
Proposal: Pin GitHub Actions to commit SHAs for supply-chain security#115

Draft
ysknsid25 wants to merge 1 commit into open-circle:main from ysknsid25:chore/pin-github-actions-sha

Conversation

ysknsid25 (Contributor) commented May 25, 2026

resolves: #116


Summary by cubic

Pin GitHub Actions to commit SHAs and adopt pnpm v11 supply-chain hardening to reduce risk from compromised releases. Adds Dependabot for Actions so pins stay current.

  • Dependencies

    • Pin actions/checkout, pnpm/action-setup, and actions/setup-node to commit SHAs in all workflows.
    • Add .github/dependabot.yml to check github-actions weekly (grouped updates).
    • Upgrade package manager to pnpm@11.3.0 and refresh lockfile.
    • Configure pnpm-workspace.yaml for v11 defaults with allowBuilds (e.g., @parcel/watcher, esbuild, sharp, vercel) and minimumReleaseAgeExclude: [valibot].
  • Migration

    • Requires pnpm v11 locally and in CI.
    • If installs fail due to blocked postinstall scripts, add the audited package to allowBuilds.

Written for commit 2dc8cbe. Summary will update on new commits.

Signed-off-by: ysknsid25 <kengo071225@gmail.com>
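The SHA-pinning rule this PR applies to actions/checkout, pnpm/action-setup and actions/setup-node, as an added example that is not part of the PR or the repository: a small Python checker that flags every `uses:` reference in a workflow whose ref is a mutable tag or branch rather than a full 40-hex commit SHA. The workflow text and the SHA inside it are constructed sample input, not the project's real files.

```python
"""Flag GitHub Actions references that are not pinned to a full commit SHA."""
import re
import sys

# A `uses:` entry is owner/repo[/path]@ref, a local ./path, or a docker:// image.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)', re.MULTILINE)
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder)
      - uses: actions/setup-node@main
      - uses: ./.github/actions/local-step
      - run: pnpm install --frozen-lockfile
"""


def find_unpinned(workflow_text):
    """Return [(action, ref), ...] for each action whose ref is not a 40-hex commit SHA.

    Tags (v4) and branches (main) can be moved after a maintainer account or a
    release is compromised; a commit SHA cannot be repointed.
    """
    unpinned = []
    for match in USES_RE.finditer(workflow_text):
        spec = match.group(1)
        if spec.startswith(("./", "docker://")):
            continue  # local actions and container images carry no git ref to pin
        action, sep, ref = spec.rpartition("@")
        if not sep:
            unpinned.append((spec, ""))  # no ref at all: resolves to the default branch
        elif not FULL_SHA_RE.match(ref):
            unpinned.append((action, ref))
    return unpinned


def read_text(path):
    with open(path, encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    # Usage: python check_pins.py .github/workflows/*.yml ; with no args the sample is checked.
    inputs = [(p, read_text(p)) for p in sys.argv[1:]] or [("sample", SAMPLE_WORKFLOW)]
    findings = [(n, a, r) for n, t in inputs for a, r in find_unpinned(t)]
    for name, action, ref in findings:
        print(f"{name}: {action}@{ref or '<no ref>'} is not pinned to a commit SHA")
    sys.exit(1 if findings else 0)
```

Run it in CI with a non-zero exit on findings so a PR that re-introduces a tag reference fails before Dependabot's weekly pass would catch it.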
vercel Bot commented May 25, 2026

@ysknsid25 is attempting to deploy a commit to the Open Circle Team on Vercel.

A member of the Team first needs to authorize it.

coderabbitai Bot commented May 25, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

