
ci: pin all versions for third party actions #271

Merged: crookedstorm merged 5 commits into main from better-ci-positioning/crookedstorm on Jun 11, 2026

Conversation

@crookedstorm (Contributor) commented Jun 10, 2026

This is a step toward automating actions updates with dependabot and maintaining a better security posture.

Summary by CodeRabbit

  • New Features

    • Added a configurable Studio web-root input (defaults to "web") to locate the Studio workspace.
  • Chores

    • CI workflows and actions pinned to immutable commits for more reproducible, secure runs.
    • Node/pnpm toolchain setup hardened: workspace validation, Corepack/pnpm activation, and scoped lockfile/caching to stabilize installs and caching.

@crookedstorm crookedstorm requested a review from a team as a code owner June 10, 2026 22:41
@crookedstorm crookedstorm self-assigned this Jun 10, 2026
Signed-off-by: Brooke Storm <brookes@nvidia.com>
@crookedstorm crookedstorm force-pushed the better-ci-positioning/crookedstorm branch from 41d92f2 to f50e1e3 on June 10, 2026 22:41
@github-actions github-actions Bot added the ci label Jun 10, 2026
coderabbitai Bot commented Jun 10, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 6ccad97d-7ae6-47f0-a6de-ece123db2d5a

📥 Commits

Reviewing files that changed from the base of the PR and between 8ae0b6a and a8bf356.

📒 Files selected for processing (1)
  • .github/workflows/security.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/security.yaml

📝 Walkthrough

Pins third-party GitHub Actions to fixed commit SHAs and updates the composite wheel-build action: adds studio-web-root, changes pnpm cache path, and replaces pnpm/action-setup with a Corepack/bash activation flow that validates and activates the declared pnpm version.

Changes

GitHub Actions SHA pinning and composite action updates

| Layer | File(s) | Summary |
|---|---|---|
| Composite action: studio-web-root + Corepack pnpm setup | .github/actions/build-nemo-platform-wheel/action.yaml | Adds studio-web-root input (default web), pins astral-sh/setup-uv and actions/setup-node, switches pnpm cache path to use studio-web-root, and replaces pnpm/action-setup with a Corepack-based activation step that validates package.json/pnpm-lock.yaml and activates the declared pnpm version. |
| Release-bundle workflow pinning | .github/workflows/release-bundle.yaml | Pins actions/checkout (v6.0.3) across plan-release, reserve-release-tag, and build-sdks; pins actions/upload-artifact (v7.0.1) and actions/download-artifact; pins astral-sh/setup-uv in assemble-release-bundle. |
| Security workflow pinning | .github/workflows/security.yaml | Pins actions/checkout in secrets-scan and pins github/codeql-action/init and github/codeql-action/analyze to CodeQL v4.36.2 SHAs in the codeql job; checkout in secrets-scan now sets persist-credentials: false. |
| Semantic pull request template update | .github/workflows/semantic-pull-requests.yaml | Reusable workflow uses: reference updated from v0.65.12 to a pinned commit (annotated v1.5.1). |

Sequence Diagram(s)

```mermaid
sequenceDiagram
  participant buildAction as build-nemo-platform-wheel
  participant Repo as Repository
  participant NodeSetup as actions/setup-node
  participant Corepack as Corepack
  buildAction->>Repo: read package.json & pnpm-lock.yaml (studio-web-root)
  buildAction->>NodeSetup: setup-node (pinned)
  buildAction->>Corepack: install corepack@0.31.0 && corepack enable
  buildAction->>Corepack: corepack prepare pnpm@<declared> --activate
  Corepack->>buildAction: pnpm available (version printed)
```

```mermaid
sequenceDiagram
  participant planRelease as plan-release
  participant buildSdks as build-sdks
  participant assemble as assemble-release-bundle
  participant checkout as actions/checkout
  participant upload as actions/upload-artifact
  participant download as actions/download-artifact
  participant setupUv as astral-sh/setup-uv
  planRelease->>checkout: checkout workflow (pinned)
  buildSdks->>checkout: checkout workflow & source (pinned)
  buildSdks->>upload: upload SDK wheel (pinned)
  assemble->>download: download SDK wheels (pinned)
  assemble->>setupUv: install uv (pinned)
```

Suggested reviewers

  • svvarom
  • mckornfield
🚥 Pre-merge checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | Title accurately summarizes the main change: pinning versions for third-party GitHub Actions across multiple workflow files and the composite action. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

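As an added illustration (not a file from this PR or the project), a workflow job that applies the three points the review discusses: a third-party action pinned to a full commit SHA with its tag kept in a trailing comment so dependabot can bump it, `persist-credentials: false` on checkout, and the Corepack bootstrap placed before `actions/setup-node` so that `cache: pnpm` finds an installed pnpm. The commit SHAs, the job name, and the `WEB_ROOT` value are placeholders and assumptions; `corepack@0.31.0` and the checkout tag v6.0.3 are the values named in the walkthrough.

```yaml
# Added example, not a file from this PR. Commit SHAs below are placeholders:
# replace each with the full 40-character SHA of the release you audited.
name: studio-build-example
on: [pull_request]
permissions:
  contents: read          # least privilege for the job's GITHUB_TOKEN
env:
  WEB_ROOT: web           # assumed location of the Studio workspace
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Weak form (mutable tag; whoever moves the tag controls what runs):
      #   - uses: actions/checkout@v6
      # Hardened form: immutable commit, tag recorded so dependabot can bump it.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v6.0.3
        with:
          fetch-depth: 0
          persist-credentials: false   # keep the token out of .git/config for later steps

      # pnpm must exist before setup-node enables `cache: pnpm`.
      - name: Activate the declared pnpm via Corepack
        shell: bash
        working-directory: ${{ env.WEB_ROOT }}
        run: |
          set -euo pipefail
          test -f package.json || { echo "missing package.json"; exit 1; }
          test -f pnpm-lock.yaml || { echo "missing pnpm-lock.yaml"; exit 1; }
          declared="$(node -p 'require("./package.json").packageManager')"
          case "$declared" in
            pnpm@[0-9]*) ;;
            *) echo "packageManager must be pnpm@x.y.z, got: $declared"; exit 1 ;;
          esac
          npm install -g corepack@0.31.0
          corepack enable
          corepack prepare "$declared" --activate
          pnpm --version

      - uses: actions/setup-node@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)
        with:
          node-version: 22
          cache: pnpm
          cache-dependency-path: ${{ env.WEB_ROOT }}/pnpm-lock.yaml

      - run: pnpm install --frozen-lockfile
        shell: bash
        working-directory: ${{ env.WEB_ROOT }}
```

Dependabot recognises the `# vX.Y.Z` comment after a SHA-pinned `uses:` and rewrites both the SHA and the comment when it opens an update PR, which is what makes SHA pinning maintainable.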

github-actions Bot (Contributor) commented Jun 10, 2026

| Suite | Lines Covered | Line Rate | Branch Rate |
|---|---|---|---|
| Unit Tests | 19124/25199 | 75.9% | 62.4% |
| Integration Tests | 12194/23971 | 50.9% | 26.2% |

Signed-off-by: Brooke Storm <brookes@nvidia.com>

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/security.yaml:
- Around line 29-32: The checkout step using actions/checkout (the line "uses:
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10") is leaving Git
credentials available to later steps; update that checkout step to include the
input persist-credentials: false under its with block (alongside fetch-depth: 0)
so credentials are not persisted to subsequent steps or artifacts.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 66c768b5-223d-48e3-bd2a-a8e276aaaa3d

📥 Commits

Reviewing files that changed from the base of the PR and between 0f44c93 and f50e1e3.

📒 Files selected for processing (4)
  • .github/actions/build-nemo-platform-wheel/action.yaml
  • .github/workflows/release-bundle.yaml
  • .github/workflows/security.yaml
  • .github/workflows/semantic-pull-requests.yaml

Signed-off-by: Brooke Storm <brookes@nvidia.com>

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/actions/build-nemo-platform-wheel/action.yaml:
- Around line 122-129: The "Set up Node.js" step currently enables pnpm caching
before pnpm is installed later by the Corepack/pnpm step; move the Corepack
bootstrap/pnpm installation to run before the "Set up Node.js" step (or
alternately remove the cache: pnpm option and add caching after pnpm is
installed) so that actions/setup-node sees pnpm when enabling cache. Update the
workflow so the step that installs pnpm via Corepack (the pnpm installation step
referenced after lines 130-165) executes prior to the actions/setup-node step
named "Set up Node.js" (or adjust the cache configuration to run after
installation).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 048b5ea0-5b6a-461e-9d33-7ae2de352d84

📥 Commits

Reviewing files that changed from the base of the PR and between 02c5287 and 9f11cff.

📒 Files selected for processing (1)
  • .github/actions/build-nemo-platform-wheel/action.yaml

Signed-off-by: Brooke Storm <brookes@nvidia.com>
@svvarom svvarom self-requested a review June 11, 2026 00:00
Signed-off-by: Brooke Storm <brookes@nvidia.com>

svvarom (Contributor) left a comment

lgtm

@crookedstorm crookedstorm added this pull request to the merge queue Jun 11, 2026
Merged via the queue into main with commit 77c276d Jun 11, 2026
45 checks passed
