
@infeo infeo commented Dec 30, 2025

@infeo infeo self-assigned this Dec 30, 2025
@infeo infeo added this to the 1.7.0 milestone Dec 30, 2025
@infeo infeo added the enhancement New feature or request label Dec 30, 2025
coderabbitai bot commented Dec 30, 2025

Walkthrough

This pull request pins GitHub Actions workflow steps to specific commit hashes across four workflow files (build.yml, codeql-analysis.yml, dependency-check.yml, and pullrequest.yml) and adds a CHANGELOG entry noting CI pinning. Actions such as actions/checkout, actions/setup-java, github/codeql-action, attest-build-provenance, upload-artifact, and release-related actions are updated from floating version tags (e.g., v4, v5, v6) to exact commit SHAs. No functional logic, control flow, or configuration parameters are modified.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks

✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main change: pinning GitHub Action versions to exact commit SHAs across multiple workflow files.
Description check ✅ Passed The description provides a reference to a related PR that provides context for this change, which is related to the changeset of pinning CI action versions.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 29c7eb5 and e0e8e17.

📒 Files selected for processing (4)
  • .github/workflows/build.yml
  • .github/workflows/codeql-analysis.yml
  • .github/workflows/dependency-check.yml
  • .github/workflows/pullrequest.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Analyse
🔇 Additional comments (5)
.github/workflows/build.yml (3)

48-49: Good consistency using the same action hashes across all jobs.

The deploy-central and deploy-github jobs use the same commit hashes as the build job for checkout and setup-java actions, ensuring consistency across the workflow.

Also applies to: 82-83


113-113: Action hash is correctly pinned to v2.5.0.

Commit hash a06a81a03ee405af7f2048a818ed3f03bbf83c7b correctly corresponds to softprops/action-gh-release v2.5.0.


18-36: All action commit hashes are correct and properly pinned. The pinning across checkout, setup-java, attest-build-provenance, and upload-artifact is accurate and matches the claimed versions.

.github/workflows/codeql-analysis.yml (1)

19-34: Excellent security improvement pinning all actions to specific commits. All commit hashes are verified to match their claimed versions (actions/checkout v6.0.1, actions/setup-java v5.1.0, and github/codeql-action v4.31.9).

.github/workflows/pullrequest.yml (1)

19-20: Good security practice pinning actions to specific commits. The commit hashes match those used in codeql-analysis.yml, ensuring consistency across workflows, and both hashes correctly correspond to their claimed versions (v6.0.1 for checkout, v5.1.0 for setup-java).
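The walkthrough above describes moving every `uses:` reference from a floating tag such as `v4` to a commit SHA, and the review comments above check that each SHA matches the version named beside it. The following is an added example, not code from this PR or from the project, that automates both checks: an offline lint that flags any `uses:` line whose ref is not a full 40-hex commit SHA carrying a `# vX.Y.Z` comment, and a resolver that turns a tag into the commit SHA a pin should carry via `git ls-remote`. The workflow text, the placeholder SHAs and the `ls-remote` output embedded below are constructed samples, and the function and file names are my own, not the project's.

```python
"""Lint GitHub Actions workflows for unpinned `uses:` references and resolve
tags to the commit SHA a pin should carry.

Added example for illustration; not part of the PR or project. All sample
inputs below are constructed.
"""
from __future__ import annotations

import re
import subprocess
import sys
from dataclasses import dataclass
from pathlib import Path

# Full 40-character commit SHA; abbreviated SHAs are rejected on purpose.
SHA_RE = re.compile(r"[0-9a-f]{40}")
# Version comment a pinned line must carry, e.g. `# v6.0.1`.
VERSION_COMMENT_RE = re.compile(r"v?\d+(\.\d+)*\b")
# `- uses: owner/repo[/path]@ref  # optional comment` (quotes optional).
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*["']?(?P<action>[^@\s#"']+)@(?P<ref>[^\s#"']+)["']?"""
    r"""\s*(?:#\s*(?P<comment>.*))?$"""
)


@dataclass(frozen=True)
class Finding:
    line: int
    action: str
    ref: str
    problem: str


def lint_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` line that violates the pin policy."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m is None:
            continue  # not a `uses:` line, or a local action with no `@ref`
        action, ref, comment = m["action"], m["ref"], m["comment"]
        if action.startswith("docker://"):
            continue  # container images have their own digest pinning rules
        if SHA_RE.fullmatch(ref) is None:
            findings.append(Finding(lineno, action, ref,
                                    "ref is a tag, branch or short SHA, not a full commit SHA"))
        elif not comment or VERSION_COMMENT_RE.match(comment.strip()) is None:
            findings.append(Finding(lineno, action, ref,
                                    "SHA pin has no `# vX.Y.Z` comment naming the resolved tag"))
    return findings


def parse_ls_remote(output: str, tag: str) -> str | None:
    """Pick the commit SHA for `tag` out of `git ls-remote` output.

    An annotated tag is listed twice: `<tag-object> refs/tags/TAG` and
    `<commit> refs/tags/TAG^{}`. The pin must be the commit, so the peeled
    `^{}` entry wins when present; a lightweight tag has only the plain entry.
    """
    plain = peeled = None
    for line in output.splitlines():
        sha, _, ref = line.partition("\t")
        if ref == f"refs/tags/{tag}^{{}}":
            peeled = sha
        elif ref == f"refs/tags/{tag}":
            plain = sha
    return peeled or plain


def resolve_tag(repo: str, tag: str) -> str | None:
    """Resolve `tag` in github.com/`repo` to a commit SHA (needs network)."""
    proc = subprocess.run(
        ["git", "ls-remote", "--tags", f"https://github.com/{repo}.git",
         f"refs/tags/{tag}", f"refs/tags/{tag}^{{}}"],
        check=True, capture_output=True, text=True,
    )
    return parse_ls_remote(proc.stdout, tag)


# Constructed sample: the "before" (floating tag), a correct pin, a pin without
# its version comment, a local action, and a short SHA. The SHAs are placeholders.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@1111111111111111111111111111111111111111 # v5.1.0
      - uses: actions/upload-artifact@2222222222222222222222222222222222222222
      - uses: ./.github/actions/local-step
      - uses: softprops/action-gh-release@a06a81a
"""

# Constructed `git ls-remote` output for an annotated tag.
SAMPLE_LS_REMOTE = (
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\trefs/tags/v6.0.1\n"
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\trefs/tags/v6.0.1^{}\n"
)


def main(paths: list[str]) -> int:
    """Lint the given workflow files (or the embedded sample); non-zero on findings."""
    bad = 0
    sources = [(p, Path(p).read_text()) for p in paths] or [("<sample>", SAMPLE_WORKFLOW)]
    for name, text in sources:
        for f in lint_workflow(text):
            print(f"{name}:{f.line}: {f.action}@{f.ref}: {f.problem}")
            bad += 1
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python pin_lint.py .github/workflows/*.yml` in a CI job so a later edit cannot quietly reintroduce a floating tag. The peeled-tag handling in `parse_ls_remote` is the caveat that bites in practice: most release tags are annotated, and copying the first SHA `git ls-remote` prints gives you the tag object, which `uses:` will not resolve; the commit is the `^{}` line. The version comment matters because it is the only thing a human or a bot can check the SHA against at review time, which is exactly the verification the review comments above describe.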

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e0e8e17 and 4af5bb8.

📒 Files selected for processing (1)
  • CHANGELOG.md
🧰 Additional context used
🪛 LanguageTool
CHANGELOG.md

[uncategorized] ~17-~17: The official name of this software platform is spelled with a capital “H”.
Context: ...17) ### Changed * Require JDK 25 * Pin Github action versions used in CI ([#132](http...

(GITHUB)

@infeo infeo force-pushed the feature/pin-ci-actions branch from 4af5bb8 to 367be9a Compare December 30, 2025 11:04
@infeo infeo merged commit 81f77cd into develop Dec 30, 2025
1 check passed
@infeo infeo deleted the feature/pin-ci-actions branch December 30, 2025 11:05