
ci: pin all actions by full-length commit SHA#12

Merged
nh13 merged 1 commit into main from nh/pin-action-shas
Apr 9, 2026

Conversation

@nh13 (Collaborator)

@nh13 nh13 commented Apr 9, 2026

Summary

  • The fg-labs org enforces a policy that all GitHub Actions must be pinned to a full-length commit SHA. The most recent publish.yml run (on the chore: release v0.1.0 merge) failed at Set up job with:

    The actions actions/checkout@v4, dtolnay/rust-toolchain@stable, and release-plz/action@v0.5 are not allowed in fg-labs/fg-sra because all actions must be pinned to a full-length commit SHA.

  • Pins every action used by ci.yml and publish.yml to a full-length SHA with an inline version comment, matching the pattern used by other fg-labs crates (refget-rs, rust-yara).
  • Adapts taiki-e/install-action from the tool-as-ref form (@nextest, @cargo-llvm-cov) to a pinned @<sha> + with: tool: … form, which is the only way to pin that action by SHA.

Unblocks the v0.1.0 release: once this lands, the next push to main will let publish.yml successfully create the v0.1.0 tag and GitHub release.

Test plan

  • CI (Check and Test) passes on this PR with all newly pinned actions
  • After merge, publish.yml runs successfully on main and creates the v0.1.0 tag and GitHub release

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflows to pin GitHub Actions to specific commit SHAs for improved build reproducibility and stability.

The fg-labs org enforces a policy that all GitHub Actions must be pinned
to a full-length commit SHA. This blocked the publish.yml run on the
chore: release v0.1.0 merge:

    The actions actions/checkout@v4, dtolnay/rust-toolchain@stable, and
    release-plz/action@v0.5 are not allowed in fg-labs/fg-sra because
    all actions must be pinned to a full-length commit SHA.

Pins all actions in ci.yml and publish.yml to full SHAs with a version
comment, matching the pattern used by other fg-labs crates. Also adapts
taiki-e/install-action usage from tool-as-ref (`@nextest`) to
the pinned+`tool:` input form.
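The org policy quoted in this PR rejects any `uses:` reference that is not a full 40-character commit SHA, and the fix pins every action with a trailing version comment. The checker below is an added example, not code from this repository or from the fg-labs policy tooling: it scans workflow text for `uses:` lines, flags tag/branch refs and abbreviated SHAs, and also notes a full SHA that lacks the `# vX.Y.Z` comment the PR relies on for readability. The sample workflow, its SHAs and version comments are constructed placeholders, not the real commits of those actions; the regex-based line scan is a deliberate choice so the script needs no YAML library.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample workflow (not the project's ci.yml). The 40-hex values and
# the "# v2" comment are placeholders, not real commits or releases of those actions.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: taiki-e/install-action@nextest
      - uses: taiki-e/install-action@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v2
        with:
          tool: nextest
      - uses: actions/checkout@bbbbbbb # short SHA, still rejected by the policy
      - uses: codecov/codecov-action@cccccccccccccccccccccccccccccccccccccccc
      - uses: ./.github/actions/local-step
"""

# Matches "uses: <ref>" with an optional trailing "# comment", quoted or not.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?\s*(?:#\s*(.*))?$')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


@dataclass
class Finding:
    line: int
    uses: str
    reason: str


def ref_of(uses: str) -> Optional[str]:
    """Return the part after the last '@', or None when there is no ref."""
    return uses.rsplit('@', 1)[1] if '@' in uses else None


def classify(uses: str) -> Optional[str]:
    """Return None when the reference satisfies the pin policy, else why it does not."""
    if uses.startswith('./') or uses.startswith('docker://'):
        return None  # local actions and docker images carry no git ref to pin
    ref = ref_of(uses)
    if ref is None:
        return 'no ref at all (resolves to the default branch)'
    if FULL_SHA_RE.match(ref):
        return None
    if re.fullmatch(r'[0-9a-f]{7,39}', ref):
        return 'abbreviated SHA; only a full 40-character SHA is accepted'
    return f'mutable ref {ref!r} (tag or branch) instead of a full-length SHA'


def find_unpinned(workflow_text: str) -> List[Finding]:
    """Scan every 'uses:' line and collect policy violations and missing version comments."""
    findings: List[Finding] = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses, comment = m.group(1), m.group(2)
        reason = classify(uses)
        if reason is None:
            ref = ref_of(uses)
            # Pinned correctly, but without the "# vX.Y.Z" comment the pin is hard to audit.
            if ref is not None and FULL_SHA_RE.match(ref) and not comment:
                reason = 'pinned, but missing the trailing "# vX.Y.Z" version comment'
        if reason:
            findings.append(Finding(n, uses, reason))
    return findings


if __name__ == '__main__':
    for f in find_unpinned(SAMPLE_WORKFLOW):
        print(f'line {f.line}: {f.uses}: {f.reason}')
```

Running it on the constructed sample reports the three tag/branch refs, the abbreviated SHA and the comment-less full SHA, and accepts both the `@<sha> # v2` pin with `with: tool:` and the local action; pointing `find_unpinned` at the contents of a real `.github/workflows/*.yml` file is the same call.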
@nh13 nh13 temporarily deployed to github-actions April 9, 2026 07:39 — with GitHub Actions Inactive

coderabbitai bot commented Apr 9, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a543663b-12bd-4fa8-906c-0b4b830feef7

📥 Commits

Reviewing files that changed from the base of the PR and between 08fa017 and 27fb771.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • .github/workflows/publish.yml

📝 Walkthrough

Walkthrough

GitHub Actions dependencies in CI and publish workflows are pinned to specific commit SHAs instead of tag-based versions for improved reproducibility and supply chain security. The CI workflow additionally refactors the taiki-e/install-action usage to employ explicit tool inputs.

Changes

Cohort / File(s): CI Workflow Actions Pinning (.github/workflows/ci.yml)
Summary: Pinned actions/checkout, dtolnay/rust-toolchain, mozilla-actions/sccache-action, and codecov/codecov-action to commit SHAs. Refactored taiki-e/install-action from implicit tool selection (@nextest, @cargo-llvm-cov) to a single action with explicit tool inputs.

Cohort / File(s): Publish Workflow Actions Pinning (.github/workflows/publish.yml)
Summary: Pinned actions/checkout, dtolnay/rust-toolchain, and release-plz/action to specific commit SHAs across the release-pr and publish jobs, with version comments preserved.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰✨ Actions pinned to hashes so secure,
No floating versions causing detours,
Each commit locked in place with care,
Supply chains safer everywhere! 🔒


@nh13 nh13 marked this pull request as ready for review April 9, 2026 07:40
@nh13 nh13 merged commit 1aeefa1 into main Apr 9, 2026
4 of 5 checks passed
@nh13 nh13 deleted the nh/pin-action-shas branch April 9, 2026 07:41

codecov bot commented Apr 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
