fix: pin GitHub Actions to commit SHAs (INT-326)

[Xeboc]

Info

• Pins all uses: references in GitHub Actions workflows to full commit SHAs.

References

• https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions

[coderabbitai]

Warning

Rate limit exceeded

@Xeboc has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 14 minutes and 54 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 14 minutes and 54 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 027aa1a7-b79f-422e-ad24-34e11503e15d

📥 Commits

Reviewing files that changed from the base of the PR and between 683ffbb and 5d11ecc.

📒 Files selected for processing (5)

• .github/workflows/lint.yml
• .github/workflows/release-please.yml
• .github/workflows/test.yml
• .trunk/trunk.yaml
• action.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/INT-326/pin-github-actions

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Below is the Action testing on itself with this PR's source code against policies in /examples file by file. Confirm it is as expected.

File	Status	Passed	Total	Coverage	Details
./examples/tests/readers-writers-admins-teams_test.rego	✅ PASS	6	6	83.33% Uncovered Lines 16, 24, 28	Show Details ✅ test_allow_writers ✅ test_allow_admins ✅ test_allow_readers ✅ test_space_admin_access ✅ test_space_write_access ✅ test_space_read_access
./examples/tests/do-not-delete-stateful-resources_test.rego	✅ PASS	5	5	85.71% Uncovered Lines 34	Show Details ✅ test_deny_s3_bucket_deletion ✅ test_deny_db_instance_deletion ✅ test_deny_efs_file_system_deletion ✅ test_deny_dynamodb_table_deletion ✅ test_allow_instance_deletion
./examples/tests/track-using-labels_test.rego	✅ PASS	8	8	45.45% Uncovered Lines 3, 5, 12-13, 23-26, 35, 37-38, 41	Show Details ✅ test_track_different_branches ✅ test_propose_non_empty_branch ✅ test_propose_empty_branch ✅ test_affected_directory ✅ test_affected_extension ✅ test_not_affected_directory ✅ test_not_affected_extension ✅ test_ignore_not_affected
./examples/tests/cancel-in-progress-runs_test.rego	✅ PASS	2	2	83.33% Uncovered Lines 16	Show Details ✅ test_cancel_runs_allowed ✅ test_cancel_runs_denied
./examples/tests/enforce-password-length_test.rego	✅ PASS	3	3	90.91% Uncovered Lines 29	Show Details ✅ test_deny_creation_of_password_with_less_than_16_characters ✅ test_warn_creation_of_password_between_16_and_20_characters ✅ test_allow_creation_of_password_longer_than_20_characters
./examples/tests/notification-stack-failure-origins_test.rego	✅ PASS	7	7	96.67% Uncovered Lines 80	Show Details ✅ test_slack_notification_for_tracked_failed_run ✅ test_no_slack_notification_for_non_tracked_run ✅ test_no_slack_notification_for_successful_run ✅ test_slack_notification_with_unknown_github_user ✅ test_pr_comment_for_tracked_failed_run ✅ test_no_pr_comment_for_non_tracked_run ✅ test_no_pr_comment_for_successful_run
./examples/tests/enforce-module-use-policy_test.rego	✅ PASS	3	3	47.83% Uncovered Lines 37, 42, 46, 52, 54, 57, 60-61, 64, 68, 78, 80	Show Details ✅ test_deny_creation_of_controlled_resource_type ✅ test_deny_update_of_controlled_resource_type ✅ test_allow_creation_of_uncontrolled_resource_type
./examples/tests/ignore-changes-outside-root_test.rego	✅ PASS	12	12	92.86% Uncovered Lines 42	Show Details ✅ test_affected_no_files ✅ test_affected_tf_files ✅ test_affected_no_tf_files ✅ test_affected_outside_project_root ✅ test_ignore_affected ✅ test_ignore_not_affected ✅ test_ignore_tag ✅ test_propose_affected ✅ test_propose_not_affected ✅ test_track_affected ✅ test_track_not_affected ✅ test_track_not_stack_branch
./examples/drift-detection.rego	⚠️ NO TESTS	0	0	N/A	Show Details No test file found

Report generated by 🧪 GitHub Actions for OPA Rego Test

[github-actions]

Below is the Action testing on itself with this PR's source code against /examples entire package directory. Confirm it is as expected.

