chore(ci): SHA-pin third-party GitHub Actions

[mattrothenberg]

Summary

Pin high/medium-risk third-party actions to immutable commit SHAs to prevent supply chain attacks via mutable tag/branch references.

Pinned actions

Action	Was	SHA	Files
ask-bonk/ask-bonk/github	@main	8c7a831	bonk, bigbonk, reviewer
pnpm/action-setup	@v4	f40ffcd	bonk, bigbonk
changesets/action	@v1	63a615b	release

First-party actions/* left as tag-pinned (lower risk, maintained by GitHub).

Why

Mutable tags and branch refs can be rewritten by a compromised upstream maintainer (see tj-actions incident). SHA-pinning ensures we run exactly the code we audited.

• Reviews
  • bonk has reviewed the change
  • automated review not possible because: CI-only change, no component code affected
• Tests
  • Additional testing not necessary because: workflow ref changes only, CI run validates resolution

[mattrothenberg]

/bonk review

[ask-bonk]

Review: SHA-pin third-party GitHub Actions

I've verified the changes in all four workflow files. Here's my assessment:

Changes Verified ✓

Action	Location	SHA (full 40-char)
ask-bonk/ask-bonk/github	bonk.yml:45	8c7a8314f4f4865e2e41e5718dfabc4ab7a2274b
ask-bonk/ask-bonk/github	bigbonk.yml:44	8c7a8314f4f4865e2e41e5718dfabc4ab7a2274b
ask-bonk/ask-bonk/github	reviewer.yml:61	8c7a8314f4f4865e2e41e5718dfabc4ab7a2274b
pnpm/action-setup	bonk.yml:33	f40ffcd9367d9f12939873eb1018b921a783ffaa
pnpm/action-setup	bigbonk.yml:32	f40ffcd9367d9f12939873eb1018b921a783ffaa
changesets/action	release.yml:42	63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b

First-party actions correctly left as tags

• actions/checkout@v6 / actions/checkout@v4
• actions/setup-node@v6

Assessment

LGTM!

This is a solid security improvement. All high/medium-risk third-party actions are now pinned to immutable 40-character commit SHAs, preventing supply chain attacks via tag rewriting. The change is minimal, focused, and follows security best practices. First-party GitHub-maintained actions appropriately remain tag-pinned as they're lower risk.

The CI run on this PR will validate that the pinned SHAs resolve correctly.

github run

[pkg-pr-new]

npm i https://pkg.pr.new/@cloudflare/kumo@525

commit: 7cccdaf

[github-actions]

Docs Preview

View docs preview

Commit: fa76538

[github-actions]

Visual Regression Report — 10 changed, 28 unchanged

10 screenshot(s) with visual changes:

Button / Loading State

1 px (0%) changed

Before	After	Diff

Dialog / Dialog Alert

862 px (0.85%) changed

Before	After	Diff

Select / Select Without Label

105 px (0.1%) changed

Before	After	Diff

Select / Select With Field

635 px (0.54%) changed

Before	After	Diff

Select / Select Custom Rendering

1,009 px (0.99%) changed

Before	After	Diff

Select / Select Loading

0 px (0%) changed

Before	After	Diff

Select / Select Disabled Items

176 px (0.17%) changed

Before	After	Diff

Select / Select Grouped With Disabled

450 px (0.44%) changed

Before	After	Diff

Select / Select Long List

898 px (0.76%) changed

Before	After	Diff

Select (Open)

777 px (0%) changed

Before	After	Diff

28 screenshot(s) unchanged

• Button / Basic
• Button / Variant: Primary
• Button / Variant: Secondary
• Button / Variant: Ghost
• Button / Variant: Destructive
• Button / Variant: Outline
• Button / Variant: Secondary Destructive
• Button / Sizes
• Button / With Icon
• Button / Icon Only
• Button / Disabled State
• Button / Title
• Button / Link as Button
• Dialog / Dialog With Actions
• Dialog / Dialog Basic
• Dialog / Dialog Confirmation
• Dialog / Dialog With Select
• Dialog / Dialog With Combobox
• Dialog / Dialog With Dropdown
• Dialog (Open)
• Select / Select Basic
• Select / Select Sizes
• Select / Select Placeholder
• Select / Select With Tooltip
• Select / Select Multiple
• Select / Select Complex
• Select / Select Disabled Options
• Select / Select Grouped

---

Generated by Kumo Visual Regression