feat: pin GitHub Actions to SHA digests and add pin-check workflow

[rebEllieous]

What

Pin all GitHub Actions workflows to SHA digests and enforce pinning via CI.
Closes #33
see opendefensecloud/dev-kit#14 for upstream PR of config

Summary by CodeRabbit

• Chores
  • Updated GitHub Actions across CI/CD workflows to use pinned commit SHAs instead of floating version tags for improved security and reproducibility
  • Added automated validation to enforce that all GitHub Actions are pinned to specific commit versions

[coderabbitai]

Warning

Rate limit exceeded

@rebEllieous has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 51 minutes and 43 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b6a60b27-14c2-47a5-8e3b-35a428b6133c

📥 Commits

Reviewing files that changed from the base of the PR and between fc2f3e9 and 19244c9.

📒 Files selected for processing (5)

• .github/workflows/docker.yaml
• .github/workflows/docs-release.yaml
• .github/workflows/golang.yaml
• .github/workflows/helm-lint.yaml
• .github/workflows/helm-publish.yaml

📝 Walkthrough

Walkthrough

This PR pins all GitHub Actions across the repository's CI/CD workflows to specific commit SHAs instead of floating version tags, and introduces a validation workflow to enforce this pattern in future pull requests.

Changes

Action Pinning and Enforcement

Layer / File(s)	Summary
Action pinning enforcement mechanism .github/workflows/update-action-pins.yml	New workflow validates all workflow files use pinned commit SHAs for GitHub Actions, failing checks and providing remediation instructions for unpinned actions.
PR validation and commit linting actions .github/workflows/conventional-commits.yml	Semantic PR title and commitlint actions pinned to specific commit SHAs while preserving checkout depth and step configuration.
Docker container build and registry actions .github/workflows/docker.yaml	All Docker-related actions—checkout, metadata, QEMU, Buildx, registry login, build/push, Cosign signing, SBOM, and attestation—pinned to specific commit SHAs.
Documentation deployment workflows .github/workflows/docs-develop.yaml, .github/workflows/docs-release.yaml	Checkout and Python setup actions pinned to specific commit SHAs in both docs workflows while preserving existing build and deployment logic.
Go testing and coverage workflows .github/workflows/golang.yaml	Checkout, Go setup, golangci-lint, code coverage conversion, and Coveralls actions pinned across lint and test jobs.
Helm chart linting and publishing actions .github/workflows/helm-lint.yaml, .github/workflows/helm-publish.yaml	Checkout, Helm setup, Cosign, and registry login actions pinned to specific commit SHAs in chart validation and release workflows.
Release and project automation actions .github/workflows/issues-add-to-project.yml, .github/workflows/release-drafter.yaml	Issue-to-project and release-drafter actions pinned to specific commit SHAs for consistent automation.
OSV scanner workflow syntax cleanup .github/workflows/osv-scanner.yml	Double quotes removed from reusable workflow references in scheduled and PR scan jobs for consistent YAML formatting.

---

🐰 Version tags drift and break,
So we pin them down with SHA,
Now workflows stay true,
Checked and enforced too,
Reproducible actions at stake!

---

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 3

❌ Failed checks (3 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	Description is missing required sections (Why, Testing, Notes for reviewers, Checklist) and only provides minimal details compared to the template.	Add the missing template sections: Why (motivation), Testing (how it was tested), Notes for reviewers, and complete the Checklist with appropriate items marked.
Linked Issues check	⚠️ Warning	PR changes do not implement the mock OCI registry required by issue #33; instead they only pin GitHub Actions versions.	Either implement the mock OCI registry functionality required by issue #33 or update the linked issue to reflect the actual scope of changes.
Out of Scope Changes check	⚠️ Warning	All changes (pinning GitHub Actions and adding pin-check workflow) are out of scope relative to issue #33 which requires implementing a mock OCI registry.	The PR scope (GitHub Actions pinning) does not match the linked issue requirements (mock OCI registry). Clarify the intended scope or link to the correct issue.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title accurately describes the main change: pinning GitHub Actions to SHA digests and adding a pin-check workflow.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/33-pin-gh-actions

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coveralls]

Coverage Report for CI Build 26218187774

Coverage increased (+0.4%) to 84.806%

Details

• Coverage increased (+0.4%) from the base build.
• Patch coverage: No coverable lines changed in this PR.
• No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.

