
ci(sec): pin all publish.yml actions to full commit SHAs (node24) #4

Merged: wisdommen merged 1 commit into master from feature/sec-publish-sha-pin on May 29, 2026

Conversation

@wisdommen (Contributor) commented May 29, 2026

Changed all four Actions in publish.yml from floating tags to full commit SHA pins, the same approach as on the ci-workflows side; after the CVE-2025-30066 incident, where a floating tag was poisoned, everything should have gone full-SHA.

Four changes:

  • actions/checkout@v4 → @93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
  • actions/setup-java@v4 → @be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
  • SpraxDev/Action-SpigotMC@v5 → @6419bc4cdfb60d37bd3f541f6c8d5be60e6e0933 # v5.3.0
  • actions/setup-node@v4 → @a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0

All four SHAs have been checked against their corresponding tags, and every action.yml is `using: node24`. Only the four `uses:` lines were touched; the `with:` inputs (fetch-depth, java 21, versions 1.21.1 remapped, node 20) are all unchanged.

publish.yml is triggered by push-to-master + workflow_dispatch, so PRs don't run it; the only workflow that runs on this PR is maven-ci.yml (via ci-workflows@v1), which shows the repository still builds normally.

Summary by CodeRabbit

  • Chores
    • Updated build infrastructure to use pinned dependency versions for improved stability.

Review Change Stack

Pin the four Actions in publish.yml from floating major-version tags to full node24 commit SHAs:
actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd, actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654, SpraxDev/Action-SpigotMC@6419bc4cdfb60d37bd3f541f6c8d5be60e6e0933, actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444.
Aligns with the full-SHA pinning posture ci-workflows adopted after CVE-2025-30066. with inputs unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
@coderabbitai (Bot) commented May 29, 2026

📝 Walkthrough

The publish workflow pins four third-party GitHub Actions to specific commit SHAs instead of floating tag references. This hardens the workflow against unexpected upstream changes while maintaining identical input configuration for each action.

Changes

Workflow Actions Pinning

Layer: Pin third-party actions to commit SHAs
File(s): .github/workflows/publish.yml
Summary: actions/checkout, actions/setup-java, SpraxDev/Action-SpigotMC, and actions/setup-node are updated from tag-based v* references to specific commit SHAs, securing the workflow build, test, and publish pipeline.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

A rabbit hops through workflows with glee,
Pinning SHAs for security free,
No floating tags to cause surprise—
Each action locked, steady and wise! 🐰✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check (✅ Passed): Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check (✅ Passed): The title is partially related to the changeset - it correctly identifies the main change (pinning GitHub Actions to SHA) but is somewhat unclear due to mixed language and the mention of 'node24' which appears to be a secondary detail rather than the primary focus.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/publish.yml:
- Around line 22-24: The checkout step in publish.yml uses actions/checkout (the
job step with "uses: actions/checkout@93cb6efe18208431c...") but only sets
fetch-depth: 0; add the option persist-credentials: false to that checkout step
to prevent the GITHUB_TOKEN from being written to local git config and persisted
for later steps (modify the actions/checkout step to include
persist-credentials: false alongside fetch-depth: 0).

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2d5f2f43-c6a9-40ff-8509-14288f9f5aa6

📥 Commits

Reviewing files that changed from the base of the PR and between 63ffb9f and f0a7184.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml

Comment on lines +22 to 24
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
with:
fetch-depth: 0

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify checkout hardening across workflows (read-only)
rg -n --iglob '.github/workflows/*.yml' 'uses:\s*actions/checkout@' -A6 -B1

Repository: UltiKits/UltiBot

Length of output: 209


Harden actions/checkout by disabling credential persistence in publish.yml.

The checkout step only sets fetch-depth: 0; add persist-credentials: false to prevent the GitHub token from being persisted in local git config for later steps.

Suggested patch
       - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           fetch-depth: 0
+          persist-credentials: false
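Review bot: persist-credentials: false is the right default here, but the hunk shows only the checkout step; if any later step in this push-to-master / workflow_dispatch job pushes with git (a release tag or version bump), it will no longer find the GITHUB_TOKEN in the local git config and will need a token passed explicitly, so confirm that before applying. fetch-depth: 0 is unrelated to the credential fix and stays as-is.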
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 22-24: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

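A defender-side check for the two points in this thread, the floating-tag pinning in the PR description and the persist-credentials finding in the review above, as an added example that is not part of the repository or of CodeRabbit's or zizmor's tooling: a small Python linter that flags `uses:` references not pinned to a 40-hex commit SHA and actions/checkout steps lacking persist-credentials: false. The sample workflow is constructed for the example from the lines quoted in the PR and is not the repository's publish.yml.

```python
import re

# Constructed sample modelled on the publish.yml lines quoted in the PR (not the
# repository's real file): one floating tag left in, checkout without persist-credentials.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          fetch-depth: 0
      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
        with:
          java-version: 21
      - uses: actions/setup-node@v4
        with:
          node-version: 20
"""

# "uses: owner/repo[/path]@ref"; local (./) and docker:// actions carry no "@ref"
# and are skipped. The trailing "# vX.Y.Z" comment is not part of the ref.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)@([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full git commit SHA, lowercase hex


def _indent(line):
    return len(line) - len(line.lstrip())


def lint_workflow(text):
    """Return (line_no, message) findings for one workflow file's text."""
    findings = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = USES_RE.match(lines[i])
        if not m:
            i += 1
            continue
        action, ref, step_line, indent = m.group(1), m.group(2), i + 1, _indent(lines[i])
        if not SHA_RE.match(ref):
            findings.append((step_line, f"{action}@{ref}: not pinned to a 40-hex commit SHA"))
        # The step body is every following line indented deeper than the "- uses:" line.
        body = []
        i += 1
        while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > indent):
            body.append(lines[i].strip())
            i += 1
        if action == "actions/checkout" and "persist-credentials: false" not in body:
            findings.append((step_line, "actions/checkout without persist-credentials: false"))
    return findings


FINDINGS = lint_workflow(SAMPLE_WORKFLOW)
```

Run lint_workflow over each file under .github/workflows; the check verifies the reference form only, so the SHA-to-tag correspondence the PR author confirmed by hand still has to be checked separately.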

@wisdommen wisdommen merged commit 8b33f78 into master May 29, 2026
5 checks passed