File	Status	Passed	Total	Coverage	Details
examples/tests/cancel-in-progress-runs_test.rego	✅ PASS	2	2	83.33% Uncovered Lines 16	Show Details ✅ test_cancel_runs_allowed ✅ test_cancel_runs_denied
examples/tests/do-not-delete-stateful-resources_test.rego	✅ PASS	5	5	85.71% Uncovered Lines 34	Show Details ✅ test_deny_s3_bucket_deletion ✅ test_deny_db_instance_deletion ✅ test_deny_efs_file_system_deletion ✅ test_deny_dynamodb_table_deletion ✅ test_allow_instance_deletion
examples/tests/enforce-module-use-policy_test.rego	✅ PASS	3	3	47.83% Uncovered Lines 37, 42, 46, 52, 54, 57, 60-61, 64, 68, 78, 80	Show Details ✅ test_deny_creation_of_controlled_resource_type ✅ test_deny_update_of_controlled_resource_type ✅ test_allow_creation_of_uncontrolled_resource_type
examples/tests/enforce-password-length_test.rego	✅ PASS	3	3	90.91% Uncovered Lines 29	Show Details ✅ test_deny_creation_of_password_with_less_than_16_characters ✅ test_warn_creation_of_password_between_16_and_20_characters ✅ test_allow_creation_of_password_longer_than_20_characters
examples/tests/ignore-changes-outside-root_test.rego	✅ PASS	12	12	92.86% Uncovered Lines 42	Show Details ✅ test_affected_no_files ✅ test_affected_tf_files ✅ test_affected_no_tf_files ✅ test_affected_outside_project_root ✅ test_ignore_affected ✅ test_ignore_not_affected#01 ✅ test_ignore_tag ✅ test_propose_affected ✅ test_propose_not_affected ✅ test_track_affected ✅ test_track_not_affected ✅ test_track_not_stack_branch
examples/tests/notification-stack-failure-origins_test.rego	✅ PASS	7	7	96.67% Uncovered Lines 80	Show Details ✅ test_slack_notification_for_tracked_failed_run ✅ test_no_slack_notification_for_non_tracked_run ✅ test_no_slack_notification_for_successful_run ✅ test_slack_notification_with_unknown_github_user ✅ test_pr_comment_for_tracked_failed_run ✅ test_no_pr_comment_for_non_tracked_run ✅ test_no_pr_comment_for_successful_run
examples/tests/readers-writers-admins-teams_test.rego	✅ PASS	6	6	83.33% Uncovered Lines 16, 24, 28	Show Details ✅ test_allow_writers ✅ test_allow_admins ✅ test_allow_readers ✅ test_space_admin_access ✅ test_space_write_access ✅ test_space_read_access
examples/tests/track-using-labels_test.rego	✅ PASS	8	8	86.36% Uncovered Lines 3, 12, 41	Show Details ✅ test_track_different_branches ✅ test_propose_non_empty_branch ✅ test_propose_empty_branch ✅ test_affected_directory ✅ test_affected_extension ✅ test_not_affected_directory ✅ test_not_affected_extension ✅ test_ignore_not_affected
./examples/drift-detection.rego	⚠️ NO TESTS	0	0	N/A	Show Details No test file found

Report generated by 🧪 GitHub Actions for OPA Rego Test

[github-actions]

Coverage report

St.❔	Category	Percentage	Covered / Total
🟢	Statements	95.56%	86/90
🟢	Branches	93.1%	27/29
🟢	Functions	100%	8/8
🟢	Lines	96.63%	86/89

Test suite run success

15 tests passing in 1 suite.

Report generated by 🧪jest coverage report action from 5d11ecc

[oycyc]

LGTM - GitHub Actions SHA pinning and tooling updates.