Context (PR #33 declined nit): repo-wide convention is floating major tags (`@v6`/`@v5`/`@v8`/`@v7`). Following GitHub's published guidance, pin third-party actions to immutable commit SHAs.
Scope:
- `golangci/golangci-lint-action`
- `goreleaser/goreleaser-action`
- `astral-sh/setup-uv`
- (Lower priority but consistent) `actions/checkout`, `actions/setup-go`, `actions/setup-node`, `actions/upload-artifact`, `actions/download-artifact`
Single PR, one pass, plus a Dependabot config to auto-bump SHAs.
Context (PR #33 declined nit): repo-wide convention is floating major tags (`@v6`/`@v5`/`@v8`/`@v7`). Following GitHub's published guidance, pin third-party actions to immutable commit SHAs.
Scope:
Single PR, one pass, plus a Dependabot config to auto-bump SHAs.