
ci: pin softprops/action-gh-release to a commit SHA#9230

Open
eliottreich wants to merge 1 commit into
makeplane:previewfrom
eliottreich:fix/pin-action-gh-release-sha

Conversation

@eliottreich eliottreich commented Jun 12, 2026


Description

Pins softprops/action-gh-release from the mutable v2.6.1 tag to the exact commit that tag points to today (153bb8e04406...) in .github/workflows/build-branch.yml, keeping a # v2.6.1 comment so the version stays legible. A mutable tag can be re-pointed by the upstream maintainer; pinning to an immutable commit SHA is the GitHub-recommended hardening for third-party actions.

Type of Change

  • Improvement

Screenshots and Media (if applicable)

N/A. CI configuration change with no user-facing behavior.

Test Scenarios

Ref-only change: the pinned SHA is the exact commit v2.6.1 resolves to today, so the release step runs identically. No application code is touched.

References

A repository-specific security report with the other categories reviewed (public files only): https://www.task-bounty.com/fix-more?repo=makeplane/plane

Prepared by TaskBounty. Glad to adjust or close if this isn't useful.

Summary by CodeRabbit

Release Notes

No user-visible changes in this release. This update involves internal infrastructure maintenance with no impact on application functionality or user experience.

Replaces the mutable @v2.6.1 tag with the commit it points to (153bb8e04406b158c6c84fc1615b65b24149a1fe),
keeping a # v2.6.1 comment. Ref-only, no behavior change.
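As an added example (not code from this PR or from the plane project), a small audit of the practice the description recommends: it flags `uses:` references in a workflow that are not full commit SHAs, notes pinned refs that lack the `# vX.Y.Z` comment, and resolves a tag to its commit from `git ls-remote --tags` output, preferring the peeled `^{}` line that annotated tags produce. The workflow fragment and the ls-remote output are constructed samples; the tag-object id in them is a placeholder.

```python
import re

# Constructed workflow fragment (not the project's build-branch.yml): one step
# pinned the way the PR does it, two left on mutable refs (a tag and a branch).
SAMPLE_WORKFLOW = """\
jobs:
  publish_release:
    steps:
      - uses: actions/checkout@v4
      - name: Create Release
        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
      - uses: docker/login-action@master
"""

# Constructed `git ls-remote --tags` output: an annotated tag shows the tag
# object (placeholder id here) and the commit it peels to on a `^{}` line.
SAMPLE_LS_REMOTE = """\
1111111111111111111111111111111111111111\trefs/tags/v2.6.1
153bb8e04406b158c6c84fc1615b65b24149a1fe\trefs/tags/v2.6.1^{}
"""

USES_RE = re.compile(
    r"^[ \t]*-?[ \t]*uses:[ \t]*([^@\s]+)@(\S+)(?:[ \t]*#[ \t]*(\S+))?", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_uses(workflow_text):
    """Classify each `owner/repo@ref`: only a full 40-hex commit SHA counts as
    pinned (tags and branches can be re-pointed upstream); a pinned ref without
    the `# vX.Y.Z` comment is reported separately so the version stays legible."""
    findings = []
    for action, ref, comment in USES_RE.findall(workflow_text):
        if FULL_SHA_RE.match(ref):
            status = "pinned" if comment else "pinned-no-version-comment"
        else:
            status = "mutable-ref"
        findings.append((action, ref, status))
    return findings

def resolve_tag(ls_remote_output, tag):
    """Commit a tag resolves to, from `git ls-remote --tags` output. Prefer the
    peeled `^{}` line: for an annotated tag the plain line is the tag object."""
    commit = None
    for line in ls_remote_output.splitlines():
        sha, _, ref = line.partition("\t")
        if ref == f"refs/tags/{tag}^{{}}":
            return sha
        if ref == f"refs/tags/{tag}":
            commit = sha
    return commit
```

Comparing `resolve_tag(...)` against the ref recorded in the workflow is the check a reviewer would run before approving a pin like this one.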

CLAassistant commented Jun 12, 2026


CLA assistant check
All committers have signed the CLA.


coderabbitai Bot commented Jun 12, 2026



Walkthrough

The pull request pins the softprops/action-gh-release GitHub Action in the release workflow to a specific commit SHA instead of a semantic version tag, improving build reproducibility and supply-chain consistency.

Changes

CI Workflow Update

Layer: Release action commit pinning
File(s): .github/workflows/build-branch.yml
Summary: The softprops/action-gh-release action in the publish_release job's "Create Release" step is pinned from tag @v2.6.1 to commit SHA @153bb8e04406b158c6c84fc1615b65b24149a1fe.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A tiny pin, so neat and precise,
Commit SHA's now the release device,
No tag drift shall cloud our build,
Reproducible workflows, forever thrilled! 🎯

Pre-merge checks: 5 passed
  • Title check (Passed): The title 'ci: pin softprops/action-gh-release to a commit SHA' accurately and specifically describes the main change in the pull request.
  • Description check (Passed): The description includes all required template sections: a detailed description of the security rationale, type of change marked, and references to the security report. All key sections are complete and well-filled.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
.github/workflows/build-branch.yml (1)

394-394: Pin for softprops/action-gh-release matches v2.6.1

softprops/action-gh-release release v2.6.1 corresponds to commit 153bb8e04406b158c6c84fc1615b65b24149a1fe, matching the pinned SHA on line 394—so the SHA mismatch/behavior-change risk is addressed.

Optional: consider addressing zizmor’s superfluous-actions suggestion and/or applying pinning consistency to the other marketplace actions in this workflow.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-branch.yml at line 394, The workflow currently pins
softprops/action-gh-release to a specific commit SHA
(153bb8e04406b158c6c84fc1615b65b24149a1fe) which is correct; to follow that
pattern and address the reviewer suggestion, update other GitHub Marketplace
actions in the workflow to use explicit commit SHA pins (or consistently use
semver tags everywhere) and remove or consolidate any "superfluous" duplicate
action usages as suggested by zizmor; look for action usages (e.g.,
softprops/action-gh-release) and any other steps using marketplace actions and
replace tag-only references with their corresponding commit SHAs or make all
action references consistently pinned.


📥 Commits

Reviewing files that changed from the base of the PR and between fd16d03 and 165a71a.

📒 Files selected for processing (1)
  • .github/workflows/build-branch.yml
