
security: pin github actions to commit SHAs across workflows#47

Merged
ParticularlyPythonicBS merged 1 commit intomainfrom
pin_actions
Mar 31, 2026
Conversation

@ParticularlyPythonicBS (Member) commented Mar 31, 2026

This PR pins all GitHub Actions used in the repository's CI/CD workflows to specific, immutable commit SHAs. This is a security best practice (supply chain security) that ensures the exact same code is executed in our pipelines every time, preventing potential risks from unexpected or malicious updates to mutable tags.

Summary by CodeRabbit

  • Chores
    • Updated continuous integration and deployment workflow dependencies to pinned versions for enhanced build stability and consistency across pipeline stages.

Pinning actions in .github/workflows to specific SHAs ensures supply chain security and reproducible CI/CD environments. Included comments for maintainability.
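As an added example (not code from this PR or from the repository), the following stdlib-only Python audit applies the rule this PR enforces to workflow text: it flags every `uses:` reference whose ref is not a full 40-hex commit SHA (or, for `docker://` images, a `sha256:` digest), and separately reports SHA pins that lack the trailing version comment the PR adds for maintainability. The two workflow snippets, the action names' placeholder SHA and the digest are constructed for the example; the all-placeholder SHA does not correspond to any real commit.

```python
import re

# A ref is immutable only as a full 40-hex commit SHA; GitHub requires the
# full length, and tags or branches can be moved by the action's owner.
SHA40 = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses:` at step or job level (reusable workflows included), with
# optional quotes and an optional trailing `# vX` version comment.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(#.*)?$")


def classify_uses(ref, comment=None):
    """Classify one `uses:` reference.

    Returns (status, detail); status is one of
    "pinned", "pinned-uncommented", "mutable" or "local".
    """
    if ref.startswith("./"):
        return "local", "local action resolved from the checked-out repository"
    if ref.startswith("docker://"):
        if "@sha256:" in ref:
            return "pinned", "container image pinned by digest"
        return "mutable", "container image referenced by tag, not digest"
    if "@" not in ref:
        return "mutable", "no ref given, resolves to the action's default branch"
    action, _, version = ref.rpartition("@")
    if not SHA40.match(version):
        return "mutable", f"{action}@{version} is a tag or branch the owner can move"
    if comment and re.search(r"v\d", comment):
        return "pinned", f"{action} pinned to {version[:12]} ({comment.lstrip('# ')})"
    return "pinned-uncommented", f"{action} pinned to {version[:12]} with no version comment"


def audit_workflow(text):
    """Return (line_no, ref, status, detail) for every `uses:` line in a workflow."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_LINE.match(line)
        if m:
            status, detail = classify_uses(m.group(1), m.group(2))
            findings.append((line_no, m.group(1), status, detail))
    return findings


def unpinned(text):
    """Only the findings a CI gate should fail on."""
    return [f for f in audit_workflow(text) if f[2] == "mutable"]


# Constructed sample resembling the pre-PR state: every third-party action
# and the container image are referenced by a mutable tag.
BEFORE = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - uses: astral-sh/setup-uv@v6
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""

# Placeholder values, not real commits or digests.
FAKE_SHA = "0123456789abcdef" * 2 + "01234567"   # 40 hex chars
FAKE_DIGEST = FAKE_SHA + "0" * 24                 # 64 hex chars

# Constructed sample resembling the post-PR state: SHA pins with version comments.
AFTER = f"""\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{FAKE_SHA} # v4
      - uses: actions/setup-python@{FAKE_SHA} # v5
        with:
          python-version: "3.12"
      - uses: astral-sh/setup-uv@{FAKE_SHA} # v6
      - uses: ./.github/actions/local-step
      - uses: docker://alpine@sha256:{FAKE_DIGEST}
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label}: {len(unpinned(text))} mutable reference(s)")
        for line_no, ref, status, detail in audit_workflow(text):
            print(f"  line {line_no}: [{status}] {detail}")
```

Two caveats the check cannot see for you: the SHA you pin must be taken from the action's own repository rather than a fork, since a commit that exists only in a fork can still be referenced through the upstream repository name, and pinned SHAs stop receiving fixes unless Dependabot or Renovate is configured to bump them; the `# vN` comment beside each SHA is what both those tools and human reviewers read when deciding what a bump means. The matcher is a line regex, not a YAML parser, so it covers the ordinary one-line `uses:` form used in workflows like the ones changed here.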
coderabbitai bot commented Mar 31, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 895453b and 9eca5a7.

📒 Files selected for processing (3)
  • .github/workflows/ci.yml
  • .github/workflows/cleanup.yml
  • .github/workflows/publish.yml

Walkthrough

GitHub Actions used in three CI/CD workflows (ci.yml, cleanup.yml, publish.yml) are pinned to specific commit SHAs with version comments, replacing prior major-version tags. No changes to workflow steps, logic, inputs, environment variables, or test/coverage operations.

Changes

Cohort: GitHub Actions Version Pinning
File(s): .github/workflows/ci.yml, .github/workflows/cleanup.yml, .github/workflows/publish.yml
Summary: Updated actions/checkout, actions/setup-python, and astral-sh/setup-uv action references from major version tags (@v4, @v5, @v6, @v8) to fixed commit SHAs with version comments. No changes to workflow commands, inputs, or logic.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 Actions pinned like carrots in a row,
Each commit SHA locked in, steady and true,
No surprises in CI, just stable flow—
Version chaos tamed, our workflows debut! 🔒✨

Pre-merge checks: 3 passed
  • Description check: passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: passed. The title clearly and specifically describes the main change: pinning GitHub Actions to commit SHAs across workflows for security purposes, which matches the actual changeset modifications.
  • Docstring coverage: passed. No functions found in the changed files to evaluate docstring coverage; check skipped.


codecov bot commented Mar 31, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@ParticularlyPythonicBS ParticularlyPythonicBS merged commit ace3ab4 into main Mar 31, 2026
4 checks passed
@ParticularlyPythonicBS ParticularlyPythonicBS deleted the pin_actions branch March 31, 2026 18:40