
Conversation


@eabdelmoneim eabdelmoneim commented Dec 15, 2025

Pin all GitHub Actions to their specific SHA commit hashes instead of using floating version tags to prevent supply chain attacks from malicious package republishing.

Changes:

  • actions/checkout: v4 → v4.3.1 (SHA: 34e1148)
  • actions/setup-node: v4 → v4.4.0 (SHA: 49933ea)
  • pnpm/action-setup: v2 → v2.4.1 (SHA: eae0cfe)
  • actions/cache: v3 → v3.5.0 (SHA: 6f8efc2)
  • actions/upload-artifact: v3 → v3.2.1-node20 (SHA: c24449f)
  • softprops/action-gh-release: v1 → v2.5.0 (SHA: a06a81a)

All actions include inline version comments for easy maintenance and an audit trail.

Also includes INSTALLATION.md updates.

Follows GitHub security best practices for immutable action references.

Summary by CodeRabbit

  • Documentation
    • Updated installation instructions for WordPress.org marketplace method to reflect current approval status.

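The description above pins each action to a commit SHA and keeps a human-readable version comment beside it. The audit script below is an added example, not part of this PR or the project, that walks `uses:` lines in a workflow and reports which references are still floating tags or branches, which use a short SHA (GitHub only accepts the full 40-character form), which are fully pinned, and which are pinned but lack the `# vX.Y.Z` comment the PR relies on for maintenance. The embedded workflow text is constructed for the demo; the only real SHA in it is the actions/upload-artifact one quoted in the review, and the actions/cache SHA is a labelled placeholder.

```python
import re

# `- uses: owner/repo@ref   # v1.2.3` ; the comment group is optional.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^@\s]+)@(\S+)(?:[ \t]*#[ \t]*(\S+))?", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")
VERSION_RE = re.compile(r"^v?\d+(\.\d+)*")


def audit_workflow(yaml_text):
    """Return (action, ref, status) for every remote `uses:` reference.

    status is one of: floating, short-sha, pinned, pinned-no-version-comment.
    Local (./path) and docker:// actions have no '@' and are not reported.
    """
    findings = []
    for action, ref, comment in USES_RE.findall(yaml_text):
        if FULL_SHA_RE.match(ref):
            # Immutable reference; the inline comment is what tells a maintainer which release it is.
            status = "pinned" if VERSION_RE.match(comment) else "pinned-no-version-comment"
        elif SHORT_SHA_RE.match(ref):
            status = "short-sha"  # GitHub rejects abbreviated SHAs; still mutable in practice
        else:
            status = "floating"  # a tag or branch name can be moved or force-pushed
        findings.append((action, ref, status))
    return findings


def needs_attention(findings):
    """Actions that are not fully pinned with a version comment."""
    return [action for action, _ref, status in findings if status != "pinned"]


# Constructed sample workflow mixing the 'before' and 'after' states from the PR.
SAMPLE_WORKFLOW = """
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@eae0cfe # v2.4.1
      - uses: actions/upload-artifact@c24449f33cd45d4826c6702db7e49f7cdb9b551d # v3.2.1-node20
      - uses: actions/cache@1111111111111111111111111111111111111111 # placeholder-sha-not-real
      - uses: softprops/action-gh-release@main
"""

if __name__ == "__main__":
    for action, ref, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{status:28} {action}@{ref}")
```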

@coderabbitai

coderabbitai bot commented Dec 15, 2025

Walkthrough

Two GitHub Actions workflow files are updated to pin action references to specific commit SHAs instead of version tags, enhancing reproducibility. One documentation file's installation method heading is updated with a status note.

Changes

Cohort / File(s) — Change Summary

GitHub Actions Workflow Pinning (.github/workflows/build.yml, .github/workflows/release.yml):
Replaced version tag references with specific commit SHAs for actions/checkout, actions/setup-node, pnpm/action-setup, actions/cache, and actions/upload-artifact. Added restore-keys configuration in build workflow.

Documentation Update (INSTALLATION.md):
Updated installation method heading from "WordPress.org (Recommended)" to "WordPress.org (COMING SOON - pending approval in WP marketplace)".

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify commit SHAs correspond to the annotated versions in official action repositories
  • Confirm restore-keys configuration aligns with pnpm caching best practices


📥 Commits

Reviewing files that changed from the base of the PR and between 8b7a1a4 and 714f436.

📒 Files selected for processing (3)
  • .github/workflows/build.yml (3 hunks)
  • .github/workflows/release.yml (3 hunks)
  • INSTALLATION.md (1 hunk)
🔇 Additional comments (6)
INSTALLATION.md (1)

43-43: Clear communication about marketplace status.

The updated heading appropriately manages user expectations by indicating the WordPress.org installation method is pending marketplace approval. This transparency helps users understand which installation method to use currently.

.github/workflows/build.yml (3)

18-18: Consistent SHA pinning across workflows.

The same commit SHAs are used here as in release.yml for actions/checkout, actions/setup-node, and pnpm/action-setup, which ensures consistency across workflows and simplifies maintenance.

Also applies to: 21-21, 26-26

84-84: No issues found. The version tag v3.2.1-node20 is a legitimate official release for actions/upload-artifact, and the SHA c24449f33cd45d4826c6702db7e49f7cdb9b551d correctly pins to that release. The "-node20" suffix is official and indicates Node.js 20 compatibility.

37-37: Good security hardening with improved cache hit rate.

The SHA pinning to v3.5.0 provides security benefits, and the restore-keys addition improves the cache strategy by falling back to the most recent cache matching the OS and pnpm-store prefix when an exact cache key miss occurs, reducing install times on subsequent runs.

.github/workflows/release.yml (2)

102-102: Good: Third-party action pinned to SHA.

Applying the same security hardening to third-party actions is important, as they represent additional supply chain risk. The SHA correctly references the v2.5.0 release.

18-18: Excellent security hardening with SHA pinning.

Pinning actions to commit SHAs effectively mitigates supply chain risks from tag republishing or force-pushing. The inline version comments improve maintainability by making it easy to identify when updates are needed.


@eabdelmoneim eabdelmoneim merged commit 798e644 into main Dec 15, 2025
3 checks passed