Add setup-buildx-action to release workflow; bump action versions + pin

[lackstein]

Our release workflow stopped working, presumably because a newer version of goreleaser started adding the --attest=type=sbom flag to the docker build command which requires Docker Buildx.

Other actions in our workflows have also been updated and pinned.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: b22d3ecb-5508-4d6a-9018-9d2b68f56c08

📥 Commits

Reviewing files that changed from the base of the PR and between 654e86a and e8ad90f.

📒 Files selected for processing (1)

• .github/workflows/release.yaml

---

Walkthrough

The pull request updates GitHub Actions workflows to pin several actions to specific commit SHAs instead of tag-based versions. In the release workflow, actions including setup-go, docker/setup-qemu-action, docker/login-action, actions/checkout, and goreleaser-action are replaced with commit-pinned references and a docker/setup-buildx-action step is added between QEMU setup and registry login. In the test workflow, setup-go, checkout, and cache actions are similarly pinned to exact commits. Workflow structure and conditional logic remain unchanged; inline comments record prior tag versions.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the main changes: adding setup-buildx-action to the release workflow and pinning/bumping action versions.
Description check	✅ Passed	The description explains the problem (goreleaser requiring Docker Buildx due to --attest=type=sbom flag) and describes the solution (adding setup-buildx-action and pinning actions).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yaml:
- Around line 43-46: The workflow currently pins the action by commit but passes
"version: latest" to the goreleaser action, which makes releases
non-deterministic; update the "with: version" value used with
goreleaser/goreleaser-action (the entry that currently reads version: latest) to
a fixed release tag or a semver constraint (e.g., a specific tag like v2.12.0 or
a constraint such as "~> v2.12.0") so the GoReleaser binary is pinned and builds
are reproducible.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 38542e71-77e5-4e56-a231-cbdff7ec4826

📥 Commits

Reviewing files that changed from the base of the PR and between d2b2af6 and 654e86a.

📒 Files selected for processing (2)

• .github/workflows/release.yaml
• .github/workflows/test.yaml