
chore: Pin third-party GitHub Actions to full commit SHAs #73

Merged
gjtorikian merged 3 commits into main from devin/1777478656-pin-github-actions
Apr 29, 2026

Conversation


@devin-ai-integration devin-ai-integration Bot commented Apr 29, 2026

file:///home/ubuntu/pin-actions/authkit-tanstack-start_pr_body.md

Link to Devin session: https://app.devin.ai/sessions/add87be2227046f198fbac38a32e5358



Original prompt from will.porter

'Pin all third-party Github Actions for Public SDKs' (SECENG-294)

User instruction: @devin can you look at the workos organization in github, and report back all of the public repositories that are not archived, and whether or not if they use any github workflows?


🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@devin-ai-integration devin-ai-integration Bot changed the title Pin third-party GitHub Actions to full commit SHAs chore: Pin third-party GitHub Actions to full commit SHAs Apr 29, 2026
Co-Authored-By: will.porter <will.porter@workos.com>

greptile-apps Bot commented Apr 29, 2026

Greptile Summary

This PR replaces all floating version tags (e.g. @v4, @v2) in the three GitHub Actions workflow files with pinned full commit SHAs, following supply-chain security best practices. Version labels are preserved as inline comments. No logic or configuration changes were made.

Confidence Score: 5/5

Safe to merge — purely a security hardening change with no functional impact.

All changes are SHA-pinning of well-known, widely-used GitHub Actions. No logic is altered, comments preserve the human-readable version labels, and the change is internally consistent across all three workflow files.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/ci.yml | Pinned actions/checkout, pnpm/action-setup, and actions/setup-node from floating v4 tags to full commit SHAs; version comments retained. |
| .github/workflows/release-please.yml | Pinned actions/create-github-app-token and googleapis/release-please-action from floating version tags to full commit SHAs; version comments retained. |
| .github/workflows/release.yml | Pinned actions/checkout, pnpm/action-setup, and actions/setup-node from floating v4 tags to full commit SHAs; consistent with ci.yml changes. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Push / PR event] --> B{Workflow triggered}
    B --> C[ci.yml - CI]
    B --> D[release-please.yml - Release Please]
    D --> E[release.yml - Publish to NPM]

    C --> C1["actions/checkout\n@34e1148... #v4"]
    C --> C2["pnpm/action-setup\n@b906aff... #v4"]
    C --> C3["actions/setup-node\n@49933ea... #v4"]

    D --> D1["actions/create-github-app-token\n@fee1f7d... #v2"]
    D --> D2["googleapis/release-please-action\n@5c625bf... #v4"]

    E --> E1["actions/checkout\n@34e1148... #v4"]
    E --> E2["pnpm/action-setup\n@b906aff... #v4"]
    E --> E3["actions/setup-node\n@49933ea... #v4"]

Reviews (2): Last reviewed commit: "Fix formatting in workflow files"
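As an added check (example code, not part of this PR or of the WorkOS project), the script below audits the `uses:` references in a workflow file and reports any that are not pinned to a full 40-hex commit SHA, or that are pinned but lack the human-readable version comment this PR preserves. The sample workflow text is constructed from the before and after forms of ci.yml described above; the SHAs and labels are the ones listed in the PR's report.

```python
import re

# A step's `uses:` reference: owner/repo[/path]@ref, optionally followed by a
# "# vN" comment carrying the human-readable version label.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<label>\S+))?",
    re.MULTILINE,
)
# A full Git object id: exactly 40 lowercase hex digits; short SHAs do not count.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    """Return (action, ref, status) for each `uses:` line in a workflow file.

    "pinned": full SHA with a version comment (the form this PR adopts);
    "pinned-unlabeled": full SHA but no "# vN" comment to make bumps reviewable;
    "floating": a tag, branch or short SHA that the action's owner can move.
    """
    results = []
    for m in USES_RE.finditer(text):
        action, ref, label = m.group("action"), m.group("ref"), m.group("label")
        if FULL_SHA_RE.match(ref):
            status = "pinned" if label else "pinned-unlabeled"
        else:
            status = "floating"
        results.append((action, ref, status))
    return results

def unpinned(text):
    """Action names that still use a floating reference."""
    return [a for a, _, s in audit_workflow(text) if s == "floating"]

# Constructed samples: the floating form this PR replaced and the pinned form it
# introduced in ci.yml (SHAs and labels taken from the PR's own report).
BEFORE = """steps:
  - uses: actions/checkout@v4
  - uses: pnpm/action-setup@v4
  - uses: actions/setup-node@v4
"""
AFTER = """steps:
  - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
  - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
  - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, "unpinned:", unpinned(text) or "none")
```

Run it over every file under .github/workflows to make the pin requirement a CI check rather than a one-off review item.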


Third-Party Action SHA Age Report

| Action | Pinned Version | Full SHA | Commit Date | Age (days) | Status |
| --- | --- | --- | --- | --- | --- |
| actions/checkout | v4 | 34e114876b0b11c390a56381ad16ebd13914f8d5 | 2025-11-13 | 166 | OK |
| actions/create-github-app-token | v2 | fee1f7d63c2ff003460e3d139729b119787bc349 | 2026-03-13 | 46 | OK |
| actions/setup-node | v4 | 49933ea5288caeca8642d1e84afbd3f7d6820020 | 2025-04-02 | 391 | OK |
| googleapis/release-please-action | v4 | 5c625bfb5d1ff62eadeeb3772007f7f66fdcf071 | 2026-03-30 | 30 | OK |
| pnpm/action-setup | v4 | b906affcce14559ad1aafd4ab0e942779e9f58b1 | 2026-03-11 | 49 | OK |

Co-Authored-By: will.porter <will.porter@workos.com>
@willporter-workos willporter-workos requested review from gjtorikian and nicknisi and removed request for gjtorikian April 29, 2026 16:51

@devin-ai-integration devin-ai-integration Bot left a comment


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

@gjtorikian gjtorikian merged commit c07cb71 into main Apr 29, 2026
6 checks passed