chore: pin github actions to sha hashes #7172

Merged
diegolmello merged 4 commits into develop from chore/pin-actions-to-sha on Apr 30, 2026

Conversation

@yasnagat yasnagat (Member) commented Apr 17, 2026

Proposed changes

This PR replaces mutable tag references with immutable commit SHA pins for all third-party GitHub Actions, as part of a supply chain security hardening effort.

Each workflow file now references the exact commit SHA of the desired action version instead of a floating tag. This guarantees that the same code is always executed regardless of whether the version tag is moved or the action's repository is modified after pinning.

Issue(s)

SB-958

How to test or reproduce

Screenshots

Types of changes

  • Bugfix (non-breaking change which fixes an issue)
  • Improvement (non-breaking change which improves a current function)
  • New feature (non-breaking change which adds functionality)
  • Documentation update (if none of the other choices apply)

Checklist

  • I have read the CONTRIBUTING doc
  • I have signed the CLA
  • Lint and unit tests pass locally with my changes
  • I have added tests that prove my fix is effective or that my feature works (if applicable)
  • I have added necessary documentation (if applicable)
  • Any dependent changes have been merged and published in downstream modules

Further comments

Summary by CodeRabbit

  • Chores
    • Pinned external GitHub Action references to specific commits across CI and workflow files.
    • Normalized workflow file endings (added missing trailing newlines).
    • No build, upload, or workflow inputs/logic were changed; there are no changes to public APIs or runtime behavior.
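As an added example (not code from this PR or from the Rocket.Chat.ReactNative repository), the POSIX shell script below audits a workflow or composite-action file for the convention the description lays out: every third-party `uses:` reference should point at a 40-hex commit SHA and carry a trailing version comment. It also shows the sub-path caveat raised later in the review (gradle/actions/setup-gradle resolves against the gradle/actions repository). The sample workflow, the actions/cache SHA in it and the function names are constructed for illustration; the checkout SHA is the one this PR pins.

```shell
#!/bin/sh
# Audit `uses:` references in a GitHub Actions workflow or composite action.
# A reference counts as pinned only when it resolves to a 40-hex commit SHA
# and carries a trailing "# vX.Y.Z" comment naming the intended version.
# Local actions (./path) are skipped: there is nothing external to pin.

# Constructed sample file (not from the repository): pinned, tag-pinned and
# branch-pinned steps side by side. The actions/cache SHA is made up.
SAMPLE_WORKFLOW="$(mktemp)"
cat > "$SAMPLE_WORKFLOW" <<'EOF'
name: sample
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - uses: ./.github/actions/setup-node
      - uses: actions/setup-node@v4
      - uses: actions/cache@1234567890abcdef1234567890abcdef12345678
      - uses: nick-fields/retry@main
EOF

# owner/repo part of a reference, dropping any sub-path and the @ref.
# gradle/actions/setup-gradle@<sha> lives in the gradle/actions repo, so the
# SHA has to be checked against that repo, not a separate setup-gradle repo.
repo_of_ref() {
    printf '%s\n' "${1%%@*}" | cut -d/ -f1,2
}

# Print "<file>:<line>: <reason>: <reference>" for each problem found.
audit_action_refs() {
    file=$1
    grep -n -E '^[[:space:]]*-?[[:space:]]*uses:' "$file" | while IFS= read -r hit; do
        lineno=${hit%%:*}
        rest=$(printf '%s\n' "$hit" | sed -E 's/^[0-9]+:[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//')
        comment=
        case $rest in
            *'#'*) comment=${rest#*#} ;;
        esac
        ref=$(printf '%s\n' "${rest%%#*}" | sed -E 's/[[:space:]]+$//')
        case $ref in
            ./*) continue ;;   # local composite action
        esac
        if ! printf '%s\n' "${ref##*@}" | grep -qE '^[0-9a-f]{40}$'; then
            printf '%s:%s: mutable ref: %s\n' "$file" "$lineno" "$ref"
        elif ! printf '%s\n' "$comment" | grep -qE '^[[:space:]]*v?[0-9]'; then
            printf '%s:%s: pinned but no version comment: %s\n' "$file" "$lineno" "$ref"
        fi
    done
}

# Resolve the commit a tag points to on GitHub (needs network, so it is not
# exercised by the sample above). The "^{}" form peels annotated tags so the
# commit SHA, not the tag object, is what gets compared with the pin.
sha_for_tag() {
    git ls-remote "https://github.com/$1.git" "refs/tags/$2" "refs/tags/$2^{}" | tail -n 1 | cut -f1
}

audit_action_refs "$SAMPLE_WORKFLOW"
```

Run against a real checkout as `for f in .github/workflows/*.yml .github/actions/*/action.y*ml; do audit_action_refs "$f"; done`; a pinned reference is then confirmed by comparing `${ref##*@}` with `sha_for_tag "$(repo_of_ref "$ref")" "$version_from_comment"`.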

@coderabbitai coderabbitai (Bot, Contributor) commented Apr 17, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5ac4fbf7-7db6-49a6-bb77-78eab9c6fb27

📥 Commits

Reviewing files that changed from the base of the PR and between 22fc494 and 9c718c4.

📒 Files selected for processing (4)
  • .github/actions/build-android/action.yml
  • .github/actions/upload-android/action.yml
  • .github/actions/upload-internal-android/action.yml
  • .github/workflows/maestro-android.yml
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/maestro-android.yml
🚧 Files skipped from review as they are similar to previous changes (3)
  • .github/actions/upload-android/action.yml
  • .github/actions/build-android/action.yml
  • .github/actions/upload-internal-android/action.yml

Walkthrough

Multiple GitHub Actions workflows and composite actions were updated to pin third-party action references to specific commit SHAs (with inline version comments). No workflow logic, inputs, step conditions, paths, or build commands were changed. Several files also had trailing newlines normalized.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| Composite Actions - General | .github/actions/setup-node/action.yml, .github/actions/fetch-supported-versions/action.yaml | Replaced floating @v* action tags with pinned commit SHAs (e.g., actions/setup-node, actions/cache, actions/upload-artifact). No step inputs or logic changed. |
| Composite Actions - iOS | .github/actions/build-ios/action.yml, .github/actions/upload-ios/action.yml | Pinned maxim-lobanov/setup-xcode, ruby/setup-ruby, actions/cache, actions/upload-artifact to commit SHAs (inline version comments). No functional changes. |
| Composite Actions - Android | .github/actions/build-android/action.yml, .github/actions/upload-android/action.yml, .github/actions/upload-internal-android/action.yml | Pinned ruby/setup-ruby, gradle/actions/setup-gradle, actions/cache, actions/download-artifact, actions/upload-artifact to specific SHAs; added/normalized trailing newlines. |
| Workflows - Checkout Standardization | .github/workflows/build-android.yml, .github/workflows/build-ios.yml, .github/workflows/build-official-android.yml, .github/workflows/build-official-ios.yml, .github/workflows/eslint.yml, .github/workflows/prettier.yml | Replaced actions/checkout@v4 with pinned SHA @34e114876b0b11c390a56381ad16ebd13914f8d5 (commented v4.3.1) across checkout steps only. |
| Workflows - E2E & Build Pipelines | .github/workflows/e2e-build-android.yml, .github/workflows/e2e-build-ios.yml | Pinned multiple actions to commit SHAs (actions/checkout, actions/cache, actions/setup-java, android-actions/setup-android, gradle/actions/setup-gradle, ruby/setup-ruby, maxim-lobanov/setup-xcode, actions/upload-artifact); normalized EOF newlines. |
| Workflows - Maestro & Utilities | .github/workflows/maestro-android.yml, .github/workflows/maestro-ios.yml, .github/workflows/generate-changelog.yml, .github/workflows/organize_translations.yml, .github/workflows/maestro-ios.yml | Pinned various workflow uses: references to commit SHAs (e.g., actions/checkout, actions/setup-java, actions/cache, actions/download-artifact, actions/upload-artifact, EndBug/add-and-commit, nick-fields/retry); no other changes. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

type: chore

🚥 Pre-merge checks | ✅ 5 passed

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately reflects the main change: pinning GitHub Actions from tag references to immutable SHA commit hashes across all workflow files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • SB-958: Request failed with status code 401


@coderabbitai coderabbitai (Bot, Contributor) left a review comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
.github/actions/build-ios/action.yml (1)

81-81: ⚠️ Potential issue | 🟡 Minor

Pre-existing: unquoted secret in shell command.

Not introduced by this PR, but echo ${{ inputs.APP_STORE_CONNECT_API_KEY_BASE64 }} | base64 --decode interpolates the secret unquoted into the shell and also echoes it (logs redact but it's fragile). Consider piping via env + printenv. Flagging for awareness; not blocking this chore PR.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/actions/build-ios/action.yml at line 81, The line echo ${{
inputs.APP_STORE_CONNECT_API_KEY_BASE64 }} | base64 --decode >
./ios/fastlane/app_store_connect_api_key.p8 exposes and unquotes a secret;
change it to avoid unquoted interpolation by first exporting the input to an
environment variable and then piping that environment variable through a safe
reader (e.g., use printenv) into base64 --decode to write
./ios/fastlane/app_store_connect_api_key.p8, or alternatively use a safe, quoted
write via printf with a quoted variable expansion; locate the offending command
in action.yml to update the shell invocation accordingly.
.github/workflows/e2e-build-android.yml (1)

26-97: ⚠️ Potential issue | 🔴 Critical

Fix incorrect SHA for gradle/actions/setup-gradle action.

The gradle/actions/setup-gradle action is pinned to an incorrect SHA. The workflow specifies ed408507eac070d1f99cc633dbcf757c94c7933a for v4.4.3, but the correct SHA is 48b5f213c81028ace310571dc5ec0fbbca0b2947. Update this SHA before merging.

The other pinned actions (actions/setup-java v4.8.0 and android-actions/setup-android v3.2.2) have correct SHAs.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/e2e-build-android.yml around lines 26 - 97, Update the
pinned SHA for the Gradle setup action: replace the incorrect SHA used in the
uses entry
"gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a" with the
correct SHA "48b5f213c81028ace310571dc5ec0fbbca0b2947" (keeping the v4.4.3 tag)
so the setup step "Set up Gradle" references the correct commit.
🧹 Nitpick comments (1)
.github/actions/upload-android/action.yml (1)

56-56: Optional: add a name: to this step for consistency.

All other uses: steps in this composite include a name:; this one does not. Not blocking.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/actions/upload-android/action.yml at line 56, Add a missing name for
the download-artifact step: locate the step with uses:
actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 in the
composite action and add a descriptive name: field (e.g., name: "Download
artifact") above the uses: line to match the style of the other steps and
improve consistency.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5398bb7f-55a8-49c3-99a9-385dea9493d6

📥 Commits

Reviewing files that changed from the base of the PR and between 9d43512 and 22fc494.

📒 Files selected for processing (19)
  • .github/actions/build-android/action.yml
  • .github/actions/build-ios/action.yml
  • .github/actions/fetch-supported-versions/action.yaml
  • .github/actions/setup-node/action.yml
  • .github/actions/upload-android/action.yml
  • .github/actions/upload-internal-android/action.yml
  • .github/actions/upload-ios/action.yml
  • .github/workflows/build-android.yml
  • .github/workflows/build-ios.yml
  • .github/workflows/build-official-android.yml
  • .github/workflows/build-official-ios.yml
  • .github/workflows/e2e-build-android.yml
  • .github/workflows/e2e-build-ios.yml
  • .github/workflows/eslint.yml
  • .github/workflows/generate-changelog.yml
  • .github/workflows/maestro-android.yml
  • .github/workflows/maestro-ios.yml
  • .github/workflows/organize_translations.yml
  • .github/workflows/prettier.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: ESLint and Test / run-eslint-and-test
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2026-02-26T10:48:56.700Z
Learnt from: Rohit3523
Repo: RocketChat/Rocket.Chat.ReactNative PR: 7008
File: .github/workflows/maestro-ios.yml:90-93
Timestamp: 2026-02-26T10:48:56.700Z
Learning: In the Rocket.Chat.ReactNative repository's Maestro iOS workflow (.github/workflows/maestro-ios.yml), the `retry_on: timeout` configuration is intentionally used instead of `retry_on: any` because test failures are handled within the .github/scripts/run-maestro.sh script itself. Workflow-level retries should only occur when Maestro hangs (timeout), not on test failures.

Applied to files:

  • .github/workflows/maestro-android.yml
  • .github/workflows/maestro-ios.yml
📚 Learning: 2026-04-07T17:49:17.538Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat.ReactNative PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-07T17:49:17.538Z
Learning: Run yarn prettier-lint and TZ=UTC yarn test for modified files before committing

Applied to files:

  • .github/workflows/eslint.yml
🔇 Additional comments (19)
.github/workflows/prettier.yml (1)

19-19: Pinned checkout reference is consistent.

The SHA pin and # v4.3.1 comment follow the same convention used elsewhere, and the changed push line does not alter behavior.

Also applies to: 50-50

.github/workflows/build-ios.yml (1)

30-30: Both checkout pins look correct.

The build and upload jobs consistently pin actions/checkout to the same immutable SHA with the version comment preserved.

Also applies to: 70-70

.github/actions/fetch-supported-versions/action.yaml (1)

16-20: Artifact upload pin looks good.

actions/upload-artifact is pinned to an immutable SHA and the artifact configuration remains unchanged.

.github/workflows/build-official-ios.yml (1)

30-30: Official iOS checkout pins are consistent.

Both checkout steps use the same pinned SHA and keep the human-readable version comment.

Also applies to: 80-80

.github/workflows/build-android.yml (1)

32-32: Android checkout pins are consistent.

All three checkout steps now use the same immutable actions/checkout revision with the version comment retained.

Also applies to: 79-79, 100-100

.github/actions/setup-node/action.yml (1)

6-12: Setup and cache actions are properly pinned.

Both external actions use immutable SHAs and keep inline version comments without changing the existing Node/cache behavior.

.github/workflows/generate-changelog.yml (1)

13-13: Changelog workflow pins look good.

Both third-party action references are SHA-pinned and keep clear version comments; the changelog logic is unchanged.

Also applies to: 34-34

.github/workflows/eslint.yml (1)

12-12: SHA-pinned checkout reference is properly configured.

The actions/checkout action is correctly pinned to a 40-character SHA with a human-readable version comment for maintainability. Repository-wide verification confirms all external action references in .github/workflows/ follow this pattern.

.github/actions/upload-internal-android/action.yml (1)

26-39: LGTM — pins consistent with the sibling composite action.

Same SHA/version mapping verification applies (see .github/actions/upload-android/action.yml).

.github/workflows/maestro-android.yml (1)

19-89: LGTM — action pins applied uniformly.

No logic changes; all uses: references now pinned with version comments. SHA-to-version verification covered in the earlier comment.

.github/workflows/organize_translations.yml (2)

12-42: LGTM on the SHA pins.


26-26: This concern is unfounded—the step-security/changed-files switch occurred in a prior PR (#6248), not in this one.

The current PR (commit 22fc494: "chore: pin github actions to sha hashes") only pins three actions: actions/checkout, actions/setup-node, and EndBug/add-and-commit—exactly as listed in the PR summary. The step-security/changed-files line was already pinned to SHA in the previous commit (3794e56: "ci: Remove tj-actions/changed-files (#6248)"), which switched from tj-actions/changed-files@v42 to the StepSecurity hardened fork. That behavioral change was addressed in PR #6248, not in this PR.

> Likely an incorrect or invalid review comment.
.github/actions/build-android/action.yml (1)

48-154: LGTM.

Pins match the same set used elsewhere (ruby/setup-ruby v1.302.0, gradle/actions/setup-gradle v4.4.3, actions/cache v4.3.0, actions/upload-artifact v4.6.2).

Note: gradle/actions/setup-gradle is a sub-path of the gradle/actions repo; the SHA resolves against that repo, not a separate setup-gradle repo. Please include this in the SHA verification (the script in the first file already targets gradle/actions).

.github/workflows/build-official-android.yml (1)

32-97: LGTM.

Three identical actions/checkout pins, consistent with the repo-wide pattern.

.github/workflows/maestro-ios.yml (1)

18-105: LGTM.

All pins match those used in maestro-android.yml and the composite actions. retry_on: timeout behavior preserved.

.github/actions/build-ios/action.yml (1)

54-170: LGTM.

Xcode setup, Ruby, cache, and all five upload-artifact steps pinned consistently.

.github/actions/upload-android/action.yml (1)

26-56: All pinned SHAs match their annotated versions correctly.

Verification confirmed that all third-party action SHAs across the workflow are properly mapped to their respective versions, with no mismatches found.

.github/workflows/e2e-build-ios.yml (1)

29-107: SHA pinning implemented correctly with proper version documentation.

All third-party actions are correctly pinned to immutable commit SHAs with inline version comments. The SHAs for actions/checkout@v4.3.1 and actions/upload-artifact@v4.6.2 have been verified as correct, and the consistent reuse of pinned SHAs across the workflow (e.g., maxim-lobanov/setup-xcode, ruby/setup-ruby, actions/cache) confirms uniform pinning practices.

.github/actions/upload-ios/action.yml (1)

40-112: SHA-pinned actions correctly reference version tags and have no known security vulnerabilities.

All pinned SHAs match their claimed versions: actions/download-artifact v4.3.0, actions/cache v4.3.0, maxim-lobanov/setup-xcode v1.7.0, and ruby/setup-ruby v1.302.0. The consistent use of identical SHAs for repeated actions correctly implements immutable references to mitigate supply-chain risks from mutable tags.
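The outside-diff finding on .github/actions/build-ios/action.yml above (the secret is rendered unquoted into the shell by `echo ${{ inputs.APP_STORE_CONNECT_API_KEY_BASE64 }} | base64 --decode`) is easiest to see with the two step shapes side by side. The script below is an added example, not code from the repository or the review bot: the key text is constructed and is not a real key, and the `KEY_B64` environment variable name is an assumption. It shows why the unquoted form is fragile (a base64 value wrapped across lines is word-split into several arguments) and that the env + printenv form the review suggests reproduces the stored secret byte for byte.

```shell
#!/bin/sh
# The two ways a base64-encoded secret can reach `base64 --decode` in an
# Actions step.
#
# Fragile form flagged in review (the ${{ }} expression is rendered into the
# script text before the shell runs, and the result is expanded unquoted):
#   run: echo ${{ inputs.APP_STORE_CONNECT_API_KEY_BASE64 }} | base64 --decode > key.p8
#
# Hardened form: pass the value through the environment and read it with
# printenv, so it never appears in the script text and is never word-split:
#   env:
#     KEY_B64: ${{ inputs.APP_STORE_CONNECT_API_KEY_BASE64 }}
#   run: printenv KEY_B64 | base64 --decode > key.p8

# Constructed sample secret; not a real key. Encoded and wrapped at 64
# columns, as base64 tooling commonly emits it, so the value spans two lines.
SAMPLE_PLAINTEXT='-----BEGIN PRIVATE KEY-----
constructed-sample-not-a-real-key
-----END PRIVATE KEY-----'
SAMPLE_B64=$(printf '%s' "$SAMPLE_PLAINTEXT" | base64 | tr -d '\n' | fold -w 64)

# Number of words the unquoted expansion turns KEY_B64 into. Anything above 1
# means the secret was split on whitespace and the decoder downstream receives
# a different byte sequence than the one stored.
words_after_unquoted_expansion() {
    set -- $KEY_B64
    echo "$#"
}

# Hardened decoder: reads KEY_B64 from the environment via printenv.
decode_from_env() {
    printenv KEY_B64 | base64 --decode
}

# Returns 0 when the hardened path reproduces the stored secret exactly.
check_roundtrip() {
    [ "$(decode_from_env)" = "$SAMPLE_PLAINTEXT" ]
}

export KEY_B64="$SAMPLE_B64"
printf 'words after unquoted expansion: %s\n' "$(words_after_unquoted_expansion)"
check_roundtrip && echo 'hardened decode round-trips the secret'
```

`printf '%s\n' "$KEY_B64" | base64 --decode` is an equally safe alternative to printenv; what matters is that the value enters the step through `env:` and is only ever referenced as a quoted variable, not substituted into the script body.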

@Rohit3523 Rohit3523 had a problem deploying to official_android_build April 30, 2026 19:01 — with GitHub Actions Error
@Rohit3523 Rohit3523 had a problem deploying to experimental_android_build April 30, 2026 19:01 — with GitHub Actions Error
@Rohit3523 Rohit3523 had a problem deploying to experimental_ios_build April 30, 2026 19:01 — with GitHub Actions Error
@Rohit3523 Rohit3523 had a problem deploying to approve_e2e_testing April 30, 2026 19:57 — with GitHub Actions Failure

@Rohit3523 Rohit3523 (Member) left a comment

LGTM

@Rohit3523 Rohit3523 had a problem deploying to experimental_ios_build April 30, 2026 20:04 — with GitHub Actions Failure
@Rohit3523 Rohit3523 had a problem deploying to official_android_build April 30, 2026 20:04 — with GitHub Actions Failure
@Rohit3523 Rohit3523 had a problem deploying to official_ios_build April 30, 2026 20:04 — with GitHub Actions Failure
@Rohit3523 Rohit3523 had a problem deploying to experimental_android_build April 30, 2026 20:04 — with GitHub Actions Failure
@diegolmello diegolmello merged commit 7771178 into develop Apr 30, 2026
5 of 10 checks passed
@diegolmello diegolmello deleted the chore/pin-actions-to-sha branch April 30, 2026 20:30