chore: SHA-pin all GitHub Actions

[JuliusScheuerer]

Summary

• Pin all GitHub Action references to full 40-char commit SHAs
• Prevents supply chain attacks via force-pushed tags (see Trivy incident 2026-03-19)
• Added Dependabot config for GitHub Actions to keep SHAs up-to-date automatically

Changes

• All uses: references now use @<sha> # <version> format
• Dependabot config added/updated

Applied via npx actions-up.

[greptile-apps]

Greptile Summary

This PR hardens the CI pipeline's supply-chain security by SHA-pinning all GitHub Actions uses: references to 40-character commit SHAs with inline version comments, and adds a Dependabot config to keep those SHAs automatically updated on a weekly cadence.

• All actions/checkout and astral-sh/setup-uv references are correctly pinned at the same SHA across every job (v6.0.2 and v7.6.0 respectively).
• actions/upload-artifact was bumped from v6 → v7.0.0 as part of the pinning — a silent major-version upgrade that warrants a quick review of the v7 release notes to confirm no breaking input changes affect the current name/path/retention-days usage.
• docker://semgrep/semgrep:latest in the security job was not updated and still floats on the latest tag, leaving one mutable reference that undercuts the overall hardening goal.
• The new .github/dependabot.yml correctly groups all GitHub Actions under a single weekly update, which is the right companion configuration for SHA pinning.

Confidence Score: 4/5

Safe to merge with a follow-up to pin the Semgrep Docker image and verify the upload-artifact v7 upgrade is intentional

The core supply-chain hardening is well executed and the Dependabot config is correct. The P1 concern (upload-artifact major version bump) is most likely benign given that the standard inputs used here haven't changed across major releases of that action, but it was silent and deserves explicit acknowledgement. The unpinned Semgrep Docker image is a P2 gap relative to the PR's stated goal but is pre-existing and doesn't introduce a regression.

.github/workflows/ci.yml — verify the upload-artifact v7 upgrade and pin the semgrep Docker image

Important Files Changed

Filename	Overview
.github/workflows/ci.yml	All uses: references SHA-pinned with version comments; actions/upload-artifact quietly upgraded from v6 → v7 (major); docker://semgrep/semgrep:latest remains unpinned
.github/dependabot.yml	New Dependabot config enabling weekly automated SHA updates for all GitHub Actions — well-formed and appropriate

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[push / pull_request] --> B[lint]
    A --> C[typecheck]
    A --> D[security]
    B --> E[test]
    C --> E
    D --> E
    E --> F[compliance]

    subgraph SHA-pinned
        B -->|checkout v6.0.2| B
        B -->|setup-uv v7.6.0| B
        C -->|checkout v6.0.2| C
        C -->|setup-uv v7.6.0| C
        E -->|checkout v6.0.2| E
        E -->|setup-uv v7.6.0| E
        E -->|upload-artifact v7.0.0 upgrade| E
        F -->|checkout v6.0.2| F
        F -->|setup-uv v7.6.0| F
    end

    subgraph Unpinned
        D -->|docker semgrep:latest warning| D
    end

Loading

_{Reviews (1): Last reviewed commit: "chore: SHA-pin all GitHub Actions for su..." | Re-trigger Greptile}

[greptile-apps]

Silent major-version upgrade alongside pinning

actions/upload-artifact was bumped from v6 → v7.0.0 (not just pinned). Major version releases commonly include breaking API changes. For example, upload-artifact v4 changed the default artifact retention behaviour and renamed inputs. Mixing a version upgrade with the pinning work makes it harder to attribute any CI regressions. This change is fine if intentional, but it's worth verifying the v7 release notes and confirming the name/path/retention-days inputs are still compatible.