
Conversation

@sukhmancode

(Issue #1158)

Proposed change

This PR replaces all version tags (@v1, @v2, @v5) in GitHub Actions workflows with the exact commit SHAs. This ensures deterministic builds and improves security by locking the workflow actions to specific versions.

Note: The pypa/gh-action-pypi-publish action was originally using release/@v1; I replaced it with the latest SHA. Please review this SHA to ensure it aligns with the intended release.

All other actions remain functionally identical.

Type of change

  • Dependency upgrade (workflow actions)


@coderabbitai coderabbitai bot commented Oct 26, 2025

Summary by CodeRabbit

  • Chores
    • Updated CI/CD pipeline configuration to use pinned action versions for improved build reproducibility and security.

Walkthrough

All modifications are in the CI/CD workflow: action usages across the workflow were changed from broad/major-version references to explicit, pinned versions or SHAs (checkout, setup-python, CodeQL, pre-commit, artifact and Docker actions). No job additions, removals, or control-flow restructuring were introduced.

Changes

  • Cohort: CI workflow — action pinning
    File(s): /.github/workflows/ci_cd.yml
    Summary: Replaced multiple GitHub Actions references with explicit pinned versions/SHAs (e.g., actions/checkout, actions/setup-python, CodeQL init/analysis, pre-commit, upload-artifact, download-artifact, Docker build/login/qemu actions). Overall workflow structure, jobs, and stage ordering are unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify each pinned action SHA for compatibility with step inputs used in the workflow (especially CodeQL, setup-python, and Docker actions).
  • Confirm artifact upload/download and caching steps still behave as expected with new pins.
  • Check concurrency/trigger semantics if any trigger lines were slightly adjusted during pinning.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
  • Title Check: ✅ Passed. The PR title "Replace GitHub Actions version tags with SHA for deterministic builds…" directly describes the main change in the changeset. It clearly identifies what is being changed (GitHub Actions version tags being replaced with SHAs) and the primary benefit (deterministic builds). The title is specific, concise, and accurately reflects the content of the CI/CD workflow updates shown in the raw summary, where all action version tags are replaced with explicit commit SHAs across multiple jobs.
  • Description Check: ✅ Passed. The PR description is clearly related to the changeset and provides meaningful context about the changes. It explains the proposed change (replacing version tags with commit SHAs), the motivation (deterministic builds and security), and specifically calls out the pypa/gh-action-pypi-publish action that requires review. The description includes proper metadata (issue reference, change type, and contributor checklist items), all of which align with the workflow updates described in the raw summary.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 208df66 and 1777ab5.

📒 Files selected for processing (1)
  • .github/workflows/ci_cd.yml (12 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/ci_cd.yml


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 677f13e and 208df66.

📒 Files selected for processing (1)
  • .github/workflows/ci_cd.yml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/ci_cd.yml

[error] 1-1: wrong new line character: expected \n

(new-lines)

🔇 Additional comments (12)
.github/workflows/ci_cd.yml (12)

328-328: Verify pypa/gh-action-pypi-publish SHA matches intended release.

As noted in the PR description, this action SHA requires explicit review to confirm it references the intended release version. This action publishes packages to PyPI and TestPyPI registries, making it a critical security checkpoint.

Please confirm:

  1. That SHA ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e corresponds to an official, stable release of pypa/gh-action-pypi-publish
  2. The release date and changelog for this version
  3. Any security advisories or breaking changes in this version

You can verify this by checking the GitHub repository: https://github.com/pypa/gh-action-pypi-publish/releases and matching the commit SHA.

Also applies to: 354-354


3-17: Approve workflow metadata and trigger configuration updates.

The workflow triggers (merge_group, pull_request, push, workflow_dispatch) and concurrency configuration are well-structured. The concurrency group prevents duplicate runs and improves resource efficiency.


21-33: Approve pre-commit job configuration with pinned SHAs.

The pre-commit job properly uses SHAs for deterministic builds and follows best practices for GitHub Actions security.


35-60: Approve CodeQL job configuration with pinned SHAs.

The CodeQL security scanning job is properly configured with consistent SHAs across both init and analyze steps. The matrix strategy for multiple languages is appropriate.


63-84: Approve test job configuration with pinned SHAs.

The run-tests job correctly depends on pre-commit completion and uses pinned SHAs. Poetry-based dependency and test execution is properly configured.


86-113: Approve build and artifact upload with pinned SHAs.

The build-package job properly downloads, builds, and uploads artifacts using consistent pinned SHAs across all steps.


115-147: Approve cross-platform testing with pinned SHAs.

The test-build-package job correctly tests both macOS and Ubuntu platforms using both wheel and source distributions. Artifact handling uses consistent pinned SHAs.


150-200: Approve Docker image testing with pinned SHAs.

The test-docker-image job comprehensively tests Docker image functionality including localization (Persian), modules, profiles, and command execution. Uses pinned SHAs correctly.


202-240: Approve Docker version matrix testing with pinned SHAs.

The test-docker-image-build job tests multiple Docker versions (27.5.0, 26.1.4, 26.0.0) following official Docker documentation, using pinned SHAs.


242-305: Approve Docker registry publishing jobs with pinned SHAs.

Both dev and release Docker publishing jobs are properly gated with repository and ref checks, use consistent pinned SHAs across all setup steps, and follow Docker best practices.


307-354: Approve PyPI publishing jobs structure with pinned SHAs (pending SHA verification).

Both Test PyPI and PyPI publishing jobs are properly configured with correct environment gating, OIDC permissions, and artifact handling. SHAs are consistent across both jobs. Subject to verification of the pypa/gh-action-pypi-publish SHA noted above.


1-18: All action SHAs verified as legitimate and current.

All 11 action SHAs in the workflow have been validated against their official GitHub repositories and confirmed as valid commits. The pypa/gh-action-pypi-publish SHA corresponds to the latest stable release v1.13.0 (released 2025-09-04). The security practice of pinning to commit SHAs is properly implemented throughout the workflow.

@arkid15r arkid15r enabled auto-merge October 27, 2025 01:24

@arkid15r arkid15r left a comment


LGTM

@sukhmancode thank you for your contribution. Please make sure to run pre-commit checks locally next time.

Thanks 👍

// @securestep9 this awaits your approval to merge

@arkid15r arkid15r linked an issue Oct 27, 2025 that may be closed by this pull request

Successfully merging this pull request may close these issues.

Migrate CI/CD workflows to use SHA versions
