
fix(ci): pin GitHub Actions to commit SHAs #2188

Open
jiridanek wants to merge 1 commit into main from fix/pin-gha-actions

Conversation

@jiridanek
Member

Description

Pin unpinned action tag references to full commit SHAs in two downstream-only workflow files, fixing the GitHub Actions SHA pinning CI check which fails on both main and rhoai-3.4.

These files (gemini-pr-review.yml, notebook-digest-updater.yaml) do not exist in opendatahub-io/notebooks, so this fix must go directly into rhds/notebooks.

Changes

| File | Action | Old | New |
| --- | --- | --- | --- |
| gemini-pr-review.yml:161 | google-github-actions/run-gemini-cli | @v0 | @f77273f4... (v0.1.22) |
| notebook-digest-updater.yaml:32,64,159,236 | actions/checkout | @v4 | @34e11487... (v4.3.1) |
| notebook-digest-updater.yaml:239 | repo-sync/pull-request | @v2 | @7e79a9f5... (v2.12.1) |

Generated with pinact run.

How Has This Been Tested?

  • pinact run --check passes locally
  • The CI output from previous runs already identifies these exact SHAs

Self checklist (all need to be checked):

  • Ensure that you have run make test (gmake on macOS) before asking for review
  • Changes to everything except Dockerfile.konflux files should be done in odh/notebooks and automatically synced to rhds/notebooks. For Konflux-specific changes, modify Dockerfile.konflux files directly in rhds/notebooks as these require special attention in the downstream repository and flow to the upcoming RHOAI release.

Merge criteria:

  • The commits are squashed in a cohesive manner and have meaningful messages.
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work

Made with Cursor

Pin unpinned action tag references to full commit SHAs, fixing the
GitHub Actions SHA pinning CI check which fails on both main and
rhoai-3.4.

- google-github-actions/run-gemini-cli@v0 -> @f77273f4...  (v0.1.22)
- actions/checkout@v4 -> @34e11487...  (v4.3.1)  [4 occurrences]
- repo-sync/pull-request@v2 -> @7e79a9f5...  (v2.12.1)

Generated with: pinact run

Co-authored-by: Cursor <cursoragent@cursor.com>
@openshift-ci

openshift-ci Bot commented May 3, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign jiridanek for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot requested review from ayush17 and ysok May 3, 2026 13:35
@coderabbitai

coderabbitai Bot commented May 3, 2026

📝 Walkthrough

Two GitHub Actions workflows are updated to pin their action dependencies to specific commit SHAs instead of using moving semantic version tags. This ensures reproducible CI runs by locking action versions against unintended updates.

Changes

GitHub Actions Version Pinning

| Layer / File(s) | Summary |
| --- | --- |
| Workflow Configuration: .github/workflows/gemini-pr-review.yml, .github/workflows/notebook-digest-updater.yaml | google-github-actions/run-gemini-cli@v0 is pinned to commit f77273f4c914e4bf38440cf36a0369cb64a37489 (v0.1.22). actions/checkout@v4 is pinned to commit 34e114876b0b11c390a56381ad16ebd13914f8d5 (v4.3.1) across four jobs. repo-sync/pull-request@v2 is pinned to commit 7e79a9f5dc3ad0ce53138f01df2fad14a04831c5 (v2.12.1). |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks: 6 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | Title uses imperative mood ('fix'), includes scope ('ci'), and clearly describes the main change (pinning GitHub Actions to commit SHAs). |
| Description check | ✅ Passed | Description includes all required template sections: detailed description of changes, testing methodology, and complete self-checklist with all items marked. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Branch Prefix Policy | ✅ Passed | PR title 'fix(ci): pin GitHub Actions to commit SHAs' targets main branch and correctly omits any branch prefix like [release-...] or [rhoai-...], complying with policy requirements. |

@github-actions

github-actions Bot commented May 3, 2026

There is a problem with the Gemini CLI PR review. Please check the action logs for details.

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
.github/workflows/notebook-digest-updater.yaml (1)

32-32: Consider aligning actions/checkout version with other workflows in this repository.

This file pins actions/checkout to 34e114876b0b11c390a56381ad16ebd13914f8d5 (v4.3.1) at lines 32, 64, 159, and 236, while notebooks-digest-updater.yaml and sec-scan.yml both use de0fac2e4500dabe0009e67214ff5f5447ce83dd (v6.0.2). Since the file is already being updated for SHA pinning, consolidating on the newer version would reduce inconsistency across workflows with minimal effort.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/notebook-digest-updater.yaml at line 32, Replace the
pinned actions/checkout SHA used in this workflow: find the occurrences of
"uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5" and update
them to the newer SHA "de0fac2e4500dabe0009e67214ff5f5447ce83dd" (v6.0.2) so the
workflow aligns with the other repository workflows; ensure you change every
instance in the file (all occurrences of the actions/checkout pin) to the new
SHA.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6f94b083-15cd-4954-9928-ab3934b1da85

📥 Commits

Reviewing files that changed from the base of the PR and between 24776c2 and 2655d5d.

📒 Files selected for processing (2)
  • .github/workflows/gemini-pr-review.yml
  • .github/workflows/notebook-digest-updater.yaml
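As an added example (not the repository's SHA pinning CI check and not pinact's code), the script below implements the two checks discussed on this page in Python: the detection behind the PR description's "SHA pinning CI check" (a `uses:` reference whose ref is a tag or branch rather than a full 40-hex commit SHA) and the cross-workflow consistency point raised in the review comment (the same action pinned to different SHAs in different files). The workflow snippets and file names are constructed for the example; the SHAs and version comments are the ones named in the PR and in the review comment.

```python
"""Check GitHub Actions workflow files for action references that are not
pinned to a full commit SHA, and for the same action pinned to different
SHAs across files. Added example: not the repository's CI check, not pinact."""
import re
from typing import Dict, List, Optional, Tuple

# A full 40-hex commit SHA is immutable; a tag (@v4) or branch name can be moved
# by whoever controls the action repository, so it is not a reproducible pin.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses: owner/repo@ref  # optional version comment` on a step line.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)['"]?(?:\s*#\s*(\S+))?""")

UsesRef = Tuple[int, str, str, Optional[str]]  # (line_no, action, ref, comment)


def parse_uses(workflow_text: str) -> List[UsesRef]:
    """Extract every remote `uses:` reference with its line number.

    Local actions (./path) and docker:// images carry no @ref to pin and are
    skipped. This is a line-oriented heuristic, not a YAML parser.
    """
    refs: List[UsesRef] = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        target, comment = match.group(1), match.group(2)
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, _, ref = target.partition("@")
        refs.append((line_no, action, ref, comment))
    return refs


def find_unpinned(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, action, ref) for references that are not a full commit SHA."""
    return [
        (line_no, action, ref)
        for line_no, action, ref, _comment in parse_uses(workflow_text)
        if not FULL_SHA_RE.match(ref)
    ]


def find_inconsistent_pins(files: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Map action -> {sha: ["file:line", ...]} for actions pinned to more than one SHA."""
    by_action: Dict[str, Dict[str, List[str]]] = {}
    for name, text in files.items():
        for line_no, action, ref, _comment in parse_uses(text):
            if FULL_SHA_RE.match(ref):
                by_action.setdefault(action, {}).setdefault(ref, []).append(f"{name}:{line_no}")
    return {action: pins for action, pins in by_action.items() if len(pins) > 1}


def check_workflows(files: Dict[str, str]) -> bool:
    """Print findings for all files; True only if every reference is SHA-pinned.

    Inconsistent pins are reported as warnings and do not fail the check.
    """
    ok = True
    for name, text in files.items():
        for line_no, action, ref in find_unpinned(text):
            print(f"{name}:{line_no}: {action}@{ref} is not pinned to a commit SHA")
            ok = False
    for action, pins in find_inconsistent_pins(files).items():
        where = "; ".join(f"{sha[:8]} at {', '.join(locs)}" for sha, locs in pins.items())
        print(f"warning: {action} is pinned to {len(pins)} different SHAs: {where}")
    return ok


# Constructed sample workflows (not the repository's files); the SHAs and
# version comments are those named in the PR and the review comment.
BEFORE_YAML = """\
jobs:
  digest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: ./.github/actions/local-helper
      - uses: repo-sync/pull-request@v2
"""

AFTER_YAML = """\
jobs:
  digest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          fetch-depth: 0
      - uses: ./.github/actions/local-helper
      - uses: repo-sync/pull-request@7e79a9f5dc3ad0ce53138f01df2fad14a04831c5 # v2.12.1
"""

SEC_SCAN_YAML = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
"""

if __name__ == "__main__":
    print("before pinning ok:", check_workflows({"notebook-digest-updater.yaml": BEFORE_YAML}))
    print("after pinning ok:", check_workflows({"notebook-digest-updater.yaml": AFTER_YAML,
                                                 "sec-scan.yml": SEC_SCAN_YAML}))
```

The trailing `# v4.3.1` comment is informational only: the runner resolves the SHA, not the comment, so a reviewer still has to confirm that the SHA is the commit the named tag points to. pinact does that resolution against the GitHub API; this example works offline on the file text alone and only checks the shape of the reference.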
