fix(ci): replace fake action SHA pins with version-faithful real SHAs (#17)

hyperpolymath · web-flow · commit bfc02256271d · 2026-05-30T23:18:29.000+01:00
These pins were partial-prefix-corruption fakes — fabricated SHAs that share a prefix with a real version's SHA but have fabricated suffixes, slipping past visual review. Verified fake via `gh api commits/<sha> -> 422`. The fix preserves the version the author originally intended (read from the `# vX.Y.Z` comment alongside each pin), rather than blindly bumping to latest. This is important for actions where check-name reporting can differ between major versions (e.g. CodeQL) — keeping the same major preserves any branch-protection contexts that reference check names. Substitutions applied (those present in this repo only — see diff): goto-bus-stop/setup-zig v2.2.1 abea47f85e... erlef/setup-beam v1.24.0 fc68ffb904... erlef/setup-beam v1.18.2 5304e04ea2... erlef/setup-beam v1.19.0 8aa8a857c6... denoland/setup-deno v2.0.4 667a34cdef... denoland/setup-deno v2.0.2 909cc5acb0... denoland/setup-deno v1.1.4 041b854f97... haskell-actions/setup v2.11.0 cd0d9bdd65... actions/upload-artifact v4.6.2 ea165f8d65b6e75b... actions/setup-node v4.4.0 49933ea5288caeca8642d1e84afbd3f7d6820020 actions/setup-node v4.2.0 1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a trufflesecurity/trufflehog v3.95.3 37b77001d0... trufflesecurity/trufflehog v3.82.13 1aa1871f9a... trufflesecurity/trufflehog v3.63.6 f699f60e89... github/codeql-action/* v3.36.0 03e4368ac7... github/codeql-action/* v3.31.10 4bdb89f480... github/codeql-action/* v3.28.0 48ab28a6f5... github/codeql-action/* v4.36.0 7211b7c807... Swatinem/rust-cache v2.7.8 9d47c6ad4b... gitleaks/gitleaks-action v2.3.7 83373cf2f8... Verified real via `gh api repos/<org>/<action>/commits/<sha>`. Provenance: [[project_estate_fake_action_sha_punch_list_2026_05_30]]; caught during the estate audit triggered by hyperpolymath/snifs#30.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -34,7 +34,7 @@ jobs:
           #   mix release
 
       # TODO: Upload build artifacts if needed
-      # - uses: actions/upload-artifact@ea165f8d65b6db9a8b71b5c2d1a090c0daf9c8bb # v4
+      # - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       #   with:
       #     name: release-artifacts
       #     path: target/release/
