
ci: improve pin actions#4278

Merged
pi0 merged 2 commits into
mainfrom
ci/pin-actions
May 22, 2026

Conversation

pi0 (Member) commented May 22, 2026

No description provided.

vercel Bot commented May 22, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: nitro.build | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): May 22, 2026 1:16pm

coderabbitai Bot (Contributor) commented May 22, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2ff9908c-fc2b-4663-b27f-0068b7b35346

📥 Commits

Reviewing files that changed from the base of the PR and between 8abb2f2 and 43b1f0e.

📒 Files selected for processing (4)
  • .github/workflows/autofix.yml
  • .github/workflows/ci.yml
  • .github/workflows/copilot-setup-steps.yml
  • .github/workflows/npm-publish.yml

📝 Walkthrough

GitHub Actions workflows are updated to pin actions to commit SHAs, add top-level workflow permissions, adjust publish commands/flags, set persist-credentials:false for publishing, and switch the autofix formatting step to run pnpm fmt.

Changes

CI/CD Workflow Configuration Updates

Layer / File(s) | Summary

Workflow permissions configuration
  Files: .github/workflows/ci.yml, .github/workflows/copilot-setup-steps.yml
  Top-level permissions is set in ci.yml as an empty object, and workflow-level read-only permissions: contents: read is added in copilot-setup-steps.yml.

GitHub Actions security pinning in test workflows
  Files: .github/workflows/ci.yml, .github/workflows/copilot-setup-steps.yml
  In tests-checks, tests-rollup, and tests-rolldown jobs, actions/checkout and actions/setup-node are pinned to specific commit SHAs. Third-party actions oven-sh/setup-bun and denoland/setup-deno are updated to newer versions in non-Windows test runs; copilot setup steps also pin checkout/setup-node.

Package publishing workflow updates
  Files: .github/workflows/ci.yml, .github/workflows/npm-publish.yml
  In publish-pkg-pr-new, checkout and setup-node are pinned while preserving fetch-depth: 0. In publish-nitro-nightly, the job condition is restricted to main branch push events and npm publish adds --provenance --access public. The npm publish workflow also sets persist-credentials: false in the checkout step.

Autofix workflow security and tooling
  Files: .github/workflows/autofix.yml
  actions/checkout and actions/setup-node are pinned to commit SHAs, and the autofix lint command is changed from npm run fmt to pnpm fmt.

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Description check: ❓ Inconclusive. No description was provided by the author, making it impossible to evaluate relevance to the changeset.
  Resolution: Add a description explaining the purpose and benefits of pinning actions to specific commit SHAs for security and consistency.

✅ Passed checks (4 passed)

Title check: ✅ Passed. The title follows conventional commits format with 'ci:' prefix and clearly describes the main change of pinning GitHub Actions to specific versions.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/autofix.yml:
- Line 17: The workflow is using
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd (v6) which defaults to
persisting Git credentials; update the checkout step that references
actions/checkout (the line with uses:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd) to explicitly set
persist-credentials: false so the runner does not store the auth token in git
config.

In @.github/workflows/ci.yml:
- Line 18: Update every actions/checkout@... step to disable credential
persistence by adding persist-credentials: false; specifically modify all
checkout invocations referenced (the one at
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd and the additional
checkouts at the other workflow locations including those that set fetch-depth:
0) to include persist-credentials: false so token-backed git credentials are not
written to the repo config across steps.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ed09f209-ba4f-4c21-9453-99059d3fa673

📥 Commits

Reviewing files that changed from the base of the PR and between 14f2fed and 8abb2f2.

📒 Files selected for processing (3)
  • .github/workflows/autofix.yml
  • .github/workflows/ci.yml
  • .github/workflows/copilot-setup-steps.yml

Comment thread .github/workflows/autofix.yml
Comment thread .github/workflows/ci.yml
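The three hardening points that the walkthrough and the two inline review comments describe (actions pinned to a full commit SHA, persist-credentials: false on every actions/checkout step, an explicit top-level permissions block) can be checked mechanically before a workflow is merged. What follows is an added example, not code from the nitro project or from CodeRabbit: a small line-oriented Python audit run over two constructed workflow snippets, one in the unpinned shape and one in the hardened shape. The actions/checkout SHA in the hardened sample is the v6 commit the review comments quote; the actions/setup-node SHA is an all-zero placeholder, and both file bodies are constructed rather than the repository's real workflows.

```python
"""Line-oriented audit of a GitHub Actions workflow for three hardening points:
  1. every `uses:` reference is pinned to a full 40-hex commit SHA,
  2. every actions/checkout step sets `persist-credentials: false`,
  3. a top-level `permissions:` block exists (an empty `{}` counts).
No YAML library is needed; the scan works on indentation, which is enough for
the flat `steps:` lists GitHub workflows use."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@([^\s#]+)")
PERSIST_OFF_RE = re.compile(r"persist-credentials:\s*false")


def _step_body(lines, i):
    """Return the lines belonging to the step whose `uses:` is at index i."""
    line = lines[i]
    indent = len(line) - len(line.lstrip())
    # The step's list dash sits on this line ("- uses:") or two columns to the
    # left on an earlier line ("- name: ..." followed by "  uses: ...").
    dash_indent = indent if line.lstrip().startswith("-") else indent - 2
    body = []
    for ln in lines[i + 1:]:
        if not ln.strip():
            continue
        if len(ln) - len(ln.lstrip()) <= dash_indent:
            break  # next step, or dedent out of the steps list
        body.append(ln)
    return "\n".join(body)


def audit_workflow(text):
    """Return a list of human-readable findings; an empty list means hardened."""
    lines = text.splitlines()
    findings = []
    if not any(ln.startswith("permissions:") for ln in lines):
        findings.append("missing top-level permissions block")
    for i, ln in enumerate(lines):
        m = USES_RE.match(ln)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        n = i + 1
        # Local (./path) and docker:// references have no upstream tag to pin.
        if not action.startswith(("./", "docker://")) and not SHA_RE.match(ref):
            findings.append(
                f"line {n}: {action} pinned to mutable ref '{ref}', not a commit SHA")
        if action == "actions/checkout" and not PERSIST_OFF_RE.search(_step_body(lines, i)):
            findings.append(
                f"line {n}: actions/checkout without persist-credentials: false")
    return findings


# Constructed sample inputs (not the repository's real workflow files).
BEFORE = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup node
        uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npm run fmt
"""

# The checkout SHA is the v6 commit the review comments quote; the setup-node
# SHA is an all-zero placeholder, not a real commit.
AFTER = """\
name: ci
on: [push]
permissions: {}
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Setup node
        uses: actions/setup-node@0000000000000000000000000000000000000000 # placeholder
        with:
          node-version: 22
      - run: pnpm fmt
"""

if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {audit_workflow(wf) or ['no findings']}")
```

Run against the first sample the audit reports the missing permissions block, both tag-pinned actions and the checkout step that still persists credentials; against the second it reports nothing. Pinning to a SHA matters because a tag such as v4 can be moved to point at different code, whereas a commit SHA cannot, and persist-credentials: false keeps the job token out of the checked-out repository's git config, where later steps in the same job could otherwise read it.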
pkg-pr-new Bot commented May 22, 2026

npm i https://pkg.pr.new/nitro@4278

commit: 8abb2f2

@pi0 pi0 merged commit b282321 into main May 22, 2026
11 checks passed
@pi0 pi0 deleted the ci/pin-actions branch May 22, 2026 13:16