
ci: pin mutable action tags to full commit SHAs in release.yaml #76

Merged: matthyx merged 2 commits into kubescape:main from ivaresarthak-cloud:ci/pin-action-shas on May 18, 2026

Conversation

@ivaresarthak-cloud (Contributor) commented May 17, 2026

What

Pins two mutable action tags in .github/workflows/release.yaml to full commit SHAs:

Action                           Before   After
actions/checkout                 @v3      @f43a0e5... (v3.6.0)
peter-evans/create-pull-request  @v4      @5f6978f... (v8.1.1)

softprops/action-gh-release on line 44 was already pinned — no change needed there.

Why

Git tags are mutable. A compromised account can silently rewrite a tag
to point at malicious code. The March 2025 tj-actions/changed-files
incident exploited this exact vector across ~23,000 repos.

Pinning to a full commit SHA is the only immutable reference.

README example snippets are intentionally left with tag references —
pinning SHAs in user-facing docs would make them unreadable and stale.

Related

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflow dependencies to pinned versions for enhanced stability and reproducibility.
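A check for the rule this PR applies, added here as an example and not code from kubescape or from this PR: it walks a workflow's `uses:` lines and reports every reference that is not a full 40-hex commit SHA (tag, branch, default branch, abbreviated SHA, container image without a digest), plus SHA pins that carry no `# vX.Y.Z` comment. The SAMPLE workflow is constructed to resemble the shape of release.yaml; the two full SHAs in it are the ones quoted on this page, and the remaining references are made up for the demonstration.

```python
"""Lint `uses:` references in a GitHub Actions workflow for mutable pins.

Added example; not part of kubescape or this PR. SAMPLE below is constructed:
its two full SHAs are the ones quoted on the PR page, everything else is made up.
"""
import re

# A full 40-hex commit SHA is the only reference the runner resolves without
# a tag or branch lookup that someone with push access could later redirect.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
ABBREV_SHA = re.compile(r"^[0-9a-f]{7,39}$")
VERSION_LIKE = re.compile(r"^v?\d")
# `- uses: ref   # comment` as it appears in workflow YAML (quoted refs tolerated).
USES = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^\s'\"#]+)['\"]?\s*(?:#\s*(?P<comment>.*?))?\s*$"
)


def classify(line: str):
    """Return a dict describing the reference on a `uses:` line, or None."""
    m = USES.match(line)
    if m is None:
        return None
    ref = m.group("ref")
    comment = (m.group("comment") or "").strip()
    if ref.startswith("./"):
        # Local action or reusable workflow: lives in this repo, nothing to pin.
        return {"ref": ref, "kind": "local", "ok": True, "comment": comment}
    if ref.startswith("docker://"):
        # Container images are immutable only when referenced by digest.
        return {"ref": ref, "kind": "docker", "ok": "@sha256:" in ref, "comment": comment}
    action, _, version = ref.partition("@")
    if not version:
        kind, ok = "default-branch", False
    elif FULL_SHA.match(version):
        kind, ok = "sha", True
    elif ABBREV_SHA.match(version):
        # Abbreviated SHAs are ambiguous; only the full SHA is treated as immutable.
        kind, ok = "short-sha", False
    elif VERSION_LIKE.match(version):
        kind, ok = "tag", False
    else:
        kind, ok = "branch", False
    return {"ref": ref, "action": action, "version": version,
            "kind": kind, "ok": ok, "comment": comment}


def audit(workflow_text: str):
    """One (lineno, ref, problem) tuple per `uses:` line that is mutable, plus
    SHA pins with no `# vX.Y.Z` comment. The runner never checks the comment,
    but without it a reviewer cannot tell which release a pin claims to be."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        info = classify(line)
        if info is None:
            continue
        if not info["ok"]:
            findings.append((lineno, info["ref"], f"mutable reference ({info['kind']})"))
        elif info["kind"] == "sha" and not VERSION_LIKE.match(info["comment"]):
            findings.append((lineno, info["ref"], "SHA pin without version comment"))
    return findings


# Constructed sample workflow in the shape of release.yaml (see module docstring).
SAMPLE = """\
name: release
on:
  push:
    tags: ['v*']
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: peter-evans/create-pull-request@v4
      - uses: actions/setup-go@main
      - uses: actions/checkout@f43a0e5
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - uses: softprops/action-gh-release@c9b46fe7aad9f02afd89b12450b780f52dacfb2d
      - uses: ./.github/actions/notify
      - uses: docker://alpine:3.19
      - run: echo "not an action reference"
"""

if __name__ == "__main__":
    for lineno, ref, problem in audit(SAMPLE):
        print(f"release.yaml:{lineno}: {problem}: {ref}")
```

Run against SAMPLE it reports six lines: the two tag references this PR replaced, a branch reference, an abbreviated SHA, the softprops pin that has no version comment, and the image pulled by tag rather than digest; only the fully pinned checkout line and the local action pass. A SHA pin passing this check still says nothing about whether that SHA sits on an upstream release, which is what the tag lookup in the review thread is for.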


@coderabbitai (Bot) commented May 17, 2026

Warning

Rate limit exceeded

@ivaresarthak-cloud has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 33 minutes and 49 seconds before requesting another review.


⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 10e55929-6368-4e5d-81a6-ba571b5b0674

📥 Commits

Reviewing files that changed from the base of the PR and between 614ad3e and f31cf3f.

📒 Files selected for processing (1)
  • .github/workflows/release.yaml
📝 Walkthrough

The pull request pins two GitHub Actions dependencies in the release workflow from floating version tags to specific commit SHAs, strengthening supply chain security and ensuring reproducible workflow execution across runs.

Changes

GitHub Actions Dependency Pinning

Layer / File(s): Pin GitHub Actions to commit SHAs (.github/workflows/release.yaml)
Summary: actions/checkout and peter-evans/create-pull-request are pinned from floating version tags (@v3 and @v4) to specific commit SHAs, replacing tag-based references with immutable commit hashes for reproducible and secure releases.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 With commits now locked in place,
No floating tags to drift or race,
Security's stitched, thread by thread—
Each workflow runs exactly as said! ✨

🚥 Pre-merge checks | ✅ 5 passed
  • Title check: Passed. The title clearly and accurately summarizes the main change: pinning mutable GitHub Actions tags to commit SHAs in release.yaml.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Description Check: Passed. Check skipped; CodeRabbit's high-level summary is enabled.




@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/release.yaml (2)

45-45: ⚡ Quick win

Add a version comment for consistency.

For consistency with the newly pinned actions on lines 19 and 29, consider adding a version comment to this already-pinned action reference. This improves maintainability by making it clear which version the SHA corresponds to.

Run the following script to identify the version:

#!/bin/bash
# Identify which version/tag corresponds to the pinned SHA.
# The tags endpoint is paginated (30 entries per page by default), so ask for
# 100 and add &page=2 etc. if the tag is older than that; an empty result means
# "not in this page", not "no tag".
set -euo pipefail
SHA="c9b46fe7aad9f02afd89b12450b780f52dacfb2d"

echo "=== Finding tag for softprops/action-gh-release SHA ==="
curl -sf "https://api.github.com/repos/softprops/action-gh-release/tags?per_page=100" | \
  jq -r --arg sha "$SHA" '.[] | select(.commit.sha == $sha) | .name'
📝 Suggested enhancement

Once you've identified the version, update the line:

-      uses: softprops/action-gh-release@c9b46fe7aad9f02afd89b12450b780f52dacfb2d
+      uses: softprops/action-gh-release@c9b46fe7aad9f02afd89b12450b780f52dacfb2d # vX.Y.Z
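Review bot: the `# vX.Y.Z` comment on the changed line is documentation only and is never checked by the runner, so add it only once the tags lookup actually returns a name for c9b46fe7aad9f02afd89b12450b780f52dacfb2d; the tags endpoint is paginated (30 entries per page by default), so an older release is absent from the first page and the lookup prints nothing rather than failing, which should prompt a `?per_page=100` request or paging through before concluding anything. If no upstream tag resolves to the SHA, that is a finding in its own right rather than a missing comment: a commit that exists in the repository is not the same as one that sits on a release.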
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yaml at line 45, The pinned GitHub Action
reference uses:
softprops/action-gh-release@c9b46fe7aad9f02afd89b12450b780f52dacfb2d lacks a
version comment for clarity and consistency with other pinned actions; run the
provided script to map that SHA to its tag/version, then update the uses line to
keep the same pinned SHA but add an inline comment with the resolved version
(e.g., append a comment like "# vX.Y.Z") so readers can quickly see which
release the SHA corresponds to while preserving the existing pin.

19-19: 🏗️ Heavy lift

Consider upgrading to actions/checkout@v4 for latest improvements.

The SHA is correctly pinned to v3.6.0 and has no known vulnerabilities. However, v4.3.1 is available (released November 2025) with potential improvements. If upgrading, ensure the v4 SHA is also pinned according to this PR's security practices.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yaml at line 19, Replace the pinned checkout
action revision currently specified as "uses:
actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744" (v3.6.0) with the v4
release; either update to the stable tag "actions/checkout@v4" or pin to the
exact v4 commit SHA (for example v4.3.1's SHA) to gain the improvements while
keeping the repository's security practice of SHA pinning—update the workflow
step that contains the "uses: actions/checkout@..." line accordingly.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yaml:
- Line 29: Update the GitHub Action reference on the line containing "uses:
peter-evans/create-pull-request@2b011faafdcbc9ceb11414d64d0573f37c774b04" to the
latest stable tag and its corresponding commit SHA (change the tag to v8.1.1 and
replace the existing SHA with the commit SHA that corresponds to v8.1.1 in the
peter-evans/create-pull-request repo); ensure the line remains pinned to a full
commit SHA (not just the tag) and keep the same "uses:
peter-evans/create-pull-request@..." format so the workflow stays deterministic.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1b3d7a87-9859-4cc4-81a8-603f47f12413

📥 Commits

Reviewing files that changed from the base of the PR and between 47d8e45 and 614ad3e.

📒 Files selected for processing (1)
  • .github/workflows/release.yaml

Comment thread .github/workflows/release.yaml Outdated
Signed-off-by: ivaresarthak-cloud <ivaresarthak@gmail.com>
Signed-off-by: ivaresarthak-cloud <ivaresarthak@gmail.com>
@matthyx matthyx moved this to Needs Reviewer in KS PRs tracking May 18, 2026
@matthyx matthyx merged commit 6e9cdc4 into kubescape:main May 18, 2026
7 of 8 checks passed
@matthyx matthyx moved this from Needs Reviewer to To Archive in KS PRs tracking May 18, 2026
Labels

None yet

Projects

Archived in project

2 participants