Pin GitHub Actions to commit SHAs #1293
LGTM — straightforward SHA-pinning of third-party actions for supply-chain hardening.
Extended reasoning...
Overview
This PR pins oven-sh/setup-bun references to immutable commit SHAs across three workflow files. In ci.yml, two @v2 floating tags are pinned to 0c5077e… (v2.2.0) and one @v1 tag is pinned to f4d14e0… (v1.2.2). In test-mcp-servers.yml and action.yml, the SHAs were already pinned — only the trailing comments were normalized to include the version label and (sha-pinned) marker.
Security risks
None introduced — this change reduces supply-chain risk by replacing mutable tag references with immutable commit SHAs, which is the GitHub-recommended hardening practice for third-party actions. The 0c5077e… SHA was already in use (and trusted) in action.yml, so two of the three new pins reuse a SHA the repo already depends on. The remaining SHA (f4d14e0… for v1.2.2) corresponds to a published release of the same well-known action.
Level of scrutiny
Low. Half the diff is comment-only normalization with zero behavioral effect. The functional half replaces floating tags with fixed SHAs from the same upstream repo — a mechanical, well-understood operation. CI workflows themselves will exercise these pins immediately on this PR, so any incorrect SHA would surface as a failed checkout.
Other factors
No bugs were found by the bug-hunting system, no CODEOWNERS file exists for these paths, and there are no outstanding reviewer comments. The change is small, self-contained, and follows an established security best practice.
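The review above relies on CI itself to catch a wrong SHA, but it is also useful to check pinning before a workflow runs. The following is an added example, not code from this repository or from the reviewing bot: a small Python linter that scans a workflow file for `uses:` references and flags any third-party action not pinned to a full 40-hex commit SHA (and any `docker://` image not pinned to a `sha256:` digest). The sample workflow text and the 40-character SHA inside it are constructed for the example; they are not the real `oven-sh/setup-bun` commits referenced in the PR.

```python
import re
import sys
from dataclasses import dataclass

# Matches a step line such as "  - uses: owner/repo@ref" and captures "owner/repo@ref".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full, immutable commit SHA: exactly 40 lowercase hex characters.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int
    target: str
    ref: str
    reason: str


def parse_uses(workflow_text):
    """Return (line_number, target, ref) for every `uses:` line in the workflow."""
    refs = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if "@" in spec:
            target, ref = spec.rsplit("@", 1)
        else:
            target, ref = spec, ""
        refs.append((n, target, ref))
    return refs


def check_pins(workflow_text):
    """Flag action references that are not pinned to an immutable identifier."""
    findings = []
    for n, target, ref in parse_uses(workflow_text):
        if target.startswith("./"):
            # Local actions live in this repository; pinning does not apply.
            continue
        if target.startswith("docker://"):
            # Container images are immutable only when referenced by digest.
            if not ref.startswith("sha256:"):
                findings.append(Finding(n, target, ref, "container image not pinned to a sha256 digest"))
            continue
        if not FULL_SHA_RE.match(ref):
            findings.append(Finding(n, target, ref, "mutable tag/branch instead of a full commit SHA"))
    return findings


# Constructed sample workflow; the SHA below is a made-up placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: oven-sh/setup-bun@0123456789abcdef0123456789abcdef01234567 # v2.2.0 (sha-pinned)
      - uses: oven-sh/setup-bun@v1
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - run: bun test
"""


def main(argv):
    # With a path argument, lint that file; otherwise lint the constructed sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_WORKFLOW
    findings = check_pins(text)
    for f in findings:
        print(f"line {f.line}: {f.target}@{f.ref or '<none>'}: {f.reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python pin_check.py .github/workflows/ci.yml` and fail the pre-merge check when the exit status is non-zero; the trailing `# v2.2.0 (sha-pinned)` comment style the PR normalizes is what lets a human still read which release a bare SHA corresponds to.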
Pin third-party GitHub Actions references to immutable commit SHAs.