fix(maru): address PR 3126 workflow follow-ups

[gauravahuja]

#2540

Summary

Follow-up cleanup from #3126 for items 1, 3, 7, and 9:

• Pin Maru workflow third-party actions to immutable SHAs.
• Remove --rerun-tasks from maru-testing.yml and drop the flaky-debug comment.
• Remove the stale percentileBuckets comment from ConsensusMetrics.
• Pin Socket-reported and adjacent imported Maru workflow actions.

Validation

• git diff --check
• ./gradlew :maru:app:compileKotlin

---

Note

Low Risk
Low risk because changes are limited to CI workflow hygiene (pinning third-party actions) and minor test job behavior changes (removing --rerun-tasks), without impacting runtime or protocol logic.

Overview
CI hardening: Pins several third-party actions in Maru workflows to immutable SHAs (e.g., azure/setup-helm, lhotari/action-upterm, softprops/action-gh-release, codecov/test-results-action, and actions/upload-artifact) to satisfy supply-chain/security guidance.

Workflow behavior tweaks: Removes --rerun-tasks (and the related flaky-test debug comment) from maru-testing.yml, and does small YAML hygiene fixes (newline/whitespace).

Cleanup: Deletes a stale comment in ConsensusMetrics.kt about unsupported percentileBuckets in the histogram API.

^{Reviewed by Cursor Bugbot for commit e70b551. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

coordinator Changelog Preview (informational)

[Unreleased] diff (commits touching coordinator/** since latest releases/coordinator/v* tag)

[unreleased]

_{Generated by git-cliff-action using cliff.toml. This comment is informational and does not gate the PR.}

[github-actions]

linea-besu Changelog Preview (informational)

[Unreleased] diff (commits touching linea-besu/** since latest releases/linea-besu/v* tag)

[unreleased]

🐛 Bug Fixes

• (sequencer) Bypass background scheduler collision in buildNewBlockAndWait(Long) (fix(sequencer): bypass bg scheduler collision in buildNewBlockAndWait(Long) #3072)
• (tracer) No parallelism ([ZkTracer] fix(ref test): no parallelism #2957)

⚙️ Miscellaneous Tasks

• (linea-besu) Move besu project under nested directory (chore(linea-besu): move besu project under nested directory #3063)
• (linea-besu) Move linea-besu-package into linea-besu/package (chore(linea-besu): move linea-besu-package into linea-besu/package #3069)
• (linea-besu) Move besu-plugins into linea-besu/plugins (chore(linea-besu): move besu-plugins into linea-besu/plugins #3075)

_{Generated by git-cliff-action using cliff.toml. This comment is informational and does not gate the PR.}

[github-actions]

postman Changelog Preview (informational)

[Unreleased] diff (commits touching postman/** since latest releases/postman/v* tag)

[unreleased]

_{Generated by git-cliff-action using cliff.toml. This comment is informational and does not gate the PR.}

[github-actions]

tx-exclusion-api Changelog Preview (informational)

[Unreleased] diff (commits touching tx-exclusion-api/** since latest releases/tx-exclusion-api/v* tag)

[unreleased]

_{Generated by git-cliff-action using cliff.toml. This comment is informational and does not gate the PR.}

[github-actions]

prover Changelog Preview (informational)

[Unreleased] diff (commits touching prover/** since latest releases/prover/v* tag)

[unreleased]

_{Generated by git-cliff-action using cliff.toml. This comment is informational and does not gate the PR.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit e70b551. Configure here.}

[cursor]

Silent major version bump v4 to v7 for upload-artifact

Medium Severity

The "Store reports" step's actions/upload-artifact was silently upgraded from @v4 to @043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 — a major version bump from v4 to v7. The second upload-artifact instance (Jacoco data) was already on @v7, so its pin is correct. However, upgrading the first instance across three major versions while the PR describes only "pinning" actions risks introducing breaking behavioral changes (e.g., different upload merge strategies, changed default inputs) without the team's awareness.

 

^{Reviewed by Cursor Bugbot for commit e70b551. Configure here.}