Conversation

infeo (Member) commented Oct 17, 2025

@infeo infeo self-assigned this Oct 17, 2025
@infeo infeo added ci Pull Requests that update CI enhancement labels Oct 17, 2025
@infeo infeo added this to the next milestone Oct 17, 2025
coderabbitai bot (Contributor) commented Oct 17, 2025

Walkthrough

This pull request updates five GitHub Actions workflow files (.github/workflows/build.yml, codeql-analysis.yml, dependency-check.yml, publish-central.yml, and publish-github.yml) to replace generic version tag references with exact commit SHAs for all GitHub Actions dependencies. The changes pin actions like checkout, setup-java, cache, upload-artifact, and CodeQL-related actions to specific commits. In publish-github.yml, the show-progress: false option is removed from the checkout step and cache: 'maven' is added to the setup-java step. No workflow logic or control flow is altered.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

The review effort is low due to highly repetitive, homogeneous changes across five files. The pattern—replacing version tags with commit SHAs and inline comments—is consistent throughout. While five files are affected, each change follows the same verification step (confirming SHAs match intended versions). The minor configuration additions in publish-github.yml (cache addition, show-progress removal) add minimal complexity. No logic changes or functional behavior modifications warrant deeper scrutiny.

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
  • Description Check: ❓ Inconclusive. The description "See also cryptomator/cryptomator#4015" is minimal and provides only a reference to a related pull request in another repository without explaining what this specific changeset accomplishes. While the reference indicates coordination across repositories and is not completely off-topic, the description is too vague and generic to convey meaningful information about the actual changes—someone reading this alone would not understand what modifications were made to the workflows without clicking through to the referenced PR.
✅ Passed checks (2 passed)
  • Title Check: ✅ Passed. The title "Pin github action version with SHA checksum" directly and accurately reflects the primary change across all modified workflow files. The pull request systematically replaces generic version tags (v5, v4, v3) with explicit commit SHAs for multiple GitHub Actions, and the title clearly communicates this main objective. The phrasing is concise, specific, and would enable a developer reviewing commit history to immediately understand the purpose of this change.
  • Docstring Coverage: ✅ Passed. No functions found in the changes. Docstring coverage check skipped.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fdeb8f8 and 193d684.

📒 Files selected for processing (5)
  • .github/workflows/build.yml (2 hunks)
  • .github/workflows/codeql-analysis.yml (1 hunks)
  • .github/workflows/dependency-check.yml (1 hunks)
  • .github/workflows/publish-central.yml (1 hunks)
  • .github/workflows/publish-github.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Build and Test
  • GitHub Check: Build and Test
  • GitHub Check: Analyse
🔇 Additional comments (5)
.github/workflows/publish-central.yml (1)

10-11: Workflow security improved: Actions pinned to commit SHAs.

Both actions/checkout and actions/setup-java are now pinned to exact commit SHAs with version tags noted in comments. This aligns with the PR objective and is consistent with pinning across the other workflow files.

.github/workflows/dependency-check.yml (1)

14-14: Reusable workflow reference pinned to commit SHA.

The external reusable workflow from skymatic/workflows is now pinned to a specific commit, following the same security-hardening approach applied to the direct action references. This ensures reproducible and tamper-resistant CI runs.

.github/workflows/codeql-analysis.yml (1)

19-35: All CodeQL workflow actions pinned to commit SHAs.

Actions checkout, setup-java, and both CodeQL action steps are now pinned to explicit commit SHAs. Notably, the same checkout and setup-java SHAs are consistently used across all workflows in the PR, and the CodeQL init/analyze actions share the same pin (v4.30.8), which is expected.

.github/workflows/publish-github.yml (1)

10-11: Publish-GitHub workflow actions pinned consistently.

Both actions/checkout and actions/setup-java use the same commit SHAs as in other workflows, ensuring consistency across the CI/CD pipeline. The cache: 'maven' configuration on line 15 is appropriate for Maven builds.

.github/workflows/build.yml (1)

11-47: Build workflow comprehensively pinned to action commit SHAs.

All five action references in the build workflow are now pinned: checkout, setup-java, cache, upload-artifact, and gh-release. Each has a unique SHA with corresponding version tag in comments. This comprehensive approach, combined with consistent reuse of checkout/setup-java SHAs across the repository, represents a solid security hardening across the entire CI/CD pipeline.


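The pinning pattern this PR applies (a 40-hex commit SHA after `@`, with the version tag kept in a trailing comment) is easy to regress when someone adds a new step. The check below is an added example, not code from the Cryptomator project or from CodeRabbit: it scans workflow text for `uses:` references and classifies each as pinned, pinned without a version comment, or unpinned. The sample workflow, its placeholder SHAs and the `example-org` reusable workflow are constructed for illustration.

```python
import re

# One `uses:` reference per line: owner/repo[/path]@ref, optionally followed by
# a "# vX" comment recording the human-readable version the SHA corresponds to.
# Local (./path) and docker:// references have no "@" and are skipped.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S.*?))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    """Return (line_no, action, ref, status) for every `uses:` line.
    status: "pinned" (40-hex SHA plus a version-tag comment),
            "pinned-no-tag" (SHA, but no comment saying which version it is),
            "unpinned" (tag or branch: a mutable ref that can be moved)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group("ref"), m.group("comment")
        if SHA_RE.match(ref):
            status = "pinned" if comment else "pinned-no-tag"
        else:
            status = "unpinned"
        findings.append((line_no, m.group("action"), ref, status))
    return findings

def unpinned_actions(text):
    """Mutable references only; a CI gate would fail when this is non-empty."""
    return [f for f in audit_workflow(text) if f[3] == "unpinned"]

# Constructed sample workflow; the SHAs are obvious placeholders, not the real
# commits of any action, and example-org is a hypothetical organisation.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef # v5
      - uses: actions/setup-java@cafebabecafebabecafebabecafebabecafebabe
        with:
          cache: 'maven'
      - uses: actions/upload-artifact@v4
  check:
    uses: example-org/workflows/.github/workflows/ci.yml@main
"""
```

Feed each file under .github/workflows/ to `audit_workflow` and fail the job when `unpinned_actions` returns anything; the "pinned-no-tag" status catches pins that a reviewer cannot map back to a release without a lookup.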

@infeo infeo merged commit 93e2dfa into develop Oct 17, 2025
10 checks passed
@coderabbitai coderabbitai bot mentioned this pull request Dec 9, 2025