ci: pin actions to SHAs and add dependabot config

[nicktrn]

Most actions in this repo were several major versions behind, which is why every CI run has been emitting Node 20 deprecation warnings.

Pinning every action to a commit SHA (with the version as a trailing comment) means each CI run uses the exact code that was reviewed when the bump landed, instead of whatever a maintainer last pointed the major tag at. Dependabot is configured to group all action bumps into one weekly PR with a 7-day cooldown.

Worth flagging:

• The Claude Code action ships ~daily but the model is set separately via --model in claude_args, so SHA-pinning the action gives reproducibility without locking the model.
• The kubeconform container is digest-pinned (docker://image:tag@sha256:...). Dependabot's github-actions ecosystem doesn't track docker:// references (explicit TODO in dependabot-core), so it needs manual bumps either way - but the digest pin protects against tag repointing for free.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 4414471

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: d76f068c-b5cc-4bf0-9779-aad7d8634725

📥 Commits

Reviewing files that changed from the base of the PR and between 7c7d785 and 4414471.

📒 Files selected for processing (18)

• .github/dependabot.yml
• .github/workflows/changesets-pr.yml
• .github/workflows/claude-md-audit.yml
• .github/workflows/claude.yml
• .github/workflows/docs.yml
• .github/workflows/e2e-webapp.yml
• .github/workflows/e2e.yml
• .github/workflows/helm-prerelease.yml
• .github/workflows/publish-webapp.yml
• .github/workflows/publish-worker-v4.yml
• .github/workflows/publish-worker.yml
• .github/workflows/release-helm.yml
• .github/workflows/release.yml
• .github/workflows/sdk-compat.yml
• .github/workflows/typecheck.yml
• .github/workflows/unit-tests-internal.yml
• .github/workflows/unit-tests-packages.yml
• .github/workflows/unit-tests-webapp.yml

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (31)

• GitHub Check: units / internal / 🧪 Unit Tests: Internal (8, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (8, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (7, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (2, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (7, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (5, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (4, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (6, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (1, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (2, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (3, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (5, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (3, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (1, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (6, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (4, 8)
• GitHub Check: units / e2e-webapp / 🧪 E2E Tests: Webapp
• GitHub Check: units / packages / 🧪 Unit Tests: Packages (1, 1)
• GitHub Check: e2e / 🧪 CLI v3 tests (ubuntu-latest - npm)
• GitHub Check: e2e / 🧪 CLI v3 tests (ubuntu-latest - pnpm)
• GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - npm)
• GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - pnpm)
• GitHub Check: sdk-compat / Node.js 22.12 (ubuntu-latest)
• GitHub Check: sdk-compat / Bun Runtime
• GitHub Check: sdk-compat / Deno Runtime
• GitHub Check: sdk-compat / Cloudflare Workers
• GitHub Check: sdk-compat / Node.js 20.20 (ubuntu-latest)
• GitHub Check: typecheck / typecheck
• GitHub Check: Analyze (python)
• GitHub Check: Analyze (actions)
• GitHub Check: Analyze (javascript-typescript)

🧰 Additional context used

🧠 Learnings (12)

📚 Learning: 2026-01-15T10:48:02.687Z

Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-15T10:48:02.687Z
Learning: Use pnpm as the package manager (version 10.23.0 or later) and Node.js 20.20.0

Applied to files:

• .github/workflows/e2e.yml
• .github/workflows/typecheck.yml
• .github/workflows/release.yml
• .github/workflows/changesets-pr.yml
• .github/workflows/unit-tests-webapp.yml
• .github/workflows/unit-tests-packages.yml
• .github/workflows/sdk-compat.yml
• .github/workflows/unit-tests-internal.yml

📚 Learning: 2026-04-15T15:39:06.868Z

Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-15T15:39:06.868Z
Learning: Use `pnpm run typecheck` to verify changes in apps and internal packages (`apps/*`, `internal-packages/*`). Never use `build` for these — building proves almost nothing about correctness.

Applied to files:

• .github/workflows/typecheck.yml

📚 Learning: 2026-04-16T14:19:16.330Z

Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: apps/webapp/CLAUDE.md:0-0
Timestamp: 2026-04-16T14:19:16.330Z
Learning: Never run `pnpm run build --filter webapp` to verify changes. Use typecheck from the repo root instead (`pnpm run typecheck --filter webapp`). Building proves almost nothing about correctness; only run typecheck after major changes (new files, significant refactors, schema changes)

Applied to files:

• .github/workflows/typecheck.yml

📚 Learning: 2024-09-23T12:51:42.019Z

Learnt from: nicktrn
Repo: triggerdotdev/trigger.dev PR: 1306
File: .github/actions/get-image-tag/action.yml:51-62
Timestamp: 2024-09-23T12:51:42.019Z
Learning: In the 'get-image-tag' GitHub Action, prefer dependent workflows to fail immediately when the tag is invalid, without outputting the validity status as an output.

