chore(actions): pin all workflow uses to commit SHA

[wilcorrea]

Summary

Pins every GitHub Action reference in this repo's workflows to an immutable commit SHA, and adds a Dependabot config so the pins stay current automatically.

This applies the SHA-pinning hardening that CodeRabbit has been flagging on the last two PRs (PR #2 and PR #3) — addressed here as a single repo-wide change instead of step-by-step, which is the right granularity for a security policy.

Why

Tags like @v3 are mutable. If an action's maintainer account is compromised, the attacker can retarget the tag to point at malicious code, and every workflow using that tag will execute it on the next run with access to repo secrets (e.g. DOCKERHUB_TOKEN). This is what happened in the tj-actions/changed-files incident (March 2025) and a few others since. Pinning to a full commit SHA makes the reference content-addressed — the SHA cannot point at different code without changing.

Doing it per-step would leave the rest of the file inconsistent and not actually close the attack surface. Doing it repo-wide + automated keeps it sustainable.

Pin format

Each uses: keeps the original semver tag as an inline comment so Dependabot can recognize and update both halves:

- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

Pinned references (7 actions, 14 occurrences across 3 workflows)

Action	Tag	SHA
actions/checkout	v4.3.1	34e114876b0b11c390a56381ad16ebd13914f8d5
docker/setup-qemu-action	v3.7.0	c7c53464625b32c7a7e944ae62b3e17d2b600130
docker/setup-buildx-action	v3.12.0	8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
docker/login-action	v3.7.0	c94ce9fb468520275223c153574b00df6fe4bcc9
docker/metadata-action	v5.10.0	c299e40c65443455700f0fdfc63efafe5b349051
docker/build-push-action	v6.19.2	10e90e3645eae34f1e60eeb005ba3a3d33f178e8
tj-actions/changed-files	v44.0.0	2d756ea4c53f7f6b397767d8723b3a10a9f35bf2

Each SHA was resolved against the action's repo via the GitHub API at PR time.

Dependabot config

Adds .github/dependabot.yml with the github-actions ecosystem and weekly grouped updates:

• docker-actions group: all docker/* actions bundled into one PR
• actions-org group: all actions/* actions bundled into one PR
• Other actions (e.g. tj-actions/changed-files) get individual PRs

Grouping limits PR noise while keeping related Docker-org actions versioned together (since they're often updated in sync).

Test plan

• Workflows still parse (yq eval smoke-tested all four files locally)
• validate.yml runs on this PR and passes
• No build matrix entries are affected — only the uses: step references change
• Dependabot picks up the config after merge and opens its first PR within the next weekly cycle

[coderabbitai]

Warning

Review limit reached

@wilcorrea, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 42 minutes and 25 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bfb131e1-c6b5-4987-89bd-2936daf7e21e

📥 Commits

Reviewing files that changed from the base of the PR and between 731c925 and 630afd9.

📒 Files selected for processing (4)

• .github/dependabot.yml
• .github/workflows/build-images.yml
• .github/workflows/copilot-sandbox.yml
• .github/workflows/validate.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/pin-actions-to-sha

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}