---

Coverage Stats

Relevant Lines:	928
Covered Lines:	787
Line Coverage:	84.81%
Coverage Strength:	1121.16 hits per line

---

💛 - Coveralls

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/docker.yaml (1)

77-86: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Scope the BuildKit GHA cache to prevent cross-context cache overwrites (incl. PR-labeled runs).

docker/build-push-action defaults type=gha cache scope to buildkit when scope isn’t set, so your cache-to: type=gha,mode=max writes can be shared across different build contexts/images. This job runs for pull_request when the ok-to-image label is present, as well as for push to main and published release, so a labeled PR can clobber the cache used by later trusted builds. Add a per-workflow/ref/image scope (or skip cache-to for pull_request).

Suggested patch (scoped cache)

       - name: Build and push
         id: image
         timeout-minutes: 10
         uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
         with:
           context: .
           platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           target: ${{ matrix.image.target }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-from: type=gha,scope=${{ github.workflow }}-${{ github.ref_name }}-${{ matrix.image.name }}
+          cache-to: type=gha,mode=max,scope=${{ github.workflow }}-${{ github.ref_name }}-${{ matrix.image.name }}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docker.yaml around lines 77 - 86, The GHA BuildKit cache
is currently written with cache-to: type=gha,mode=max which uses a shared
default scope and can cause cross-context overwrites; update the
docker/build-push-action cache configuration by adding an explicit scope on
cache-to (and optionally cache-from) that uniquely identifies this
workflow/ref/image (e.g., include workflow name, github.ref or
matrix.image.target) so PR runs don’t clobber trusted builds, or conditionally
omit cache-to for pull_request runs; update the keys referenced (cache-to,
cache-from, and
docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f) accordingly
to implement the scoped cache.

♻️ Duplicate comments (1)

.github/workflows/update-action-pins.yml (1)

8-13: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add explicit workflow/job permissions for least privilege.

GITHUB_TOKEN permissions are not explicitly constrained. Please set minimal permissions (at least contents: read for checkout) to satisfy security policy and avoid implicit broad defaults.

Based on learnings: for private repositories using actions/checkout, add workflow-level permissions: contents: read.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/update-action-pins.yml around lines 8 - 13, The workflow
currently leaves GITHUB_TOKEN permissions implicit; add an explicit permissions
block to restrict rights to least privilege (at minimum contents: read for
actions/checkout). Update the workflow (either top-level or inside the
check-pins job) to include permissions: contents: read so the GITHUB_TOKEN used
by the step that calls actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
is constrained; ensure you do this in the same file and verify the check-pins
job still runs as expected.

🧹 Nitpick comments (1)

.github/workflows/conventional-commits.yml (1)

8-10: ⚡ Quick win

Verify repository visibility vs contents permission for checkout.

Because this workflow explicitly overrides permissions, checkout in private repos may need contents: read. If this repo is private (or could be forked to private deployments), add it explicitly.

Suggested patch (if private repo support is required)

 permissions:
+  contents: read
   pull-requests: read

Based on learnings: "If the repository is private, add permissions: contents: read (in the workflow-level permissions block) so checkout can read the repository contents."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/conventional-commits.yml around lines 8 - 10, The
workflow's permissions block only grants pull-requests: read which can prevent
actions/checkout from reading repository contents in private repos; update the
permissions block in the workflow to include contents: read alongside
pull-requests: read (i.e., add the permissions key "contents: read") so
actions/checkout and other steps can access repo files when the repository is
private or used in private forks.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/conventional-commits.yml:
- Around line 36-38: Update the actions/checkout step to set
persist-credentials: false so credentials are not written to local git config,
and update the workflow-level permissions to include contents: read (in addition
to pull-requests: read) so actions/checkout can read the repository using
GITHUB_TOKEN; target the actions/checkout@... step and the top-level permissions
block when making these changes.

