ci: pin GitHub Actions to full-length commit SHAs #101

Merged: maxandersen merged 1 commit into main from pin-actions-to-sha on May 19, 2026

Conversation

maxandersen (Collaborator) commented May 19, 2026

Pin all action references to full-length commit SHAs for supply chain security.

This is required for enabling the org-level policy:
Require actions to be pinned to a full-length commit SHA

Original version tags are preserved as comments for readability.
Consider adding Dependabot for GitHub Actions to keep pins updated:

# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions CI/CD workflow to use pinned versions of dependencies for improved build reliability and security across checkout, Java setup, caching, artifact management, and code coverage reporting.

Review Change Stack

Pin all action references to full-length commit SHAs for supply chain
security. This is required for the org-level policy:
'Require actions to be pinned to a full-length commit SHA'.

Original version tags are preserved as comments for readability.
coderabbitai (Bot) commented May 19, 2026

Walkthrough

This PR updates the GitHub Actions CI workflow to pin all external actions to specific commit SHAs instead of version tags. Changes affect actions/checkout, actions/setup-java, actions/cache, actions/upload-artifact, codecov/codecov-action, and marvinpinto/action-automatic-releases across the workflow file.

Changes

CI Workflow Action Pinning

Layer: Pin CI workflow action versions to specific SHAs
File(s): .github/workflows/CI.yml
Summary: All action steps updated from version tags (@v5, @v4, @v5-beta) to pinned commit SHAs: checkout, setup-java, cache, upload-artifact, automatic-releases, and codecov.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 Action pins, now locked in place,
Security hardened, a safer race,
No more drift from version tags so free,
This workflow's chain is verifiably clean!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'ci: pin GitHub Actions to full-length commit SHAs' is clear, concise, and directly summarizes the main change in the pull request.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/CI.yml:
- Line 15: The workflow pins actions/setup-java to the commit SHA
be666c2fcd27ec809703dec50e508c2fdc7f6654 which is actually a v6 update despite
the comment saying v5; fix by making the pin and comment consistent: either
update the action reference to the v6 tag (e.g., actions/setup-java@v6 or the
correct v6 SHA) or replace the SHA with the true v5 release commit and adjust
the comment, ensuring the actions/setup-java@be666c2f... reference and its
accompanying comment both match the intended major version.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 503c2c69-a95b-4e63-98d7-15418a2c8c36

📥 Commits

Reviewing files that changed from the base of the PR and between 45893d0 and 2fdb3c3.

📒 Files selected for processing (1)
  • .github/workflows/CI.yml

Comment thread .github/workflows/CI.yml
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- name: Set up JDK 21
uses: actions/setup-java@v5
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
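Review bot: the pin `uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5` should be verified against the `v5` tag before merging, because the trailing `# v5` is only a comment: the SHA policy is satisfied by any 40-hex value, so a pin that stands for a different major version passes every check silently and the comment becomes the only, and here possibly wrong, record of what was pinned. Resolve the tag with `gh api repos/actions/setup-java/git/ref/tags/v5 --jq '.object.sha'`, pin that SHA, and keep the comment aligned with the tag it came from; the same check applies to the `actions/checkout` line shown as context.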

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify actions/setup-java SHA corresponds to v5

echo "Checking actions/setup-java SHA..."
gh api repos/actions/setup-java/commits/be666c2fcd27ec809703dec50e508c2fdc7f6654 --jq '{sha: .sha, message: .commit.message}' || echo "SHA not found"

echo -e "\nChecking v5 tag..."
gh api repos/actions/setup-java/git/ref/tags/v5 --jq '.object.sha' || echo "v5 tag not found"

Repository: jbangdev/jbang-eclipse

Length of output: 348


The SHA pin corresponds to a v6 commit, not v5.

The SHA be666c2fcd27ec809703dec50e508c2fdc7f6654 is tagged as v5 in the actions/setup-java repository, but its commit message explicitly states "Chore: Version Update and Checkout Update to v6 (#973)". Either the tag is incorrect, the comment should reference v6, or the pinned commit should be updated to the actual v5 release commit.

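The two things this PR turns on, the org policy that every action be pinned to a full-length commit SHA (from the description) and CodeRabbit's finding that a pinned SHA can disagree with the version named in its trailing comment, are both mechanical checks a repository can run in CI. The linter below is an added example written for this page, not code from the jbang-eclipse project or from CodeRabbit. It parses `uses:` lines out of a workflow, flags any external action that is not pinned to a 40-hex SHA or that lacks a `# <tag>` comment, and then compares each pinned SHA with what its commented tag resolves to. The sample workflow is constructed (the two checkout and setup-java SHAs are the ones visible in this PR's diff, the other refs are made up), and `TAG_SHAS` is a constructed stand-in for the result of `gh api repos/<owner>/<repo>/git/ref/tags/<tag> --jq .object.sha`, with the setup-java entry deliberately different from the pin so the mismatch case is exercised.

```python
"""Lint a GitHub Actions workflow for full-length commit-SHA pins (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# A `uses:` line, optionally inside a `- ` list item, with optional @ref and # comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s@]+)(?:@(\S+))?\s*(?:#\s*(\S+))?\s*$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Pin:
    line_no: int
    action: str
    ref: Optional[str]
    tag_comment: Optional[str]

    @property
    def is_external(self) -> bool:
        # Local composite actions and docker:// images are outside the SHA policy.
        return not (self.action.startswith("./") or self.action.startswith("docker://"))

    @property
    def is_full_sha(self) -> bool:
        return self.ref is not None and FULL_SHA_RE.match(self.ref) is not None


def parse_uses(workflow_text: str) -> List[Pin]:
    """Collect every `uses:` reference with its 1-based line number."""
    pins: List[Pin] = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            pins.append(Pin(n, m.group(1), m.group(2), m.group(3)))
    return pins


def lint_pins(workflow_text: str) -> List[str]:
    """Check 1: every external action is a full-length SHA pin with a version comment."""
    findings: List[str] = []
    for p in parse_uses(workflow_text):
        if not p.is_external:
            continue
        if p.ref is None:
            findings.append(f"line {p.line_no}: {p.action} has no @ref")
        elif not p.is_full_sha:
            findings.append(f"line {p.line_no}: {p.action}@{p.ref} is not a full-length commit SHA")
        elif p.tag_comment is None:
            findings.append(f"line {p.line_no}: {p.action}@{p.ref[:7]} lacks a '# <tag>' comment")
    return findings


def check_tag_consistency(workflow_text: str, tag_shas: Dict[str, str]) -> List[str]:
    """Check 2: the pinned SHA must equal what `<action>@<commented tag>` resolves to."""
    findings: List[str] = []
    for p in parse_uses(workflow_text):
        if not (p.is_external and p.is_full_sha and p.tag_comment):
            continue
        expected = tag_shas.get(f"{p.action}@{p.tag_comment}")
        if expected is None:
            findings.append(f"line {p.line_no}: no tag data for {p.action}@{p.tag_comment}, cannot verify")
        elif expected != p.ref:
            findings.append(
                f"line {p.line_no}: {p.action} pinned to {p.ref[:7]} "
                f"but tag {p.tag_comment} resolves to {expected[:7]}"
            )
    return findings


# Constructed sample workflow, not the project's CI.yml: the checkout and
# setup-java SHAs are the ones in this PR's diff, the other refs are made up.
SAMPLE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - name: Set up JDK 21
        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
      - uses: actions/cache@v4
      - uses: actions/upload-artifact@abcdef1 # v4
      - uses: codecov/codecov-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
"""

# Constructed tag -> SHA data standing in for `gh api .../git/ref/tags/<tag>`;
# the setup-java entry intentionally differs from the pin to show a mismatch.
TAG_SHAS = {
    "actions/checkout@v5": "93cb6efe18208431cddfb8368fd83d5badbf9bfd",
    "actions/setup-java@v5": "1111111111111111111111111111111111111111",
}

if __name__ == "__main__":
    for finding in lint_pins(SAMPLE_WORKFLOW) + check_tag_consistency(SAMPLE_WORKFLOW, TAG_SHAS):
        print(finding)
```

Run against the sample, the first check reports the tag-pinned `actions/cache`, the short-SHA `actions/upload-artifact` and the comment-less `codecov/codecov-action`; the second reports that `actions/setup-java` is pinned to a commit other than the one `v5` resolves to in the constructed data. Feeding `check_tag_consistency` real `gh api` output is the step that catches the kind of pin/comment drift CodeRabbit flagged, since the SHA policy alone accepts any well-formed 40-hex value.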

@maxandersen maxandersen merged commit d679076 into main May 19, 2026
2 of 8 checks passed