
chore: pin external GitHub Actions to commit SHAs#9

Closed
joel-phantom wants to merge 1 commit into master from autopilot/sec-7928-patch-remaining-repos-with-unpinned-github-actions-from-sec

Conversation

@joel-phantom joel-phantom commented Apr 2, 2026

Summary

  • Pin all unpinned external GitHub Action uses: references to full 40-character commit SHAs
  • Original version tags/branches preserved as inline comments for maintainability
  • No other CI changes included

Motivation

Supply chain security hardening: pinning actions to immutable commit SHAs prevents silent changes from compromised or force-pushed tags.

Part of the org-wide audit tracked in SEC-6683 and SEC-7928.

Test plan

  • CI passes on this branch
  • Verify pinned SHAs match the expected versions

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow configurations across multiple CI/CD pipelines for improved build stability and consistency.

Pin all unpinned external GitHub Action `uses:` references to their
current full 40-character commit SHAs, with original ref in a comment.

This is part of the org-wide supply chain security hardening effort.

Refs: SEC-7928, SEC-6683

coderabbitai bot commented Apr 2, 2026

Walkthrough

Four GitHub Actions workflows were updated to replace floating semantic version tags with pinned commit SHAs for third-party actions. Affected actions include checkout, cache, setup-node, setup-java, upload-artifact, and slack-github-action across e2e-tests, generate-docs, js-tests, and unit-tests workflows.

Changes

  • Cohort: GitHub Actions Version Pinning
  • Files: .github/workflows/e2e-tests.yml, .github/workflows/generate-docs.yml, .github/workflows/js-tests.yml, .github/workflows/unit-tests.yml
  • Summary: Updated GitHub Actions step references from floating semantic version tags (@v4, @v3, @v2) to pinned commit SHAs across all workflows. Affected actions include actions/checkout, actions/cache, actions/setup-node, actions/setup-java, actions/upload-artifact, jlumbroso/free-disk-space, slackapi/slack-github-action, reactivecircus/android-emulator-runner, and peaceiris/actions-gh-pages. No changes to step logic, inputs, cache keys/paths, or run commands.
🚥 Pre-merge checks: 3 passed

  • Title check: ✅ Passed. The title 'chore: pin external GitHub Actions to commit SHAs' accurately and clearly summarizes the main change across all modified workflow files—pinning GitHub Actions to commit SHAs for supply chain security.
  • Description check: ✅ Passed. The description covers Summary, Motivation, and references a test plan, but the Testing section checkboxes from the template are not properly completed with selections.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

⚠️ Outside diff range comments (1)
.github/workflows/unit-tests.yml (1)

20-22: ⚠️ Potential issue | 🟠 Major

Migrate both ::set-output commands to $GITHUB_OUTPUT environment variable.

Lines 22 and 68 use the deprecated ::set-output workflow command, which GitHub Actions removed in favor of the $GITHUB_OUTPUT environment variable for improved security.

       - name: Get yarn cache directory path
         id: yarn-cache-dir-path
-        run: echo "::set-output name=dir::$(yarn cache dir)"
+        run: echo "dir=$(yarn cache dir)" >> "$GITHUB_OUTPUT"
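Review bot: the hunk fixes only the first of the two `::set-output` uses the comment itself names (lines 22 and 68 of unit-tests.yml); if it is applied as a committable suggestion, pair it with the line 68 change in the same commit, otherwise the workflow still carries one deprecated command. The quoted `>> "$GITHUB_OUTPUT"` and the unchanged `id: yarn-cache-dir-path` are right, so the step's `dir` output keeps its name for downstream steps.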

This same fix applies to line 68.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/unit-tests.yml around lines 20 - 22, Replace deprecated
"::set-output" usage with the new $GITHUB_OUTPUT file write pattern in the
workflow steps: update the step with id "yarn-cache-dir-path" (currently running
echo "::set-output name=dir::$(yarn cache dir)") to instead append "dir=$(yarn
cache dir)" to the $GITHUB_OUTPUT file, and apply the identical change to the
other workflow step that uses "::set-output" later in the file (the second
set-output command referenced in the review) so both outputs are written via
echo "name=value" >> $GITHUB_OUTPUT.
📥 Commits

Reviewing files that changed from the base of the PR and between 9b24cd8 and 22cc57b.

📒 Files selected for processing (4)
  • .github/workflows/e2e-tests.yml
  • .github/workflows/generate-docs.yml
  • .github/workflows/js-tests.yml
  • .github/workflows/unit-tests.yml

Comment on lines 53 to 55
      - name: Get yarn cache directory path
        id: yarn-cache-dir-path
        run: echo "::set-output name=dir::$(yarn cache dir)"

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify deprecated command usage is removed from this workflow
rg -n '::set-output' .github/workflows/e2e-tests.yml

Repository: phantom/stripe-react-native

Length of output: 199


Replace deprecated ::set-output with $GITHUB_OUTPUT on lines 55 and 210.

GitHub Actions deprecated the ::set-output syntax. Both yarn cache directory steps must use the environment variable approach instead.

Proposed fix
       - name: Get yarn cache directory path
         id: yarn-cache-dir-path
-        run: echo "::set-output name=dir::$(yarn cache dir)"
+        run: echo "dir=$(yarn cache dir)" >> "$GITHUB_OUTPUT"
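Review bot: same gap as in unit-tests.yml: the suggestion covers line 55, but the comment also flags line 210 of e2e-tests.yml, which sits outside this hunk, so applying the suggestion alone leaves a second deprecated command in the file. This change is also unrelated to SHA pinning, and the PR description states "No other CI changes included", so the migration belongs in a separate PR rather than folded into this one.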
🧰 Tools
🪛 actionlint (1.7.11)

[error] 55-55: workflow command "set-output" was deprecated. use echo "{name}={value}" >> $GITHUB_OUTPUT instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions

(deprecated-commands)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/e2e-tests.yml around lines 53 - 55, The workflow uses the
deprecated ::set-output syntax in the step named "Get yarn cache directory path"
(id: yarn-cache-dir-path) and its duplicate later; update both steps to write
the output into the GitHub Actions output file instead of using ::set-output by
appending a line in the form name=value to the $GITHUB_OUTPUT file (i.e.,
produce the yarn cache dir value and redirect it into $GITHUB_OUTPUT so the key
"dir" is set), removing the ::set-output invocation entirely and preserving the
step id/name so downstream steps continue to read the same output.

Comment on lines 15 to 17
      - name: Get yarn cache directory path
        id: yarn-cache-dir-path
        run: echo "::set-output name=dir::$(yarn cache dir)"

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify deprecated command usage is removed from this workflow
rg -n '::set-output' .github/workflows/generate-docs.yml

Repository: phantom/stripe-react-native

Length of output: 134


Replace deprecated ::set-output with $GITHUB_OUTPUT on line 17.

The ::set-output command is deprecated in GitHub Actions. Replace it with the environment variable approach:

Proposed fix
       - name: Get yarn cache directory path
         id: yarn-cache-dir-path
-        run: echo "::set-output name=dir::$(yarn cache dir)"
+        run: echo "dir=$(yarn cache dir)" >> "$GITHUB_OUTPUT"
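Review bot: the replacement correctly appends with `>>` rather than `>`; a single `>` would truncate the file named by `$GITHUB_OUTPUT` and drop any outputs already written to it, so keep the append form if this suggestion is reapplied by hand.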
🧰 Tools
🪛 actionlint (1.7.11)

[error] 17-17: workflow command "set-output" was deprecated. use echo "{name}={value}" >> $GITHUB_OUTPUT instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions

(deprecated-commands)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/generate-docs.yml around lines 15 - 17, Replace the
deprecated ::set-output usage in the step named "Get yarn cache directory path"
(id: yarn-cache-dir-path); instead of echoing the output via ::set-output,
append the key=value pair to the $GITHUB_OUTPUT environment file so the step
sets the output correctly (i.e., write the yarn cache directory as dir=<value>
into $GITHUB_OUTPUT). Ensure the run line references $(yarn cache dir) to
produce the value and uses the $GITHUB_OUTPUT file for setting the output.

Comment on lines 17 to 19
      - name: Get yarn cache directory path
        id: yarn-cache-dir-path
        run: echo "::set-output name=dir::$(yarn cache dir)"

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify deprecated command usage is removed from this workflow
rg -n '::set-output' .github/workflows/js-tests.yml

Repository: phantom/stripe-react-native

Length of output: 134


Replace deprecated ::set-output with $GITHUB_OUTPUT environment variable.

The workflow command ::set-output used on line 19 is deprecated in GitHub Actions and will stop working on future runner versions. Switch to the $GITHUB_OUTPUT environment variable instead.

Proposed fix
       - name: Get yarn cache directory path
         id: yarn-cache-dir-path
-        run: echo "::set-output name=dir::$(yarn cache dir)"
+        run: echo "dir=$(yarn cache dir)" >> "$GITHUB_OUTPUT"
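Review bot: this is the same one-line suggestion as for the other three workflows in this review; if the maintainers adopt it, change all the `yarn-cache-dir-path` steps in one follow-up commit so the actionlint deprecated-commands finding clears repo-wide instead of leaving the workflows inconsistent. The `>> "$GITHUB_OUTPUT"` form in the `+` line is correct.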
🧰 Tools
🪛 actionlint (1.7.11)

[error] 19-19: workflow command "set-output" was deprecated. use echo "{name}={value}" >> $GITHUB_OUTPUT instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions

(deprecated-commands)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/js-tests.yml around lines 17 - 19, The workflow step with
id "yarn-cache-dir-path" uses the deprecated ::set-output syntax; update the
step to write the output key "dir" to the $GITHUB_OUTPUT file instead of using
::set-output. Concretely, replace the run command that does echo "::set-output
name=dir::$(yarn cache dir)" with a command that echoes "dir=$(yarn cache dir)"
and appends it to $GITHUB_OUTPUT so the step output "dir" is set correctly for
downstream steps.
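A check covering both the SHA pinning described in the PR summary and the `::set-output` findings in the review comments above, as an added example that is neither the PR's own code nor CodeRabbit's: a bash audit of one workflow file that reports `uses:` references not pinned to a 40-hex commit SHA and any remaining `::set-output` / `::save-state` commands. The sample workflow it writes is constructed for the demo and its SHA is a placeholder, not a real commit.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): audit a workflow file for the two findings the
# review discusses: external `uses:` refs not pinned to a 40-hex commit SHA, and the
# deprecated ::set-output / ::save-state commands. Sample workflow is constructed.

# Prints "<file>:<line>: <kind>: <text>" per finding; exit status 1 if any found.
audit_workflow() {
  local file="$1" findings=0 n=0 line ref
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in
      *uses:*)
        ref=${line#*uses:}          # drop the "- uses:" prefix
        ref=${ref%%#*}              # drop the trailing "# vX.Y.Z" comment
        ref=$(printf '%s' "$ref" | tr -d '[:space:]"'"'")
        # Local actions and docker:// images have no tag to pin; skip them.
        case "$ref" in ./*|docker://*) continue ;; esac
        # Text after "@" (the whole ref if there is no "@") must be 40 hex chars.
        if ! printf '%s' "${ref#*@}" | grep -Eq '^[0-9a-f]{40}$'; then
          printf '%s:%d: unpinned-action: %s\n' "$file" "$n" "$ref"
          findings=$((findings + 1))
        fi ;;
      *::set-output*|*::save-state*)
        printf '%s:%d: deprecated-command: %s\n' "$file" "$n" \
          "$(printf '%s' "$line" | sed 's/^[[:space:]]*//')"
        findings=$((findings + 1)) ;;
    esac
  done < "$file"
  [ "$findings" -eq 0 ]
}

# Writes a constructed workflow to $1 (the 40-hex SHA is a placeholder, not real).
write_sample_workflow() {
  cat > "$1" <<'EOF'
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/local-step
      - name: Get yarn cache directory path
        id: yarn-cache-dir-path
        run: echo "::set-output name=dir::$(yarn cache dir)"
      - uses: slackapi/slack-github-action@v2
EOF
}

sample=$(mktemp) && write_sample_workflow "$sample"
audit_workflow "$sample" || echo "audit: findings reported above"; rm -f "$sample"
```

Run it against real files with `for f in .github/workflows/*.yml; do audit_workflow "$f"; done` to get the same report the PR's test plan asks for (pinned SHAs present, version kept in the trailing comment).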

@joel-phantom joel-phantom deleted the autopilot/sec-7928-patch-remaining-repos-with-unpinned-github-actions-from-sec branch April 2, 2026 19:09