In @.github/workflows/docs-develop.yaml:
- Around line 18-20: The checkout step using actions/checkout (the step with
uses: actions/checkout@...) must set persist-credentials: false to avoid leaving
the write token in local git config; update that checkout step to include
persist-credentials: false and then add/authenticate only in the later
deploy/push step (where mike deploy --push runs) by configuring the token (e.g.,
via actions/setup-auth or git config) just for that step. Apply the same change
to both docs-develop and docs-release workflow checkout steps.

In @.github/workflows/golang.yaml:
- Line 36: The checkout steps that call actions/checkout (the steps using
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd) leave the
GITHUB_TOKEN persisted in git; update both checkout steps to disable credential
persistence by adding a with block containing persist-credentials: false for
each actions/checkout invocation so the token is not written into git config for
subsequent steps.

In @.github/workflows/update-action-pins.yml:
- Around line 18-20: The recursive grep pipeline assigning to variable unpinned
produces filename prefixes which break the start-anchored exclusions; update the
pipeline that builds unpinned (the grep -rE ... | grep -vE ... sequence) to
suppress filenames (e.g., add -h or --no-filename to the recursive grep) so the
subsequent anchored patterns like '^\s+(- )?uses: \.\/' match the line content
correctly and stop local uses: ./ entries from being flagged.

---

Outside diff comments:
In @.github/workflows/docker.yaml:
- Around line 77-86: The GHA BuildKit cache is currently written with cache-to:
type=gha,mode=max which uses a shared default scope and can cause cross-context
overwrites; update the docker/build-push-action cache configuration by adding an
explicit scope on cache-to (and optionally cache-from) that uniquely identifies
this workflow/ref/image (e.g., include workflow name, github.ref or
matrix.image.target) so PR runs don’t clobber trusted builds, or conditionally
omit cache-to for pull_request runs; update the keys referenced (cache-to,
cache-from, and
docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f) accordingly
to implement the scoped cache.

---

Duplicate comments:
In @.github/workflows/update-action-pins.yml:
- Around line 8-13: The workflow currently leaves GITHUB_TOKEN permissions
implicit; add an explicit permissions block to restrict rights to least
privilege (at minimum contents: read for actions/checkout). Update the workflow
(either top-level or inside the check-pins job) to include permissions:
contents: read so the GITHUB_TOKEN used by the step that calls
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 is constrained; ensure
you do this in the same file and verify the check-pins job still runs as
expected.

---

Nitpick comments:
In @.github/workflows/conventional-commits.yml:
- Around line 8-10: The workflow's permissions block only grants pull-requests:
read which can prevent actions/checkout from reading repository contents in
private repos; update the permissions block in the workflow to include contents:
read alongside pull-requests: read (i.e., add the permissions key "contents:
read") so actions/checkout and other steps can access repo files when the
repository is private or used in private forks.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 74bd56f6-e45b-47b2-9417-0f0614d24142

📥 Commits

Reviewing files that changed from the base of the PR and between db07e2f and fc2f3e9.

📒 Files selected for processing (11)

• .github/workflows/conventional-commits.yml
• .github/workflows/docker.yaml
• .github/workflows/docs-develop.yaml
• .github/workflows/docs-release.yaml
• .github/workflows/golang.yaml
• .github/workflows/helm-lint.yaml
• .github/workflows/helm-publish.yaml
• .github/workflows/issues-add-to-project.yml
• .github/workflows/osv-scanner.yml
• .github/workflows/release-drafter.yaml
• .github/workflows/update-action-pins.yml