
ci: pin GitHub Actions to full commit SHAs for supply-chain hardening #32

Merged: NotAProfDev merged 1 commit into main from ci/pin-actions-sha on Jun 22, 2026

Conversation

NotAProfDev (Owner) commented Jun 22, 2026

Closes #31

What

Pin every GitHub Actions step in ci.yml and codeql.yml to a full commit SHA, with a trailing # vX.Y.Z comment that Dependabot uses to keep the version fresh. A force-moved tag can no longer inject untrusted code into CI.

| Action | Pin |
| --- | --- |
| actions/checkout | @9c091bb # v7.0.0 (ci + codeql) |
| Swatinem/rust-cache | @c193711 # v2.9.1 |
| taiki-e/install-action | @9e1e580 # v2.82.2 |
| actions/upload-artifact | @043fb46 # v7.0.1 |
| github/codeql-action/{init,analyze} | @8aad20d # v4.36.2 |
| dtolnay/rust-toolchain | @67ef31d # master + toolchain: input |

dtolnay/rust-toolchain publishes no semver releases, so it's pinned to a master commit SHA and the Rust version is selected via the toolchain: input (1.96.0 for ci, 1.90 for the MSRV job — both quoted so YAML doesn't coerce 1.90 to the float 1.9). It's added to the Dependabot ignore list (no release stream to track) and the rust-toolchain.toml cross-reference now points at that input instead of the removed @<version> ref.

Verification

  • Every pinned SHA resolved against upstream via git ls-remote — including dereferencing annotated tags (v2.9.1^{}, v4.36.2^{}) to their commit SHAs.
  • Confirmed master's action.yml declares the toolchain (required) and components inputs the workflows pass.
  • just ci passes locally; pre-push hook re-ran the full gate green.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflows across CI, CodeQL, and Dependabot with pinned commit SHAs for third-party actions (checkout, rust-toolchain, rust-cache, install-action, upload-artifact, and codeql-action).
    • Revised configuration file comments to clarify toolchain input and workflow action references.
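As an added example (not code from this PR or the repository), a small Python checker for the two things the description relies on: that every `uses:` line carries a full 40-hex SHA plus a `# vX.Y.Z` comment Dependabot can track, and that the pinned SHA is the peeled commit (`refs/tags/X^{}`) of an annotated tag rather than the tag object, as the `git ls-remote` verification step does. The workflow fragment, the ls-remote output and every SHA below are constructed placeholders.

```python
import re

# Constructed placeholder SHAs; none of these are the real pins from the PR.
COMMIT_SHA = "0123456789abcdef0123456789abcdef01234567"   # commit behind an annotated tag
TAG_OBJ_SHA = "ffffffffffffffffffffffffffffffffffffffff"  # the annotated tag object itself
LIGHT_SHA = "abcdef0123456789abcdef0123456789abcdef01"    # commit behind a lightweight tag

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@([^\s#]+)\s*(?:#\s*(\S+))?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_uses(workflow_text):
    """Classify each `uses:` line; only a full SHA plus a version comment counts as pinned."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.groups()
        if not FULL_SHA_RE.match(ref):
            status = "mutable-ref"             # tag or branch: upstream can force-move it
        elif comment is None:
            status = "sha-no-version-comment"  # immutable, but Dependabot cannot track it
        else:
            status = "pinned"
        findings.append((action, ref, comment, status))
    return findings

def resolve_tag(ls_remote_output, tag):
    """Map a tag to a commit from `git ls-remote --tags` output (`<sha><TAB><ref>` lines).
    An annotated tag lists the tag object at refs/tags/X and the peeled commit at
    refs/tags/X^{}; a `uses:` pin must carry the peeled commit, so prefer that line."""
    refs = {}
    for line in ls_remote_output.splitlines():
        sha, _, ref = line.partition("\t")
        refs[ref] = sha
    return refs.get(f"refs/tags/{tag}^{{}}") or refs.get(f"refs/tags/{tag}")

def verify_pin(ls_remote_output, pinned_sha, version_comment):
    """True only if the SHA in the workflow is the commit the version tag resolves to."""
    return resolve_tag(ls_remote_output, version_comment) == pinned_sha

# Constructed sample inputs: a workflow fragment and ls-remote output for one action repo.
SAMPLE_WORKFLOW = f"""\
jobs:
  ci:
    steps:
      - uses: actions/checkout@{COMMIT_SHA} # v7.0.0
      - uses: Swatinem/rust-cache@v2
      - uses: taiki-e/install-action@{LIGHT_SHA}
"""
SAMPLE_LS_REMOTE = (
    f"{TAG_OBJ_SHA}\trefs/tags/v7.0.0\n"      # annotated tag object (wrong thing to pin)
    f"{COMMIT_SHA}\trefs/tags/v7.0.0^{{}}\n"  # peeled commit: the SHA the pin must match
    f"{LIGHT_SHA}\trefs/tags/v6.0.0\n"        # lightweight tag: points at the commit directly
)
```

Run `audit_uses` over each workflow and `verify_pin` against live `git ls-remote --tags` output to catch both a mutable tag left behind and a pin that matches the tag object instead of its commit.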

Pin every GitHub Actions step in ci.yml and codeql.yml to a full commit
SHA with a trailing `# vX.Y.Z` comment that Dependabot keeps fresh, so a
force-moved tag can no longer inject untrusted code into CI.

dtolnay/rust-toolchain has no semver releases, so pin it to a master
commit SHA and select the Rust version via the `toolchain:` input
(1.96.0 for ci, 1.90 for msrv); add a Dependabot ignore for it and
update the rust-toolchain.toml cross-reference to point at that input.

Closes #31

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@NotAProfDev NotAProfDev added the ci Continuous integration updates label Jun 22, 2026
coderabbitai (Bot) commented Jun 22, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 5836f53 and 0a35876.

📒 Files selected for processing (4)
  • .github/dependabot.yml
  • .github/workflows/ci.yml
  • .github/workflows/codeql.yml
  • rust-toolchain.toml

📝 Walkthrough

All third-party action references in .github/workflows/ci.yml and .github/workflows/codeql.yml are switched from mutable version tags to pinned commit SHAs with version comments. The Dependabot configuration comment for dtolnay/rust-toolchain and the cross-reference comment in rust-toolchain.toml are updated to reflect the new toolchain: input pattern.

Changes

Supply-chain hardening: SHA-pin all actions

| Layer / File(s) | Summary |
| --- | --- |
| Commit-SHA pinning in ci.yml and codeql.yml (.github/workflows/ci.yml, .github/workflows/codeql.yml) | In the ci and msrv jobs, actions/checkout, dtolnay/rust-toolchain, Swatinem/rust-cache, taiki-e/install-action, and actions/upload-artifact are pinned to commit SHAs. In codeql.yml, actions/checkout and both github/codeql-action steps (init, analyze) are pinned to the same v4.36.2 SHA. All existing inputs and step configurations are unchanged. |
| Dependabot comment and rust-toolchain.toml cross-reference (.github/dependabot.yml, rust-toolchain.toml) | The Dependabot ignore-block comment for dtolnay/rust-toolchain is updated to describe the SHA + toolchain: input pattern and explain that Dependabot should not advance the pin automatically. The rust-toolchain.toml comment is updated to reference the ci workflow's toolchain: input as the source of truth for the Rust version. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • NotAProfDev/oath#27: Modifies the dtolnay/rust-toolchain step in ci.yml and aligns the Rust version with rust-toolchain.toml, the same files and step this PR re-pins to a commit SHA.
  • NotAProfDev/oath#29: Updates github/codeql-action init/analyze steps in codeql.yml from v3 to v4, the same steps this PR further hardens by pinning to a full commit SHA.
🚥 Pre-merge checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The PR title follows the Conventional Commits format with the 'ci' type prefix and clearly describes the main change (pinning GitHub Actions to commit SHAs for supply-chain hardening). |
| Linked Issues check | ✅ Passed | The PR fully implements the objectives from issue #31: all actions in ci.yml and codeql.yml are pinned to commit SHAs with version comments, dtolnay/rust-toolchain uses SHA pinning with toolchain input, Dependabot rules are updated, rust-toolchain.toml is synchronized, and local tests pass. |
| Out of Scope Changes check | ✅ Passed | All changes directly support the supply-chain hardening objective: updates to dependabot.yml, ci.yml, codeql.yml, and rust-toolchain.toml are all in scope and necessary for implementing SHA pinning. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@NotAProfDev NotAProfDev merged commit a789c6e into main Jun 22, 2026
5 checks passed
@NotAProfDev NotAProfDev deleted the ci/pin-actions-sha branch June 22, 2026 18:11