chore: add version comments to SHA-pinned GitHub Actions (#4591)

Merged
arkid15r merged 4 commits into OWASP:main from netram75:chore/add-action-version-comments on May 1, 2026
Conversation

@netram75
Contributor

Proposed change

Resolves #4542

Description:
This PR adds human-readable version tags as comments to all currently SHA-pinned GitHub Actions across our CI/CD workflows.
While SHA pinning is excellent for security and reproducibility, it obscures which version of an action is actively being used. By appending version tags (e.g., # v4.1.0), this PR improves:

  • Context and visibility for developers
  • Easier debugging and auditing capabilities
  • Clarity when reviewing Dependabot updates

Changes made:

  • Systematically mapped all unique SHA hashes across .github/workflows/*.yaml to their corresponding official release tags on GitHub.
  • Appended comments in the # vX.Y.Z format to all uses: statements pinned by SHA.
  • Verified that these are comment-only changes and do not alter the functional behavior of any CI/CD pipelines.

Checklist

  • Required: I followed the contributing workflow
  • Required: I verified that my code works as intended and resolves the issue as described
  • Required: I ran make check-test locally: all warnings addressed, tests passed
  • I used AI for code, documentation, tests, or communication related to this PR

@netram75 netram75 requested review from arkid15r and kasya as code owners April 29, 2026 20:03
@coderabbitai
Contributor

coderabbitai Bot commented Apr 29, 2026

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflow configurations with inline version annotations on pinned action references across multiple workflows. No functional changes to build, test, or deployment processes.

Walkthrough

This PR adds inline version comments to SHA-pinned GitHub Actions across eight workflow files. The comments document the action versions (e.g., # v6.0.2) without modifying commit SHAs, logic, inputs, or control flow.

Changes

  • PR Issue and Issue Label Workflows (.github/workflows/check-pr-issue.yaml, label-issues.yaml, label-pull-requests.yaml): Added inline version comments to pinned action references (actions/checkout, arkid15r/check-pr-issue-action, actions/github-script, actions/labeler) without changing commit SHAs or workflow logic.
  • CI/CD and Code QL Workflows (.github/workflows/run-ci-cd.yaml, run-code-ql.yaml): Added version comments across multiple pinned actions (checkout, setup-python, setup-node, docker buildx/build-push, Codecov, artifact upload, AWS actions, ZAP, CodeQL actions) without modifying functionality.
  • Fuzz Testing and Backend Setup (.github/workflows/run-fuzz-tests.yaml, setup-backend-environment/action.yaml): Added inline version comments to pinned Docker and checkout actions while preserving all existing configurations and runtime behavior.
  • Image Update Workflow (.github/workflows/update-nest-test-images.yaml): Added version comments to checkout, Docker setup, login, and build-push action references without altering build or deployment logic.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

  • arkid15r
  • kasya
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title 'chore: add version comments to SHA-pinned GitHub Actions' directly and clearly summarizes the main change: adding version comments to SHA-pinned actions across workflows.
Description check ✅ Passed The description is directly related to the changeset, explaining the rationale for adding version comments, mapping SHA hashes to release tags, and confirming comment-only changes with no functional impact.
Linked Issues check ✅ Passed The PR fully meets the acceptance criteria from issue #4542: all SHA-pinned GitHub Actions across workflows now include version comments in the consistent '# vX.Y.Z' format, with no functional changes.
Out of Scope Changes check ✅ Passed All changes are strictly in scope—only version comments were added to existing pinned action references across workflow files with no modifications to logic, inputs, or control flow.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@github-actions github-actions Bot added the ci label Apr 29, 2026
cubic-dev-ai[bot]
cubic-dev-ai Bot previously approved these changes Apr 29, 2026
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

No issues found across 8 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

Contributor

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
.github/workflows/check-pr-issue.yaml (1)

25-25: Use the agreed # vX.Y.Z format here as well.
Line 25 uses # 0.1.5; this should be # v0.1.5 to keep annotation format consistent across workflows.

Suggested diff
-        uses: arkid15r/check-pr-issue-action@09f681e4d30d66e3ba085dfbbf7e07e0b3e4e263  # 0.1.5
+        uses: arkid15r/check-pr-issue-action@09f681e4d30d66e3ba085dfbbf7e07e0b3e4e263  # v0.1.5
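Review bot: The `v` prefix fix is right, but note that the trailing annotation is informational only; the runner resolves `arkid15r/check-pr-issue-action@09f681e4d30d66e3ba085dfbbf7e07e0b3e4e263` by the SHA and never reads the comment, so the change is only useful if that SHA is the commit the v0.1.5 release tag actually points to, as the PR description says was checked for every pin. A comment naming a version other than the pinned commit would mislead reviewers of Dependabot bumps, which is the opposite of what this PR sets out to do.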
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/check-pr-issue.yaml at line 25, Update the version
annotation comment for the check-pr-issue action to use the agreed "# vX.Y.Z"
format: find the uses entry
'arkid15r/check-pr-issue-action@09f681e4d30d66e3ba085dfbbf7e07e0b3e4e263' and
change the trailing comment from "# 0.1.5" to "# v0.1.5" so the workflow
annotations are consistent across files.

📥 Commits

Reviewing files that changed from the base of the PR and between 5a3a625 and ae4cf8b.

📒 Files selected for processing (8)
  • .github/workflows/check-pr-issue.yaml
  • .github/workflows/label-issues.yaml
  • .github/workflows/label-pull-requests.yaml
  • .github/workflows/run-ci-cd.yaml
  • .github/workflows/run-code-ql.yaml
  • .github/workflows/run-fuzz-tests.yaml
  • .github/workflows/setup-backend-environment/action.yaml
  • .github/workflows/update-nest-test-images.yaml
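The PR description above maps each pinned SHA to its release tag, and the CodeRabbit nitpick shows the one annotation that missed the agreed `# vX.Y.Z` form. The following checker is an added example, not code from the OWASP Nest repository or from this PR: it audits `uses:` lines for the three conditions a reviewer cares about (a mutable tag instead of a full commit SHA, a SHA with no version comment, and a comment not in `# vX.Y.Z` form) and normalizes the bare-number case. The embedded workflow is constructed; only the check-pr-issue line is taken from the PR, and the other SHAs are fake placeholders.

```python
import re

# owner/repo[/path]@ref with an optional trailing comment; surrounding quotes are tolerated.
# Local (./) and docker:// actions have no owner/repo@ref form and therefore never match.
_USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s'\"#]+)['\"]?"
    r"\s*(?:#\s*(?P<comment>.*?))?\s*$"
)
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full commit SHA, the only immutable ref
_VERSION_COMMENT_RE = re.compile(r"^v\d+(\.\d+){0,2}$")  # the agreed "# vX.Y.Z" annotation

# Constructed sample: only the check-pr-issue line is from the PR; the other SHAs are fake.
SAMPLE_WORKFLOW = """\
name: constructed sample
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v6.0.2
      - uses: arkid15r/check-pr-issue-action@09f681e4d30d66e3ba085dfbbf7e07e0b3e4e263  # 0.1.5
      - uses: actions/setup-python@v5
      - uses: actions/github-script@fedcba9876543210fedcba9876543210fedcba98
"""


def audit_workflow(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, action@ref, finding) for every `uses:` line that needs attention."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _USES_RE.match(line)
        if not m:
            continue
        ref_str = f"{m.group('action')}@{m.group('ref')}"
        comment = m.group("comment")
        if not _SHA_RE.match(m.group("ref")):
            findings.append((lineno, ref_str, "not pinned to a full 40-hex commit SHA"))
        elif comment is None:
            findings.append((lineno, ref_str, "SHA-pinned but no version comment"))
        elif not _VERSION_COMMENT_RE.match(comment):
            findings.append((lineno, ref_str, f"comment '{comment}' is not in '# vX.Y.Z' form"))
    return findings


def normalize_version_comment(line: str) -> str:
    """Rewrite a bare `# 0.1.5` annotation to `# v0.1.5`; any other line is returned unchanged."""
    m = _USES_RE.match(line)
    if m and m.group("comment") and re.fullmatch(r"\d+(\.\d+){0,2}", m.group("comment")):
        return line[: m.start("comment")] + "v" + m.group("comment")
    return line
```

Running `audit_workflow` over the sample reports the three defective lines and nothing for the correctly annotated checkout line; the comment check only confirms the annotation's shape, so the SHA-to-tag mapping itself still has to be verified against the action's releases.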

Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

0 issues found across 8 files (changes from recent commits).

@codecov

codecov Bot commented Apr 29, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.92%. Comparing base (c4f2a36) to head (c7005e2).
⚠️ Report is 2 commits behind head on main.

@@           Coverage Diff           @@
##             main    #4591   +/-   ##
=======================================
  Coverage   98.92%   98.92%           
=======================================
  Files         527      527           
  Lines       16956    16956           
  Branches     2360     2360           
=======================================
  Hits        16774    16774           
  Misses         97       97           
  Partials       85       85           
Flag Coverage Δ
backend 99.50% <ø> (ø)
frontend 97.30% <ø> (ø)

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@netram75
Contributor Author

Hi @arkid15r and @kasya,

I’ve completed the implementation for this issue and all checks are passing.
Would really appreciate it if you could take a look when you get time.

Thanks!

@arkid15r arkid15r enabled auto-merge May 1, 2026 16:08
@arkid15r arkid15r added this pull request to the merge queue May 1, 2026
Merged via the queue into OWASP:main with commit 94acd31 May 1, 2026
38 checks passed

Successfully merging this pull request may close these issues.

Populate version tags in comments for SHA-pinned GitHub Actions