Applied to files:

• .github/workflows/docs.yml
• .github/workflows/publish-webapp.yml
• .github/workflows/publish-worker-v4.yml
• .github/workflows/publish-worker.yml
• .github/workflows/claude.yml

📚 Learning: 2026-03-02T12:43:34.140Z

Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: packages/cli-v3/CLAUDE.md:0-0
Timestamp: 2026-03-02T12:43:34.140Z
Learning: Applies to packages/cli-v3/src/deploy/buildImage.ts : Build Docker images using `src/deploy/buildImage.ts` for local Docker/Depot or remote builds

Applied to files:

• .github/workflows/publish-webapp.yml
• .github/workflows/publish-worker-v4.yml
• .github/workflows/publish-worker.yml

📚 Learning: 2026-03-02T12:43:34.140Z

Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: packages/cli-v3/CLAUDE.md:0-0
Timestamp: 2026-03-02T12:43:34.140Z
Learning: Applies to packages/cli-v3/.claude/skills/trigger-dev-tasks/**/* : Update `.claude/skills/trigger-dev-tasks/` in parallel with `rules/` when SDK features change

Applied to files:

• .github/workflows/claude.yml

📚 Learning: 2026-04-15T15:39:06.868Z

Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-15T15:39:06.868Z
Learning: Use `pnpm run build` to verify changes in public packages (`packages/*`). Build proves correctness for these published packages.

Applied to files:

• .github/workflows/release.yml

📚 Learning: 2026-04-15T15:39:06.868Z

Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-15T15:39:06.868Z
Learning: When modifying any public package (`packages/*` or `integrations/*`), add a changeset using `pnpm run changeset:add`.

Applied to files:

• .github/workflows/release.yml
• .github/workflows/changesets-pr.yml

📚 Learning: 2025-06-25T13:24:23.836Z

Learnt from: nicktrn
Repo: triggerdotdev/trigger.dev PR: 2195
File: .github/workflows/release-helm.yml:42-46
Timestamp: 2025-06-25T13:24:23.836Z
Learning: In .github/workflows/release-helm.yml, the user nicktrn confirmed that using 'entrypoint' with 'docker://' steps works fine, contrary to previous analysis suggesting it's unsupported.

Applied to files:

• .github/workflows/release-helm.yml

📚 Learning: 2026-03-25T15:29:25.889Z

Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: .cursor/rules/writing-tasks.mdc:0-0
Timestamp: 2026-03-25T15:29:25.889Z
Learning: Run `npx trigger.devlatest init` to initialize a new Trigger.dev project

Applied to files:

• .github/workflows/changesets-pr.yml

📚 Learning: 2025-11-27T16:26:37.432Z

Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-11-27T16:26:37.432Z
Learning: Applies to **/*.{test,spec}.{ts,tsx} : Use vitest for all tests in the Trigger.dev repository

Applied to files:

• .github/workflows/changesets-pr.yml

📚 Learning: 2026-02-03T18:27:05.229Z

Learnt from: 0ski
Repo: triggerdotdev/trigger.dev PR: 2994
File: apps/webapp/app/presenters/v3/BranchesPresenter.server.ts:45-45
Timestamp: 2026-02-03T18:27:05.229Z
Learning: In the Vercel integration feature, the GitHub app is responsible for builds and provides git metadata (using source: "trigger_github_app"). The Vercel integration is only for linking deployments between platforms, not for triggering builds or providing git metadata.

Applied to files:

• .github/workflows/changesets-pr.yml

🔇 Additional comments (18)

.github/workflows/claude-md-audit.yml (1)

30-30: Good hardening update on action immutability.

Both updated uses: references are commit-pinned and keep the workflow behavior intact.

Also applies to: 36-36

.github/workflows/publish-worker-v4.yml (1)

40-40: Looks good — SHA pinning is consistent across publish steps.

This keeps the existing publish flow while improving supply-chain determinism.

Also applies to: 43-43, 77-77, 84-84

.github/workflows/unit-tests-internal.yml (1)

49-49: Nice consistency pass across test and report-merge jobs.

All changed action references are pinned without altering test orchestration.

Also applies to: 54-54, 59-59, 67-67, 104-104, 118-118, 123-123, 128-128, 134-134

.github/dependabot.yml (1)

1-12: Dependabot config is clean and aligned with the pinning strategy.

