
fix: pin GitHub Actions to commit SHAs (INT-326)#6

Merged
Xeboc merged 3 commits into main from chore/INT-326/pin-github-actions
Apr 2, 2026

Conversation


@Xeboc Xeboc commented Apr 2, 2026

Info

  • Pins all uses: references in GitHub Actions workflows to full commit SHAs.

References

Summary by CodeRabbit

  • Chores
    • Updated development infrastructure dependencies and pinned GitHub Actions to latest versions
    • Upgraded development tooling, linting utilities, and build environment runtime to newer versions for improved stability and compatibility

@Xeboc Xeboc enabled auto-merge (squash) April 2, 2026 22:42

coderabbitai bot commented Apr 2, 2026

📝 Walkthrough

GitHub Actions dependencies and Trunk CLI configuration were updated to newer versions. Actions checkout, Trunk, and Terraform setup actions were pinned to specific commit SHAs. Trunk CLI version bumped from 1.19.0 to 1.25.0, Node runtime upgraded to 22.16.0, and multiple linting tools received version updates.

Changes

Cohort / File(s): Summary

GitHub Actions Workflow (.github/workflows/lint.yaml): Updated three action dependencies to pinned commit SHAs: actions/checkout@v4 → v6.0.2, trunk-io/trunk-action@v1 → v1.2.4, and hashicorp/setup-terraform@v2 → v4.0.0. Workflow logic remains unchanged.

Trunk Configuration (.trunk/trunk.yaml): Upgraded Trunk CLI from v1.19.0 to v1.25.0 and plugin ref from v1.4.2 to v1.7.6. Updated Node runtime to v22.16.0. Bumped linting tools including checkov, actionlint, terrascan, markdownlint, prettier, tflint, trivy, trufflehog, and yamllint to newer versions.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Dependencies dance, versions take flight,
Trunk and Node sparkle so bright,
Linters leap forward with zealous delight,
Actions all pinned in commits held tight,
Our configurations now stand upright! 🚀

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change in the PR: pinning GitHub Actions to commit SHAs, which is the primary modification across both .github/workflows/lint.yaml and the security-focused updates.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
.github/workflows/lint.yaml (1)

16-20: Consider automating pinned-action updates.

To avoid stale SHAs over time, consider enabling Dependabot/Renovate updates for GitHub Actions so pinned commits stay current with security patches.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/lint.yaml around lines 16 - 20, The workflow pins actions
by commit SHA (e.g.,
trunk-io/trunk-action@75699af9e26881e564e9d832ef7dc3af25ec031b and
hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85); add
automated dependency updates (enable Dependabot or Renovate) to keep those
pinned commits current: create a dependabot configuration that targets GitHub
Actions updates (or configure Renovate) with a reasonable schedule, allow/ignore
rules for these actions, and validate updates by running the lint workflow so CI
catches breaking changes.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c0b38f7c-c423-45af-982d-e9cf94f4d0b3

📥 Commits

Reviewing files that changed from the base of the PR and between 6185e06 and f19a27a.

📒 Files selected for processing (2)
  • .github/workflows/lint.yaml
  • .trunk/trunk.yaml
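To verify that a workflow carries only full-SHA pins (the PR's stated change) and to spot pinned SHAs that lack the version comment the review's stale-pin concern relies on, here is an added scanner; it is not the repository's code nor CodeRabbit's, and the sample workflow and its 40-hex SHAs are constructed placeholders, not real commits.

```python
"""Scan GitHub Actions workflow text for `uses:` references and report whether
each one is pinned to a full 40-hex commit SHA. Regex-based so it needs no YAML
library; the SAMPLE workflow below is constructed for demonstration."""
import re

# Matches `- uses: owner/repo[/path]@ref   # optional trailing comment`
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)@([^\s#]+)\s*(#\s*(\S+))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def scan_workflow(text):
    """Return (line_no, action, ref, status) for every remote `uses:` reference.
    status: 'sha' (pinned, with a version comment), 'sha-no-comment' (pinned but
    nobody can tell which release it is), or 'mutable' (tag/branch upstream can move)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group(1), m.group(2), m.group(4)
        if action.startswith("docker://"):
            continue  # container images use digests, a separate check
        if SHA_RE.match(ref):
            status = "sha" if comment else "sha-no-comment"
        else:
            status = "mutable"
        findings.append((n, action, ref, status))
    return findings


def unpinned(text):
    """Only the references a supply-chain reviewer would block on."""
    return [f for f in scan_workflow(text) if f[3] == "mutable"]


# Constructed sample: one tag pin, one SHA pin with comment, one SHA pin without.
SAMPLE = """\
name: lint
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: trunk-io/trunk-action@0123456789abcdef0123456789abcdef01234567 # v1.2.4
      - uses: hashicorp/setup-terraform@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for n, action, ref, status in scan_workflow(SAMPLE):
        print(f"line {n}: {action}@{ref} -> {status}")
```

The review's Dependabot/Renovate suggestion covers keeping SHAs fresh; this check covers confirming that every reference is a SHA in the first place, and can run in CI over `.github/workflows/*.yaml`.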


@oycyc oycyc left a comment


LGTM - GitHub Actions SHA pinning and tooling updates.

@Xeboc Xeboc merged commit c87d055 into main Apr 2, 2026
3 checks passed
@Xeboc Xeboc deleted the chore/INT-326/pin-github-actions branch April 2, 2026 23:39