chore: Pin third-party GitHub Actions to full commit SHAs

[devin-ai-integration]

file:///home/ubuntu/pin-actions/authkit-react-router_pr_body.md

Link to Devin session: https://app.devin.ai/sessions/add87be2227046f198fbac38a32e5358

---

[devin-ai-integration]

Original prompt from will.porter

'Pin all third-party Github Actions for Public SDKs' (SECENG-294)

User instruction: @devin can you look at the workos organization in github, and report back all of the public repositories that are not archived, and whether or not if they use any github workflows?

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[greptile-apps]

Greptile Summary

This PR replaces mutable version tags (@v6) with full commit SHA pins for actions/checkout and actions/setup-node across both workflow files, following supply-chain security best practices. Both SHAs are verified: de0fac2e → checkout@v6.0.2 and 48b55a01 → setup-node@v6.4.0.

Confidence Score: 5/5

Safe to merge — SHA pins are correct and verified against upstream releases.

Only change is pinning GitHub Actions to verified commit SHAs. Both SHAs resolve to the expected versions. The sole finding is a P2 style nit about the version comment being # v6 instead of # v6.4.0.

No files require special attention.

Important Files Changed

Filename	Overview
.github/workflows/ci.yml	All action references pinned to full commit SHAs; checkout SHA verified as v6.0.2, setup-node SHA verified as v6.4.0. Version comment for setup-node is abbreviated to # v6 instead of the specific # v6.4.0.
.github/workflows/release.yml	Same SHA pinning applied consistently; same imprecise # v6 comment pattern for setup-node as in ci.yml, but otherwise correct and safe.

_{Reviews (1): Last reviewed commit: "Pin third-party GitHub Actions to full c..." | Re-trigger Greptile}

[greptile-apps]

Imprecise version comment for pinned SHA

The SHA 48b55a0... resolves to actions/setup-node@v6.4.0, but the comment only says # v6. Using the full version tag in the comment (e.g., # v6.4.0) makes it much easier to audit which exact release is pinned and to know when a newer patch/minor is available. The same applies to every other setup-node reference in this file and in release.yml.

Suggested change

	uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
	uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0

[devin-ai-integration]

Third-Party Action SHA Age Report

Action	Pinned Version	Full SHA	Commit Date	Age (days)	Status
actions/checkout	v6	de0fac2e4500dabe0009e67214ff5f5447ce83dd	2026-01-09	109	✅ OK
actions/setup-node	v6	48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e	2026-04-20	9	✅ OK

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.