
workflows: pin to full git SHAs #12

Merged
stepbrobd merged 1 commit into stepbrobd:master from JuneStepp:pin-github-actions-hashes on Jun 14, 2026

Conversation

@JuneStepp

Contributor

Tags are not sufficient to pin an action. What they reference can be later changed. This supply chain attack has wreaked havoc multiple times recently.

This commit also provides a solution to using the correct repo in forks.
In the future the proposed $/ syntax may improve this. See https://github.com/orgs/community/discussions/26245#discussioncomment-15601440.

I think it would also be good to update the documentation, so that people can benefit from pinning atelier itself.
Another observation is that currently the recommendation is for users to use @master. Besides security concerns, this doesn't allow for breaking changes to be made to atelier.
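A small checker for the property this PR is about, added here as an example (not code from the atelier repository): it scans `uses:` references in GitHub Actions YAML, flags anything that is a branch or tag rather than a full 40-character commit SHA, and also flags SHA pins that lack the trailing `# <tag>` comment. The regex, the `classify_ref`/`check_workflow` names and the sample workflow are constructed for this example; the all-zero SHA is a placeholder, not a real commit.

```python
import re

# Added example (not part of the atelier repository): flag `uses:` references
# in GitHub Actions YAML that are not pinned to a full 40-character commit SHA,
# and note pinned refs missing the trailing "# <tag>" comment that Dependabot
# keeps in sync when it bumps the SHA.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[^@\s]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S.*?))?\s*$"
)

def classify_ref(ref):
    """'full-sha' (40 hex), 'short-sha' (abbreviated hex), else 'mutable' (branch/tag)."""
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "full-sha"
    if re.fullmatch(r"[0-9a-f]{7,39}", ref):
        return "short-sha"
    return "mutable"

def check_workflow(text):
    """Return [(line_no, action, ref, problem)] for each non-compliant `uses:`.
    Lines without '@' (local ./actions, docker://) are skipped."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action", "ref", "comment")
        kind = classify_ref(ref)
        if kind == "mutable":
            findings.append((no, action, ref, "mutable ref: a branch or tag can be re-pointed later"))
        elif kind == "short-sha":
            findings.append((no, action, ref, "abbreviated SHA: pin the full 40-character commit"))
        elif not comment:
            findings.append((no, action, ref, "pinned, but no '# <tag>' comment for Dependabot to track"))
    return findings

PLACEHOLDER_SHA = "0" * 40  # constructed placeholder, not a real commit
# Constructed sample modelled on the action refs this PR touches.
SAMPLE_WORKFLOW = f"""\
steps:
  - uses: actions/checkout@v6
  - uses: actions/upload-artifact@{PLACEHOLDER_SHA} # v7
  - uses: srz-zumix/post-run-action@{PLACEHOLDER_SHA}
  - uses: stepbrobd/atelier/.github/actions/atelier@master
  - uses: nixos/nix-installer-action@abc1234
  - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for no, action, ref, problem in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {no}: {action}@{ref}: {problem}")
```

Run against the sample it reports the `v6` and `master` refs as mutable, the 7-character id as abbreviated, and the comment-less SHA pin as missing its tag comment; the local `./` action is skipped.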

@coderabbitai

coderabbitai Bot commented Jun 14, 2026



No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a4eb8562-2054-42a9-b98b-1734c4a1557b

📥 Commits

Reviewing files that changed from the base of the PR and between 2158eaf and c76fcc5.

📒 Files selected for processing (3)
  • .github/actions/atelier/action.yaml
  • .github/workflows/build.yaml
  • .github/workflows/discover.yaml

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Pinned GitHub Actions to specific commit versions across all CI/CD workflows to ensure reproducible builds and enhance security by preventing unexpected changes from upstream action updates.
    • Applied commit pinning across build, deployment, and artifact management steps to maintain consistency and reduce supply chain risks.

Walkthrough

Six GitHub Action uses: references in .github/actions/atelier/action.yaml, .github/workflows/build.yaml, and .github/workflows/discover.yaml are updated from mutable branch names or version tags to pinned commit SHAs. No step logic, inputs, outputs, or workflow structure is changed.

Changes

Pin GitHub Action dependencies to commit SHAs

Layer: Pin all action uses: references
File(s): .github/actions/atelier/action.yaml, .github/workflows/build.yaml, .github/workflows/discover.yaml
Summary: wimpysworld/nothing-but-nix@main, nixos/nix-installer-action@main, and srz-zumix/post-run-action@v3 in the composite action are pinned to exact commit SHAs; actions/checkout@v6 and actions/upload-artifact@v7 in the build workflow and actions/checkout@v6 in the discover workflow are likewise pinned.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes


🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Title check: Passed. The title accurately summarizes the main change: pinning GitHub Actions in workflows to full git SHAs instead of tags.
  • Description check: Passed. The description is directly related to the changeset, explaining the security rationale for pinning actions to full git SHAs and discussing implementation details.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@JuneStepp JuneStepp changed the title rworkflows: pin to full git SHAs workflows: pin to full git SHAs Jun 14, 2026
@stepbrobd

Owner

do you know if we pin with full hash, dependabot would still be able to bump them?

about pinning with master in readme, yeah i should change it to pin to a tag

@JuneStepp

Contributor Author

do you know if we pin with full hash, dependabot would still be able to bump them?

It can. It should also update the tag comment.

Comment thread .github/workflows/build.yaml Outdated
Comment on lines +10 to +17
    repository:
      description: Atelier repository
      type: string
      default: stepbrobd/atelier
    ref:
      description: Atelier repository Git ref
      type: string
      default: master
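Review bot: the `ref` input's `default: master` in this block means a caller that leaves the inputs at their defaults still resolves Atelier through a mutable branch, the same weakness the PR description calls out for tags; consider saying so in the input text, e.g. `description: Atelier repository Git ref (pass a full commit SHA to pin)`, so users know an immutable pin requires overriding `ref`.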

Owner


let's not change this for now (also below related changes that's not repinning to full hash)

imo users should fork directly and call their forked atelier instead of providing inputs for this

Contributor Author


Without this or some other solution, it's impossible to pin Atelier to a commit. People will think they're pinning to a commit, but in reality, it's just fetching master in multiple places behind the scenes.
People forking would also have to edit the code in multiple places to have their fork actually use itself.

Owner


i see its mostly bc of uses: stepbrobd/atelier/.github/actions/atelier@master and some other forced master pin below

could you split this PR so that other dependent actions repin can be merged first

Contributor Author


Done. See #15 for the Atelier pinning part.

Owner


thx

Tags are not sufficient to pin an action. What they reference can be
later changed.

This commit doesn't allow for pinning Atelier itself.
@JuneStepp JuneStepp force-pushed the pin-github-actions-hashes branch from 5841668 to c76fcc5 Compare June 14, 2026 10:48
@stepbrobd stepbrobd merged commit 3081f9e into stepbrobd:master Jun 14, 2026
8 checks passed
