
chore(ci): pin third-party GitHub Actions to full commit SHAs#2309

Open
ruflin wants to merge 1 commit into
9.xfrom
chore/pin-actions-by-sha

Conversation

@ruflin

@ruflin ruflin commented Apr 30, 2026

Owner

Summary

Floating tags such as actions/checkout@v4 can be silently re-pointed
by the publisher (or by a compromised maintainer account, cf. the
March 2025 `tj-actions/changed-files` supply-chain incident).
Pin every third-party action used by this repository to a full commit
SHA, with a trailing comment recording the human-readable version so
Dependabot's GHA ecosystem (added in #2306) can keep them up to date
safely.

Pinned versions:

| Action | Version | SHA |
|---|---|---|
| actions/checkout | v4.3.1 | 34e114876b0b11c390a56381ad16ebd13914f8d5 |
| shivammathur/setup-php | 2.37.0 | accd6127cb78bee3e8082180cb391013d204ef9f |
| ramsey/composer-install | 3.2.1 | a8d0d959dab41457692a5e2041bd9b757a119e3f |
| codecov/codecov-action | v2.1.0 | f32b3a3741e1053eb607407145bc9619351dc93b |
| anthropics/claude-code-action | beta @ 2026-04-30 | 28f83620103c48a57093dcc2837eec89e036bb9f |

`codecov/codecov-action` is intentionally left at v2 in this PR so it
can be diffed in isolation. The major bump to v5 lands in #2307.

Identified during a P0/P1 code-review pass.

Test plan

  • CI matrix (PHP 8.1–8.5) runs successfully against the SHA-pinned
    actions.
  • `grep -rn 'uses:' .github/workflows/` shows no remaining
    tag-only references for third-party actions.

Summary by CodeRabbit

  • Chores
    • CI/CD workflows now use pinned GitHub Actions versions instead of floating tags for improved build consistency and security.
    • Enhanced infrastructure reliability and reproducibility across automated processes.

Floating tags such as `actions/checkout@v4` can be silently re-pointed
by the publisher (or by a compromised maintainer account, cf. the March
2025 `tj-actions/changed-files` supply-chain incident). Pin every
third-party action used by this repository to a full commit SHA, with a
trailing comment recording the human-readable version so Dependabot's
GHA ecosystem can keep them up to date safely.

Pinned versions:

- actions/checkout              v4.3.1   (34e114876b0b11c390a56381ad16ebd13914f8d5)
- shivammathur/setup-php        2.37.0   (accd6127cb78bee3e8082180cb391013d204ef9f)
- ramsey/composer-install       3.2.1    (a8d0d959dab41457692a5e2041bd9b757a119e3f)
- codecov/codecov-action        v2.1.0   (f32b3a3741e1053eb607407145bc9619351dc93b)
- anthropics/claude-code-action beta@2026-04-30 (28f83620103c48a57093dcc2837eec89e036bb9f)
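As an added example (not the project's own tooling and not part of this PR), the following POSIX shell lint does what the test plan's `grep -rn 'uses:'` check does by hand, and adds the follow-on check that every SHA pin carries the trailing `# <version>` comment Dependabot's github-actions ecosystem reads when it bumps a pin. The function names, the workflow directory layout and the sample workflow file it writes are all constructed for this example.

```sh
#!/bin/sh
# Added example for this page; not code from the project or the PR.
# Assumes a directory of workflow YAML files and only needs grep, sed and sort.

# List every third-party `uses:` reference under DIR that is not pinned to a
# full 40-hex commit SHA. Local actions (./path) live in the repository and
# docker:// images are pinned by digest separately, so both are skipped.
unpinned_uses() {
  dir="$1"
  grep -rhoE 'uses:[[:space:]]*[^[:space:]#]+' "$dir" 2>/dev/null \
    | sed -E 's/^uses:[[:space:]]*//' \
    | grep -vE '^\./' \
    | grep -vE '^docker://' \
    | grep -vE '@[0-9a-f]{40}$' \
    | sort -u
}

# List SHA-pinned references that lack the "# <version>" comment; without it
# Dependabot has no human-readable version to update alongside the SHA.
sha_pins_without_comment() {
  dir="$1"
  grep -rhE 'uses:[[:space:]]*[^[:space:]#]+@[0-9a-f]{40}([[:space:]]|$)' "$dir" 2>/dev/null \
    | grep -vE '@[0-9a-f]{40}[[:space:]]+#[[:space:]]*[^[:space:]]' \
    | sed -E 's/.*uses:[[:space:]]*([^[:space:]#]+).*/\1/' \
    | sort -u
}

# Print offenders and return non-zero if any were found, so the function can
# gate a CI job the same way the PR's manual grep check would.
lint_workflows() {
  dir="$1"
  bad=$(unpinned_uses "$dir")
  missing=$(sha_pins_without_comment "$dir")
  [ -n "$bad" ] && printf 'not SHA-pinned:\n%s\n' "$bad"
  [ -n "$missing" ] && printf 'SHA pin without version comment:\n%s\n' "$missing"
  [ -z "$bad" ] && [ -z "$missing" ]
}

# Constructed sample workflow (hypothetical content) so the lint can be run
# offline. It mixes a correct pin, a floating tag, a local action, a docker
# image and a SHA pin that is missing its version comment.
make_sample_workflows() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/ci.yml" <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - uses: codecov/codecov-action@v2
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f
EOF
}
```

Run it against the real tree with `lint_workflows .github/workflows`; on the constructed sample it reports `codecov/codecov-action@v2` as unpinned and the `setup-php` line as a pin without a version comment. The lint only proves the reference is a SHA, not that the SHA is the commit the tag points at; that cross-check is `git ls-remote --tags https://github.com/actions/checkout v4.3.1`, comparing the pinned value against the peeled `v4.3.1^{}` entry when the tag is annotated, because `uses:` must carry the commit ID rather than the tag object ID.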
Copilot AI review requested due to automatic review settings April 30, 2026 20:55
@coderabbitai

coderabbitai Bot commented Apr 30, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ccd9f3a0-b8f5-4a12-8431-34f9610ac115

📥 Commits

Reviewing files that changed from the base of the PR and between bbd7828 and 683c8cd.

📒 Files selected for processing (4)
  • .github/workflows/claude-code-review.yml
  • .github/workflows/claude.yml
  • .github/workflows/continuous-integration.yaml
  • CHANGELOG.md

📝 Walkthrough

Walkthrough

GitHub Actions across three CI/CD workflows are pinned to specific commit SHAs instead of floating version tags for reproducibility and security. The change is documented in CHANGELOG.md under an "Unreleased Security" entry.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Workflows - Action Pinning: `.github/workflows/claude-code-review.yml`, `.github/workflows/claude.yml`, `.github/workflows/continuous-integration.yaml` | Pinned GitHub Actions (actions/checkout, shivammathur/setup-php, ramsey/composer-install, codecov/codecov-action, anthropics/claude-code-action) from floating tags to immutable commit SHAs with inline version comments. |
| Documentation: `CHANGELOG.md` | Added Unreleased Security entry documenting the pinning of key CI Actions to commit SHAs for reproducibility and security. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 With SHAs pinned tight, no drifts in the night,
Our workflows stay steady, our CI stays right,
No tag-chasing games, just commits we can trace,
Security strengthened across every case!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: pinning third-party GitHub Actions to specific commit SHAs across multiple workflow files for security purposes. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |



Copilot AI left a comment


Pull request overview

Pins all third-party GitHub Actions used in this repository’s workflows to full commit SHAs (with version comments) to reduce supply-chain risk from mutable tags.

Changes:

  • Replace floating action tags (e.g., @v4, @v2, @beta) with full commit SHAs in CI and Claude workflows.
  • Add an Unreleased changelog entry documenting the security hardening change.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| CHANGELOG.md | Documents the SHA-pinning security improvement in the Unreleased section. |
| .github/workflows/continuous-integration.yaml | Pins checkout/setup-php/composer-install/codecov actions to specific SHAs. |
| .github/workflows/claude.yml | Pins checkout + anthropics/claude-code-action to specific SHAs. |
| .github/workflows/claude-code-review.yml | Pins checkout + anthropics/claude-code-action to specific SHAs. |


uses: codecov/codecov-action@v2
uses: codecov/codecov-action@f32b3a3741e1053eb607407145bc9619351dc93b # v2.1.0
with:
files: build/coverage/unit-coverage.xml,build/coverage/functional-coverage.xml
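Review bot: the `# v2.1.0` comment after the new SHA is what Dependabot's github-actions ecosystem reads to bump the hash and the label together, so keep that exact `# vX.Y.Z` form here and on the other pins; the `with:`/`files:` lines below are unchanged and still match the v2 input name, which is consistent with the description's choice to leave codecov on v2 until #2307. Before merging, confirm `f32b3a3741e1053eb607407145bc9619351dc93b` is the commit the tag resolves to with `git ls-remote --tags https://github.com/codecov/codecov-action v2.1.0`, comparing against the peeled `v2.1.0^{}` entry if the tag is annotated, since `uses:` must carry the commit ID and not the tag object ID.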