chore: use branch for referencing called workflows instead of commit sha

[shark0der]

We still may push to workflows, this is more flexible up until we merge that PR.

Summary by CodeRabbit

• Chores
  • Updated internal CI/CD workflow configurations to use consistent versioning references across release preparation and publishing pipelines.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2b890ba6-6836-46fc-99a7-67e10de876b9

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This pull request updates GitHub Actions workflow files to reference reusable workflows using the chore/pnpm-setup branch ref instead of pinned commit SHAs. Changes span three workflow files: version preparation pipelines and release automation scripts.

Changes

Workflow reusable ref updates to chore/pnpm-setup

Layer / File(s)	Summary
Preparation workflow refs .github/workflows/prep-latest.yml, .github/workflows/prep-next.yml	Five jobs in prep-latest.yml (version-bump checking, master fast-forward, version bump, git tagging, dev rebase) and two jobs in prep-next.yml (version-bump checking, RC version determination) update uses: references from commit hashes to chore/pnpm-setup ref.
Release workflow ref .github/workflows/release.yml	The sdk-bump-prs job's open-pr.yml reusable workflow reference is updated from a specific commit SHA to the chore/pnpm-setup ref.

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• NexusMutual/sdk#514: Updates the same reusable-workflow pipeline files as part of trusted publishing/OIDC restructuring.
• NexusMutual/sdk#512: Modifies GitHub Actions workflow uses: references including release.yml's sdk-bump-prs job.
• NexusMutual/sdk#506: Directly overlaps with ref-switching of reusable workflow calls in release.yml and prep-* workflows to chore/pnpm-setup.

Suggested reviewers

• rackstar
• valentinludu

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and accurately describes the main change across all three modified workflow files: updating reusable workflow references from commit SHAs to a branch name.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/npm-oicd-use-branch-name

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch feat/npm-oicd-use-branch-name

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cloudflare-workers-and-pages]

Deploying sdk with    Cloudflare Pages

Latest commit:	7bc794a
Status:	✅  Deploy successful!
Preview URL:	https://8ed53988.sdk-9yp.pages.dev
Branch Preview URL:	https://feat-npm-oicd-use-branch-nam.sdk-9yp.pages.dev

View logs

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/prep-next.yml:
- Line 34: The workflow uses a mutable branch ref for the reusable workflow
(uses:
NexusMutual/workflows/.github/workflows/check-version-bump.yml@chore/pnpm-setup),
which must be pinned to an immutable commit SHA; update that `uses:` value to
reference the exact commit SHA of the NexusMutual/workflows repo (replace
`@chore/pnpm-setup` with `@<commit-sha>`) and make the same replacement for the
second occurrence in this file so both references are pinned to immutable SHAs.

In @.github/workflows/release.yml:
- Line 100: The workflow currently references the downstream template by branch:
the line using
"NexusMutual/workflows/.github/workflows/open-pr.yml@chore/pnpm-setup" should be
pinned to a specific commit SHA instead of a branch name; update that reference
to use the exact commit SHA of the intended open-pr.yml commit and (optionally)
add a comment indicating the corresponding release tag or version for
maintainability so future readers know which tag the SHA belongs to.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ca980c2e-ce8f-4907-8396-30054f982815

📥 Commits

Reviewing files that changed from the base of the PR and between 4d653d2 and 344f294.

📒 Files selected for processing (3)

• .github/workflows/prep-latest.yml
• .github/workflows/prep-next.yml
• .github/workflows/release.yml