
Pin CI action and tool versions #523

Merged

AnthonyRonning merged 1 commit into master from harden-ci-pinning on May 20, 2026

Conversation

AnthonyRonning (Contributor) commented May 20, 2026

Summary

  • Pins all GitHub Actions uses: refs to the commit currently behind their existing tag or branch refs, with the original ref kept as an inline comment.
  • Freezes moving tool selectors used today: Rust stable to 1.95.0, Temurin Java 21 to 21.0.11, Go 1.22.x to 1.22.12, and @types/bun latest to 1.3.13.
  • Adds SHA-256 verification for the Linux sccache v0.8.2 tarball while preserving existing cache keys and paths.

Resolved refs

| Previous ref | Pinned SHA |
| --- | --- |
| actions/checkout@v4 | 34e114876b0b11c390a56381ad16ebd13914f8d5 |
| oven-sh/setup-bun@v1 | f4d14e03ff726c06358e5557344e1da148b56cf7 |
| dtolnay/rust-toolchain@stable | 29eef336d9b2848a0b548edc03f92a220660cdb8 |
| actions/cache@v4 | 0057852bfaa89a56745cba8c7296529d2fc39830 |
| irgaly/xcode-cache@v1 | 4141f139f00e335c6e1031fb93e667181f86146f |
| maxim-lobanov/setup-xcode@v1 | ed7a3b1fda3918c0306d1b724322adc0b8cc0a90 |
| actions/upload-artifact@v4 | ea165f8d65b6e75b540449e92b4886f43607fa02 |
| tauri-apps/tauri-action@v0 | 84b9d35b5fc46c1e45415bdb6144030364f7ebc5 |
| actions/setup-java@v4 | c1e323688fd81a25caa38c78aa6df2d33d3e20d9 |
| android-actions/setup-android@v3 | 9fc6c4e9069bf8d3d10b2204b1fb8f6ef7065407 |
| nttld/setup-ndk@v1.5.0 | afb4c9964b521afb97c864b7d40b11e6911bd410 |
| actions/setup-go@v5 | 40f1582b2485089dde7abd97c1529aa768e1baff |

Validation

  • git diff --check
  • jq empty frontend/package.json
  • YAML parse of .github/workflows/*.yml via the existing frontend yaml package
  • pre-commit hook: Prettier check, bun run build, bun test


Summary by CodeRabbit

  • Chores
    • Pinned CI/CD actions to specific commit SHAs for more deterministic builds.
    • Fixed Rust to 1.95.0, Java to 21.0.11, and Go to 1.22.12 across workflows.
    • Added SHA-256 verification for downloaded build tools/artifacts.
    • Improved sccache install and caching steps for more reliable caching.
    • Pinned a frontend dev dependency for consistent installs.



coderabbitai Bot commented May 20, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 217f5614-bd2d-42ee-a3ae-fe52d16e87dd

📥 Commits

Reviewing files that changed from the base of the PR and between 7692aeb and d01b979.

⛔ Files ignored due to path filters (1)
  • frontend/bun.lock is excluded by !**/*.lock
📒 Files selected for processing (11)
  • .github/workflows/android-build.yml
  • .github/workflows/android-pr-build.yml
  • .github/workflows/desktop-build.yml
  • .github/workflows/desktop-pr-build.yml
  • .github/workflows/frontend-tests.yml
  • .github/workflows/mobile-build.yml
  • .github/workflows/mobile-pr-build.yml
  • .github/workflows/release.yml
  • .github/workflows/rust-tests.yml
  • .github/workflows/zapstore-publish.yml
  • frontend/package.json

📝 Walkthrough

This PR pins all GitHub Actions across nine CI/CD workflows to specific commit SHAs instead of floating version tags for determinism and supply chain security. Rust toolchain is updated to 1.95.0 and Java to 21.0.11 across affected workflows. sccache installations now verify SHA-256 checksums before extraction. The frontend package.json pins @types/bun to 1.3.13.

Changes

CI/CD Workflow and Dependency Pinning

| Layer | File(s) | Summary |
| --- | --- | --- |
| Android CI/CD platforms (build, PR, release) | .github/workflows/android-build.yml, .github/workflows/android-pr-build.yml, .github/workflows/release.yml | Android build and PR workflows pin GitHub Actions (checkout, setup-java, setup-android, setup-bun, cache, rust-toolchain, setup-ndk, upload-artifact) to commit SHAs. Java updated to 21.0.11. Rust toolchain set to 1.95.0 with Android targets. sccache download now includes SHA-256 verification. |
| Desktop CI/CD platforms (macOS/Linux, build, PR, release) | .github/workflows/desktop-build.yml, .github/workflows/desktop-pr-build.yml, .github/workflows/release.yml | Desktop build and PR workflows pin GitHub Actions (checkout, setup-bun, rust-toolchain, cache, tauri-action, upload-artifact) to commit SHAs for both macOS and Linux jobs. Rust toolchain set to 1.95.0 with Darwin targets on macOS. Linux sccache install rewritten with explicit archive verification and binary placement. |
| Mobile/iOS CI/CD platforms (build, PR) | .github/workflows/mobile-build.yml, .github/workflows/mobile-pr-build.yml | Mobile build and PR workflows pin GitHub Actions (checkout, setup-bun, rust-toolchain, cache, setup-xcode, upload-artifact) to commit SHAs. Rust toolchain set to 1.95.0 with aarch64-apple-ios target. Xcode caching and ONNX Runtime iOS build caching pinned to specific versions. |
| Test and utility workflows | .github/workflows/frontend-tests.yml, .github/workflows/rust-tests.yml, .github/workflows/zapstore-publish.yml, .github/workflows/release.yml | Frontend-tests, rust-tests, and zapstore-publish workflows pin GitHub Actions (checkout, setup-bun, cache, rust-toolchain, setup-go) to commit SHAs. Rust tests updated to toolchain 1.95.0 with sccache SHA-256 verification. Go version pinned to 1.22.12. Release orchestration jobs pinned to commit SHAs. |
| Frontend dependency pinning | frontend/package.json | @types/bun devDependency pinned from "latest" to version 1.3.13. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes


Poem

🐰 With actions pinned and hashes in place,
Our CI/CD runs with deterministic grace,
Rust 1.95 and Java stand tall,
sccache checked, artifacts won't fall—hooray for the wall!

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately and concisely summarizes the main change: pinning CI action and tool versions across all workflows and dependencies. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |



cloudflare-workers-and-pages Bot commented May 20, 2026

Deploying maple with Cloudflare Pages

Latest commit: d01b979
Status: ✅  Deploy successful!
Preview URL: https://cf269819.maple-ca8.pages.dev
Branch Preview URL: https://harden-ci-pinning.maple-ca8.pages.dev


@devin-ai-integration devin-ai-integration Bot left a comment


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 4 additional findings.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/zapstore-publish.yml (1)

16-20: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Consider adding persist-credentials: false for defense in depth.

The checkout action does not explicitly set persist-credentials: false. While sparse-checkout limits exposure, explicitly disabling credential persistence provides additional protection against potential credential leakage in supply chain attack scenarios.

🔒 Recommended security hardening
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
+          persist-credentials: false
           sparse-checkout: |
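Review bot: the added `persist-credentials: false` line is correctly placed as a sibling of `sparse-checkout:` under `with:`, but the hunk is cut off right after `sparse-checkout: |`, so the block scalar's path list is not shown; apply the one-line addition without disturbing the existing `sparse-checkout` entries. As the release.yml comment in this same review states, checkout otherwise writes the default GITHUB_TOKEN into local git config, so the input belongs on every checkout step in the workflows, not only this sparse one.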
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/zapstore-publish.yml around lines 16 - 20, The checkout
step using "actions/checkout@..." currently sets sparse-checkout but doesn't
disable credential persistence; update the checkout action block (the step that
uses actions/checkout and sets sparse-checkout) to include persist-credentials:
false under the with: section to prevent Git credentials from being persisted to
the workspace.
🧹 Nitpick comments (3)
.github/workflows/android-build.yml (1)

14-14: ⚡ Quick win

Harden checkout by disabling persisted Git credentials.

Line 14 can set persist-credentials: false to reduce token exposure and align with your PR workflows.

🔐 Suggested patch
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
🤖 Prompt for AI Agents
In @.github/workflows/android-build.yml at line 14, The checkout step currently
uses actions/checkout@... without disabling persisted credentials; update the
actions/checkout step (the line with "uses:
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5") to add the input
persist-credentials: false so GitHub tokens are not stored in the workspace,
lowering token exposure during the android-build workflow.
.github/workflows/mobile-build.yml (1)

14-14: ⚡ Quick win

Harden checkout by disabling persisted Git credentials.

Line 14 should set persist-credentials: false for least-privilege consistency.

🔐 Suggested patch
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
🤖 Prompt for AI Agents
In @.github/workflows/mobile-build.yml at line 14, The checkout step using
"uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5" should be
hardened by adding "persist-credentials: false" under that step; locate the
checkout step and add the persist-credentials key (with boolean false) as a
sibling to uses so the action doesn't persist Git credentials to subsequent
steps.
.github/workflows/desktop-build.yml (1)

17-17: ⚡ Quick win

Harden checkout by disabling persisted Git credentials.

Line 17 and Line 123 should set persist-credentials: false for tighter token handling.

🔐 Suggested patch
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
@@
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
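Review bot: the two hunks are byte-identical and are separated by a bare `@@` with no line-range header, so the suggestion cannot be applied mechanically and would match either checkout step; apply it by hand at line 17 and at line 123 (the "Also applies to" note that follows), keeping any other inputs the step already has under the same `with:` block.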

Also applies to: 123-123

🤖 Prompt for AI Agents
In @.github/workflows/desktop-build.yml at line 17, The checkout steps using
"uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5" need to be
hardened by adding "persist-credentials: false" to their step inputs; locate the
two checkout occurrences (the one at the top using that actions/checkout
reference and the second occurrence around the other build job) and add the
persist-credentials: false key under each checkout step so the runner does not
persist the workflow token into the checked-out repository.
🤖 Prompt for all review comments with AI agents
Inline comments:
In @.github/workflows/frontend-tests.yml:
- Line 16: The checkout step "uses:
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5" should explicitly
disable credential persistence; update that step to include a "with:" block
containing "persist-credentials: false" so runner-scoped GitHub token
credentials are not left in the workspace and cannot be leaked to artifacts or
caches.

In @.github/workflows/release.yml:
- Line 16: The checkout steps are persisting the default GITHUB_TOKEN to local
git config; update each actions/checkout invocation (the steps using
actions/checkout@... shown at the occurrences around the existing checkout
lines) to disable credential persistence by adding persist-credentials: false
under the step's with: block for every checkout (the occurrences at the
currently flagged spots), ensuring the workflow still checks out code but does
not write the token into local git config.

In @.github/workflows/rust-tests.yml:
- Around line 19-21: The inline comment saying "# stable" is misleading because
the action is pinned to a specific commit
(dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8) and the
toolchain is explicitly set to "1.95.0"; update the comment to accurately state
that the action is pinned to a specific SHA and the workflow uses Rust 1.95.0
(or remove the comment entirely) so readers aren’t misled into thinking it
tracks the floating "stable" channel.
- Line 16: The checkout step currently uses actions/checkout without disabling
credential persistence; update the checkout invocation (the actions/checkout@...
step) to include persist-credentials: false so GitHub token credentials are not
left in the workspace to reduce leakage risk—add the persist-credentials: false
key alongside any existing settings for the actions/checkout step.

In `@frontend/package.json`:
- Line 81: The `@types/bun` dependency is pinned to 1.3.13 which is newer than the
Bun runtime (bun@1.3.5); update the frontend/package.json entry for "`@types/bun`"
to a version that matches the runtime (e.g., "1.3.5") or alternatively upgrade
the runtime to bun@1.3.13 so types and runtime are aligned; modify the
"`@types/bun`" version string in package.json accordingly and run install to
validate.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0d1bf0ac-3f60-4737-b338-62ee7d554979

📥 Commits

Reviewing files that changed from the base of the PR and between d0d8136 and 7692aeb.

⛔ Files ignored due to path filters (1)
  • frontend/bun.lock is excluded by !**/*.lock
📒 Files selected for processing (11)
  • .github/workflows/android-build.yml
  • .github/workflows/android-pr-build.yml
  • .github/workflows/desktop-build.yml
  • .github/workflows/desktop-pr-build.yml
  • .github/workflows/frontend-tests.yml
  • .github/workflows/mobile-build.yml
  • .github/workflows/mobile-pr-build.yml
  • .github/workflows/release.yml
  • .github/workflows/rust-tests.yml
  • .github/workflows/zapstore-publish.yml
  • frontend/package.json
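The pinning rules from the PR description and the `persist-credentials: false` finding raised in the review above, turned into a check a maintainer can run over workflow files. This is an added example, not code from the PR or the project; the sample workflow text is constructed, and the list of floating selector keys it recognises is an assumption based on the selectors the PR froze.

```python
# Added example, not the PR's or the project's code: a line-based linter for the
# pinning rules this PR applies (unpinned `uses:` refs, pinned SHAs missing the
# `# <ref>` comment, floating selectors, checkout without persist-credentials: false).
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)(?:@(\S+))?(?:\s*#\s*(\S+))?\s*$")
# Moving selectors of the kind the PR froze: channel names and x-wildcard versions.
FLOATING_RE = re.compile(r"^\s*(toolchain|java-version|go-version|bun-version):"
                         r"\s*['\"]?(stable|latest|nightly|[\d.]+\.x)['\"]?\s*$")

def step_body(lines, start, key_indent):
    # Lines belonging to the step whose `uses:` key sits at column key_indent.
    body = []
    for nxt in lines[start:]:
        ind = len(nxt) - len(nxt.lstrip())
        if nxt.strip() and (ind < key_indent or (ind == key_indent and nxt.lstrip().startswith("-"))):
            break  # reached the next step or the parent key
        body.append(nxt)
    return body

def lint_workflow(text):
    """Return (line_number, message) findings for one workflow file's text."""
    findings, lines = [], text.splitlines()
    for i, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if m:
            action, ref, comment = m.groups()
            if ref is not None:  # local `./path` actions carry no ref to pin
                if not re.fullmatch(r"[0-9a-f]{40}", ref):
                    findings.append((i, f"{action}@{ref}: not pinned to a commit SHA"))
                elif not comment:
                    findings.append((i, f"{action}: pinned SHA has no '# <tag>' comment"))
            if action == "actions/checkout" and not any(
                    re.match(r"^\s*persist-credentials:\s*false\s*$", b)
                    for b in step_body(lines, i, line.index("uses:"))):
                findings.append((i, "actions/checkout: persist-credentials is not false"))
        elif (f := FLOATING_RE.match(line)):
            findings.append((i, f"{f.group(1)}: floating selector '{f.group(2)}'"))
    return findings

# Constructed sample: an unpinned checkout, a hardened pinned one, a pinned
# action without its tag comment, and a floating toolchain selector.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          persist-credentials: false
      - name: Toolchain
        uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8
        with:
          toolchain: stable
"""
```

Running `lint_workflow(SAMPLE_WORKFLOW)` reports the unpinned and credential-persisting checkout on line 4, the missing tag comment on line 9 and the floating `stable` selector on line 11.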

@AnthonyRonning AnthonyRonning merged commit 60e1292 into master May 20, 2026
12 checks passed
@AnthonyRonning AnthonyRonning deleted the harden-ci-pinning branch May 20, 2026 21:00