chore: Pin third-party GitHub Actions to full commit SHAs#641

Merged
gjtorikian merged 1 commit intomainfrom
devin/1777478748-pin-github-actions
Apr 29, 2026
Conversation

@devin-ai-integration
Contributor

Description

Pin all third-party GitHub Actions to full commit SHAs, hardening the CI supply chain against compromised mutable version tags.

Each pinned reference includes a trailing version comment for readability (e.g. actions/checkout@<sha> # v5).

Documentation

Does this require changes to the WorkOS Docs? E.g. the API Reference or code snippets need updates.

[ ] Yes

No documentation changes needed — this PR only modifies .github/workflows/ files.

Closes https://linear.app/workos/issue/SECENG-294

Link to Devin session: https://app.devin.ai/sessions/add87be2227046f198fbac38a32e5358
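The pinning convention described in this PR (a full 40-hex commit SHA followed by a `# vN` comment) can be audited mechanically. The following checker is an added example, not code from this PR or the WorkOS repositories; the sample workflow, the `actions/checkout` and `actions/setup-node` SHAs in it are constructed placeholders, while the `amannn/action-semantic-pull-request` reference mirrors the pre-change `@v5` state this PR replaces.

```python
import re

# A `uses:` step reference: owner/repo[/path]@ref, optionally followed by a
# "# vN" comment as in the pinned form this PR adopts.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?"
)
# Only a full 40-hex commit SHA is immutable; tags and branches can be moved.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Classify every third-party `uses:` reference in a workflow file.

    Returns a list of findings with status 'pinned', 'pinned-no-version-comment'
    or 'unpinned'. Local actions (./path) carry no @ref and are skipped.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group("action").startswith("./"):
            continue
        ref, comment = m.group("ref"), m.group("comment")
        if FULL_SHA_RE.match(ref):
            status = "pinned" if comment else "pinned-no-version-comment"
        else:
            status = "unpinned"
        findings.append(
            {"line": lineno, "action": m.group("action"), "ref": ref, "status": status}
        )
    return findings


def unpinned(findings):
    """Return only the findings a reviewer would block on."""
    return [f for f in findings if f["status"] == "unpinned"]


# Constructed sample workflow; the two 40-hex SHAs below are placeholders.
SAMPLE_WORKFLOW = """\
name: lint-pr-title
on: pull_request_target
jobs:
  lint_pr_title:
    runs-on: ubuntu-latest
    steps:
      - uses: ./.github/actions/local-setup
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v5
      - name: Lint title
        uses: amannn/action-semantic-pull-request@v5
      - uses: actions/setup-node@fedcba9876543210fedcba9876543210fedcba98
"""
```

Running `audit_workflow(SAMPLE_WORKFLOW)` flags the `@v5` reference as unpinned and the bare-SHA `setup-node` line as missing its version comment.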

@devin-ai-integration devin-ai-integration Bot requested review from a team as code owners April 29, 2026 16:18
@devin-ai-integration
Contributor Author

Original prompt from will.porter

'Pin all third-party Github Actions for Public SDKs' (SECENG-294)

User instruction: @devin can you look at the workos organization in github, and report back all of the public repositories that are not archived, and whether or not if they use any github workflows?

@devin-ai-integration
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@linear-code

linear-code Bot commented Apr 29, 2026

@devin-ai-integration
Contributor Author

Third-Party Action SHA Age Report

| Action | Pinned Version | Full SHA | Commit Date | Age (days) | Status |
|---|---|---|---|---|---|
| amannn/action-semantic-pull-request | v5 | e32d7e603df1aa1ba07e981f2a23455dee596825 | 2024-06-10 | 688 | ✅ OK |

@greptile-apps
Contributor

greptile-apps Bot commented Apr 29, 2026

Greptile Summary

This PR pins the amannn/action-semantic-pull-request action in lint-pr-title.yml from the mutable @v5 tag to a full commit SHA, completing the SHA-pinning pattern already applied to all other workflow files (ci.yml, lint.yml, release-please.yml). The change is minimal, mechanically correct, and aligned with supply-chain security best practices.

Confidence Score: 5/5

Safe to merge — single-line security hardening change with no logic impact.

Only one line is changed: a mutable version tag is replaced with a pinned commit SHA. The workflow behavior is identical; all other workflow files were already pinned in the same style. No custom rules are violated.

No files require special attention.

Important Files Changed

| Filename | Overview |
|---|---|
| .github/workflows/lint-pr-title.yml | Pins amannn/action-semantic-pull-request from mutable @v5 tag to full commit SHA e32d7e603...; consistent with the existing SHA-pinning pattern already used across ci.yml, lint.yml, and release-please.yml. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[PR Opened / Edited / Synchronized] --> B[pull_request_target trigger]
    B --> C[lint_pr_title job]
    C --> D["amannn/action-semantic-pull-request\n@ e32d7e6... # v5\n(was: @v5 mutable tag)"]
    D --> E{PR title matches Conventional Commits?}
    E -- Yes --> F[✅ Check passes]
    E -- No --> G[❌ Check fails]

Reviews (1): Last reviewed commit: "Pin third-party GitHub Actions to full c..."

@gjtorikian gjtorikian merged commit b0fe1fc into main Apr 29, 2026
10 checks passed
@gjtorikian gjtorikian deleted the devin/1777478748-pin-github-actions branch April 29, 2026 16:34