Conversation

@mindmonk
Pin all GitHub Actions and reusable workflows to immutable commit SHAs instead of version tags.
This improves supply-chain security.

@coderabbitai
coderabbitai bot commented Feb 11, 2026

Walkthrough

The PR updates three GitHub Actions workflows (.github/workflows/build.yml, dependency-check.yml, native-image.yml). Multiple action uses are pinned from generic version tags to exact commit SHAs. dependency-check.yml also changes the scheduled cron from "0 23 * * 0" to "0 12 * * 0", bumps java-version from 21 to 25, removes one slack webhook secret reference and adds ossindex-username and ossindex-token secrets while replacing the slack webhook secret with a different secret name. No control-flow or step-sequence changes were introduced.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title 'Pin GitHub Actions to commit SHAs' accurately and concisely summarizes the main change: updating GitHub Actions references to use commit SHAs instead of version tags.
Description check ✅ Passed The description clearly relates to the changeset, explaining the purpose of pinning GitHub Actions and reusable workflows to commit SHAs for supply-chain security improvements.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

No actionable comments were generated in the recent review. 🎉

🧹 Recent nitpick comments
.github/workflows/native-image.yml (1)

14-15: Pinned action SHAs are correctly verified. All four action references correctly map to their stated version tags:

  • actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 → v4.3.1 ✓
  • graalvm/setup-graalvm@54b4f5a65c1a84b2fdfdc2078fe43df32819e4b1 → v1.4.5 ✓
  • actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 → v4.6.2 ✓
  • softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b → v2.5.0 ✓

Minor style nit: lines 14, 15, and 41 use #v… (no space) while line 52 uses # v… (with space). Consider standardizing the comment format across all four actions.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/native-image.yml:
- Line 14: The checkout action string in the workflow uses an incorrect double-at symbol ("actions/checkout@@34e114...") which will break resolution; update the uses reference in the native-image.yml workflow to the correct single-at form ("actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5") so the action can be resolved and executed properly.
🧹 Nitpick comments (1)
.github/workflows/dependency-check.yml (1)

4-4: Additional functional changes beyond SHA pinning.

This file includes several changes not mentioned in the PR description:

  • Schedule changed from 11 PM to 12 PM Sunday (Line 4)
  • New ossindex-username and ossindex-token secrets (Lines 20-21)
  • Slack webhook secret changed to SLACK_WEBHOOK_CRYPTOMATOR_DESKTOP (Line 22)

These may be intentional to align with the v3.0.3 reusable workflow, but the PR description only mentions pinning SHAs. Consider updating the PR description or splitting these into a separate commit for clarity.

Also applies to: 20-22
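The two review findings above (an unresolvable `@@` reference and inconsistent `#v` / `# v` pin comments) are the kind of thing a small pre-merge lint can catch before a reviewer has to. The following checker is an added example, not code from this PR or the project; the sample workflow text is constructed here (the action SHAs are the ones quoted in the review, the `example-org` reusable workflow and `./.github/actions/local-thing` paths are made up).

```python
import re

# Constructed sample in the shape of the workflows touched by this PR.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #v4.3.1
      - uses: actions/checkout@@34e114876b0b11c390a56381ad16ebd13914f8d5 #v4.3.1
      - uses: actions/upload-artifact@v4
      - uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
      - uses: ./.github/actions/local-thing
  check:
    uses: example-org/shared-workflows/.github/workflows/check.yml@v3.0.3
"""

# Matches step-level ("- uses:") and job-level ("uses:") references,
# optionally followed by a "# vX.Y.Z" comment naming the pinned tag.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)(?:\s+#\s*(\S+))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
COMMENT_STYLE_RE = re.compile(r"#(\s*)v\d")


def audit_uses(text):
    """One finding per `uses:` line: (line_no, ref, status, version_comment).
    status is 'pinned' (40-hex SHA), 'unpinned' (tag/branch),
    'malformed' (ref does not contain exactly one '@') or 'local'."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        if ref.startswith(("./", "docker://")):
            findings.append((n, ref, "local", comment))
        elif ref.count("@") != 1:
            # e.g. 'actions/checkout@@<sha>': the runner cannot split owner/repo from ref
            findings.append((n, ref, "malformed", comment))
        else:
            version = ref.split("@")[1]
            status = "pinned" if SHA_RE.match(version) else "unpinned"
            findings.append((n, ref, status, comment))
    return findings


def unpinned_refs(text):
    """Findings that should block a merge: not a full SHA, or not resolvable at all."""
    return [f for f in audit_uses(text) if f[2] in ("unpinned", "malformed")]


def version_comment_styles(text):
    """Distinct '#'-to-'v' spacings used in pin comments; more than one means inconsistency."""
    return {"#" + m.group(1) + "v" for line in text.splitlines() if "uses:" in line
            for m in [COMMENT_STYLE_RE.search(line)] if m}
```

Running it over the sample flags lines 5, 6 and 10 and reports both `#v` and `# v` comment styles; dropping `./` and `docker://` refs keeps local composite actions out of the report.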

@mindmonk mindmonk requested a review from infeo February 11, 2026 13:21