
pin action commits #6498

Merged
adhami3310 merged 1 commit into main from pin-action-commits on May 12, 2026

Conversation

@adhami3310
Member

No description provided.

@adhami3310 adhami3310 requested review from a team and Alek99 as code owners May 12, 2026 22:31
@greptile-apps
Contributor

greptile-apps Bot commented May 12, 2026

Greptile Summary

This PR pins all GitHub Actions references from floating version tags (e.g., actions/checkout@v4) to exact commit SHAs with version comments (e.g., actions/checkout@de0fac2e...# v6.0.2), a standard supply-chain hardening practice. Several actions are also bumped to newer major versions as part of this change (checkout v4→v6, setup-node v4→v6, upload-artifact v4→v7, setup-python v5→v6, setup-uv v6/v7→v8).

  • All 20 workflow/action files across .github/ and docs/app/.github/ have their action references replaced with full SHA pins.
  • publish.yml also gains new with options on the setup-uv step (version: "0.11.14", python-version: "3.14.5", cache disabled) that were not present before and are not explained by the PR description.

Confidence Score: 4/5

Safe to merge for most workflows; the publish workflow deserves a closer look before the next PyPI release.

Almost all changes are mechanical SHA-pinning of existing action tags with low risk. The standout is publish.yml, which adds previously-absent version: "0.11.14" and python-version: "3.14.5" constraints to the uv setup step. If Python 3.14.5 is not available in GitHub-hosted runners when a release is cut, the publish job will fail and no PyPI package will be produced.

.github/workflows/publish.yml — the newly added uv and Python version pins are the only part of this PR that could cause a live failure.

Important Files Changed

  • .github/workflows/publish.yml: SHA-pins checkout and setup-uv; also unexpectedly adds hardcoded version: "0.11.14" and python-version: "3.14.5" which didn't exist before and could break the publish workflow.
  • .github/actions/setup_build_env/action.yml: SHA-pins astral-sh/setup-uv (v6→v8.1.0) and actions/setup-node (v4→v6.4.0); both are major version bumps beyond just pinning.
  • .github/workflows/integration_tests.yml: SHA-pins all actions; actions/upload-artifact bumped from v4 to v7.0.1 (skips two major versions) and SocketDev/action updated to v1.3.2.
  • .github/workflows/performance.yml: SHA-pins all actions; actions/upload-artifact bumped from v4 to v7.0.1 and actions/setup-python bumped from v5 to v6.2.0.
  • .github/workflows/codeql.yml: SHA-pins actions/checkout and both github/codeql-action/init and github/codeql-action/analyze to the same commit hash at v4.35.4.
  • .github/workflows/unit_tests.yml: Straightforward SHA-pinning of actions/checkout (v4→v6.0.2) in both matrix jobs.
  • .github/workflows/dispatch_release.yml: SHA-pins actions/checkout (v6→v6.0.2) and astral-sh/setup-uv (v7→v8.1.0) across all four steps.
  • docs/app/.github/workflows/unit_tests.yml: SHA-pins checkout, setup-uv, and upload-artifact (v7→v7.0.1 exact SHA).
  • docs/app/.github/workflows/integration_tests.yml: SHA-pins actions/checkout and astral-sh/setup-uv.

Reviews (1): Last reviewed commit: "pin action commits"
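A pre-merge check for the pinning convention the summary describes, added here as an example and not code from this PR or the project: it scans `uses:` lines with a regular expression (assumption: one `uses:` reference per line, no real YAML parsing), flags any reference that is not a 40-hex commit SHA as floating, and flags SHA pins that lack the `# vX.Y.Z` comment reviewers rely on. The workflow text it runs on is constructed; the 40-`a` SHA is a placeholder.

```python
import re

# One `uses:` reference per line, optionally followed by a `# version` comment
# (assumption: this checker is line-based and does not parse the YAML).
USES_RE = re.compile(r'''^\s*-?\s*uses:\s*["']?([^\s"'#]+)["']?\s*(?:#\s*(\S+))?\s*$''')
SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def check_uses_ref(line):
    """Return None for a non-`uses:` line, else (ref, finding) with finding
    one of "ok", "local", "floating" or "sha-without-comment"."""
    m = USES_RE.match(line)
    if m is None:
        return None
    ref, comment = m.group(1), m.group(2)
    if ref.startswith("./") or ref.startswith("docker://"):
        return ref, "local"  # repo-local action or image: out of scope here
    if "@" not in ref:
        return ref, "floating"  # no ref at all resolves to the default branch
    version = ref.rsplit("@", 1)[1]
    if not SHA_RE.match(version):
        return ref, "floating"  # tag or branch: mutable, can be moved later
    return ref, "ok" if comment else "sha-without-comment"


def lint_workflow(text):
    """Return (line number, ref, finding) for every line that needs attention."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        result = check_uses_ref(line)
        if result is not None and result[1] not in ("ok", "local"):
            findings.append((lineno, result[0], result[1]))
    return findings


FAKE_SHA = "a" * 40  # constructed placeholder, not a real commit
# Constructed sample mirroring the shapes seen in this PR's diff.
SAMPLE_WORKFLOW = f"""jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup_build_env
      - name: Install uv
        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
      - uses: actions/setup-node@{FAKE_SHA}
"""

if __name__ == "__main__":
    for lineno, ref, finding in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {finding}: {ref}")
```

The check does not confirm that the SHA really is the commit the tag comment names; that still needs a lookup against the action's repository.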

Comment on lines 30 to +38
- name: Install uv
uses: astral-sh/setup-uv@v7
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
version: "0.11.14"
python-version: "3.14.5"
enable-cache: false
restore-cache: false
save-cache: false
cache-python: false
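Review bot: the `with:` block added under `uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0` changes behaviour beyond SHA pinning, namely `version: "0.11.14"` and `python-version: "3.14.5"`, and the PR has no description; record the rationale (a fixed publish toolchain instead of whatever is latest on release day) in the commit message or a YAML comment beside those two lines so the next person bumping the action SHA knows to review them together. Also keep the `# v8.1.0` comment in sync with the tag the hash was taken from, since that comment is what reviewers and update tooling use to read the pin.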
Contributor
P1 Unexplained version pins added to publish workflow

Beyond the SHA pinning goal of this PR, two hard-coded version constraints were added to the Install uv step that didn't exist before: version: "0.11.14" (pins the uv tool itself) and python-version: "3.14.5" (pins a very specific CPython patch). Neither value appears in any other workflow. If Python 3.14.5 is not yet available in the GitHub-hosted Ubuntu image at publish time, setup-uv will fail here — blocking the entire PyPI release. The uv build and uv publish commands do not inherently require a single specific Python patch version, so this level of pinning in the critical publish path should be accompanied by an explanation.

Member Author
The pinning is to minimize potential latest fake versions; ideally we should be able to set a SHA, but it doesn't look like it.

@codspeed-hq

codspeed-hq Bot commented May 12, 2026

Merging this PR will not alter performance

✅ 24 untouched benchmarks
⏩ 2 skipped benchmarks [1]


Comparing pin-action-commits (6a172a3) with main (cb9ae99)


Footnotes

  1. 2 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

@adhami3310 adhami3310 merged commit b156d87 into main May 12, 2026
69 of 70 checks passed
@adhami3310 adhami3310 deleted the pin-action-commits branch May 12, 2026 22:40
masenf pushed a commit that referenced this pull request May 28, 2026