chore: pin github action shas #18

Open

GangGreenTemperTatum wants to merge 1 commit into master from feature/sec-153-roll-out-github-actions-pinning-and-dependabot-cooldown-in

Conversation

@GangGreenTemperTatum

Summary

  • pin external GitHub Actions to the latest provider release commit SHAs
  • leave Dependabot cooldown unchanged because default-days: 3 is already configured

Testing

  • not run (workflow-only change)


greptile-apps bot commented Apr 5, 2026

Greptile Summary

This PR pins all external GitHub Actions to specific commit SHAs for supply-chain security hardening — a good practice that prevents tag-mutation attacks. However, two issues are worth noting:

  • goreleaser/goreleaser-action is silently bumped from v6 to v7.0.0 in release.yml. The PR description only mentions SHA pinning, but this is a major-version upgrade of a release-critical action. It should be explicitly acknowledged and validated.
  • codecov/codecov-action is pinned to v6.0.0 (the first release of v6) rather than a more recent v6 patch, potentially missing bug fixes and security patches within the same major version.

All other pins (actions/checkout@v6.0.2, actions/setup-go@v6.4.0, golangci/golangci-lint-action@v9.2.0) are consistent and correctly annotated with version comments.

Confidence Score: 4/5

Safe to merge with low risk, but the undisclosed goreleaser-action v6→v7 major version bump in the release workflow warrants explicit verification before the next tag push.

The changes are workflow-only with no application code impact. SHA-pinning is a security best practice. The main concern is the undisclosed major version bump for goreleaser-action in a release-critical workflow — it only fires on tag pushes, so it won't break CI, but it could silently fail on the next release if there are any v7 incompatibilities.

.github/workflows/release.yml — goreleaser-action major version bump from v6 to v7 needs explicit confirmation and validation

Important Files Changed

| Filename | Overview |
|---|---|
| .github/workflows/ci.yml | SHA-pins four actions for supply-chain security; codecov-action is pinned to v6.0.0 rather than the latest v6 patch release |
| .github/workflows/release.yml | SHA-pins actions including an undisclosed goreleaser-action major version bump from v6 → v7.0.0, which is a release-critical change |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Push to master / PR] --> B[CI Workflow]
    B --> C[actions/checkout\nde0fac2e #v6.0.2]
    C --> D[actions/setup-go\n4a360112 #v6.4.0]
    D --> E[golangci-lint-action\n1e7e51e7 #v9.2.0]
    D --> F[Run Tests Matrix]
    F --> G[codecov-action\n57e3a136 #v6.0.0]
    E & G --> H[Build]

    I[Push tag v*] --> J[Release Workflow]
    J --> K[actions/checkout\nde0fac2e #v6.0.2]
    K --> L[actions/setup-go\n4a360112 #v6.4.0]
    L --> M[goreleaser-action\nec59f474 #v7.0.0 ⚠️ bumped from v6]
    M --> N[GitHub Release + Homebrew tap]
```

Reviews (1): Last reviewed commit: "chore: pin github action shas"


- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v6
uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
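Review bot: verify that ec59f474b9834571250b370d4735c50f8e2d1e29 is the commit the goreleaser-action v7.0.0 tag points to before this merges, because once the line reads `uses: ...@<sha> # v7.0.0` the trailing comment is the only human-readable record of what is pinned and nothing in the workflow checks it against the SHA. `git ls-remote --tags https://github.com/goreleaser/goreleaser-action v7.0.0` shows the tag and, if it is annotated, the peeled `^{}` commit, which is the value the `uses:` line must carry. Since the removed line tracked `@v6`, this single hunk both pins and moves to a new major version; splitting the v6→v7 move into its own commit lets it be reverted without losing the pin.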

P1 Undisclosed major version bump (v6 → v7)

The PR description frames this as purely SHA-pinning, but goreleaser/goreleaser-action has been quietly bumped from @v6 to v7.0.0. This is a major version change for a release-critical action that runs on every tag push. The v6→v7 migration removed some deprecated inputs and changed default behavior.

While the current configuration (version: latest, args: release --clean) is likely compatible with v7, this upgrade deserves explicit acknowledgment rather than being bundled silently into a security-pinning PR. Please confirm this bump is intentional and that the GoReleaser config has been validated against v7.

- name: Upload coverage
if: matrix.os == 'blacksmith-2vcpu-ubuntu-2404'
uses: codecov/codecov-action@v6
uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
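Review bot: with the SHA on this `uses:` line the step is frozen at whatever the `# v6.0.0` comment names, so the behaviour of the old `@v6` (picking up later v6 releases by itself) is gone and newer patch releases now arrive only through a dependency-update PR. Before merging, list the v6 tags with `git ls-remote --tags https://github.com/codecov/codecov-action 'v6*'`, pin the newest one's commit, and keep the comment in step with the SHA so later reviewers and Dependabot see the right release. The `if: matrix.os == 'blacksmith-2vcpu-ubuntu-2404'` guard above is unchanged and limits the upload to one matrix leg, so a wrong pin here would surface only on that runner.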

P2 codecov-action pinned to v6.0.0, not the latest v6 patch

The original @v6 tag resolved to the latest v6 release automatically. This PR pins to 57e3a136b779b570ffcdbf80b3bdc90e7fab3de2, which corresponds to v6.0.0 — the first patch of the v6 series, not the most recent. The v6 line has had subsequent patch releases (e.g. v6.1.x, v6.4.x) that include bug fixes and security improvements.

Consider pinning to the latest v6 patch SHA instead to stay current within the major version while still getting the supply-chain security benefit of SHA pinning.
