
chore(ci): SHA-pin third-party GitHub Actions refs#33

Merged
WomB0ComB0 merged 1 commit into master from chore/sha-pin-actions
Apr 15, 2026

Conversation

@WomB0ComB0
Member

Summary

Mechanical sweep: pin every third-party GitHub Actions `uses:` ref to a commit SHA with a trailing `# <tag>` comment. Dependabot keeps working through the version comment.

Closes the tj-actions/changed-files-class supply-chain attack vector — a malicious tag push on a popular action can no longer hijack our runs.

Unpinnable channel refs (e.g. `dtolnay/rust-toolchain@stable`) are left as-is by design.

Generated with pinact.

Test plan

  • CI green
  • Dependabot still proposes updates on the new SHA+comment refs

🤖 Generated with Claude Code
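The pinning scheme the PR description (and the commit message further down) lays out is easy to regress: one new workflow with `uses: some/action@v2` reopens the tag-hijack channel. The following is an added example, not code from this project and not pinact, in Python: a small audit that reads `uses:` lines from workflow or composite-action YAML and classifies each ref as SHA-pinned with a version comment, SHA-pinned without one, a floating tag or branch, an allowlisted channel ref, or a repo-local/docker ref. The workflow fragments, the `ALLOWED_CHANNEL_REFS` allowlist, and the 40-hex SHAs are constructed placeholders for the example, not real commits of the named actions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# A `uses:` line: optional list dash, the ref (optionally quoted), optional `# comment`.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(?:#\s*(.*?))?\s*$"
)
# A full 40-hex-digit commit SHA; abbreviated SHAs are not treated as pinned.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Floating channel refs deliberately left unpinned, mirroring the PR's stated
# exception. Hypothetical allowlist for this example; extend per repository.
ALLOWED_CHANNEL_REFS = {"dtolnay/rust-toolchain@stable"}


@dataclass
class Finding:
    line: int
    uses: str
    status: str  # "pinned", "pinned-no-comment", "floating", "channel", "local"


def classify(uses: str, comment: Optional[str]) -> str:
    """Decide whether a single `uses:` ref is safely pinned."""
    if uses.startswith(("./", "docker://")):
        return "local"  # repo-local or image refs: not a third-party tag
    if uses in ALLOWED_CHANNEL_REFS:
        return "channel"
    _action, _at, ref = uses.partition("@")
    if SHA_RE.match(ref):
        # Pinned to an immutable commit; the trailing `# <tag>` comment is what
        # lets humans and Dependabot see which release the SHA corresponds to.
        return "pinned" if comment else "pinned-no-comment"
    return "floating"  # tag or branch ref: re-pointable by whoever controls the repo


def audit(workflow_text: str) -> list[Finding]:
    """Return one Finding per `uses:` line in a workflow or composite action file."""
    findings: list[Finding] = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match:
            uses, comment = match.group(1), match.group(2)
            findings.append(Finding(number, uses, classify(uses, comment)))
    return findings


def unpinned(workflow_text: str) -> list[Finding]:
    """Findings a pinning sweep (or a CI gate) should fail on."""
    return [f for f in audit(workflow_text) if f.status in ("floating", "pinned-no-comment")]


# Constructed sample fragments, not the project's real workflow files. The SHAs
# are placeholders chosen for the example, not real commits of these actions.
BEFORE = """
steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-node@v4
  - uses: actions/cache@fedcba9876543210fedcba9876543210fedcba98
  - uses: dtolnay/rust-toolchain@stable
  - uses: ./.github/actions/prepare
"""

AFTER = """
steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
  - uses: actions/setup-node@89abcdef0123456789abcdef0123456789abcdef # v4
  - uses: actions/cache@fedcba9876543210fedcba9876543210fedcba98 # v4
  - uses: dtolnay/rust-toolchain@stable
  - uses: ./.github/actions/prepare
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {len(unpinned(text))} ref(s) to fix")
        for f in audit(text):
            print(f"  line {f.line:2d} {f.status:18s} {f.uses}")
```

Wired into CI as a gate over `.github/**/*.yml`, this keeps the sweep from silently decaying; channel refs that must float are recorded once in the allowlist rather than re-argued per PR. The check is purely syntactic: a 40-hex ref guarantees that the same code runs every time, not that the pinned commit was ever reviewed, so the diff still deserves a look when a ref is first pinned and again whenever Dependabot bumps it.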

@gemini-code-assist

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@coderabbitai

coderabbitai bot commented Apr 15, 2026

Warning

Rate limit exceeded

@WomB0ComB0 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 34 minutes and 5 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 34 minutes and 5 seconds.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 62902776-a5ae-4d39-bf55-dddf15b63d07

📥 Commits

Reviewing files that changed from the base of the PR and between a560608 and af990d6.

📒 Files selected for processing (9)
  • .github/actions/prepare/action.yml
  • .github/workflows/chromatic.yml
  • .github/workflows/ci.yml
  • .github/workflows/label-sync.yml
  • .github/workflows/labeler.yml
  • .github/workflows/post-release.yml
  • .github/workflows/pr-review-requested.yml
  • .github/workflows/release-package.yml
  • .github/workflows/release.yml

github-actions bot added the labels A-CI (GitHub Actions, workflows, hooks) and size/M on Apr 15, 2026
Pins every external `uses:` ref to a commit SHA with a trailing
`# <tag>` comment. Closes the tj-actions-class supply-chain attack
vector where a malicious tag push exfiltrates secrets. Dependabot
continues to update via the version comment.

Action refs that can't be pinned (e.g. `dtolnay/rust-toolchain@stable`
which is intentionally a moving ref) are left as-is — these are
floating channel refs, not tag refs.
WomB0ComB0 force-pushed the chore/sha-pin-actions branch from 2ce0c43 to af990d6 on April 15, 2026 02:15
WomB0ComB0 merged commit ae69d06 into master on Apr 15, 2026
19 checks passed
WomB0ComB0 deleted the chore/sha-pin-actions branch on April 15, 2026 04:39

Labels

A-CI (GitHub Actions, workflows, hooks), size/M

1 participant