-hashes on May 20, 2026

Conversation

N2D4 (Contributor) commented May 20, 2026

Pin all GitHub Actions to exact commit hashes for supply chain security. Version tags are preserved as inline comments.

Link to Devin session: https://app.devin.ai/sessions/7ab88b0a615946caa4c8f10563680ead
Requested by: @N2D4


Note: Low Risk

Low risk since this only updates GitHub Actions workflow references to pinned commit SHAs, without changing application code or workflow logic; primary risk is accidental breakage if a pinned SHA is incorrect or later removed.

Overview
Pins all GitHub Actions used across CI workflows to exact commit SHAs (e.g., actions/checkout, actions/setup-node, pnpm/action-setup, Docker build/push actions, actions/cache, artifact upload/download, actions/github-script, and technote-space/toc-generator) while keeping the human-readable version tags as comments.

This hardens the workflows against supply-chain tampering by eliminating floating version tags, with no intended changes to job behavior beyond the action resolution source.

Reviewed by Cursor Bugbot for commit fd061e6.

Summary by CodeRabbit

  • Chores
    • Updated automated build and testing workflows to ensure consistent and reliable execution across CI/CD pipelines.


Co-Authored-By: Konstantin Wohlwend <n2d4xc@gmail.com>
vercel Bot commented May 20, 2026

The latest updates on your projects.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| stack-auth-hosted-components | Ready | Preview, Comment | May 20, 2026 5:41pm |
| stack-auth-mcp | Ready | Preview, Comment | May 20, 2026 5:41pm |
| stack-auth-skills | Ready | Preview, Comment | May 20, 2026 5:41pm |
| stack-backend | Ready | Preview, Comment | May 20, 2026 5:41pm |
| stack-dashboard | Ready | Preview, Comment | May 20, 2026 5:41pm |
| stack-demo | Ready | Preview, Comment | May 20, 2026 5:41pm |
| stack-docs | Ready | Preview, Comment | May 20, 2026 5:41pm |
| stack-preview-backend | Ready | Preview, Comment | May 20, 2026 5:41pm |
| stack-preview-dashboard | Ready | Preview, Comment | May 20, 2026 5:41pm |

devin-ai-integration (Contributor) commented

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR that start with 'DevinAI' or '@devin'.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.


coderabbitai Bot (Contributor) commented May 20, 2026

Caution: Review failed. The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8f8ac459-c637-45e6-a424-a24c51bd3cec

📥 Commits

Reviewing files that changed from the base of the PR and between 512099e and fd061e6.

📒 Files selected for processing (18)
  • .github/workflows/check-prisma-migrations.yaml
  • .github/workflows/db-migration-backwards-compatibility.yaml
  • .github/workflows/docker-server-build-push.yaml
  • .github/workflows/docker-server-build-run.yaml
  • .github/workflows/e2e-api-tests-local-emulator.yaml
  • .github/workflows/e2e-api-tests.yaml
  • .github/workflows/e2e-custom-base-port-api-tests.yaml
  • .github/workflows/e2e-fallback-tests.yaml
  • .github/workflows/lint-and-build.yaml
  • .github/workflows/mirror-to-wdb.yaml
  • .github/workflows/npm-publish.yaml
  • .github/workflows/qemu-emulator-build.yaml
  • .github/workflows/reviewers-assignees.yml
  • .github/workflows/setup-tests-with-custom-base-port.yaml
  • .github/workflows/setup-tests.yaml
  • .github/workflows/swift-sdk-publish.yaml
  • .github/workflows/sync-main-to-dev.yml
  • .github/workflows/table-of-contents.yaml

📝 Walkthrough


This PR pins GitHub Actions to specific commit SHAs across 16 workflow files to improve CI reproducibility and security. Every action reference from version tags (e.g., @v6, @v4, @v1.0.7) is updated to a deterministic commit SHA while preserving the same major versions and configurations. No functional behavior changes.

Changes

GitHub Actions pinning to commit SHAs

| Layer / File(s) | Summary |
| --- | --- |
| Core setup actions pinning: .github/workflows/check-prisma-migrations.yaml, db-migration-backwards-compatibility.yaml, docker-server-build-run.yaml, e2e-api-tests.yaml, e2e-api-tests-local-emulator.yaml, e2e-custom-base-port-api-tests.yaml, e2e-fallback-tests.yaml, lint-and-build.yaml, mirror-to-wdb.yaml, npm-publish.yaml, qemu-emulator-build.yaml, setup-tests.yaml, setup-tests-with-custom-base-port.yaml, swift-sdk-publish.yaml, sync-main-to-dev.yml | Checkout, Node.js setup, and pnpm package manager actions are pinned from floating version tags to deterministic commit SHAs across 14 workflow files, ensuring reproducible repository setup and dependency installation. |
| Background service orchestration actions: .github/workflows/check-prisma-migrations.yaml, db-migration-backwards-compatibility.yaml, e2e-api-tests.yaml, e2e-api-tests-local-emulator.yaml, e2e-custom-base-port-api-tests.yaml, e2e-fallback-tests.yaml, setup-tests.yaml, setup-tests-with-custom-base-port.yaml | JarvusInnovations/background-action references used to orchestrate Docker Compose service startup (stack-backend, stack-mcp, stack-dashboard, mock-oauth-server, email queue, and cron jobs) are pinned from version tags to specific commit SHAs across 8 workflows supporting migration testing and E2E test execution. |
| Docker build and infrastructure actions: .github/workflows/docker-server-build-push.yaml, qemu-emulator-build.yaml | Docker-related actions including metadata-action, setup-qemu-action, setup-buildx-action, login-action, and build-push-action are pinned from major version tags to specific commit SHAs in Docker server and QEMU emulator build pipelines, ensuring deterministic container builds. |
| Artifact and cache management actions: .github/workflows/qemu-emulator-build.yaml | Cache, upload-artifact, and download-artifact actions used for QEMU build caching and artifact handling are pinned from major version tags to specific commit SHAs, ensuring consistent artifact management across build and test jobs. |
| Specialized workflow actions: .github/workflows/reviewers-assignees.yml, table-of-contents.yaml | GitHub-script action for automated reviewer/assignee assignment and toc-generator action for documentation are pinned from version tags to specific commit SHAs, ensuring deterministic automation and documentation generation. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A rabbit's delight, so steady and true,
Each action now pinned to a SHA, shiny and new!
No floating tags here, just concrete and bright,
Reproducible workflows, locked down just right!


N2D4 marked this pull request as ready for review May 20, 2026 18:14
Copilot AI review requested due to automatic review settings May 20, 2026 18:14
N2D4 merged commit 2e1a0d7 into dev May 20, 2026
36 of 40 checks passed
N2D4 deleted the devin/1779298274-pin-github-actions-to-commit-hashes branch May 20, 2026 18:14

Copilot AI (Contributor) left a comment

Pull request overview

Pins third-party GitHub Actions across this repository’s CI/workflow definitions to exact commit SHAs to improve supply-chain security, while retaining the original version tags as inline comments for readability/auditing.

Changes:

  • Replaced all uses: owner/action@vX references with uses: owner/action@<full_sha>.
  • Preserved the prior tag (e.g. v4, v6, v7) as an inline comment next to each pinned SHA.
  • Updated workflows spanning CI, e2e tests, Docker/QEMU builds, publishing, and automation jobs.

Reviewed changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated no comments.

Summary per file

| File | Description |
| --- | --- |
| .github/workflows/table-of-contents.yaml | Pins technote-space/toc-generator to a commit SHA. |
| .github/workflows/sync-main-to-dev.yml | Pins actions/checkout to a commit SHA. |
| .github/workflows/swift-sdk-publish.yaml | Pins actions/checkout to a commit SHA for Swift SDK publish workflow. |
| .github/workflows/setup-tests.yaml | Pins checkout/setup-node/pnpm/background-action to SHAs. |
| .github/workflows/setup-tests-with-custom-base-port.yaml | Pins checkout/setup-node/pnpm/background-action to SHAs. |
| .github/workflows/reviewers-assignees.yml | Pins actions/github-script steps to a commit SHA. |
| .github/workflows/qemu-emulator-build.yaml | Pins checkout/docker actions/pnpm/setup-node/cache/artifact actions to SHAs. |
| .github/workflows/npm-publish.yaml | Pins checkout/setup-node/pnpm to SHAs. |
| .github/workflows/mirror-to-wdb.yaml | Pins actions/checkout to a commit SHA. |
| .github/workflows/lint-and-build.yaml | Pins checkout/setup-node/pnpm to SHAs. |
| .github/workflows/e2e-fallback-tests.yaml | Pins checkout/setup-node/pnpm/background-action to SHAs. |
| .github/workflows/e2e-custom-base-port-api-tests.yaml | Pins checkout/setup-node/pnpm/background-action to SHAs. |
| .github/workflows/e2e-api-tests.yaml | Pins checkout/setup-node/pnpm/background-action to SHAs. |
| .github/workflows/e2e-api-tests-local-emulator.yaml | Pins checkout/setup-node/pnpm/background-action to SHAs. |
| .github/workflows/docker-server-build-run.yaml | Pins actions/checkout to a commit SHA. |
| .github/workflows/docker-server-build-push.yaml | Pins checkout and docker build/login/metadata actions to SHAs. |
| .github/workflows/db-migration-backwards-compatibility.yaml | Pins checkout/setup-node/pnpm/background-action to SHAs throughout the workflow. |
| .github/workflows/check-prisma-migrations.yaml | Pins checkout/setup-node/pnpm/background-action to SHAs. |


greptile-apps Bot (Contributor) commented May 20, 2026

Greptile Summary

This PR pins all GitHub Actions across 18 workflow files to exact commit SHAs for supply chain security hardening, preserving the original version tags as inline comments (e.g., # v6). No workflow logic was changed.

  • 18 workflow files updated: every uses: directive referencing a version tag is replaced with its corresponding full commit SHA, covering first-party actions (actions/checkout, actions/setup-node, actions/cache, actions/upload-artifact, actions/download-artifact, actions/github-script) and third-party actions (pnpm/action-setup, JarvusInnovations/background-action, docker/*, technote-space/toc-generator).
  • 3 workflows left unchanged: all-good.yaml has no uses: directives; auto-assign.yaml and auto-update.yaml were already pinned to SHAs prior to this PR.
  • Version divergence preserved correctly: qemu-emulator-build.yaml and swift-sdk-publish.yaml reference actions/setup-node@v4 and actions/checkout@v4 respectively, pinned to distinct v4 hashes rather than the v6 hashes used by other workflows.

Confidence Score: 5/5

Safe to merge — purely mechanical replacement of mutable version tags with immutable commit SHAs, with no workflow logic touched.

Every changed line is a one-to-one substitution of a version tag for a commit hash, with the original tag preserved as a comment. The same SHA is used consistently across all files that shared the same action+version. Files that were already SHA-pinned or had no external actions were correctly left out. No behaviour changes, no logic edits, no new permissions.

No files require special attention. The two pre-existing SHA-pinned files (auto-assign.yaml, auto-update.yaml) are missing # vX version comments for readability, but this is cosmetic and outside the scope of this PR.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/docker-server-build-push.yaml | Pinned 6 Docker-related actions (checkout, metadata-action, setup-qemu, setup-buildx, login-action, build-push-action) to SHAs with version comments; no logic changes. |
| .github/workflows/qemu-emulator-build.yaml | Correctly pinned actions preserving pre-existing version diversity — setup-node and checkout use v4 hashes here while most other workflows use v6; upload/download-artifact and cache also pinned. |
| .github/workflows/e2e-api-tests.yaml | Pinned all JarvusInnovations/background-action, checkout, setup-node, and pnpm actions to SHAs; no logic changes. |
| .github/workflows/db-migration-backwards-compatibility.yaml | Pinned multiple checkout@v6, setup-node@v6, pnpm, and background-action usages to SHAs; no logic changes. |
| .github/workflows/swift-sdk-publish.yaml | Pinned actions/checkout@v4 (34e114876…) — distinct from the v6 hash used elsewhere, correctly matching the pre-existing version tag; no logic changes. |
| .github/workflows/check-prisma-migrations.yaml | Pinned 4 actions (checkout v6, setup-node v6, pnpm/action-setup v4, JarvusInnovations/background-action v1.0.7) to exact commit SHAs; no logic changes. |
| .github/workflows/table-of-contents.yaml | Pinned technote-space/toc-generator@v4 to 9e238e79…; no logic changes. |
| .github/workflows/reviewers-assignees.yml | Pinned actions/github-script@v7 to f28e40c7…; no logic changes. |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[GitHub Actions Workflow] --> B{Action Reference}
    B -->|Before PR: version tag| C["uses: actions/checkout@v6"]
    B -->|After PR: commit SHA| D["uses: actions/checkout@de0fac2e… #v6"]
    C --> E[GitHub resolves tag to commit]
    E --> F{Tag mutable?}
    F -->|Yes - tag can be moved| G["⚠️ Resolves to attacker-controlled commit"]
    D --> H[GitHub loads exact pinned commit]
    H --> I["✅ Immutable - supply chain safe"]
    subgraph Unchanged [Already-pinned / no external actions]
        J["auto-assign.yaml (already SHA-pinned)"]
        K["auto-update.yaml (already SHA-pinned)"]
        L["all-good.yaml (no uses: directives)"]
    end
```

Reviews (1): Last reviewed commit: "Pin all GitHub Actions to exact commit h..."
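The convention the PR and its reviews describe (a `uses:` reference pinned to a full commit SHA, with the human-readable tag kept as a `# vX` comment) is easy to regress when someone adds a new step, so a small checker that flags floating tags, branch references and SHA pins that lost their version comment is the natural follow-up guard. The code below is an added example, not code from the PR's repository or from any of the review bots; it assumes only the `uses:` line shape shown in the reviews, and the SHAs in its sample are constructed placeholders.

```python
import re
from typing import NamedTuple, Optional

# One `uses:` step line: the action reference plus an optional trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*\S))?\s*$")
SHA_RE = re.compile(r"[0-9a-f]{40}")    # full-length commit SHA
TAG_RE = re.compile(r"v\d+(?:\.\d+)*")  # v6, v4, v1.0.7, ...

class Finding(NamedTuple):
    line: int
    action: str
    ref: str
    status: str  # ok | floating-tag | mutable-branch | sha-no-version-comment | skipped

def classify_uses(line_no: int, raw: str) -> Optional[Finding]:
    # Returns None for lines that are not `uses:` lines.
    m = USES_RE.match(raw)
    if not m:
        return None
    ref, comment = m.group("ref"), m.group("comment")
    # Local composite actions and docker:// images have no GitHub commit to pin.
    if ref.startswith(("./", "docker://")):
        return Finding(line_no, ref, "", "skipped")
    if "@" not in ref:
        return Finding(line_no, ref, "", "mutable-branch")  # implicit default branch
    action, _, version = ref.rpartition("@")
    if SHA_RE.fullmatch(version):
        # Pinned; the PR's convention keeps the human-readable tag as `# vX` beside the SHA.
        ok = comment is not None and TAG_RE.fullmatch(comment) is not None
        return Finding(line_no, action, version, "ok" if ok else "sha-no-version-comment")
    if TAG_RE.fullmatch(version):
        return Finding(line_no, action, version, "floating-tag")
    return Finding(line_no, action, version, "mutable-branch")

def audit_workflow(text: str) -> list:
    # Classify every `uses:` line of one workflow file's text.
    found = (classify_uses(i, raw) for i, raw in enumerate(text.splitlines(), start=1))
    return [f for f in found if f is not None]

def unpinned(text: str) -> list:
    # Only the findings a reviewer has to act on.
    return [f for f in audit_workflow(text) if f.status not in ("ok", "skipped")]

# Constructed sample, not one of the PR's real files; the SHAs are placeholders.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v6
  - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v6
  - uses: pnpm/action-setup@89abcdef0123456789abcdef0123456789abcdef
  - uses: example-org/some-action@main
  - uses: ./.github/actions/local-step
  - uses: docker://alpine:3.20
"""
```

Run `unpinned(open(path).read())` over each file under .github/workflows to get the lines that still need attention; reusable-workflow references (`owner/repo/.github/workflows/x.yml@ref`) are classified by the same rules.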

Labels

None yet

Projects

None yet

2 participants