change to use pinned version for trusted actions#2222

Merged
ofek1weiss merged 1 commit into master from app-1011-pin-buildin-actions-to-version-instead-of-hash
Apr 28, 2026

Conversation


@ofek1weiss ofek1weiss commented Apr 27, 2026

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow configurations to use major-version tags instead of pinned commit SHAs for improved consistency and maintainability in CI/CD pipelines.


@github-actions

👋 @ofek1weiss
Thank you for raising your pull request.
Please make sure to add tests and document all user-facing changes.
You can do this by editing the docs files in this pull request.

@coderabbitai

coderabbitai Bot commented Apr 27, 2026

Walkthrough

Three GitHub Actions workflow files are updated to replace pinned commit SHA versions with floating major-version tags for dependencies including actions/checkout, actions/setup-python, docker/build-push-action, and others. Script logic and workflow steps remain functionally unchanged.

Changes

Cohort / File(s): GitHub Actions Version Updates
.github/workflows/bump-version.yml, .github/workflows/release.yml, .github/workflows/triage-labels.yml
Summary: Replaced pinned commit SHA versions with floating major-version tags across checkout, setup-python, github-script, upload-artifact, and Docker-related actions (qemu, buildx, login, metadata, build-push).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 From SHA pins to floating tags so free,
Actions dance in versions three,
No logic changed, just cleaner flow,
Rabbit approves this tidy show! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title accurately describes the main change: replacing pinned commit SHAs with major-version tags for GitHub Actions across three workflow files.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yml:
- Around line 48-53: Replace floating action tags with the provided immutable
commit SHAs to make the release workflow reproducible: update
actions/checkout@v6 to de0fac2e4500dabe0009e67214ff5f5447ce83dd,
actions/setup-python@v6 to a309ff8b426b58ec0e2a45f0f869d46889d02405,
actions/upload-artifact@v6 to b7c566a772e6b6bfb58ed0dc250532a479d7789f,
docker/setup-qemu-action@v4 to ce360397dd3f832beb865e1373c09c0e9f86d70a,
docker/setup-buildx-action@v4 to 4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd,
docker/login-action@v4 to 4907a6ddec9925e35a0a9e82d7399ccc52663121,
docker/metadata-action@v6 to 030e881283bb7a6894de51c315a6bfe6a94e05cf, and
docker/build-push-action@v7 to bcafcacb16a39f128d818304e6c9c0c18556b85f; you may
keep the original `@vX` tag as an inline comment for clarity.

📥 Commits

Reviewing files that changed from the base of the PR and between 1c117e5 and 6ba1362.

📒 Files selected for processing (3)
  • .github/workflows/bump-version.yml
  • .github/workflows/release.yml
  • .github/workflows/triage-labels.yml

Comment on lines +48 to +53
uses: actions/checkout@v6
with:
ref: ${{ needs.validate-release-ref.outputs.release-ref }}

- name: Setup Python
# actions/setup-python v6, checked 2026-04-26.
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
uses: actions/setup-python@v6
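Review bot: removing the `# actions/setup-python v6, checked 2026-04-26.` comment together with the SHA line also drops the only record in the file of when that pin was last verified; if the team keeps `actions/setup-python@v6` and `actions/checkout@v6` on purpose, replacing the comment with a note of that decision (or the Dependabot update configuration raised later in this thread) keeps the choice auditable, since a tag that moves upstream leaves no trace in the workflow itself.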

@coderabbitai coderabbitai Bot Apr 27, 2026


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# List every `uses:` reference whose ref is not a full 40-hex commit SHA.
echo "Non-SHA workflow action refs:"
rg -nP '^\s*uses:\s*[^@]+@(?![0-9a-f]{40}$)\S+' .github/workflows

echo
# Resolve each floating ref to the commit its tag currently points at
# (for an annotated tag, git ls-remote returns the tag object; append ^{} to peel to the commit).
echo "Current tag -> commit SHA resolution:"
rg -nP '^\s*uses:\s*([^@]+)@([^\s]+)' .github/workflows \
| sed -E 's/.*uses:\s*([^@]+)@([^[:space:]]+).*/\1@\2/' \
| sort -u \
| while IFS='@' read -r repo ref; do
  [[ "$ref" =~ ^[0-9a-f]{40}$ ]] && continue   # already pinned, nothing to resolve
  sha="$(git ls-remote "https://github.com/${repo}.git" "refs/tags/${ref}" | awk 'NR==1{print $1}')"
  printf "%-45s -> %s\n" "${repo}@${ref}" "${sha:-<tag not found>}"
done

Repository: elementary-data/elementary

🏁 Script executed:

wc -l .github/workflows/release.yml

🏁 Script executed:

cat -n .github/workflows/release.yml | head -200

Pin release workflow actions to immutable commit SHAs, not floating version tags.

Lines 48, 53, 105, 110, 121, 142, 147, 150, 153, 161, 169, and 186 use floating major version tags (e.g., @v6, @v4, @v7) instead of commit SHAs. In release workflows that publish to PyPI and GHCR, this creates non-reproducible and mutable execution behavior—the workflow can behave differently across different release runs if action maintainers update the tag. This weakens supply-chain integrity and auditability.

Replace each action reference with its corresponding commit SHA (you can preserve the version as an inline comment for clarity):

  • actions/checkout@v6 -> de0fac2e4500dabe0009e67214ff5f5447ce83dd
  • actions/setup-python@v6 -> a309ff8b426b58ec0e2a45f0f869d46889d02405
  • actions/upload-artifact@v6 -> b7c566a772e6b6bfb58ed0dc250532a479d7789f
  • docker/setup-qemu-action@v4 -> ce360397dd3f832beb865e1373c09c0e9f86d70a
  • docker/setup-buildx-action@v4 -> 4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
  • docker/login-action@v4 -> 4907a6ddec9925e35a0a9e82d7399ccc52663121
  • docker/metadata-action@v6 -> 030e881283bb7a6894de51c315a6bfe6a94e05cf
  • docker/build-push-action@v7 -> bcafcacb16a39f128d818304e6c9c0c18556b85f

@ofek1weiss ofek1weiss (Contributor, Author)

since these are trusted vendors, we choose to trust their version tags

@coderabbitai coderabbitai Bot

@ofek1weiss, understood — using major version tags for trusted vendors like actions/* and docker/* is a reasonable tradeoff, and I'll respect that decision going forward.


✏️ Learnings added
Learnt from: ofek1weiss
Repo: elementary-data/elementary PR: 2222
File: .github/workflows/release.yml:48-53
Timestamp: 2026-04-27T15:33:17.054Z
Learning: In the elementary-data/elementary repository, the team intentionally uses floating major version tags (e.g., `v6`, `v4`, `v7`) instead of pinned commit SHAs for GitHub Actions from trusted vendors such as `actions/*` and `docker/*`. Do not flag these as security issues or suggest replacing them with commit SHAs.


@ofek1weiss ofek1weiss merged commit 15e8415 into master Apr 28, 2026
24 of 27 checks passed
@ofek1weiss ofek1weiss deleted the app-1011-pin-buildin-actions-to-version-instead-of-hash branch April 28, 2026 07:24
@DanielRuf
These are just tags or branches and this is not recommended. Pinning + version comment + dependabot should be used.
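To make the policy argued over in this thread checkable in CI, here is an added example (not the project's workflow tooling nor CodeRabbit's script): a small Python linter that classifies every `uses:` reference as a SHA pin with a version comment, a SHA pin without one, a floating tag or branch, or a floating ref from an owner on an explicit trusted-owner allow-list, so a team can encode either the "pin + version comment" rule or the "trust actions/* and docker/*" decision deliberately. The workflow text below is constructed for the example and mirrors the refs discussed above.

```python
import re
# Matches `uses: <target>` with an optional trailing `# comment`.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*(?P<target>[^\s#]+)(?:\s*#\s*(?P<comment>.*?))?\s*$')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')          # full commit SHA
VERSION_RE = re.compile(r'\bv\d+(?:\.\d+)*\b')  # e.g. v6 or v4.2.1 inside a comment

def classify(action, ref, comment, trusted_owners):
    """Decide how one `uses:` reference is pinned."""
    if not ref or action.startswith(('./', 'docker://')):
        return 'skipped'  # local actions and image refs are out of scope here
    if SHA_RE.match(ref):
        # A SHA pin is only auditable with a human-readable version beside it.
        return 'pinned' if comment and VERSION_RE.search(comment) else 'pinned-no-comment'
    owner = action.split('/', 1)[0]
    return 'floating-trusted' if owner in trusted_owners else 'floating'

def lint_workflow(text, trusted_owners=frozenset()):
    """Return (line_no, action, ref, kind) for every `uses:` line in workflow text."""
    findings, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        action, _, ref = m['target'].partition('@')
        comment = m['comment']
        if not comment and i > 0 and lines[i - 1].strip().startswith('#'):
            comment = lines[i - 1].strip().lstrip('#').strip()  # version noted on the line above
        findings.append((i + 1, action, ref, classify(action, ref, comment, trusted_owners)))
    return findings

def violations(findings):
    """Findings that break a 'pin to SHA + version comment' policy."""
    return [f for f in findings if f[3] in ('floating', 'pinned-no-comment')]

# Constructed sample mirroring the refs discussed in this PR; not a real workflow file.
SAMPLE_WORKFLOW = """\
  - uses: actions/checkout@v6
  - name: Setup Python
    # actions/setup-python v6, checked 2026-04-26.
    uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
  - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
  - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf
  - uses: some-org/some-action@main
  - uses: ./.github/actions/local-step
"""

if __name__ == '__main__':
    for line_no, action, ref, kind in violations(lint_workflow(SAMPLE_WORKFLOW, {'actions', 'docker'})):
        print(f'line {line_no}: {action}@{ref} is {kind}')
```

Run without a trusted-owner set to get the strict policy DanielRuf describes; pass `{'actions', 'docker'}` to get the team's stated stance, which still flags the un-commented SHA pin and the unknown owner's branch ref.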
