chore: lock github actions versions #342

Merged
raven-wing merged 1 commit into Problematy:main from raven-wing:pin_gh
Apr 10, 2026

Conversation

@raven-wing
Collaborator

@raven-wing raven-wing commented Apr 10, 2026

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow configurations to use pinned versions for improved consistency and reliability across CI/CD pipelines.

@coderabbitai

coderabbitai Bot commented Apr 10, 2026

📝 Walkthrough

Walkthrough

GitHub Actions workflow files are updated to pin external action versions using specific commit SHAs instead of floating major version tags (v5, v6, v7). This affects three workflows: release.yml, tests.yml, and todo.yaml. No job logic, conditionals, inputs, or outputs were modified.

Changes

Cohort: GitHub Actions Workflow Version Pinning
File(s): .github/workflows/release.yml, .github/workflows/tests.yml, .github/workflows/todo.yaml
Summary: Pinned external action versions to specific commit SHAs: actions/checkout, actions/setup-python, actions/cache, actions/upload-artifact, actions/download-artifact, coverallsapp/github-action, and alstr/todo-to-issue-action. Also normalized line endings in tests.yml.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Bouncing through workflows so sprightly and true,
We pin every version to SHAs brand new,
No floating tags wandering off in the night,
Each action locked firmly—reproducible and tight!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'chore: lock github actions versions' clearly and concisely describes the main change: pinning GitHub Actions to specific commit SHAs across three workflow files (release.yml, tests.yml, todo.yaml).
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@github-actions

🧪 E2E Test Results

🔗 Commit: bba2594

📊 E2E Stress Test Performance

Status: PASSED (12031.45ms max < 25000ms limit)

Metric Value
Average Time 10591.96ms
Minimum Time 9741.12ms
Maximum Time 12031.45ms
Completed Runs 5/5
Avg Markers Loaded 71
📈 Individual Run Times
Run Time (ms) Markers
Run 1 10544.91ms 71
Run 2 9741.12ms 71
Run 3 10631.96ms 71
Run 4 10010.34ms 71
Run 5 12031.45ms 71


@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
.github/workflows/release.yml (1)

33-134: Consider adding version comments to pre-existing SHA-pinned actions.

For consistency with the newly pinned actions in this PR (which include version comments like # v6.0.2), consider adding version comments to the actions that were already pinned to SHAs:

  • Line 33: actions/create-github-app-token
  • Line 68: python-semantic-release/python-semantic-release
  • Line 99: python-semantic-release/publish-action
  • Line 134: pypa/gh-action-pypi-publish

Version comments improve maintainability by making it clear which version each SHA represents, which helps when reviewing updates or debugging workflow issues.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 33 - 134, Add explicit version
comments for the SHA-pinned GitHub Actions entries so reviewers know which
release each SHA represents: update the uses lines for
actions/create-github-app-token,
python-semantic-release/python-semantic-release,
python-semantic-release/publish-action, and pypa/gh-action-pypi-publish by
appending a comment like "# vX.Y.Z" after each SHA (matching the actual released
tag for that SHA) adjacent to the existing uses: entries (e.g., the lines
containing uses: actions/create-github-app-token@f8d387b... and the three
python-semantic-release/pypa entries) to keep style consistent with other pinned
actions in the file.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bff68563-f913-4851-b259-cc9cbcdc8dc2

📥 Commits

Reviewing files that changed from the base of the PR and between 1021554 and bba2594.

📒 Files selected for processing (3)
  • .github/workflows/release.yml
  • .github/workflows/tests.yml
  • .github/workflows/todo.yaml
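To make the policy described in the walkthrough and the nitpick above checkable, here is an added example (not code from this PR or the Problematy project): a small Python audit that flags `uses:` references still floating on a tag and SHA-pinned references that lack a `# vX.Y.Z` version comment. The sample workflow text, its action SHAs and the function names are constructed for the example, not taken from the repository.

```python
import re

# Matches a GitHub Actions step reference "owner/repo[/path]@ref" on a `uses:` line,
# with an optional trailing "# vX.Y.Z" comment that records which release the ref is.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>v?\d+(?:\.\d+)*))?"
)
# A full 40-hex commit SHA: the only ref form that cannot be moved by the action's owner.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(line):
    """Return (action, ref, status) for a `uses:` line, or None for any other line
    (including local "./path" actions, which have no @ref to pin).
    status is 'pinned', 'pinned-no-version-comment' or 'floating'."""
    m = USES_RE.match(line)
    if not m:
        return None
    action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
    if SHA_RE.match(ref):
        status = "pinned" if comment else "pinned-no-version-comment"
    else:
        status = "floating"  # tag or branch: resolves to whatever the owner points it at
    return action, ref, status


def audit_workflow(text):
    """Scan workflow text line by line (comments matter, so no YAML parser) and return
    (line_no, action, ref, status) for every reference that is not a commented SHA pin."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        result = classify_uses(line)
        if result and result[2] != "pinned":
            findings.append((n, *result))
    return findings


# Constructed sample workflow (SHAs are placeholders, not real commits) covering
# a correct pin, a floating tag, a SHA without a version comment, and a local action.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v5.0.0
      - uses: actions/setup-python@v5
      - uses: actions/cache@89abcdef0123456789abcdef0123456789abcdef
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for n, action, ref, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {n}: {action}@{ref} -> {status}")
```

Run it over `.github/workflows/*.yml` in CI to fail the build when a new floating tag sneaks in.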

@raven-wing raven-wing merged commit c0e7a58 into Problematy:main Apr 10, 2026
11 checks passed
@raven-wing raven-wing deleted the pin_gh branch April 10, 2026 22:30