
chore: Pin third-party GitHub Actions to full commit SHAs#6

Merged
willporter-workos merged 1 commit into main from devin/1777478664-pin-github-actions on May 4, 2026

Conversation

@devin-ai-integration
Contributor

file:///home/ubuntu/pin-actions/cli-action_pr_body.md

Link to Devin session: https://app.devin.ai/sessions/add87be2227046f198fbac38a32e5358

@devin-ai-integration
Contributor Author

Original prompt from will.porter

'Pin all third-party Github Actions for Public SDKs' (SECENG-294)

User instruction: @devin can you look at the workos organization in github, and report back all of the public repositories that are not archived, and whether or not they use any github workflows?

@devin-ai-integration
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@coderabbitai

coderabbitai Bot commented Apr 29, 2026

Warning

Rate limit exceeded

@devin-ai-integration[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 16 minutes and 12 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 47cfb88c-cde8-48b9-bff7-4dfde574c411

📥 Commits

Reviewing files that changed from the base of the PR and between bfc3456 and 8d98d4f.

📒 Files selected for processing (1)
  • .github/workflows/main.yml

Review rate limit: 0/3 reviews remaining, refill in 16 minutes and 12 seconds.

Comment @coderabbitai help to get the list of available commands and usage tips.

@greptile-apps

greptile-apps Bot commented Apr 29, 2026

Greptile Summary

This PR pins actions/checkout from the mutable @v2 tag to the full commit SHA ee0669bd1cc54295c223e0bb666b733df41de1c5 in the CI workflow, which is a good supply-chain security practice. The SHA correctly corresponds to the v2 release, but since v2 uses the deprecated Node.js 16 runtime, upgrading to v4 at the same time would be worth considering.

Confidence Score: 4/5

Safe to merge; the SHA is correct and the change improves supply-chain security.

Only P2 findings — the pinned SHA is verified correct for v2, and the sole suggestion is to upgrade to v4 while doing the pinning.

No files require special attention.

Important Files Changed

Filename Overview
.github/workflows/main.yml Pins actions/checkout from the mutable v2 tag to a full commit SHA — change is correct, but the pinned version is outdated (v2 vs. current v4)

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Push to branch] --> B[CI Workflow triggered]
    B --> C["actions/checkout@ee0669bd\n(pinned SHA for v2)"]
    C --> D[Install WorkOS CLI\nuses: ./]
    D --> E[Test CLI\nworkos --version]
    E --> F{Matrix OS}
    F --> G[ubuntu-latest]
    F --> H[ubuntu-20.04]
    F --> I[macos-latest]
    F --> J[windows-latest]
    F --> K[windows-2019]

Reviews (1): Last reviewed commit: "Pin third-party GitHub Actions to full c..."

steps:
- name: Checkout
uses: actions/checkout@v2
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
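Review bot: the pin itself is correct, but it fixes the workflow on v2, which the Greptile summary on this page notes runs on the deprecated Node.js 16 runner; pinning to the v4 SHA in the same change would avoid a second edit later. Whatever version is chosen, keep the `# v2`-style version comment next to the SHA so automated updaters can still recognise which release is pinned, and verify the SHA before merging by resolving the tag upstream (for example `git ls-remote --tags https://github.com/actions/checkout v2`, taking the peeled `^{}` entry if the tag is annotated) and comparing it with the pinned commit, since the pin is only as trustworthy as that tag-to-commit check.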

P2 Consider upgrading to actions/checkout@v4

The pinned SHA ee0669bd1cc54295c223e0bb666b733df41de1c5 is confirmed correct for v2, but actions/checkout@v2 is significantly outdated — the current stable release is v4. Since this PR is already updating the reference for security pinning, it would be a good opportunity to also upgrade to the latest version to benefit from bug fixes and Node.js 20 support (v2 uses the deprecated Node.js 16 runner).

Suggested change
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
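Review bot: the v4 SHA in this suggestion is not verified anywhere in the thread (only the v2 SHA was checked), so confirm that it resolves to the current v4 tag upstream before applying it, and record the exact release in the comment (for example `# v4.x.y` rather than the floating `# v4`) so a later reviewer can reproduce the check against a fixed release.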

@devin-ai-integration
Contributor Author

Third-Party Action SHA Age Report

Action Pinned Version Full SHA Commit Date Age (days) Status
actions/checkout v2 ee0669bd1cc54295c223e0bb666b733df41de1c5 2023-03-24 1132 ✅ OK
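A local pre-merge check for the pinning rule this PR applies: it scans a workflow's `uses:` lines and flags mutable tag or branch references, and SHA pins that lack the version comment the age report above relies on. This is an added example, not code from the PR or the WorkOS repository; the sample workflow and the 40-hex placeholder SHA for the third step are constructed.

```python
import re
from typing import NamedTuple, Optional

# A `uses:` step reference, with an optional trailing `# vN` comment
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?\s*$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

class Finding(NamedTuple):
    line: int
    ref: str
    status: str  # ok | mutable | sha-without-version | local | docker

def classify(ref: str, comment: Optional[str]) -> str:
    if ref.startswith("./"):
        return "local"  # action in this repo; nothing external to pin
    if ref.startswith("docker://"):
        return "docker"  # pin by image digest instead; out of scope here
    if "@" not in ref:
        return "mutable"  # no ref at all resolves to the action's default branch
    _, version = ref.rsplit("@", 1)
    if FULL_SHA_RE.match(version):
        # Immutable, but without a version comment updaters cannot tell which release it is
        has_version = bool(comment) and re.match(r"v?\d", comment.strip()) is not None
        return "ok" if has_version else "sha-without-version"
    return "mutable"  # tag or branch: the action owner can move it to other code

def lint_workflow(text: str) -> list:
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            findings.append(Finding(n, m["ref"], classify(m["ref"], m["comment"])))
    return findings

def unpinned(text: str) -> list:
    return [f for f in lint_workflow(text) if f.status in ("mutable", "sha-without-version")]

# Constructed sample: the before/after of this PR's checkout step, the local
# action step, and a third step pinned to a placeholder SHA with no version comment
SAMPLE = """\
jobs:
  test:
    steps:
      - name: Checkout (before)
        uses: actions/checkout@v2
      - name: Checkout (after)
        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
      - name: Install WorkOS CLI
        uses: ./
      - uses: example/placeholder-action@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
"""

if __name__ == "__main__":
    for f in unpinned(SAMPLE):
        print(f"line {f.line}: {f.ref} -> {f.status}")
```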

@willporter-workos willporter-workos merged commit b0588c7 into main May 4, 2026
6 of 8 checks passed
@willporter-workos willporter-workos deleted the devin/1777478664-pin-github-actions branch May 4, 2026 16:59