@mikeredmond (Member) commented Jan 7, 2026

Based on zizmor findings

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflows to use pinned action versions for improved consistency and reproducibility across deployments.

@mikeredmond mikeredmond requested a review from Vombato January 7, 2026 14:59
@coderabbitai bot commented Jan 7, 2026

📝 Walkthrough

All GitHub Actions workflows are updated to pin action references to specific commit SHAs instead of version tags, replacing generic version identifiers with exact commit hashes for actions/checkout, actions/setup-node, aws-actions/setup-sam, and preactjs/compressed-size-action across multiple workflow files.

Changes

Cohort / File(s): GitHub Actions workflow pinning
  .github/workflows/build-size.yaml, deploy-api-lambda.yaml, deploy-cloudfront.yaml, deploy-preview.yaml, lint-build-test.yaml, publish-vechain-kit.yaml, test-e2e.yaml, test-lambda.yml
Summary: Action references pinned to specific commit SHAs: actions/checkout (8e8c483d...), actions/setup-node (49933ea5...), aws-actions/setup-sam (c2a20b18...), and preactjs/compressed-size-action (85180459...), replacing generic version tags (v3/v4/v6) for deterministic behavior and security.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 With pins so precise and hashes so tight,
Our actions now stable, our builds locked just right,
No versions will drift on a whim or a whirl,
Reproducible workflows—the rabbit's delight! 🔒✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The pull request title 'Pin and update versions to commit SHAs' directly and clearly describes the main change across all modified workflow files.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 52d002e and 2124180.

📒 Files selected for processing (8)
  • .github/workflows/build-size.yaml
  • .github/workflows/deploy-api-lambda.yaml
  • .github/workflows/deploy-cloudfront.yaml
  • .github/workflows/deploy-preview.yaml
  • .github/workflows/lint-build-test.yaml
  • .github/workflows/publish-vechain-kit.yaml
  • .github/workflows/test-e2e.yaml
  • .github/workflows/test-lambda.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Lint & Build
  • GitHub Check: build-size-check
🔇 Additional comments (8)
.github/workflows/deploy-preview.yaml (1)

90-90: LGTM! Consistent SHA pinning.

The commit SHA for actions/checkout is consistent with other workflows in this PR, maintaining a uniform security posture across all pipelines.

.github/workflows/test-e2e.yaml (1)

15-15: LGTM! Consistent security hardening.

Both action references are pinned to the same commit SHAs used in other workflows, ensuring consistent security practices across all CI/CD pipelines.

Also applies to: 18-18

.github/workflows/deploy-cloudfront.yaml (1)

35-35: LGTM! Security improvement applied.

The action pinning is consistent with other workflows in this PR.

.github/workflows/test-lambda.yml (1)

16-16: LGTM! Security hardening complete.

Both actions are pinned consistently with the other workflows in this PR, completing the security improvements across all pipelines.

Also applies to: 19-19

.github/workflows/lint-build-test.yaml (1)

20-20: Excellent security improvement by pinning actions to specific commit SHAs.

This change follows security best practices by pinning GitHub Actions to specific commit SHAs, preventing potential supply chain attacks. The pinned SHAs are correct: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 matches v6.0.1 and actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 matches v4. The inline version comments maintain readability.

.github/workflows/publish-vechain-kit.yaml (1)

18-18: Security improvement: Actions pinned to commit SHAs.

Pinning GitHub Actions to specific commit SHAs instead of mutable tags is a security best practice that prevents potential supply chain attacks. The inline version comments maintain readability. Verified that the pinned SHAs correctly correspond to the claimed versions:

  • actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 → v6.0.1 ✓
  • actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 → v4 ✓

Also applies to: 23-23, 51-51, 56-56

.github/workflows/deploy-api-lambda.yaml (1)

21-21: Security improvement: Actions pinned to commit SHAs.

All action references are correctly pinned to specific commit SHAs for enhanced security:

  • actions/checkout pinned to v6.0.1
  • aws-actions/setup-sam pinned to v2
  • aws-actions/configure-aws-credentials pinned to v4

This is consistent with security improvements across all workflows.

.github/workflows/build-size.yaml (1)

57-57: Security improvement: Actions pinned to commit SHAs.

The action references on lines 57, 63, and 77 are correctly pinned to specific commit SHAs:

  • actions/checkout v6.0.1
  • actions/setup-node v4
  • preactjs/compressed-size-action v2.9.0

This follows security best practices for GitHub Actions.

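The pinning check the review above describes, as an added example that is not code from the repository, from zizmor or from CodeRabbit: a small script that scans a workflow's `uses:` lines and reports any GitHub-hosted action reference that is not a full 40-hex commit SHA (the class of finding the PR description attributes to zizmor). The sample workflow, the `example-org/example-action` reference and the function names are constructed; the two full-SHA pins are the values quoted in this PR.

```python
import re

# Constructed sample workflow. The two full-SHA pins are the values quoted in
# this PR; the mutable tag, the unversioned action and the local action are
# made up to exercise each branch of the check.
SAMPLE_WORKFLOW = """\
name: lint-build-test
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
      - uses: preactjs/compressed-size-action@v2
      - uses: example-org/example-action
      - uses: ./.github/actions/local-step
"""

# `uses:` value, optionally quoted, followed by an optional "# vX" comment.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)['"]?\s*(?:#\s*(\S+))?""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(workflow_text):
    """Return (line_no, ref, status, version_comment) for each hosted action.
    status: "sha" (full SHA + readability comment), "sha-no-comment",
    "mutable" (tag/branch, re-pointable upstream) or "unpinned" (no ref)."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        # Local paths and docker:// images are not GitHub-hosted actions.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not version:
            status = "unpinned"
        elif FULL_SHA_RE.match(version):
            status = "sha" if comment else "sha-no-comment"
        else:
            status = "mutable"
        findings.append((line_no, ref, status, comment))
    return findings


def needs_attention(workflow_text):
    """Findings a reviewer should act on: anything not a commented full SHA."""
    return [f for f in audit_uses(workflow_text) if f[2] != "sha"]
```

Run `needs_attention` over each file under `.github/workflows/` in CI so a later PR cannot quietly reintroduce a mutable tag.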

@Vombato (Collaborator) left a comment

LGTM

@github-actions bot commented Jan 7, 2026

Size Change: 0 B

Total Size: 5.76 MB

Unchanged files (filename, size):
packages/vechain-kit/dist/assets 4.1 kB
packages/vechain-kit/dist/assets-aAdDxPJu.mjs 50.1 kB
packages/vechain-kit/dist/assets-aAdDxPJu.mjs.map 70.2 kB
packages/vechain-kit/dist/assets-DXVXPy3w.cjs 54.8 kB
packages/vechain-kit/dist/assets-DXVXPy3w.cjs.map 71.6 kB
packages/vechain-kit/dist/assets/index.cjs 716 B
packages/vechain-kit/dist/assets/index.d.cts 973 B
packages/vechain-kit/dist/assets/index.d.mts 973 B
packages/vechain-kit/dist/assets/index.mjs 718 B
packages/vechain-kit/dist/index--hSO7Xv4.d.mts 5.63 kB
packages/vechain-kit/dist/index--hSO7Xv4.d.mts.map 2.99 kB
packages/vechain-kit/dist/index-Bc58XN_C.d.cts 151 kB
packages/vechain-kit/dist/index-Bc58XN_C.d.cts.map 43.8 kB
packages/vechain-kit/dist/index-DCB0kQN7.d.mts 151 kB
packages/vechain-kit/dist/index-DCB0kQN7.d.mts.map 43.8 kB
packages/vechain-kit/dist/index-I8fe7GR2.d.cts 5.63 kB
packages/vechain-kit/dist/index-I8fe7GR2.d.cts.map 2.99 kB
packages/vechain-kit/dist/index.cjs 612 kB
packages/vechain-kit/dist/index.cjs.map 1.86 MB
packages/vechain-kit/dist/index.d.cts 20.5 kB
packages/vechain-kit/dist/index.d.mts 20.5 kB
packages/vechain-kit/dist/index.mjs 578 kB
packages/vechain-kit/dist/index.mjs.map 1.81 MB
packages/vechain-kit/dist/utils 4.1 kB
packages/vechain-kit/dist/utils-CNYVq6tT.mjs 21.2 kB
packages/vechain-kit/dist/utils-CNYVq6tT.mjs.map 63.4 kB
packages/vechain-kit/dist/utils-DcAJej3n.cjs 26.4 kB
packages/vechain-kit/dist/utils-DcAJej3n.cjs.map 63.7 kB
packages/vechain-kit/dist/utils/index.cjs 1.94 kB
packages/vechain-kit/dist/utils/index.d.cts 2.97 kB
packages/vechain-kit/dist/utils/index.d.mts 2.97 kB
packages/vechain-kit/dist/utils/index.mjs 1.96 kB

compressed-size-action

@mikeredmond mikeredmond merged commit 20c8079 into main Jan 7, 2026
7 checks passed
@mikeredmond mikeredmond deleted the mike/zizmor-findings branch January 7, 2026 15:23