CI hardening: pin GitHub Actions to SHAs and define explicit job permissions

[SuyashJain17]

Proposed change

Resolves #3166

This PR hardens the CI/CD workflow by aligning it with GitHub Actions security best practices.

Summary of changes

• Pin GitHub Actions to specific commit SHAs to reduce supply-chain risk
• Define explicit job-level permissions to enforce least-privilege access and improve clarity

Notes

• No functional or behavioral changes to the workflow
• Improves security, maintainability, and auditability
• Follows existing CI hardening patterns already used in the repository

Checklist

• Required: I read and followed the contributing guidelines
• Required: I ran make check-test locally and all tests passed
• I used AI for code, documentation, or tests in this PR

[coderabbitai]

Summary by CodeRabbit

• Bug Fixes
  • Fixed theme persistence to prevent invalid theme values from being applied, ensuring consistent theme behavior across sessions.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Walkthrough

This PR makes two targeted improvements: CI/CD hardening in .github/workflows/run-ci-cd.yaml by pinning the pre-commit cache action to a commit SHA, adding explicit permissions to the set-release-version job, and fixing a typo; and frontend bug fix in frontend/src/wrappers/provider.tsx that sanitizes invalid persisted theme data from localStorage.

Changes

Cohort / File(s)	Summary
CI workflow security hardening .github/workflows/run-ci-cd.yaml	Pinned actions/cache from v5 tag to specific commit hash; added explicit empty permissions: {} block to set-release-version job; corrected job name typo ("Denendencies" → "Dependencies").
Frontend theme persistence fix frontend/src/wrappers/provider.tsx	Added sanitization logic to remove theme values containing spaces from localStorage before initialization; added blank line after 'use client' directive for formatting.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• OWASP/Nest#3118: Modifies the same set-release-version job to define explicit per-job permissions, directly overlapping on permissions management.
• OWASP/Nest#1216: Updates multiple GitHub Action SHAs in the same CI workflow file for consistent action pinning practices.
• OWASP/Nest#1195: Pins GitHub Actions from version tags to specific commit hashes in the same workflow, including pre-commit/cache action.

Suggested labels

ci

Suggested reviewers

• arkid15r
• kasya

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Out of Scope Changes check	⚠️ Warning	Changes to frontend/src/wrappers/provider.tsx introducing NextThemes localStorage sanitization are out of scope and unrelated to the CI hardening objectives in issue #3166.	Remove unrelated frontend changes to provider.tsx; the PR should focus solely on CI/CD workflow hardening as specified in issue #3166.
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title 'CI hardening: pin GitHub Actions to SHAs and define explicit job permissions' directly and concisely summarizes the main changes in the changeset.
Description check	✅ Passed	The PR description is clearly related to the changeset, explaining the security improvements and linking to issue #3166 which motivates the changes.
Linked Issues check	✅ Passed	All coding requirements from issue #3166 are met: GitHub Actions are pinned to commit SHAs (actions/cache@v5 replaced), explicit job permissions added to set-release-version, and no behavioral changes introduced.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

frontend/src/wrappers/provider.tsx (1)

22-28: Consider guarding the cleanup to run only once.

The localStorage cleanup logic is correct and prevents NextThemes from applying an invalid theme class. However, it currently executes on every render of the Providers component. While the performance impact is minimal since this component typically mounts once, you could add a guard to ensure it runs only once:

🔎 Optional refactor to run cleanup once

+import React, { Suspense, useRef } from 'react'

 export function Providers({ children }: { children: React.ReactNode }) {
+  const hasCleanedTheme = useRef(false)
+  
   // Prevent next-themes from applying an invalid persisted theme class
-  if (typeof globalThis !== 'undefined' && 'localStorage' in globalThis) {
+  if (!hasCleanedTheme.current && typeof globalThis !== 'undefined' && 'localStorage' in globalThis) {
     const stored = globalThis.localStorage.getItem('theme')
     if (stored?.includes(' ')) {
       globalThis.localStorage.removeItem('theme')
     }
+    hasCleanedTheme.current = true
   }

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1d41170 and f04f7e0.

📒 Files selected for processing (2)

• .github/workflows/run-ci-cd.yaml
• frontend/src/wrappers/provider.tsx

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2025-12-21T19:03:59.068Z

Learnt from: ahmedxgouda
Repo: OWASP/Nest PR: 1139
File: .github/workflows/setup-backend-environment/action.yaml:16-27
Timestamp: 2025-12-21T19:03:59.068Z
Learning: Composite actions (runs: using: composite) execute as steps within the calling job's context and can access the job context, including job.services.* properties (e.g., job.services.<service_id>.id, job.services.<service_id>.ports). Service containers must be defined at the job level, but a composite action's steps can reference them via the job context.

Applied to files:

• .github/workflows/run-ci-cd.yaml

📚 Learning: 2025-07-13T11:29:25.245Z

Learnt from: Rajgupta36
Repo: OWASP/Nest PR: 1717
File: frontend/src/app/mentorship/programs/page.tsx:59-61
Timestamp: 2025-07-13T11:29:25.245Z
Learning: In Next.js 13+ app router, components with the 'use client' directive run entirely on the client side and don't require window object existence checks or SSR hydration considerations. Direct access to window.location and other browser APIs is safe in client components.

Applied to files:

• frontend/src/wrappers/provider.tsx

🧬 Code graph analysis (1)

frontend/src/wrappers/provider.tsx (1)

frontend/src/hooks/useDjangoSession.ts (1)

• useDjangoSession (10-83)

🔇 Additional comments (3)

.github/workflows/run-ci-cd.yaml (3)

131-131: LGTM! Typo fixed.

Good catch fixing "Denendencies" to "Dependencies" in the job name.

---

253-253: LGTM! Explicit permissions follow least-privilege principle.

Adding an empty permissions block to the set-release-version job is the correct approach. This job only executes shell commands and sets output variables, requiring no special GitHub token permissions. This change enhances security by making permissions explicit and preventing any unintended access.

---

46-46: SHA pinning is correct.

The pinned SHA 9255dc7a253b0ccc959486e2bca901246202afeb corresponds to actions/cache v5.0.1, a stable release. This follows security best practices and is consistent with other actions pinned in the workflow.

[SuyashJain17]

Closing this PR as it was unintentionally based on a feature branch, which pulled in unrelated commits.
Reopened with a clean branch based on main containing only the CI hardening change for #3166.