
Harden GitHub Actions: pin SHAs + persist-credentials#393

Merged
simonsmallchua merged 1 commit into
mainfrom
harden-actions-pin-shas
May 27, 2026

Conversation

@simonsmallchua
Contributor

@simonsmallchua simonsmallchua commented May 27, 2026

Summary

Dedicated supply-chain hardening pass for CI, completing the work deferred from #392 (flagged by CodeRabbit/zizmor).

  • Pinned every third-party action to a commit SHA with a trailing # vX comment for readability, following the existing flyctl-actions@<sha> / build-push-action@<sha> precedent. Covers actions/checkout, actions/setup-go, actions/setup-node, actions/github-script, actions/upload-artifact, actions/download-artifact, actions/cache, golangci/golangci-lint-action, codecov/codecov-action, codecov/test-results-action, supabase/setup-cli, 1password/load-secrets-action, and goreleaser/goreleaser-action. No @vN tag refs remain.
  • Set persist-credentials: false on 27 of 28 actions/checkout steps. These jobs authenticate to Fly/registry separately and don't need the persisted git token.

Intentional exception

auto-release.yml's checkout is SHA-pinned but keeps credentials persisted. It passes token: ${{ env.PAT_TOKEN }} precisely so it can git push --force-with-lease origin main and push release tags to bypass branch protection. Setting persist-credentials: false there would break the release automation, so it is the legitimate exception.

Validation

  • All 10 workflow/action files parse via yaml.safe_load.
  • Prettier reports no changes (YAML + CHANGELOG already conform).
  • SHAs resolved via git ls-remote ... <tag> <tag>^{} (dereferenced commit for annotated tags).

Test plan

  • CI green on this PR (test, changelog-check, security gates).
  • Confirm review-app / deploy workflows still resolve actions (SHA refs valid).


Summary by CodeRabbit

  • Chores
    • Hardened GitHub Actions workflows by pinning all third-party actions to specific commit hashes instead of floating version tags, improving the security and reliability of automated deployment and testing pipelines.
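The description above lists the two properties the hardening pass enforces (every third-party action pinned to a full commit SHA, `persist-credentials: false` on every checkout except the documented `auto-release.yml` case) and validates them by hand. The following audit script is an added example, not code from this PR or the hover repository: it walks the `steps:` blocks of workflow and composite-action files on their indentation structure alone (no PyYAML needed) and reports any `uses:` reference whose ref is not a 40-hex SHA and any `actions/checkout` step that does not disable credential persistence, honouring an explicit allowlist for the intentional exception. The sample workflow texts, and the 40-hex SHAs inside them, are constructed placeholders, not real commits of those actions.

```python
"""Audit GitHub Actions workflow files for two supply-chain hardening properties:
every third-party `uses:` reference is pinned to a full 40-hex commit SHA, and
every actions/checkout step sets `persist-credentials: false` (with an explicit
allowlist for jobs that legitimately need the persisted token)."""

from __future__ import annotations

import re
from typing import Iterator

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^\s'\"#]+)")
PERSIST_RE = re.compile(r"^\s*persist-credentials:\s*['\"]?([A-Za-z]+)")


def iter_steps(text: str) -> Iterator[list[str]]:
    """Yield the raw lines of each list item found under a `steps:` key.

    A step begins with `- ` at the list-item indent directly under `steps:`;
    deeper-indented lines (with:, run:, nested lists) belong to that step."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        header = re.match(r"^(\s*)steps:\s*$", lines[i])
        i += 1
        if not header:
            continue
        steps_indent = len(header.group(1))
        item_indent = None
        current: list[str] = []
        while i < len(lines):
            line = lines[i]
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                i += 1
                continue
            indent = len(line) - len(line.lstrip())
            if indent <= steps_indent:
                break  # dedented out of the steps block; re-examine this line for another `steps:`
            if stripped.startswith("- ") and (item_indent is None or indent == item_indent):
                item_indent = indent
                if current:
                    yield current
                current = [line]
            else:
                current.append(line)
            i += 1
        if current:
            yield current


def audit_workflow(path: str, text: str, allow_persisted: frozenset[str] = frozenset()) -> list[tuple[str, str, str]]:
    """Return (path, kind, detail) findings for one workflow or composite-action file.

    kind is 'unpinned' for a remote action whose ref is not a commit SHA, or
    'credentials-persisted' for an actions/checkout step that keeps the git token
    on disk. Paths listed in allow_persisted are exempt from the second check."""
    findings: list[tuple[str, str, str]] = []
    for step in iter_steps(text):
        uses = next((m.group(1) for line in step if (m := USES_RE.match(line))), None)
        if uses is None or uses.startswith(("./", "docker://")):
            continue  # `run:` step, local composite action, or container image: nothing to pin
        action, _, ref = uses.partition("@")
        if not SHA_RE.match(ref):
            findings.append((path, "unpinned", f"{uses} (ref {ref or '<none>'} is not a commit SHA)"))
        if action == "actions/checkout" and path not in allow_persisted:
            persist = next((m.group(1).lower() for line in step if (m := PERSIST_RE.match(line))), None)
            if persist != "false":
                findings.append((path, "credentials-persisted", f"{uses} lacks persist-credentials: false"))
    return findings


def audit_all(files: dict[str, str], allow_persisted: frozenset[str] = frozenset({"auto-release.yml"})) -> list[tuple[str, str, str]]:
    """Audit several files (path -> text) and concatenate their findings."""
    findings: list[tuple[str, str, str]] = []
    for path, text in files.items():
        findings.extend(audit_workflow(path, text, allow_persisted))
    return findings


# Constructed sample: a workflow as it looked before hardening (floating tags, checkout token left on disk).
BEFORE = """\
name: test
on: [push]
jobs:
  unit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.22'
      - name: Run tests
        run: go test ./...
"""

# Constructed sample: the same workflow after the pass. The SHAs are placeholders of the right shape.
AFTER = """\
name: test
on: [push]
jobs:
  unit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
        with:
          persist-credentials: false
      - uses: actions/setup-go@89abcdef0123456789abcdef0123456789abcdef # v5
        with:
          go-version: '1.22'
      - name: Run tests
        run: go test ./...
      - uses: ./.github/actions/fly-setup
"""

# Constructed sample: a release job that keeps credentials on purpose (pushes with a PAT), hence allowlisted.
AUTO_RELEASE = """\
name: auto-release
on:
  push:
    branches: [main]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
        with:
          token: ${{ env.PAT_TOKEN }}
          fetch-depth: 0
"""

if __name__ == "__main__":
    for path, kind, detail in audit_all({"test.yml": BEFORE, "auto-release.yml": AUTO_RELEASE}):
        print(f"{path}: {kind}: {detail}")
    # The hardened set produces no findings.
    assert audit_all({"test.yml": AFTER, "auto-release.yml": AUTO_RELEASE}) == []
```

The allowlist is keyed on the path string you pass in, so wire it to the same form (basename or repository-relative path) that your file walker produces. Running this as a CI gate of its own turns the manual "no @vN tag refs remain" check into something that fails the build the next time a floating tag slips back in.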


@coderabbitai
Contributor

coderabbitai Bot commented May 27, 2026

📝 Walkthrough

This PR pins all third-party GitHub Actions across CI/CD, testing, deployment, and release workflows to specific commit SHAs instead of floating major version tags. The Fly composite action and most checkout steps are also hardened with persist-credentials: false to improve supply-chain security and determinism.

Changes

GitHub Actions Workflow Hardening

| Layer | File(s) | Summary |
| --- | --- | --- |
| Fly Composite Action Foundation | .github/actions/fly-setup/action.yml | The actions/setup-go and 1password/load-secrets-action steps are pinned to specific commit SHAs, replacing the floating v6 and v2 tags. |
| Deployment Infrastructure Workflows | .github/workflows/fly-deploy.yml, .github/workflows/review-apps.yml | actions/checkout (with persist-credentials: false) and 1password/load-secrets-action are pinned to commit SHAs across build, release, reconciliation, autoscaler, and review-app provisioning jobs. |
| Release and Automation Workflows | .github/workflows/auto-release.yml, .github/workflows/release-cli.yml, .github/workflows/cleanup-orphaned-apps.yml | actions/checkout, actions/setup-go, actions/setup-node, actions/github-script, 1password/load-secrets-action, and goreleaser/goreleaser-action are pinned to commit SHAs. Checkout steps use persist-credentials: false where applicable. |
| Testing and Validation Infrastructure | .github/workflows/test.yml, .github/workflows/changelog-check.yml, .github/workflows/test-grafana-annotation.yml, .github/workflows/webflow-extension.yml | actions/checkout, actions/setup-go, actions/cache, actions/setup-node, actions/upload-artifact, actions/download-artifact, codecov/codecov-action, codecov/test-results-action, 1password/load-secrets-action, and golangci/golangci-lint-action are pinned to commit SHAs across lint, format, unit-tests, integration-tests, and coverage-report jobs. |
| Changelog and Release Notes | CHANGELOG.md | Added Unreleased → Changed entry documenting workflow hardening via commit SHA pinning and persist-credentials: false on checkout steps, completing security work from PR #392. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • Good-Native/hover#278: Both PRs modify the same GitHub Actions uses: references for core CI steps, so this PR is a direct follow-on that pins versions to commit SHAs rather than version tags.
  • Good-Native/hover#361: Both PRs touch the .github/actions/fly-setup composite action and Fly deployment workflows; the retrieved PR introduced the action structure while this PR hardens it with commit SHA pinning.
  • Good-Native/hover#277: Both PRs modify the same GitHub Actions workflow uses: entries across multiple files (e.g., auto-release.yml, changelog-check.yml, test.yml), though this PR pins to commit SHAs while the other PR adjusts version tags.

Poem

🐰 With actions pinned to commit hashes tight,
No floating versions in the CI night,
Security hardened, credentials denied,
Your workflows run deterministic with pride!
From PR three-ninety-two's deferred toil complete,
Supply-chain blessed, the hardening's sweet. 🔐

🚥 Pre-merge checks | ✅ 5 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Harden GitHub Actions: pin SHAs + persist-credentials' directly and clearly summarizes the main changes: pinning GitHub Actions to commit SHAs and configuring persist-credentials settings. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@github-actions
Contributor

Release Versions

App patch: v0.34.18 → v0.34.19

Changelog

Changed

@supabase

supabase Bot commented May 27, 2026

Updates to Preview Branch (harden-actions-pin-shas) ↗︎

| Deployments | Status | Updated |
| --- | --- | --- |
| Database | | Wed, 27 May 2026 10:31:32 UTC |
| Services | | Wed, 27 May 2026 10:31:32 UTC |
| APIs | | Wed, 27 May 2026 10:31:32 UTC |

Tasks are run on every commit but only new migration files are pushed.
Close and reopen this PR if you want to apply changes from existing seed or migration files.

| Tasks | Status | Updated |
| --- | --- | --- |
| Configurations | | Wed, 27 May 2026 10:31:39 UTC |
| Migrations | | Wed, 27 May 2026 10:32:30 UTC |
| Seeding | | Wed, 27 May 2026 10:32:40 UTC |
| Edge Functions | | Wed, 27 May 2026 10:32:40 UTC |

View logs for this Workflow Run ↗︎.
Learn more about Supabase for Git ↗︎.

@codecov

codecov Bot commented May 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.


@github-actions
Contributor

🐝 Review App Deployed

Homepage: https://hover-pr-393.fly.dev
Dashboard: https://hover-pr-393.fly.dev/dashboard

Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/fly-deploy.yml:
- Line 321: The workflow step using the 1password action (uses:
1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0)
currently allows the action to install the `op` CLI at runtime with an implicit
“latest” resolution; update each load-secrets-action step (the occurrences with
that exact uses string) to add a with: block that pins the CLI by adding
version: <pinned-op-version>, ensuring the action still uses the pinned action
SHA but also installs a fixed `op` CLI version.

In @.github/workflows/review-apps.yml:
- Line 77: The 1Password action step (uses:
1password/load-secrets-action@581a835f...) doesn't pin the underlying 1Password
CLI/tool version; update the step(s) that reference
1password/load-secrets-action (the uses entries at the two locations) to include
the action input that pins the CLI (e.g., add a with: op-version:
"<desired-cli-version>" or the action's documented equivalent input) and set the
same explicit CLI version value for both occurrences so the workflow resolves a
fixed 1Password CLI/tool version reproducibly.

In @.github/workflows/test-grafana-annotation.yml:
- Line 26: The workflow currently uses 1password/load-secrets-action which
leaves the `op` CLI unpinned; update the job steps to first install a pinned
`op` using the `1password/install-cli-action` with a specific `version` (e.g.,
set the desired semver) and only after that run `1password/load-secrets-action`
so it will use the already-installed CLI; ensure the install step appears before
the load-secrets step and keep the existing load-secrets `uses:
1password/load-secrets-action@581a835f...` but remove any expectation that it
pins `op`.

In @.github/workflows/test.yml:
- Line 152: The workflow uses the pinned action identifier
1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 but does
not pin the OP CLI binary; for each occurrence of this action (the steps that
include "uses:
1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0" and
"with: export-env: true") add a "with: version: <exact OP CLI version>" field
(e.g., version: 2.31.1) to ensure the installed op CLI is deterministic and
consistent across runs.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 9a3a85ac-2708-4947-8ed1-b4378af72596

📥 Commits

Reviewing files that changed from the base of the PR and between 3f57f20 and a48d5e2.

📒 Files selected for processing (11)
  • .github/actions/fly-setup/action.yml
  • .github/workflows/auto-release.yml
  • .github/workflows/changelog-check.yml
  • .github/workflows/cleanup-orphaned-apps.yml
  • .github/workflows/fly-deploy.yml
  • .github/workflows/release-cli.yml
  • .github/workflows/review-apps.yml
  • .github/workflows/test-grafana-annotation.yml
  • .github/workflows/test.yml
  • .github/workflows/webflow-extension.yml
  • CHANGELOG.md

@simonsmallchua simonsmallchua merged commit b686b66 into main May 27, 2026
22 checks passed
@simonsmallchua simonsmallchua deleted the harden-actions-pin-shas branch May 27, 2026 10:53
simonsmallchua added a commit that referenced this pull request May 27, 2026
Harden GitHub Actions: pin SHAs + persist-credentials