Merge pull request #1294 from peacock0803sz/pinact

peacock0803sz · web-flow · commit 4255e9ad6589 · 2025-11-24T20:33:27.000+09:00
feat(gha): Enforce commit-ish references in the GitHub Actions
diff --git a/.github/workflows/auto-merge-dependabot.yml b/.github/workflows/auto-merge-dependabot.yml
@@ -12,7 +12,7 @@ jobs:
     if: github.actor == 'dependabot[bot]'
     steps:
       - id: metadata
-        uses: dependabot/fetch-metadata@v2
+        uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # v2.4.0
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
 
diff --git a/.github/workflows/check-and-build.yml b/.github/workflows/check-and-build.yml
@@ -10,9 +10,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout your repository using git
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4.2.0
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
       - name: Install dependencies
         run: pnpm i --frozen-lockfile
       - name: Run ESLint
diff --git a/.github/workflows/check-article.yml b/.github/workflows/check-article.yml
@@ -16,11 +16,11 @@ jobs:
     permissions:
       issues: 'write'
     steps:
-      - uses: 'actions/checkout@v5'
+      - uses: 'actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd' # v5.0.1
         with:
           ref: 'main'
       - name: 'Report'
-        uses: 'actions/github-script@v8'
+        uses: 'actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd' # v8.0.0
         env:
           DATE: '${{ inputs.date }}'
         with:
diff --git a/.github/workflows/check-pinact.yml b/.github/workflows/check-pinact.yml
@@ -0,0 +1,21 @@
+on:
+  pull_request:
+    paths:
+      - ".github/**/*.yml"
+      - ".github/**/*.yaml"
+
+permissions:
+  pull-requests: write
+
+jobs:
+  pinact:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        with:
+          persist-credentials: false
+
+      - name: Check GitHub Actions with pinact
+        uses: suzuki-shunsuke/pinact-action@49cbd6acd0dbab6a6be2585d1dbdaa43b4410133 # v1.0.0
+        with:
+          skip_push: "true"
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -17,9 +17,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout your repository using git
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
       - name: Install, build, and upload your site
-        uses: withastro/action@v5
+        uses: withastro/action@9811f9299d5d37ca0416ca85cee333c7c9485cd1 # v5.0.1
         env:
           TZ: 'Asia/Tokyo'
 
@@ -32,4 +32,4 @@ jobs:
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
diff --git a/.github/workflows/retry-update-article.yml b/.github/workflows/retry-update-article.yml
@@ -13,7 +13,7 @@ jobs:
     permissions:
       actions: 'write'
     steps:
-      - uses: 'actions/github-script@v8'
+      - uses: 'actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd' # v8.0.0
         with:
           script: |
             github.rest.actions.reRunWorkflowFailedJobs({
diff --git a/.github/workflows/update-article.yml b/.github/workflows/update-article.yml
@@ -19,11 +19,11 @@ jobs:
     permissions:
       issues: 'write'
     steps:
-      - uses: 'actions/checkout@v5'
+      - uses: 'actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd' # v5.0.1
         with:
           ref: 'main'
           ssh-key: '${{ secrets.ARTICLE_DEPLOY_KEY }}'
-      - uses: 'denoland/setup-deno@v2'
+      - uses: 'denoland/setup-deno@e95548e56dfa95d4e1a28d6f422fafe75c4c26fb' # v2.0.3
         with:
           deno-version: 'v2.0.0'
       - name: 'Run script'
@@ -52,7 +52,7 @@ jobs:
           echo "COMMIT_HASH=$(git rev-parse HEAD)" >> "${GITHUB_OUTPUT}"
           git push
       - name: 'Report'
-        uses: 'actions/github-script@v8'
+        uses: 'actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd' # v8.0.0
         env:
           SCRIPT_RESULT: '${{ steps.script.outputs.RESULT }}'
           COMMIT_HASH: '${{ steps.push.outputs.COMMIT_HASH }}'
@@ -102,7 +102,7 @@ jobs:
     permissions:
       actions: 'write'
     steps:
-      - uses: 'actions/github-script@v8'
+      - uses: 'actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd' # v8.0.0
         with:
           script: |
             github.rest.actions.createWorkflowDispatch({
