revert(actions): restore stable @sha pins after diagnostic CI run

jdalton · jdalton · commit 156d28e60bb4 · 2026-05-18T12:38:58.000-04:00
The diagnostic-SHA-pinning approach hit two blockers: 1. `@main` pin fails workflow validation (org policy requires SHA-pinned actions). 2. New @sha pins fail zizmor's `impostor-commit` audit, because zizmor's commit-history check appears to lag behind newly- pushed SHAs. The actual CI failure root cause has been identified (pnpm version mismatch between runner's preinstalled 11.0.6 and package.json's declared 11.1.2 — surfaces as "sfw is not installed" in install action because setup's SFW step is skipped on the version-mismatched runner pnpm). Fixing that needs a separate `setup` action change to prepend the installed pnpm to PATH; doesn't need the diagnostic pin chain. Restore stable SHA pins so registry's own CI runs cleanly while the next fix lands. Keeping the diagnostic `ls -la` blocks in setup/action.yml and checkout/action.yml (committed in fce50ac + 92c6ffb); they're inert on success paths and will surface useful info the next time the path-resolution failure mode recurs. Pre-commit bypassed (SOCKET_API_KEY 401, user-authorized via 'Allow lint bypass').
diff --git a/.github/actions/setup-and-install/action.yml b/.github/actions/setup-and-install/action.yml
@@ -71,14 +71,14 @@ runs:
   steps:
     - name: Checkout
       if: inputs.checkout == 'true'
-      uses: SocketDev/socket-registry/.github/actions/checkout@92c6ffb792d8a4bdc59ba53a93dc69cf03ea7b9d # diagnostic (2026-05-18)
+      uses: SocketDev/socket-registry/.github/actions/checkout@64eb126e90301045eb095cf18f8050db3ff358a2 # main (2026-05-15)
       with:
         fetch-depth: ${{ inputs.checkout-fetch-depth }}
         ref: ${{ inputs.checkout-ref }}
         working-directory: ${{ inputs.working-directory }}
 
     - name: Setup environment
-      uses: SocketDev/socket-registry/.github/actions/setup@92c6ffb792d8a4bdc59ba53a93dc69cf03ea7b9d # diagnostic (2026-05-18)
+      uses: SocketDev/socket-registry/.github/actions/setup@60ba2612776f9d9c6d63fb24fdac4cd9991e505d # main (2026-05-15)
       with:
         debug: ${{ inputs.debug }}
         node-version: ${{ inputs.node-version }}
diff --git a/.github/workflows/_local-not-for-reuse-ci.yml b/.github/workflows/_local-not-for-reuse-ci.yml
@@ -30,12 +30,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
-      # TEMPORARY: pin to the diagnostic SHA so the `ls -la` block
-      # added in setup/action.yml + checkout/action.yml actually
-      # runs (the previous SHA-pinned setup-and-install@56be73d6
-      # doesn't have the diagnostic yet). Revert to a stable SHA
-      # once external-tools.json path resolution is fixed.
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@92c6ffb792d8a4bdc59ba53a93dc69cf03ea7b9d # diagnostic (2026-05-18)
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@56be73d6881212e642f35a3cd165e27cb1c09aef # main (2026-05-15)
         with:
           node-version: 22
 
