chore: Pin third-party GitHub Actions to full commit SHAs

[devin-ai-integration]

file:///home/ubuntu/pin-actions/authkit-session_pr_body.md

Link to Devin session: https://app.devin.ai/sessions/add87be2227046f198fbac38a32e5358

---

[devin-ai-integration]

Original prompt from will.porter

'Pin all third-party Github Actions for Public SDKs' (SECENG-294)

User instruction: @devin can you look at the workos organization in github, and report back all of the public repositories that are not archived, and whether or not if they use any github workflows?

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[greptile-apps]

Greptile Summary

This PR pins all third-party GitHub Actions references in ci.yml and release.yml from mutable version tags (@v4) to immutable full commit SHAs, with inline comments preserving the human-readable version. The SHAs are verified valid (e.g., actions/setup-node@49933ea5288... = v4.4.0) and are applied consistently across all jobs in both workflow files.

Confidence Score: 5/5

Safe to merge — purely a supply-chain hardening change with no logic modifications.

All changes replace mutable tag references with verified immutable commit SHAs. No functional logic, permissions, or secrets handling is altered. SHAs are confirmed to correspond to the correct v4 releases.

No files require special attention.

Important Files Changed

Filename	Overview
.github/workflows/ci.yml	All three action references (actions/checkout, pnpm/action-setup, actions/setup-node) pinned to full commit SHAs with inline version comments; applied consistently in both the lint and test jobs.
.github/workflows/release.yml	Same three actions pinned to the same full commit SHAs with inline version comments, consistent with ci.yml.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[GitHub Event\npush / PR / release] --> B[Runner starts]
    B --> C["actions/checkout\n@34e114876b0b... #v4"]
    C --> D["pnpm/action-setup\n@b906affcce14... #v4"]
    D --> E["actions/setup-node\n@49933ea5288c... #v4"]
    E --> F[Install / Build / Test / Publish]

    style C fill:#d4edda,stroke:#28a745
    style D fill:#d4edda,stroke:#28a745
    style E fill:#d4edda,stroke:#28a745

Loading

_{Reviews (3): Last reviewed commit: "Fix formatting in workflow files" | Re-trigger Greptile}

[devin-ai-integration]

Third-Party Action SHA Age Report

Action	Pinned Version	Full SHA	Commit Date	Age (days)	Status
actions/checkout	v4	34e114876b0b11c390a56381ad16ebd13914f8d5	2025-11-13	166	OK
actions/setup-node	v4	49933ea5288caeca8642d1e84afbd3f7d6820020	2025-04-02	391	OK
pnpm/action-setup	v4	b906affcce14559ad1aafd4ab0e942779e9f58b1	2026-03-11	49	OK

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.