chore: migrate to pinned actions

[remyleone]

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Relates OR Closes #0000

Release note for CHANGELOG:

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 55.47%. Comparing base (7ec8e84) to head (d3e8955).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #5322   +/-   ##
=======================================
  Coverage   55.47%   55.47%           
=======================================
  Files         320      320           
  Lines       72193    72193           
=======================================
  Hits        40046    40046           
  Misses      30653    30653           
  Partials     1494     1494           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

This PR updates GitHub Actions workflows to use pinned action references (commit SHAs) instead of floating version tags, improving supply-chain security and build reproducibility across CI and release pipelines.

Changes:

• Pin actions/checkout, actions/setup-go, and other third-party actions to specific commit SHAs across multiple workflows.
• Add/retain inline version annotations next to pinned SHAs for readability.
• Update coverage, lint, docs, release, and test workflows to use the pinned references.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
.github/workflows/wasm.yml	Pin checkout/setup-go/pnpm actions for WASM CI job.
.github/workflows/tests.yml	Pin checkout/setup-go actions for test matrix jobs.
.github/workflows/release.yml	Pin checkout/setup-go/buildx/goreleaser/pnpm actions in release pipeline.
.github/workflows/purge.yml	Pin checkout/setup-go actions for manual sweeper run.
.github/workflows/nightly.yml	Pin checkout/setup-go actions for nightly acceptance + sweepers jobs.
.github/workflows/lint.yml	Pin checkout/golangci-lint/typos actions used in lint workflows.
.github/workflows/labeler.yml	Pin checkout/labeler actions for PR label automation.
.github/workflows/docs.yml	Pin checkout/setup-go and markdown link check action for docs workflows.
.github/workflows/deploy-docs.yml	Pin checkout action for docs deployment workflow.
.github/workflows/coverage.yml	Pin checkout/setup-go/codecov actions for coverage reporting.
.github/workflows/codeql-analysis.yml	Pin checkout action for CodeQL workflow.
.github/workflows/build.yml	Pin checkout/setup-go actions for build and docker jobs.

Comments suppressed due to low confidence (1)

.github/workflows/deploy-docs.yml:19

• The inline comment for the “Verify release commit” step still references actions/checkout@v6, but this workflow now pins checkout to a commit SHA. Update the comment to reflect the pinned reference (or remove the action version mention) so it doesn’t become misleading over time.

        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ github.event.release.tag_name }}
      - name: Verify release commit
        run: | # Commit hash to compare with the commit returned by actions/checkout@v6 - Tag to compare with the latest release

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.