
Conversation

@chawyehsu (Member) commented Jan 2, 2026

ref:

Summary by CodeRabbit

  • Chores
    • Pinned GitHub Actions workflows to specific commit SHAs for improved build reproducibility and security consistency.


@coderabbitai (coderabbitai bot) commented Jan 2, 2026

Walkthrough

The pull request pins GitHub Actions references to specific commit SHAs in the CI workflow. Actions/checkout transitions from main to commit 8e8c483db84b4bee98b60c0593521ed34d9990e8, and psmodulecache transitions from v5.1 to commit ee5e9494714abf56f6efbfa51527b2aec5c761b8. No functional or control flow changes occur.

Changes

Cohort / File(s) | Summary
GitHub Actions pinning: .github/workflows/ci.yml | Replaced dynamic action references with pinned commit SHAs: actions/checkout main → 8e8c483db84b4bee98b60c0593521ed34d9990e8, psmodulecache v5.1 → ee5e9494714abf56f6efbfa51527b2aec5c761b8

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Pin those actions down, so strong and true,
Commit hashes locked, the workflow stays through,
No surprises now, just steady, sure ground—
Safety and clarity, forever bound! ✨

Pre-merge checks

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title 'ci: sha pin github actions' directly and accurately describes the main change: SHA-pinning GitHub Actions in CI configuration.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ff4eedd and 909ce18.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml
🔇 Additional comments (2)
.github/workflows/ci.yml (2)

14-14: SHA pinning to v6.0.1 is correct and improves supply chain security.

Pinning actions to specific commit SHAs is a security best practice that prevents potential supply chain attacks where tags could be moved to malicious code. The SHA 8e8c483db84b4bee98b60c0593521ed34d9990e8 correctly corresponds to the v6.0.1 tag of actions/checkout.

Also applies to: 38-38, 62-62


18-18: Verify the SHA and review action.yml changes before merging the major version upgrade.

The SHA ee5e9494714abf56f6efbfa51527b2aec5c761b8 could not be verified against a published release for v6.2.1. Before upgrading from v5.1 to v6.2.1 (a major version bump), verify:

  1. The commit SHA matches the v6.2.1 tag in the potatoqualitee/psmodulecache repository
  2. Compare the action.yml inputs and outputs between v5.1 and v6.2.1 to identify any breaking changes
  3. Test the workflow in a branch to ensure compatibility

No formal breaking changes documentation is available for this upgrade path.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.
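A small check that automates the review points above (is every `uses:` reference a full commit SHA, does it carry a version comment, and which `git ls-remote` command confirms the SHA against the tag), as an added example that is not part of the PR or of CodeRabbit's output; the sample workflow, the function names and the `# v6.2.1` comment on the psmodulecache line are constructed for illustration:

```python
import re

# Constructed sample workflow: the two pinned refs from this PR plus one
# mutable tag reference (actions/cache@v4) added so the check has something to flag.
SAMPLE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  test:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - uses: potatoqualitee/psmodulecache@ee5e9494714abf56f6efbfa51527b2aec5c761b8 # v6.2.1
        with:
          modules-to-cache: Pester
      - uses: actions/cache@v4
      - run: echo not an action
"""

# owner/repo@ref, optionally followed by "# <version>" as the upgrade hint
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@([^\s#]+)(?:\s*#\s*(\S+))?", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_action_refs(workflow_text):
    """One finding per remote `uses:` line: is it SHA-pinned and version-commented?"""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        action, ref, comment = m.group(1), m.group(2), m.group(3)
        if action.startswith("./") or action.startswith("docker://"):
            continue  # local and docker references are out of scope for tag pinning
        pinned = bool(FULL_SHA_RE.match(ref))
        findings.append({
            "action": action,
            "ref": ref,
            "pinned": pinned,
            "version_comment": comment,
            # a SHA with no version comment is hard to review and to upgrade later
            "ok": pinned and comment is not None,
        })
    return findings

def verify_commands(findings):
    """Commands a reviewer runs (online) to confirm each pinned SHA matches its tag."""
    return [
        f"git ls-remote --tags https://github.com/{f['action']} {f['version_comment']}"
        for f in findings if f["pinned"] and f["version_comment"]
    ]
```

For an annotated tag `git ls-remote --tags` prints both the tag object and a peeled `^{}` line; the peeled line is the commit SHA to compare against the workflow.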

@chawyehsu chawyehsu merged commit 48dc505 into ScoopInstaller:master Jan 2, 2026
4 checks passed
