
Conversation


@renovate renovate bot commented Oct 10, 2025

This PR contains the following updates:

Package                            Type    Update     Change
actions/checkout                   action  pinDigest  -> 08eba0b
actions/checkout                   action  digest     08c6903 -> ff7abcd
actions/create-github-app-token    action  pinDigest  -> d72941d
actions/download-artifact          action  pinDigest  -> d3f86a1
actions/setup-node                 action  pinDigest  -> a0853c2
actions/setup-python               action  pinDigest  -> a26af69
actions/upload-artifact            action  pinDigest  -> ea165f8
codecov/codecov-action             action  pinDigest  -> 5a10915
codecov/test-results-action        action  pinDigest  -> 47f89e9
jupyter-server/jupyter_releaser    action  pinDigest  -> 6accaa3
jupyterlab/maintainer-tools        action  pinDigest  -> affc83b
qltysh/qlty-action                 action  digest     06730ef -> a192421

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
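The pinDigest rows above replace a mutable tag with a commit SHA, which is the change this whole PR makes. As an added example that is not Renovate's or the repository's code, the Python below scans workflow text for `uses:` references and reports which are still mutable (tag, branch, abbreviated SHA) versus pinned to a full 40-hex SHA with the version comment Renovate leaves behind. The workflow snippet, its SHAs and the version comment are constructed placeholders, not real upstream commits.

```python
"""Report which `uses:` references in a GitHub Actions workflow are pinned.

Added example, not Renovate's or the repository's code. A pinDigest update
turns `actions/checkout@v4` into `actions/checkout@<40-hex sha>  # v4.x.y`;
the trailing comment is the only place the human-readable version survives,
so its absence is worth flagging too. Plain text only, no YAML library.
"""
import re
from dataclasses import dataclass

# `- uses: owner/repo[/path]@ref  # optional comment`: the ref stops at
# whitespace or '#', the comment (if any) is captured separately.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*))?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")   # abbreviated; Actions needs the full SHA


@dataclass
class Finding:
    line: int
    ref: str
    status: str   # pinned | pinned-no-version-comment | unpinned | local | container
    reason: str


def classify_uses(workflow_text: str) -> list[Finding]:
    """Classify every `uses:` line; line numbers are 1-based."""
    findings: list[Finding] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("'\"")
        comment = (m.group("comment") or "").strip()
        if ref.startswith("./"):
            findings.append(Finding(lineno, ref, "local", "same-repository action, nothing external to pin"))
            continue
        if ref.startswith("docker://"):
            by_digest = "@sha256:" in ref
            findings.append(Finding(lineno, ref, "container" if by_digest else "unpinned",
                                    "image digest" if by_digest else "container image by tag"))
            continue
        _, at, version = ref.rpartition("@")
        if not at:
            findings.append(Finding(lineno, ref, "unpinned", "missing @ref (Actions rejects remote actions without one)"))
        elif FULL_SHA_RE.match(version):
            if comment:
                findings.append(Finding(lineno, ref, "pinned", f"full commit SHA, version comment '{comment}'"))
            else:
                findings.append(Finding(lineno, ref, "pinned-no-version-comment", "full commit SHA but no version comment"))
        elif SHORT_SHA_RE.match(version):
            findings.append(Finding(lineno, ref, "unpinned", "abbreviated SHA; Actions requires the full 40-hex SHA"))
        else:
            findings.append(Finding(lineno, ref, "unpinned", "tag or branch, can be moved upstream"))
    return findings


def unpinned_refs(workflow_text: str) -> list[str]:
    """Just the references that still need a pinDigest-style update."""
    return [f.ref for f in classify_uses(workflow_text) if f.status == "unpinned"]


# Constructed workflow for the example: SHAs and version comment are placeholders.
CI_SAMPLE = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@1111111111111111111111111111111111111111 # v5.0.0
      - uses: actions/upload-artifact@2222222222222222222222222222222222222222
      - uses: ./.github/actions/local-step
      - uses: codecov/codecov-action@main
      - uses: actions/cache@08eba0b
"""

if __name__ == "__main__":
    for f in classify_uses(CI_SAMPLE):
        print(f"line {f.line:>3} {f.status:<26} {f.ref}  ({f.reason})")
```

Run it over `.github/workflows/*.yml` after a pinDigest PR lands; anything in `unpinned_refs` is a reference an upstream maintainer (or an attacker holding their credentials) can still move without the pin changing, which is the exposure the SHA pins close.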


coderabbitai bot commented Oct 10, 2025

📝 Walkthrough

The PR updates multiple GitHub Actions workflows to pin external action references to exact commit SHAs. Affected files: .github/workflows/{build,check-release,ci,prep-release,publish-release,update-integration-tests}. Actions pinned include actions/checkout, actions/setup-python, actions/setup-node, actions/upload-artifact, actions/download-artifact, codecov actions, dorny/test-reporter, qltysh/qlty-action, jupyterlab/maintainer-tools base-setup, jupyter-server/jupyter_releaser actions, create-github-app-token, and check-links/update-snapshots. Step order, inputs, and control flow are unchanged.

Suggested reviewers

  • Artmann
  • saltenasl
  • jamesbhobbs

Pre-merge checks

✅ Passed checks (3 passed)

Check name          Status     Explanation
Description Check   ✅ Passed  Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check         ✅ Passed  The title follows conventional commit format and concisely describes the main change of the pull request, which is pinning dependencies (in this case, GitHub Actions) to specific versions. It is clear, specific to the primary change, and easily understood by team members reviewing the history.
Docstring Coverage  ✅ Passed  No functions found in the changes. Docstring coverage check skipped.

Comment @coderabbitai help to get the list of available commands and usage tips.


codecov bot commented Oct 10, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 18.50%. Comparing base (b865e79) to head (7951561).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #20   +/-   ##
=======================================
  Coverage   18.50%   18.50%           
=======================================
  Files          13       13           
  Lines         200      200           
  Branches       27       27           
=======================================
  Hits           37       37           
  Misses        163      163           

☔ View full report in Codecov by Sentry.

@renovate renovate bot force-pushed the renovate/github-actions branch from 7382e7a to 7951561 on October 10, 2025 14:46

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/publish-release.yml (1)

18-25: Tighten GITHUB_TOKEN permissions; drop id-token if unused.

If no OIDC is used, remove id-token: write and set minimal contents: read to avoid over-privilege. App token already carries needed rights.

Example:

   publish_release:
     runs-on: ubuntu-latest
-    environment: release
-    permissions:
-      id-token: write
+    environment: release
+    permissions:
+      contents: read
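Review bot: the suggestion drops `id-token: write` from a job named publish_release that runs in the `release` environment, and a release job is exactly where `id-token: write` is normally consumed (OIDC-based trusted publishing to a package index or a cloud credential exchange), so confirm that no step in the job relies on an OIDC token before applying it; if one does, keep `id-token: write` alongside `contents: read` rather than replacing it. The `-`/`+` pairs for `environment: release` and `permissions:` are identical on both sides and only add noise to the suggestion; the hunk needs just `-      id-token: write` and `+      contents: read`.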

If OIDC is required later, keep id-token and document its use.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7382e7a and 7951561.

📒 Files selected for processing (6)
  • .github/workflows/build.yml (5 hunks)
  • .github/workflows/check-release.yml (1 hunks)
  • .github/workflows/ci.yml (5 hunks)
  • .github/workflows/prep-release.yml (1 hunks)
  • .github/workflows/publish-release.yml (2 hunks)
  • .github/workflows/update-integration-tests.yml (3 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/ci.yml

[warning] 43-43: too few spaces before comment: expected 2 (comments)
[warning] 46-46: too few spaces before comment: expected 2 (comments)
[warning] 67-67: too few spaces before comment: expected 2 (comments)
[warning] 70-70: too few spaces before comment: expected 2 (comments)
[warning] 91-91: too few spaces before comment: expected 2 (comments)
[warning] 94-94: too few spaces before comment: expected 2 (comments)
[warning] 114-114: too few spaces before comment: expected 2 (comments)
[warning] 116-116: too few spaces before comment: expected 2 (comments)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: build
  • GitHub Check: check_release
🔇 Additional comments (5)
.github/workflows/prep-release.yml (1)

32-32: Good hardening: actions pinned to SHAs.

No behavior change; improves supply-chain safety.

Also applies to: 36-36

.github/workflows/check-release.yml (1)

20-20: Pins look good.

Deterministic action sources; no flow changes.

Also applies to: 23-23, 31-31, 34-34, 42-42

.github/workflows/update-integration-tests.yml (1)

32-32: LGTM on pinning.

Consistent SHAs across maintainer-tools; no logic changes.

Also applies to: 72-72, 83-83

.github/workflows/publish-release.yml (1)

22-25: Pins look solid.

Good supply-chain hardening; flow unchanged.

Also applies to: 32-32, 43-43

.github/workflows/build.yml (1)

19-19: Broad pinning looks good.

Deterministic, safer builds; no logic changes. When re-enabling the commented integration-tests job, pin those actions too.

Also applies to: 22-22, 59-59, 67-67, 84-84, 96-96, 100-100, 185-187
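The permissions comment in this review (tighten GITHUB_TOKEN, drop `id-token: write` if no step uses OIDC) is a per-job check that is easy to get wrong by hand across six workflow files. As an added example that is not CodeRabbit's or the repository's code, the Python below reads job-level and workflow-level `permissions:` from workflow text with a small indentation-based reader (enough for the flat scope/access blocks workflows use, not a general YAML parser) and reports jobs that fall back to the repository's default token scope, request `write-all`, or hold `id-token: write`. The two workflow snippets are constructed for the example and only mirror the publish_release shape quoted in the review; the action SHA in them is a placeholder.

```python
"""Audit GITHUB_TOKEN permissions per job in a GitHub Actions workflow.

Added example, not CodeRabbit's or the repository's code. A job with no
`permissions:` of its own and no workflow-level block runs with the
repository's default token scope; `id-token: write` lets the job mint OIDC
tokens and should stay only where a step actually consumes them.
"""


def parse_permissions(workflow_text: str):
    """Return (workflow_level, {job_name: job_level}); a level is None (absent),
    a shorthand string ('read-all', 'write-all', '{}') or a dict scope -> access."""
    workflow_level = None
    jobs: dict = {}
    current_job = None
    in_jobs = False
    open_block = None      # dict being filled from an indented `permissions:` block
    block_indent = -1
    for raw in workflow_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop trailing YAML comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        value = value.strip()
        if open_block is not None:
            if indent > block_indent and sep:
                open_block[key] = value            # e.g. `id-token: write`
                continue
            open_block = None                      # dedent closes the block
        if indent == 0:
            in_jobs = key == "jobs"
            current_job = None
            if key == "permissions":
                workflow_level = value or {}
                if not value:
                    open_block, block_indent = workflow_level, 0
        elif in_jobs and indent == 2 and sep and not key.startswith("-"):
            current_job = key                      # a job id under `jobs:`
            jobs[current_job] = None
        elif current_job and indent == 4 and key == "permissions":
            jobs[current_job] = value or {}
            if not value:
                open_block, block_indent = jobs[current_job], 4
    return workflow_level, jobs


def audit_permissions(workflow_text: str) -> list[tuple[str, str]]:
    """(job, code) pairs: default-scope, write-all, id-token-write, write:<scope>."""
    workflow_level, jobs = parse_permissions(workflow_text)
    findings = []
    for job, own in jobs.items():
        effective = own if own is not None else workflow_level   # job block overrides workflow block
        if effective is None:
            findings.append((job, "default-scope"))
        elif effective == "write-all":
            findings.append((job, "write-all"))
        elif isinstance(effective, dict):
            if effective.get("id-token") == "write":
                findings.append((job, "id-token-write"))
            for scope, access in sorted(effective.items()):
                if access == "write" and scope != "id-token":
                    findings.append((job, f"write:{scope}"))
    return findings


# Constructed workflows for the example; the action SHA is a placeholder.
RELEASE_SAMPLE = """\
name: release
on:
  workflow_dispatch:
jobs:
  publish_release:
    runs-on: ubuntu-latest
    environment: release
    permissions:
      id-token: write
    steps:
      - uses: actions/create-github-app-token@0000000000000000000000000000000000000000  # placeholder
  lint:
    runs-on: ubuntu-latest
    steps:
      - run: echo lint
  docs:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - run: echo docs
"""

HARDENED_SAMPLE = """\
name: release
on:
  workflow_dispatch:
permissions:
  contents: read
jobs:
  publish_release:
    runs-on: ubuntu-latest
    environment: release
    steps:
      - run: echo publish with the app token, no OIDC
  lint:
    runs-on: ubuntu-latest
    steps:
      - run: echo lint
"""
```

On RELEASE_SAMPLE the audit flags publish_release for `id-token-write` and lint for running on the default scope; HARDENED_SAMPLE, which moves `contents: read` to the workflow level and drops `id-token: write`, produces no findings. An `id-token-write` finding is a prompt to look for the consumer, not an automatic removal: if a step does trusted publishing, the right fix is `contents: read` next to `id-token: write`, not instead of it.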