Weekly grouped updates with cooldown should reduce update noise while keeping pinned actions current.

.github/workflows/e2e.yml (1)

27-27: LGTM for the E2E workflow pin updates.

Action immutability is improved with no functional changes to the E2E job flow.

Also applies to: 32-32, 37-37

.github/workflows/publish-webapp.yml (1)

27-27: Solid security/reproducibility improvement here.

The publish pipeline keeps the same behavior while moving to immutable action refs.

Also applies to: 30-30, 71-71, 78-78

.github/workflows/changesets-pr.yml (1)

28-28: Great consistency across release-pr, lockfile, and chart bump jobs.

Pinned SHAs are applied uniformly and preserve the existing release flow.

Also applies to: 33-33, 36-36, 46-46, 84-84, 89-89, 94-94, 133-133

.github/workflows/claude.yml (1)

29-29: LGTM on the Claude workflow pinning changes.

The updated references are immutable and keep the current trigger/behavior unchanged.

Also applies to: 34-34, 39-39, 52-52

.github/workflows/sdk-compat.yml (1)

21-21: Good hardening change with no behavior drift.

All updated uses: entries are commit-pinned, and the surrounding workflow inputs/commands are preserved.

Also applies to: 26-26, 31-31, 59-59, 64-64, 69-69, 75-75, 100-100, 105-105, 110-110, 116-116, 145-145, 150-150, 155-155

.github/workflows/typecheck.yml (1)

15-15: Looks good.

Action SHA pinning is applied cleanly and keeps the existing typecheck workflow behavior intact.

Also applies to: 20-20, 25-25

.github/workflows/e2e-webapp.yml (1)

44-44: Clean pin-only update.

The SHA pins are consistent and do not alter workflow control flow or test execution behavior.

Also applies to: 49-49, 54-54, 62-62

.github/workflows/publish-worker.yml (1)

31-31: LGTM on the pin migration.

Pinned action SHAs are applied consistently for checkout/buildx/login without changing publish logic.

Also applies to: 50-50, 54-54, 65-65

.github/workflows/release-helm.yml (1)

31-31: Great update for release workflow integrity.

Action references are SHA/digest pinned consistently, including the containerized kubeconform step.

Also applies to: 34-34, 57-57, 70-70, 73-73, 86-86, 130-130

.github/workflows/release.yml (1)

68-68: Solid pinning pass across release paths.

The workflow keeps existing release/prerelease behavior while removing floating action references.

Also applies to: 82-82, 87-87, 111-111, 227-227, 245-245, 251-251, 256-256

.github/workflows/docs.yml (1)

29-29: Nice, straightforward security improvement.

Pinning checkout/cache to SHAs is clean here and keeps the docs check behavior unchanged.

Also applies to: 32-32

.github/workflows/unit-tests-packages.yml (1)

49-49: Comprehensive and consistent action pinning.

Both test and report-merge jobs retain existing behavior while improving dependency immutability.

Also applies to: 54-54, 59-59, 67-67, 104-104, 118-118, 123-123, 128-128, 134-134

.github/workflows/helm-prerelease.yml (1)

36-36: Looks good — action and container references are correctly pinned.

Nice hardening pass: these updates improve CI reproducibility and reduce supply-chain drift without changing workflow behavior.

Also applies to: 39-39, 62-62, 80-80, 83-83, 96-96, 164-164, 173-173

.github/workflows/unit-tests-webapp.yml (1)

49-49: LGTM — SHA pinning is consistent across setup/auth/artifact steps.

This is a clean reproducibility/security improvement, and the runtime toolchain versions remain aligned in both jobs.
Based on learnings: "Use pnpm as the package manager (version 10.23.0 or later) and Node.js 20.20.0".

Also applies to: 54-54, 59-59, 67-67, 112-112, 126-126, 131-131, 136-136, 142-142

---

Walkthrough

This pull request adds Dependabot configuration for GitHub Actions dependency updates and systematically pins GitHub Actions across 17 CI/CD workflow files to specific commit SHAs. The changes replace floating major-version tags (@v4, @v3, etc.) with pinned commit references for actions including actions/checkout, pnpm/action-setup, buildjet/setup-node, docker/login-action, and numerous others. No functional logic or workflow behavior is altered.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is incomplete; it lacks required sections from the template including Testing, Changelog, and a Closes statement, though it does provide substantial technical context.	Add Testing section describing verification steps, add Changelog section summarizing changes, include issue reference (Closes #), and confirm following the contributing guide.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main changes: pinning actions to SHAs and adding Dependabot configuration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/bump-actions-and-add-dependabot

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 7/8 reviews remaining, refill in 7 minutes and 30 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nicktrn]

ready