
chore: pin GitHub Actions to commit shas BED-7914 #187

Open
lrfalslev wants to merge 8 commits into main from lfalslev/bed-7914

Conversation


@lrfalslev lrfalslev commented Apr 13, 2026

Resolves: BED-7914
Updates actions to latest versions and pins them by git commit SHA for security hardening

Summary by CodeRabbit

  • Chores
    • CI workflows: upgraded numerous actions to newer major releases and replaced tag references with pinned commits; normalized workflow indentation without changing step logic, inputs, outputs, artifacts, or control flow.
    • Bumped Go language target and updated indirect Go module dependency versions.
    • Updated build container base image to the newer Go release and adjusted image metadata formatting.
  • Documentation
    • Updated README build prerequisite to require Go 1.25 or later.

@lrfalslev lrfalslev self-assigned this Apr 13, 2026

coderabbitai bot commented Apr 13, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Multiple GitHub Actions uses: references were updated to newer majors or pinned commit SHAs; Go toolchain and indirect module versions were bumped to 1.25; Docker build image and README Go prerequisite were updated. No workflow step logic, inputs/outputs, or public code entities were changed.

Changes

Cohort / File(s): Summary

  • Workflows — build & publish (.github/workflows/build.yml, .github/workflows/publish.yml): Replaced many uses: entries with newer major tags or pinned commit SHAs (e.g., actions/checkout, actions/setup-go, docker/*, docker/build-push-action, docker/metadata-action, aws-actions/*, actions/download-artifact, softprops/action-gh-release). No step logic, if: conditions, inputs/outputs, artifact names, or build args/tags/labels changed (one whitespace tweak).
  • Workflows — CLA & Jira (.github/workflows/cla.yml, .github/workflows/jira-issue-transfer.yml): Pinned contributor-assistant/github-action and atlassian/gajira-* usages to specific commit SHAs and normalized YAML indentation for Jira steps; preserved conditional if logic and with payloads.
  • Docs (README.md): Updated documented build prerequisite from “Go 1.18 or later” to “Go 1.25 or later.” No other content changed.
  • Go module (go.mod): Bumped go directive to 1.25.0, removed explicit toolchain directive, and updated indirect deps: golang.org/x/image v0.18.0→v0.39.0 and golang.org/x/text v0.34.0→v0.36.0. No exported/public code changed.
  • Container build (Dockerfile): Updated build-stage base image from golang:1.24 to golang:1.25 (and as casing). Adjusted label formatting in final stage. No other Dockerfile logic changed.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I hopped through YAML, pinning tags with care,
SHAs snug like acorns, tidy everywhere.
Go grew taller, the builder took flight,
CI trails shimmer under moonlit night.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

  • Description Check (✅ Passed): Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check (✅ Passed): The title accurately describes the primary change: pinning GitHub Actions to commit SHAs across multiple workflow files, which is the main focus of the changeset.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.




@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/build.yml:
- Line 16: The workflow uses mutable major tags like actions/checkout@v6 (and other actions at the listed lines) which must be replaced with SHA-pinned refs; update each occurrence (e.g., actions/checkout@v6, any actions at lines referenced such as the ones at 19,36,39,47,56,61,71,74,77,90,96,121,124,153) to the corresponding verified commit SHA (actions/<name>@<sha>) so the workflow is fully pinned and repeatable—locate each uses: entry in the YAML and replace the tag with the exact commit SHA from the action's GitHub repository.

In @.github/workflows/publish.yml:
- Line 26: Multiple workflow steps use floating action tags (e.g., uses: actions/checkout@v6) which should be pinned to immutable 40-character commit SHAs; update every uses: entry in .github/workflows/publish.yml (including actions/checkout@v6 and the other eleven action refs) to their corresponding full commit SHA (format: actions/owner/repo@<40-char-sha>) so each uses: line references a specific commit, not a version tag, ensuring all 12 action refs are replaced with their exact commit SHAs.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 514239b9-f1f9-4874-bb32-59014e1a914f

📥 Commits

Reviewing files that changed from the base of the PR and between f98e580 and 35e3a68.

📒 Files selected for processing (2)
  • .github/workflows/build.yml
  • .github/workflows/publish.yml
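A small audit of the convention this PR adopts (every third-party `uses:` reference pinned to a full 40-character commit SHA rather than a movable tag or branch), added here as an example; it is not part of the PR or of the project's own code. The sample workflow text and the SHA inside it are constructed for the example, not taken from the repository. The check goes slightly beyond the review comments above: it also flags abbreviated SHAs and `docker://` references, which need a digest rather than a commit pin.

```python
import re
from dataclasses import dataclass
from typing import Optional

# A `uses:` step reference, e.g. "- uses: owner/repo@ref" or "uses: owner/repo@ref",
# with an optional trailing "# comment" that by convention records the readable version.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s+#\s*(?P<comment>.*))?\s*$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


@dataclass
class Finding:
    line: int
    ref: str
    status: str  # "pinned", "floating", "local" or "docker"
    note: str


def classify(ref: str, comment: Optional[str]) -> tuple:
    """Decide whether one `uses:` reference is immutably pinned."""
    if ref.startswith("./"):
        return "local", "action lives in this repository; no pin needed"
    if ref.startswith("docker://"):
        return "docker", "container image; pin by digest (@sha256:...) rather than by tag"
    _action, sep, version = ref.partition("@")
    if not sep:
        return "floating", "no @ref at all; resolves to the action's default branch"
    if FULL_SHA_RE.fullmatch(version):
        if comment:
            return "pinned", f"full commit SHA, version noted as '{comment}'"
        return "pinned", "full commit SHA; add a '# vX.Y' comment so the version stays readable"
    if SHORT_SHA_RE.fullmatch(version):
        return "floating", f"abbreviated SHA '{version}'; use the full 40-character commit SHA"
    return "floating", f"mutable ref '{version}'; tags and branches can be moved to other commits"


def audit_workflow(text: str) -> list:
    """Return one Finding per `uses:` line in a workflow file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            status, note = classify(m["ref"], m["comment"])
            findings.append(Finding(lineno, m["ref"], status, note))
    return findings


def unpinned(findings: list) -> list:
    """Only the findings a reviewer would ask to change."""
    return [f for f in findings if f.status == "floating"]


# Constructed sample workflow; the 40-hex value below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v6.0.0 (constructed SHA)
      - uses: docker/build-push-action@main
      - uses: ./.github/actions/local-step
      - name: release
        uses: softprops/action-gh-release@abcdef0
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line:>3}  {f.status:<8}  {f.ref}  ({f.note})")
```

Run it over each file under `.github/workflows/` and treat a non-empty `unpinned()` result as a CI failure; the trailing `# vX.Y` comment is what keeps a SHA-pinned line reviewable by humans and by tools that bump the pin together with the comment.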
