fix: harden GitHub Actions workflows (zizmor audit) #137

Merged
aniketmaurya merged 1 commit into main from fix/harden-github-workflows
Apr 10, 2026

aniketmaurya (Collaborator) commented Apr 10, 2026

Summary

  • Pin all actions to commit SHAs instead of mutable tag refs (@v4 → full SHA with version comment)
  • Add persist-credentials: false to all actions/checkout steps to prevent credential leakage via artifacts
  • Set permissions: contents: read on pytest.yml (was using overly broad defaults)
  • Fix template injection in publish-dashboard-ui.yml — moved ${{ github.ref_name }} from inline run: to env vars
  • Pin pypa/gh-action-pypi-publish to commit hash (was unpinned release/v1 branch ref)
  • Replace softprops/action-gh-release with built-in gh release upload CLI (fewer third-party dependencies)

All findings from zizmor resolved. Two remaining low-confidence cache-poisoning warnings are suppressed inline (tag-only triggers limit exposure).

Test plan

  • Verify pytest workflow runs on PR
  • Verify publish workflows still work on next tag push

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflows with enhanced security and reproducibility configurations across build, test, and publishing pipelines.

Note: This release contains no user-facing changes; updates are internal infrastructure improvements.

Pin all actions to commit SHAs, add persist-credentials: false,
set least-privilege permissions, fix template injection in
publish-dashboard-ui, and replace softprops/action-gh-release
with the built-in gh CLI.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
coderabbitai bot commented Apr 10, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e31c7b7e-4cc7-4d04-a443-97b69505d6af

📥 Commits

Reviewing files that changed from the base of the PR and between 30108f6 and b545036.

📒 Files selected for processing (3)
  • .github/workflows/publish-dashboard-ui.yml
  • .github/workflows/publish.yml
  • .github/workflows/pytest.yml

📝 Walkthrough

Listen. Three workflow files hardened for security and determinism. Actions pinned to specific commit SHAs, credentials locked down, and release uploads shifted from an action to CLI-based implementation. Tactical adjustments, nothing more.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Actions Security Hardening: .github/workflows/publish-dashboard-ui.yml, .github/workflows/publish.yml, .github/workflows/pytest.yml | Pinned actions/checkout, actions/setup-node, astral-sh/setup-uv, actions/setup-python, and pypa/gh-action-pypi-publish to specific commit SHAs. Added persist-credentials: false to checkout steps and workflow-level permissions: contents: read to pytest workflow for credential isolation. |
| Release Upload Implementation Change: .github/workflows/publish-dashboard-ui.yml | Replaced softprops/action-gh-release@v2 with shell invocation of gh release upload CLI command, passing environment variables (GH_TOKEN, REF_NAME) instead of action inputs. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

Actions pinned like targets in the night,
Credentials locked down, security tight,
From actions to CLI, we shift the weight,
Determinism and trust—the Shelby way to operate. 🔒


@aniketmaurya aniketmaurya merged commit 24264bf into main Apr 10, 2026
7 of 8 checks passed
@aniketmaurya aniketmaurya deleted the fix/harden-github-workflows branch April 10, 2026 00:27
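
The findings listed in the PR summary (mutable action refs, `${{ }}` expanded inside `run:`, missing `persist-credentials: false`, no workflow-level `permissions:`) can be checked mechanically. The following Python audit is an added example, not code from this PR or from zizmor; the sample workflow, the placeholder SHA and the rule names are constructed for illustration, and the matching is line-based rather than a full YAML parse.

```python
import re

# Constructed sample workflow (not from the PR); the 40-hex ref is a placeholder.
SAMPLE = """\
name: publish
on:
  push:
    tags: ["v*"]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
      - run: gh release upload "${{ github.ref_name }}" dist/*
      - run: |
          gh release upload "$REF_NAME" dist/*
        env:
          REF_NAME: ${{ github.ref_name }}
"""

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
RUN = re.compile(r"^(\s*)(-\s*)?run:\s*(.*)$")
PINNED = re.compile(r"@[0-9a-f]{40}$")

def audit(text):
    """Return (line, rule, detail) findings; line 0 means file-level."""
    findings, run_col = [], None
    for no, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if run_col is not None and line.strip() and indent <= run_col:
            run_col = None  # dedent to the key column ends the run: script
        m = USES.match(line)
        if m and not m.group(1).startswith(("./", "docker://")) \
                and not PINNED.search(m.group(1)):
            findings.append((no, "unpinned-action", m.group(1)))
        r = RUN.match(line)
        if r:
            run_col = len(r.group(1)) + len(r.group(2) or "")
            body = r.group(3)
        else:
            body = line if run_col is not None else ""
        if "${{" in body:  # coarse: flags any expression expanded into shell text
            findings.append((no, "expression-in-run", body.strip()))
    if "actions/checkout@" in text and "persist-credentials: false" not in text:
        findings.append((0, "checkout-persists-credentials", ""))
    if not re.search(r"^permissions:", text, re.M):
        findings.append((0, "no-workflow-permissions", ""))
    return findings
```

The `env:` mapping on the last step is not flagged: the expression is evaluated into an environment variable and the shell only sees `"$REF_NAME"`, which is the pattern the PR moved to.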