ci: pin TypeScript workflow actions to immutable SHAs

[grtninja]

Summary

• pin the floating actions in .github/workflows/typescript.yml to immutable commit SHAs
• keep the patch scoped to the existing TypeScript workflow only
• preserve the current job matrix, publish flow, and permissions

Why

This workflow handles package publishing and uses NODE_AUTH_TOKEN, so pinning mutable action tags reduces GitHub Actions supply-chain risk without changing behavior.

Validation

• git diff --check
• python -c "import pathlib, yaml; p=pathlib.Path(r'.github/workflows/typescript.yml'); yaml.safe_load(p.read_text(encoding='utf-8')); print('yaml_ok', p)"

Notes

• no workflow logic changes
• no job/permission changes
• no overlap with the repo's current open workflow PRs on other files

[olaservo]

Clean supply-chain security hardening. Both SHAs verified against their respective v6 tags. No workflow logic changes.

---

This review was assisted by Claude Code.

[cliffhall]

@claude review

[claude]

Claude finished @cliffhall's task in 1m 11s —— View job

---

PR Review: ci: pin TypeScript workflow actions to immutable SHAs

• Gather context
• Read changed file and diff
• Check for unpinned actions in other workflow files
• Provide review feedback

---

Summary

This is a clean, focused supply-chain hardening change. All 7 action references in .github/workflows/typescript.yml are consistently pinned, with no logic changes.

What Changed

actions/checkout@v6 → actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 (4 occurrences — detect-packages, test, build, publish)

actions/setup-node@v6 → actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 (3 occurrences — test, build, publish)

Observations

Correct and complete within scope. All action uses in the file are pinned — none were missed. The # v6 inline comment is the standard convention and preserves human-readable version intent.

Most sensitive job is covered. The publish job, which uses NODE_AUTH_TOKEN and id-token: write, is protected by both pins. This is the primary motivation for the PR and it's addressed.

Other workflow files still use mutable tags. Scanning the repo's remaining workflows reveals unpinned actions in several files:

File	Unpinned Actions
python.yml	checkout@v6, setup-uv@v3, setup-python@v6, upload-artifact@v6, download-artifact@v7, pypa/gh-action-pypi-publish@release/v1
release.yml	checkout@v6, setup-uv@v5, setup-python@v6, setup-node@v6, upload-artifact@v6, download-artifact@v7, pypa/gh-action-pypi-publish@release/v1
readme-pr-check.yml	github-script@v8

release.yml is particularly worth a follow-up — it handles both npm and PyPI publishing and has the same risk profile as the TypeScript workflow addressed here. pypa/gh-action-pypi-publish is a third-party action that also warrants pinning.

Verdict

LGTM. The change is correct, consistent, and purposefully scoped to the TypeScript workflow as described. No issues found. The follow-up items above are out of scope for this PR but worth tracking.

---