Pin GitHub Actions to commit SHAs in workflows (supply-chain hardening)

[frankbria]

Description

Raised by CodeRabbit and claude-review on PR #274: the uses: entries in .github/workflows/*.yml (e.g. actions/checkout@v3, actions/setup-node@v3, actions/upload-artifact, codecov/codecov-action) reference mutable version tags instead of full commit SHAs.

PR #274 added a least-privilege permissions: contents: read block to test.yml; SHA-pinning was deferred as out of scope for the E2E test work.

Tasks

• Pin every external action in .github/workflows/test.yml to a full commit SHA (with a tag comment, e.g. # v3)
• Apply the same to claude.yml and claude-code-review.yml
• Consider adding Dependabot/Renovate config to keep pinned SHAs updated

References

• PR test(e2e): full-loop E2E suite running ralph_loop.sh as a subprocess (#17) #274 review threads (CodeRabbit "Critical — outside diff range", claude-review follow-up)

[coderabbitai]

🔗 Related PRs

#135 - ci(workflow): add concurrency blocks to prevent duplicate runs [merged]
#137 - fix(setup): create .ralphrc with consistent tool permissions [merged]
#158 - fix: progress detection improvements (#141, #144) [merged]

---

📝 Issue Planner

_{Check the box below or use the @coderabbitai plan command to generate an implementation plan and prompts that you can use with your favorite coding assistant.}

• Create Plan

---

🧪 Issue enrichment is currently in open beta.

To disable automatic issue enrichment, add the following to your .coderabbit.yaml:

issue_enrichment:
  auto_enrich:
    enabled: false

💬 Have feedback or questions? Drop into our discord!