feat: pin GitHub Actions to SHA digests and add pin-check workflow

[rebEllieous]

What

Pin all GitHub Actions workflows to SHA digests and enforce pinning via CI.
Closes #33

Why

Unpinned actions (@v4, @main) are a supply-chain risk. Pinning to a commit SHA makes workflows reproducible and tamper-evident. Renovate with pinDigests: true keeps the SHAs current automatically.

Testing

• Ran update-action-pins .github/workflows/ locally to pin all actions
• Verified pin-check script detects - uses: action@tag
• Ran RENOVATE_TOKEN=... GITHUB_COM_TOKEN=... npx renovate --platform=local --dry-run=full and confirmed pinDigests: true produces updateType: pinDigest updates for all workflow files

Summary by CodeRabbit

• Chores
  • Pinned GitHub Actions usages to fixed commit SHAs across workflows.
  • Added a CI validation workflow that fails when actions are not pinned to SHAs.
  • Added an example validation workflow for workflow pin checks.
  • Enabled digest-based pinning in dependency automation configuration.
  • Added a make target and pre-check to manage the action-pin updater.

[coderabbitai]

Warning

Rate limit exceeded

@rebEllieous has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 29 minutes and 49 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d7201664-674a-4f7f-868d-0eb0f060b511

📥 Commits

Reviewing files that changed from the base of the PR and between fd88321 and 86289cd.

📒 Files selected for processing (2)

• .github/workflows/update-action-pins.yml
• common.mk

📝 Walkthrough

Walkthrough

Adds an enforcement workflow and example that fail PRs with unpinned GitHub Actions, installs and runs that workflow from common.mk, pins several existing workflows to commit SHAs, and enables Renovate digest pinning.

Changes

GitHub Actions SHA Pinning Enforcement and Application

Layer / File(s)	Summary
Enforcement workflow and example .github/workflows/update-action-pins.yml, examples/.github/workflows/update-action-pins.yml	Adds a workflow that scans .github/workflows/** on PRs for uses: entries not pinned to 40-hex SHAs (excluding local ./ usages) and fails with an ::error:: and suggested gh command when violations are found.
Makefile installation and auth guards common.mk	repo-settings now runs gh auth status early and installs/overwrites .github/workflows/update-action-pins.yml from the dev-kit; adds a .PHONY: update-action-pins target that runs the updater with GITHUB_TOKEN=$(gh auth token).
Existing workflow action pinning .github/workflows/conventional-commits.yml, .github/workflows/issues-add-to-project.yml, .github/workflows/release-drafter.yaml	Replaces floating action tags with specific commit SHAs for amannn/action-semantic-pull-request, actions/checkout, wagoid/commitlint-github-action, actions/add-to-project, and release-drafter/release-drafter.
Renovate digest pinning configuration example/renovate.json	Adds "pinDigests": true to enable digest-based pinning for Renovate.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 We pin each Action, SHA by tiny SHA,
A hop, a scan, a tidy CI ballet,
Checks that bark if tags try to stray,
Renovate learns to fetch the hash and stay,
Nightly carrots for our secure buffet.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: pinning GitHub Actions to SHA digests and adding enforcement via a pin-check workflow.
Description check	✅ Passed	The description covers all required sections: What (pinning with enforcement), Why (supply-chain security), and Testing (local validation). The linked issue (#33) is referenced.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/33-pin-gh-actions

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@common.mk`:
- Around line 167-170: The update-action-pins make target incorrectly uses
make-style $(...) which gets expanded by make and yields an empty GITHUB_TOKEN;
in the recipe for the update-action-pins target change the command substitution
to be evaluated by the shell by escaping the $ (use $$(gh auth token) instead of
$(gh auth token)), mirroring the escaping used in the repo-settings target so
GITHUB_TOKEN is set to the actual gh auth token at runtime.
- Around line 152-155: The grep pipeline that assigns to variable unpinned can
return a non-zero exit (causing the job to fail under pipefail) when there are
no matches; update the pipeline used to set the variable named unpinned (the
multi-grep sequence that filters .github/workflows/ and excludes './' and
SHA-pinned uses) to append "|| true" so the command always exits 0 and the
subsequent if [[ -n "$unpinned" ]] check can run reliably.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0d21259f-1120-471d-84cf-bb85aa45d77d

📥 Commits

Reviewing files that changed from the base of the PR and between 3111815 and ed1fabb.

📒 Files selected for processing (6)

• .github/workflows/conventional-commits.yml
• .github/workflows/issues-add-to-project.yml
• .github/workflows/release-drafter.yaml
• .github/workflows/update-action-pins.yml
• common.mk
• example/renovate.json

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/update-action-pins.yml:
- Line 13: The checkout step currently uses the actions/checkout action but does
not disable credential persistence; update the checkout step (the
actions/checkout@... usage) to include persist-credentials: false so the job
runs read-only and does not persist the GITHUB_TOKEN; ensure the new key is
added directly under the checkout action configuration in the same step.

In `@examples/.github/workflows/update-action-pins.yml`:
- Line 13: Update the GitHub Actions checkout usage to disable credential
persistence and escape the shell interpolation in the guidance string: modify
the actions/checkout@... step (the line containing "uses:
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5") to include a with:
persist-credentials: false entry so the action does not store the token in local
git config, and in the guidance message that currently contains "$(gh auth
token)" escape the dollar sign (e.g., "\$(gh auth token)") so the string is
printed literally instead of being executed.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3950fb72-0d11-460e-8592-fc803524a155

📥 Commits

Reviewing files that changed from the base of the PR and between ed1fabb and fd88321.

📒 Files selected for processing (7)

• .github/workflows/conventional-commits.yml
• .github/workflows/issues-add-to-project.yml
• .github/workflows/release-drafter.yaml
• .github/workflows/update-action-pins.yml
• common.mk
• example/renovate.json
• examples/.github/workflows/update-action-pins.yml

✅ Files skipped from review due to trivial changes (2)

• .github/workflows/release-drafter.yaml
• example/renovate.json