
ci: pin GitHub Actions to full-length commit SHAs #7

Merged: maxandersen merged 1 commit into main from pin-actions-to-sha on May 19, 2026


Conversation

maxandersen (Contributor) commented May 19, 2026

Pin all action references to full-length commit SHAs for supply chain security.

This is required for enabling the org-level policy:
Require actions to be pinned to a full-length commit SHA

Original version tags are preserved as comments for readability.
Consider adding Dependabot for GitHub Actions to keep pins updated:

# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

Summary by CodeRabbit

  • Chores
    • Enhanced CI/CD infrastructure configurations to strengthen build process reliability and security.
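A way to audit a workflow for the policy this PR prepares for, as an added example that is not part of the PR or of the project's code: it scans `uses:` lines, classifies each reference, and records the trailing version comment so a reviewer can compare it with the tag the SHA actually resolves to. The sample workflow text is constructed; its setup-java SHA is a made-up placeholder, while the git-auto-commit-action SHA is the one pinned in this PR.

```python
import re
from typing import List, NamedTuple

# Constructed sample workflow fragment (not from the repository). The
# setup-java SHA is a made-up placeholder; the git-auto-commit-action SHA is
# the one this PR pins.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: "actions/setup-java@0123456789abcdef0123456789abcdef01234567" # v4
      - uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*?))?\s*$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

class Finding(NamedTuple):
    line: int
    ref: str
    status: str        # pinned | unpinned | local | docker
    version_hint: str  # text of the trailing "# vX.Y.Z" comment, if any

def check_workflow(text: str) -> List[Finding]:
    """Classify every `uses:` reference in a workflow file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("\"'")
        hint = (m.group("comment") or "").strip()
        if ref.startswith(("./", "../")):
            status = "local"    # same-repo action: there is no ref to pin
        elif ref.startswith("docker://"):
            status = "docker"   # container image: reported separately, pin by digest
        else:
            _, _, version = ref.partition("@")
            status = "pinned" if FULL_SHA_RE.match(version) else "unpinned"
        findings.append(Finding(n, ref, status, hint))
    return findings

def policy_violations(text: str) -> List[Finding]:
    """References a full-length-SHA pinning policy would reject."""
    return [f for f in check_workflow(text) if f.status == "unpinned"]
```

Run `policy_violations` over each file under .github/workflows to see which steps still use a mutable tag; a pinned entry with an empty `version_hint` is worth a comment too, since the hint is what a reviewer reads.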



coderabbitai Bot commented May 19, 2026

Walkthrough

GitHub Actions references in CI and release workflows are pinned to specific commit SHAs. The CI workflow pins actions/checkout and actions/setup-java. The release workflow pins the same actions plus stefanzweifel/git-auto-commit-action and softprops/action-gh-release across setup, release commit, publish, and snapshot phases.

Changes

CI/CD Action Pinning

CI workflow action pinning (.github/workflows/ci.yml): actions/checkout and actions/setup-java are pinned to fixed commit SHAs in the build job.

Release workflow action pinning (.github/workflows/release.yml): actions/checkout and actions/setup-java are pinned in setup; stefanzweifel/git-auto-commit-action is pinned for release and snapshot commit/push phases; softprops/action-gh-release is pinned for GitHub release publication.

🎯 1 (Trivial) | ⏱️ ~3 minutes

🐰 Workflows now dance with certainty,
Pinned to commits, not floating free,
Each action knows its SHA address,
Reproducibility finds its class! 🔒

Pre-merge checks: 5 passed

  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title accurately summarizes the main change: pinning GitHub Actions to full-length commit SHAs across CI and release workflows.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/main/java/dev/jbang/jdkdb/util/ArchiveUtils.java`:
- Around line 185-189: The Files.list stream in listTopLevel is not closed which
can leak file descriptors; modify the listTopLevel(Path dir) method to open
Files.list(dir) inside a try-with-resources block, read the stream into the
names array (map p -> p.getFileName().toString() then toArray), and return the
joined string, ensuring the stream is automatically closed; locate the method by
its name listTopLevel and update the block that calls Files.list to use try
(Stream<Path> s = Files.list(dir)) { ... } so behavior and return value remain
unchanged.
- Around line 147-151: The code in ArchiveUtils calling process.waitFor() before
draining streams can deadlock; update the process creation and consumption so
stderr is merged into stdout (call processBuilder.redirectErrorStream(true) or
process.redirectErrorStream(true) on the Process) and then read the combined
input stream (process.getInputStream()) into a buffer before calling
process.waitFor() — ensure this change is applied where the pkgutil invocation
is performed (look for the method that starts the Process for pkgutil in
ArchiveUtils) and replace the current read-order (waitFor then read streams)
with: merge errors into stdout, consume the combined stream fully, then call
waitFor() and log exitCode plus the captured output.

📥 Commits

Reviewing files that changed from the base of the PR and between 72f05e6 and 594ee2c.

📒 Files selected for processing (3)
  • .github/workflows/ci.yml
  • .github/workflows/release.yml
  • src/main/java/dev/jbang/jdkdb/util/ArchiveUtils.java

Pin all action references to full-length commit SHAs for supply chain
security. This is required for the org-level policy:
'Require actions to be pinned to a full-length commit SHA'.

Original version tags are preserved as comments for readability.
Existing SHA pins are left unchanged.
maxandersen force-pushed the pin-actions-to-sha branch from 594ee2c to fd16410 on May 19, 2026 16:06

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/release.yml (1)

1-67: Consider adding Dependabot configuration for automated updates.

The PR description mentions optionally adding Dependabot to keep action pins updated. This would help maintain the security benefit of SHA pinning by automatically creating PRs when new versions are released.

Would you like me to generate a .github/dependabot.yml configuration file based on the example in your PR description? This would enable automated weekly checks for GitHub Actions updates.

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Line 40: Update the inline comment that follows the pinned action SHA in the
workflow step using the identifier uses:
stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 —
change the trailing comment text from "# v7" to the more specific "# v7.1.0";
make the same edit for the other occurrence that currently uses the same
SHA/comment pair.

---

Nitpick comments:
In @.github/workflows/release.yml:
- Around line 1-67: Add a Dependabot config to automate updates for your pinned
Actions by creating a .github/dependabot.yml that enables the "github-actions"
package-ecosystem with schedule: "weekly" (and sensible options like timezone,
open-pull-requests-limit: 5 and allow/ignore rules); also consider adding a
second entry for Gradle (package-ecosystem: "gradle") to keep build deps
updated; this will keep the workflow named "Release" and other workflows'
SHA-pinned actions up to date by opening PRs automatically.

📥 Commits

Reviewing files that changed from the base of the PR and between 594ee2c and fd16410.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • .github/workflows/release.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/ci.yml


- name: Commit & Push changes
uses: stefanzweifel/git-auto-commit-action@v7
uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7
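Review bot: the trailing "# v7" comment on the new uses: line should name the exact tag the SHA resolves to, v7.1.0 according to the tag lookup in this thread, rather than the major-version alias; the comment is the only human-readable record of what the pinned SHA stands for, and an alias like v7 cannot be checked against the SHA by a reviewer. The same SHA/comment pair at line 65 of release.yml needs the same edit.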

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify git-auto-commit-action SHA corresponds to v7.x.x

# Fetch v7 tags
git ls-remote --tags https://github.com/stefanzweifel/git-auto-commit-action.git | grep -E 'v7\.' | head -20

# Check what tag points to this specific SHA
curl -s "https://api.github.com/repos/stefanzweifel/git-auto-commit-action/git/refs/tags" | \
  jq -r '.[] | select(.object.sha == "04702edda442b2e678b25b537cec683a1493fcb9") | .ref'

# Check the commit
curl -s "https://api.github.com/repos/stefanzweifel/git-auto-commit-action/commits/04702edda442b2e678b25b537cec683a1493fcb9" | \
  jq -r '.commit.message, .sha'

Repository: jbangdev/jdkdb-scraper



Update the inline comment to be more specific about the version.

The pinned SHA 04702edda442b2e678b25b537cec683a1493fcb9 correctly corresponds to v7.1.0. Update the comment from # v7 to # v7.1.0 for clarity and precision.

Also applies to: 65-65


@maxandersen maxandersen merged commit 17fe187 into main May 19, 2026
3 checks passed
@maxandersen maxandersen deleted the pin-actions-to-sha branch May 19, 2026 16:31