chore: Pin third-party GitHub Actions to full commit SHAs (#136)

Merged: willporter-workos merged 2 commits into main from devin/1777478660-pin-github-actions on Apr 29, 2026
Conversation

devin-ai-integration (bot, Contributor) commented Apr 29, 2026

file:///home/ubuntu/pin-actions/cli_pr_body.md

Link to Devin session: https://app.devin.ai/sessions/add87be2227046f198fbac38a32e5358


devin-ai-integration (bot, Contributor, Author) commented:

Original prompt from will.porter

'Pin all third-party GitHub Actions for Public SDKs' (SECENG-294)

User instruction: @devin can you look at the workos organization in GitHub, and report back all of the public repositories that are not archived, and whether or not they use any GitHub workflows?

devin-ai-integration (bot, Contributor, Author) commented:

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

coderabbitai (bot) commented Apr 29, 2026

Warning

Rate limit exceeded

@devin-ai-integration[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 9 minutes and 53 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: be43fab4-c64b-4cab-aeb9-442d1ee5f6f8

📥 Commits

Reviewing files that changed from the base of the PR and between b29b7dd and b5b3fcf.

📒 Files selected for processing (4)
  • .github/workflows/ci.yml
  • .github/workflows/release-please.yml
  • .github/workflows/release.yml
  • .github/workflows/socket-tier1-analysis.yml

Review rate limit: 0/3 reviews remaining, refill in 9 minutes and 53 seconds.

Comment @coderabbitai help to get the list of available commands and usage tips.

greptile-apps (bot) commented Apr 29, 2026

Greptile Summary

This PR pins all third-party GitHub Actions from floating @v4 version tags to full commit SHAs, improving supply-chain security by ensuring each workflow run uses a known, immutable version of each action. All four workflow files are updated consistently.

Confidence Score: 5/5

Safe to merge — changes are limited to pinning floating action tags to immutable SHAs with no logic modifications.

All four workflow files are updated consistently, no functional logic is altered, and the change improves supply-chain security. No P0 or P1 findings.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/ci.yml | Pins actions/checkout, pnpm/action-setup, and actions/setup-node to full commit SHAs; no logic changes. |
| .github/workflows/release-please.yml | Pins googleapis/release-please-action to a full commit SHA; no logic changes. |
| .github/workflows/release.yml | Pins actions/checkout, pnpm/action-setup, and actions/setup-node to full commit SHAs; no logic changes. |
| .github/workflows/socket-tier1-analysis.yml | Pins actions/checkout to a full commit SHA; the Socket CLI is still installed unpinned via npm, but that is pre-existing and out of scope. |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Push to main / PR] --> B[ci.yml]
    B --> B1["actions/checkout@SHA #v4"]
    B --> B2["pnpm/action-setup@SHA #v4"]
    B --> B3["actions/setup-node@SHA #v4"]

    A2[Push to main] --> C[release-please.yml]
    C --> C1["googleapis/release-please-action@SHA #v4"]
    C1 -->|release_created| D[release.yml]

    D --> D1["actions/checkout@SHA #v4"]
    D --> D2["pnpm/action-setup@SHA #v4"]
    D --> D3["actions/setup-node@SHA #v4"]

    A3[Schedule / workflow_dispatch] --> E[socket-tier1-analysis.yml]
    E --> E1["actions/checkout@SHA #v4"]
    E --> E2["npm install -g socket (unpinned)"]
```

Reviews (2): Last reviewed commit: "Fix formatting in workflow files"
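The pinning rule the Greptile summary above checks by hand (every third-party `uses:` reference on a full commit SHA, each with a trailing `# vN` comment so that updaters can still track the tag) can be audited mechanically. The following is an added example, not code from the PR or from the project: a small Python checker that scans workflow text for `uses:` lines and flags floating tags, missing refs, container images without a sha256 digest, and pinned SHAs that lack the version comment. The sample workflow is constructed for the example; its pinned SHAs are the ones listed in this PR's age report, while the `actions/setup-node@v4` step and the `docker://alpine:3.19` step are hypothetical unpinned lines added to show the findings.

```python
import re

# Constructed sample workflow (not a file from the PR). Two steps are pinned to
# SHAs taken from the PR's age report; the rest are deliberately left floating.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - run: pnpm test
"""

# Matches step-level ("- uses:") and job-level ("uses:") references, with an
# optional trailing "# comment" (the "# v4" convention).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?\s*$")
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
IMAGE_DIGEST_RE = re.compile(r"^sha256:[0-9a-fA-F]{64}$")


def audit_uses(workflow_text):
    """Return findings for `uses:` references that are not immutably pinned.

    Each finding is a tuple (line_number, reference, problem). Actions must be
    pinned to a 40-hex commit SHA; docker:// images to a sha256 digest. Local
    actions (./path) are versioned with the repository and are skipped.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith("./"):
            continue
        if ref.startswith("docker://"):
            image = ref[len("docker://"):]
            digest = image.split("@", 1)[1] if "@" in image else ""
            if not IMAGE_DIGEST_RE.match(digest):
                findings.append((lineno, ref, "container image not pinned by sha256 digest"))
            continue
        if "@" not in ref:
            findings.append((lineno, ref, "no ref given (resolves to the action's default branch)"))
            continue
        _, version = ref.rsplit("@", 1)
        if not FULL_SHA_RE.match(version):
            findings.append((lineno, ref, f"floating ref '{version}' instead of a full commit SHA"))
        elif not m.group("comment"):
            findings.append((lineno, ref, "pinned SHA lacks a '# vN' comment, so updaters cannot track the tag"))
    return findings


if __name__ == "__main__":
    for lineno, ref, problem in audit_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {problem}")
```

Running it against the sample reports the un-commented pnpm pin, the floating setup-node tag, and the digest-less container image; a workflow in the state this PR leaves the four files produces no findings. The comment check matters because Dependabot and Renovate read the `# vN` comment to know which tag a SHA pin follows when they propose an updated SHA.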

devin-ai-integration (bot, Contributor, Author) commented:

Third-Party Action SHA Age Report

| Action | Pinned Version | Full SHA | Commit Date | Age (days) | Status |
| --- | --- | --- | --- | --- | --- |
| actions/checkout | v4 | 34e114876b0b11c390a56381ad16ebd13914f8d5 | 2025-11-13 | 166 | OK |
| actions/setup-node | v4 | 49933ea5288caeca8642d1e84afbd3f7d6820020 | 2025-04-02 | 391 | OK |
| googleapis/release-please-action | v4 | 5c625bfb5d1ff62eadeeb3772007f7f66fdcf071 | 2026-03-30 | 30 | OK |
| pnpm/action-setup | v4 | b906affcce14559ad1aafd4ab0e942779e9f58b1 | 2026-03-11 | 49 | OK |

Co-Authored-By: will.porter <will.porter@workos.com>
devin-ai-integration (bot, Contributor, Author) left a review:

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.


@willporter-workos willporter-workos merged commit 98979f3 into main Apr 29, 2026
7 checks passed
@willporter-workos willporter-workos deleted the devin/1777478660-pin-github-actions branch April 29, 2026 18:24