
chore(ci): pin actions and add pinact verification + dependabot#221

Merged
benvinegar merged 9 commits into modem-dev:main from ppluuums-jp:chore/ci-pinact
May 9, 2026

Conversation

@ppluuums-jp (Contributor) commented May 7, 2026

Overview

  • Pin all existing GitHub Actions to commit SHAs via pinact run (preserves current major versions; actions/checkout is intentionally bumped to v6).
  • Add .github/workflows/pinact.yml to verify pinning on PRs that touch workflow or composite-action files.
  • Add .github/dependabot.yml for the github-actions ecosystem with monthly schedule, 14-day cooldown, and grouped updates.
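The verification step this PR adds runs pinact in verify mode, which fails the check when any `uses:` reference in a workflow is still a tag or branch instead of a full commit SHA. The following Python script is an added example that re-implements that check in miniature; it is not the project's own code and not pinact itself. It scans `uses:` lines, skips local composite actions and Docker images (which have no upstream commit to pin), flags refs that are not 40-hex SHAs, and also flags SHA pins that lack the trailing `# vX.Y.Z` comment pinact writes. The sample workflow text is constructed for the example, and the SHA on the `upload-artifact` line is a made-up placeholder, not a real commit.

```python
"""Minimal re-implementation of what a pinact 'verify' run checks.

Added example, not code from the modem-dev project or from pinact: it scans
the `uses:` lines of a GitHub Actions workflow and reports every third-party
action that is not pinned to a full 40-hex commit SHA with a version comment.
"""
import re
from dataclasses import dataclass

# `uses: owner/repo[/path]@ref   # optional version comment`
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)(?:\s*#\s*(?P<comment>.*))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    reason: str


def _is_exempt(ref: str) -> bool:
    # Local composite actions and Docker images carry no upstream commit to pin.
    return ref.startswith("./") or ref.startswith("docker://")


def find_unpinned(workflow_text: str) -> list[Finding]:
    """Return one Finding per `uses:` reference that would fail verification."""
    findings: list[Finding] = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group("ref").strip("'\"")
        if _is_exempt(uses):
            continue
        if "@" not in uses:
            findings.append(Finding(line_no, uses, "", "no ref at all"))
            continue
        action, ref = uses.rsplit("@", 1)
        if not FULL_SHA_RE.match(ref):
            findings.append(Finding(line_no, action, ref,
                                    "ref is a tag/branch, not a full commit SHA"))
        elif not m.group("comment"):
            # pinact records the resolved version as a trailing comment so a
            # reviewer can read the diff without resolving SHAs by hand.
            findings.append(Finding(line_no, action, ref,
                                    "SHA pinned but missing version comment"))
    return findings


# Constructed sample workflow. The checkout line mirrors the pin used in this
# PR; the upload-artifact SHA is a made-up placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/build-native
      - uses: docker://alpine:3.20
      - name: Upload
        uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567
"""


if __name__ == "__main__":
    # Mirrors the CI gate: non-zero exit when anything is unpinned.
    problems = find_unpinned(SAMPLE_WORKFLOW)
    for p in problems:
        print(f"line {p.line_no}: {p.action}@{p.ref or '<none>'}: {p.reason}")
    raise SystemExit(1 if problems else 0)
```

Run against the constructed sample it reports two lines: `actions/setup-node@v4` (tag, not SHA) and the `upload-artifact` step (SHA without a version comment); the checkout, local action and Docker lines pass. Pointing `find_unpinned` at real files under `.github/workflows/` gives the same pass/fail signal the `pinact.yml` workflow enforces on PRs.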

greptile-apps Bot (Contributor) commented May 7, 2026

Greptile Summary

This PR hardens CI supply-chain security by pinning every third-party GitHub Action to a full commit SHA (preserving current major versions), adding a pinact.yml workflow to enforce pinning on future PRs, and introducing a dependabot.yml to automate weekly grouped updates for the github-actions ecosystem.

  • All five existing workflow files (ci.yml, pr-ci.yml, benchmarks.yml, release-prebuilt-npm.yml) have their action references replaced with full SHAs and version comments via pinact run — no job logic changes.
  • pinact.yml adds a PR-gated pinact verification step (verify: true, skip_push: true) triggered on changes to .github/workflows/** and .github/actions/**.
  • dependabot.yml configures weekly grouped updates for github-actions, a 7-day cooldown, and an open-pull-requests-limit of 1 to keep update noise manageable.

Confidence Score: 4/5

Safe to merge — purely a CI hardening change with no production code modifications.

All workflow job logic is unchanged; only action references are updated to pinned SHAs. The new pinact.yml and dependabot.yml are correct and use valid configuration options. The one thing worth a second look is that pinact.yml uses actions/checkout@v6.0.2 while every other workflow was pinned to v4.3.1, which Dependabot may handle as two separate update tracks going forward.

.github/workflows/pinact.yml — uses a different major version of actions/checkout than all other workflows in the repo.

Important Files Changed

| Filename | Overview |
|---|---|
| .github/dependabot.yml | New Dependabot config for github-actions ecosystem with weekly schedule, valid cooldown (7-day default), grouped updates, and a PR limit of 1. |
| .github/workflows/pinact.yml | New workflow to verify action pins on PRs; uses actions/checkout@v6.0.2 while all other workflows were pinned to v4.3.1 — intentional but inconsistent across the repo. |
| .github/workflows/ci.yml | All action references pinned to full commit SHAs with version comments; no logic changes. |
| .github/workflows/pr-ci.yml | All action references pinned to full commit SHAs; no logic changes. |
| .github/workflows/benchmarks.yml | All action references pinned to full commit SHAs; no logic changes. |
| .github/workflows/release-prebuilt-npm.yml | All action references pinned to full commit SHAs; no logic changes. |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[PR touches .github/workflows/**] --> B{pinact.yml triggers}
    B --> C[actions/checkout v6.0.2]
    C --> D[suzuki-shunsuke/pinact-action\nverify=true, skip_push=true]
    D --> E{All actions pinned\nto SHAs?}
    E -- Yes --> F[✅ Check passes]
    E -- No --> G[❌ Check fails]

    H[Weekly Dependabot schedule] --> I{Open PR limit reached?\nopen-pull-requests-limit: 1}
    I -- No --> J[Open grouped update PR\nfor github-actions ecosystem]
    I -- Yes --> K[Skip until existing PR merged]
    J --> L[cooldown: 7 days\nbefore proposing update]
```

---

### Issue 1 of 1
.github/workflows/pinact.yml:24-27
The new `pinact.yml` workflow uses `actions/checkout@v6.0.2` while all other workflows in this PR were pinned to `v4.3.1`. This means Dependabot will see two separate major versions across the repo and could generate split update PRs or cause confusion when reviewing SHA-pinned diffs. Consider aligning to v4.3.1 (or explicitly upgrading all workflows to v6) so the version is consistent.

```suggestion
      - name: Check out repository
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          persist-credentials: false
```

Reviews (1): Last reviewed commit: "chore(ci): enable Dependabot for github-..."

Comment thread .github/workflows/pinact.yml
@benvinegar (Member) commented:

Thanks @ppluuums-jp!

@benvinegar benvinegar merged commit 82a11be into modem-dev:main May 9, 2026
4 checks passed