
chore: Pin third-party GitHub Actions to full commit SHAs#1575

Merged
gjtorikian merged 2 commits into main from devin/1777478741-pin-github-actions on Apr 29, 2026

Conversation

@devin-ai-integration devin-ai-integration Bot (Contributor) commented Apr 29, 2026

Description

Pin all third-party GitHub Actions to full commit SHAs, hardening the CI supply chain against compromised mutable version tags.

Each pinned reference includes a trailing version comment for readability (e.g. actions/checkout@<sha> # v4).

Documentation

Does this require changes to the WorkOS Docs? E.g. the API Reference or code snippets need updates.

[ ] Yes

No documentation changes needed — this PR only modifies .github/workflows/ files.

Closes https://linear.app/workos/issue/SECENG-294

Link to Devin session: https://app.devin.ai/sessions/add87be2227046f198fbac38a32e5358

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflow action versions to use pinned commit references for improved stability and security.

@devin-ai-integration devin-ai-integration Bot requested review from a team as code owners April 29, 2026 16:18
@devin-ai-integration devin-ai-integration Bot (Contributor, Author):
Original prompt from will.porter

'Pin all third-party Github Actions for Public SDKs' (SECENG-294)

User instruction: @devin can you look at the workos organization in GitHub, and report back all of the public repositories that are not archived, and whether or not they use any GitHub workflows?

@devin-ai-integration devin-ai-integration Bot (Contributor, Author):
🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@linear-code linear-code Bot commented Apr 29, 2026

@coderabbitai coderabbitai Bot commented Apr 29, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 934b38e7-7103-4ae9-9cd2-04bbda45b7e5

📥 Commits

Reviewing files that changed from the base of the PR and between c614bd7 and 43e5718.

📒 Files selected for processing (2)
  • .github/workflows/lint-pr-title.yml
  • .github/workflows/release-please.yml

📝 Walkthrough

GitHub Actions workflow files updated to pin action versions to specific commit SHAs instead of using floating version tags, enhancing reproducibility and security in CI/CD processes.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Actions Version Pinning: `.github/workflows/lint-pr-title.yml`, `.github/workflows/release-please.yml` | Action references updated from floating tags (`@v6`, `v4`) to pinned commit SHAs, maintaining all existing configuration and step parameters. |

Suggested reviewers

  • nicknski
  • csrbarber
🚥 Pre-merge checks: 5 passed

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately and concisely summarizes the main change: pinning third-party GitHub Actions to commit SHAs for supply chain security. |
| Description check | ✅ Passed | The description follows the template structure, provides clear context for the changes, and addresses all required sections including documentation assessment. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@devin-ai-integration devin-ai-integration Bot (Contributor, Author):
Third-Party Action SHA Age Report

| Action | Pinned Version | Full SHA | Commit Date | Age (days) | Status |
|---|---|---|---|---|---|
| actions/checkout | v6.0.2 | de0fac2e4500dabe0009e67214ff5f5447ce83dd | 2026-01-09 | 109 | OK |
| actions/create-github-app-token | 3.1.1 | 1b10c78c7865c340bc4f6099eb2f838309f1e8c3 | 2026-04-11 | 18 | OK |
| actions/setup-node | 6.3.0 | 53b83947a5a98c8d113130e565377fae1a50d02f | 2026-03-02 | 57 | OK |
| amannn/action-semantic-pull-request | v6 | 48f256284bd46cdaab1048c3721360e808335d50 | 2025-08-22 | 250 | OK |
| denoland/setup-deno | v2.0.3 | e95548e56dfa95d4e1a28d6f422fafe75c4c26fb | 2025-05-15 | 348 | OK |
| googleapis/release-please-action | v4 | 5c625bfb5d1ff62eadeeb3772007f7f66fdcf071 | 2026-03-30 | 30 | OK |
| oven-sh/setup-bun | 2.2.0 | 0c5077e51419868618aeaa5fe8019c62421857d6 | 2026-03-14 | 46 | OK |
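The rule this PR applies by hand (every remote `uses:` reference must be a full 40-hex commit SHA, with a trailing version comment so humans can still read it) is easy to check mechanically. The following is an added example, not code from the PR or the WorkOS repository: a small audit that classifies each `uses:` line of a workflow file. The sample workflow is constructed; its checkout line reuses the SHA/version pair from the report table above, and the other refs, action names and helper names are made up for illustration.

```python
import re
from typing import Dict, List

SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full 40-hex commit SHA
# `uses: <spec>  # optional trailing version comment`
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<spec>[^\s#]+)(?:\s*#\s*(?P<comment>.*?))?\s*$")

# Constructed sample workflow (not from the PR). The checkout line reuses the
# SHA/version pair from the age report above; the other refs are made up.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-node@v4
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
"""


def audit_workflow(text: str) -> List[Dict[str, object]]:
    """One finding per remote `uses:` reference, with a status of
    "pinned" (full SHA plus version comment, what this PR enforces),
    "pinned-no-comment" (full SHA, but nothing tells a human which version), or
    "unpinned" (a tag or branch that can be moved upstream)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec, comment = m.group("spec"), m.group("comment")
        if spec.startswith("./") or spec.startswith("docker://"):
            continue  # local composite actions and container images are out of scope
        action, _, ref = spec.partition("@")
        if SHA_RE.match(ref):
            status = "pinned" if comment else "pinned-no-comment"
        else:
            status = "unpinned"
        findings.append({"line": lineno, "action": action, "ref": ref,
                         "comment": comment, "status": status})
    return findings


def unpinned_actions(text: str) -> List[str]:
    """Action names a reviewer should block on: anything not SHA-pinned."""
    return [f["action"] for f in audit_workflow(text) if f["status"] == "unpinned"]
```

Run `unpinned_actions(open(path).read())` over each file under `.github/workflows/` in CI and fail the job when the list is non-empty; the `pinned-no-comment` status is the readability nit the reviewers raise below, not a security finding.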

@greptile-apps greptile-apps Bot (Contributor) commented Apr 29, 2026

Greptile Summary

This PR hardens the CI supply chain by replacing mutable version tags with pinned full commit SHAs for both third-party GitHub Actions, with trailing version comments for readability. Both changes are straightforward and correct — the only minor issue is that the release-please-action comment uses # v4 rather than the more precise # v4.4.1.

Confidence Score: 5/5

Safe to merge — changes only pin Actions SHAs with no functional impact on CI behavior.

All findings are P2 style suggestions. The SHA pinning is correct and the version comments are readable; only one comment is slightly imprecise (v4 vs v4.4.1).

No files require special attention.

Important Files Changed

| Filename | Overview |
|---|---|
| .github/workflows/lint-pr-title.yml | Pins amannn/action-semantic-pull-request to full commit SHA with accurate `# v6.1.1` version comment |
| .github/workflows/release-please.yml | Pins googleapis/release-please-action to full commit SHA, but version comment says `# v4` rather than the more accurate `# v4.4.1` |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[GitHub Actions Workflow trigger] --> B{Workflow}
    B --> C[lint-pr-title.yml]
    B --> D[release-please.yml]
    C --> E["amannn/action-semantic-pull-request\n@48f256284bd4... #v6.1.1\n✅ SHA-pinned"]
    D --> F["googleapis/release-please-action\n@5c625bfb5d1f... #v4\n⚠️ comment could be #v4.4.1"]
```

Reviews (2): Last reviewed commit: "Apply suggestions from code review"

Comment thread on .github/workflows/lint-pr-title.yml (outdated)
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
@gjtorikian gjtorikian merged commit c4793bc into main Apr 29, 2026
9 checks passed
@gjtorikian gjtorikian deleted the devin/1777478741-pin-github-actions branch April 29, 2026 16:44