chore: pin package versions to git SHAs in GitHub Actions

This commit pins the GitHub Actions package versions to their specific git SHAs rather than using version tags, following security best practices. It also standardizes the runners to ubuntu-24.04-arm.

Author: Rel1cx

.github/workflows/check-provenance.yml

@@ -13,9 +13,9 @@ permissions:
   contents: read
 jobs:
   check-provenance:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04-arm
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
       - name: Check provenance downgrades

.github/workflows/check.yml

@@ -13,13 +13,14 @@ jobs:
   check:
     runs-on: ubuntu-24.04-arm
     steps:
-      - uses: actions/checkout@v5
       - name: Setup node@24
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           node-version: 24
-      - name: Enable Corepack
-        run: corepack enable
+      - name: Install pnpm
+        run: npm install -g pnpm
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Install front-end dependencies
         run: pnpm install
       - name: Build front-end assets

.github/workflows/publish.yml

@@ -21,14 +21,15 @@ jobs:
       contents: read
       id-token: write
     steps:
-      - uses: actions/checkout@v5
       - name: Setup node@24
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           node-version: 24
           registry-url: "https://registry.npmjs.org"
-      - name: Enable Corepack
-        run: corepack enable
+      - name: Install pnpm
+        run: npm install -g pnpm
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Install dependencies
         run: pnpm install
       - name: Build front-end assets

.github/workflows/test.yml

@@ -14,24 +14,23 @@ jobs:
   test:
     runs-on: ubuntu-24.04-arm
     steps:
-      - uses: actions/checkout@v5
       - name: Setup node@24
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           node-version: 24
-      - name: Enable Corepack
-        run: corepack enable
+      - name: Install pnpm
+        run: npm install -g pnpm
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Install front-end dependencies
         run: pnpm install
       - name: Build front-end assets
         run: pnpm run build
       - name: Test on node@24
         run: pnpm run test
       - name: Setup node@20
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           node-version: 20
-      - name: Enable Corepack
-        run: corepack enable
       - name: Test on node@20
         run: pnpm run test

.pkgs/configs/package.json

@@ -19,18 +19,18 @@
     "lint:ts": "tsc --noEmit"
   },
   "dependencies": {
-    "@eslint/js": "^9.35.0",
-    "@stylistic/eslint-plugin": "^5.3.1",
+    "@eslint/js": "^9.36.0",
+    "@stylistic/eslint-plugin": "^5.4.0",
     "eslint-plugin-de-morgan": "^1.3.1",
-    "eslint-plugin-function": "^0.0.29",
-    "eslint-plugin-jsdoc": "^59.0.2",
+    "eslint-plugin-function": "^0.0.30",
+    "eslint-plugin-jsdoc": "^60.0.0",
     "eslint-plugin-perfectionist": "^4.15.0",
     "eslint-plugin-regexp": "^2.10.0",
     "eslint-plugin-unicorn": "^61.0.2",
     "typescript-eslint": "^8.44.0"
   },
   "peerDependencies": {
-    "eslint": "^9.35.0",
+    "eslint": "^9.36.0",
     "typescript": "^4.9.5 || ^5.4.5"
   }
 }

.pkgs/eslint-plugin-local/package.json

@@ -26,14 +26,14 @@
     "@eslint-react/kit": "workspace:*",
     "@eslint-react/shared": "workspace:*",
     "@eslint-react/var": "workspace:*",
-    "@eslint/js": "^9.35.0",
-    "@stylistic/eslint-plugin": "^5.3.1",
+    "@eslint/js": "^9.36.0",
+    "@stylistic/eslint-plugin": "^5.4.0",
     "@typescript-eslint/scope-manager": "^8.44.0",
     "@typescript-eslint/type-utils": "^8.44.0",
     "@typescript-eslint/types": "^8.44.0",
     "@typescript-eslint/utils": "^8.44.0",
     "eslint-plugin-de-morgan": "^1.3.1",
-    "eslint-plugin-jsdoc": "^59.0.2",
+    "eslint-plugin-jsdoc": "^60.0.0",
     "eslint-plugin-perfectionist": "^4.15.0",
     "eslint-plugin-regexp": "^2.10.0",
     "eslint-plugin-unicorn": "^61.0.2",
@@ -44,10 +44,10 @@
     "@local/configs": "workspace:*",
     "@types/react": "^19.1.13",
     "@types/react-dom": "^19.1.9",
-    "tsdown": "^0.15.2"
+    "tsdown": "^0.15.3"
   },
   "peerDependencies": {
-    "eslint": "^9.35.0",
+    "eslint": "^9.36.0",
     "typescript": "^4.9.5 || ^5.4.5"
   },
   "engines": {

apps/website/package.json

@@ -17,19 +17,19 @@
     "bsky-react-post": "^0.1.7",
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
-    "effect": "^3.17.13",
-    "fumadocs-core": "15.7.12",
+    "effect": "^3.17.14",
+    "fumadocs-core": "15.7.13",
     "fumadocs-docgen": "3.0.0",
-    "fumadocs-mdx": "11.10.0",
+    "fumadocs-mdx": "12.0.0",
     "fumadocs-twoslash": "3.1.7",
     "fumadocs-typescript": "4.0.8",
-    "fumadocs-ui": "15.7.12",
+    "fumadocs-ui": "15.7.13",
     "lucide-react": "^0.544.0",
     "next": "^15.5.3",
     "next-view-transitions": "^0.3.4",
     "react": "^19.1.1",
     "react-dom": "^19.1.1",
-    "shiki": "^3.12.2",
+    "shiki": "^3.13.0",
     "tailwind-merge": "^3.3.1",
     "twoslash": "^0.3.4"
   },
@@ -38,7 +38,7 @@
     "@eslint-react/eslint-plugin": "workspace:*",
     "@eslint-react/kit": "workspace:*",
     "@eslint-react/shared": "workspace:*",
-    "@eslint/js": "^9.35.0",
+    "@eslint/js": "^9.36.0",
     "@eslint/markdown": "^7.2.0",
     "@local/configs": "workspace:*",
     "@mdx-js/mdx": "^3.1.1",
@@ -54,7 +54,7 @@
     "@types/react-dom": "^19.1.9",
     "autoprefixer": "^10.4.21",
     "dedent": "^1.7.0",
-    "eslint": "^9.35.0",
+    "eslint": "^9.36.0",
     "eslint-plugin-de-morgan": "^1.3.1",
     "eslint-plugin-fast-import": "^1.4.3",
     "eslint-plugin-perfectionist": "^4.15.0",

examples/next/package.json

@@ -16,16 +16,16 @@
   },
   "devDependencies": {
     "@eslint-react/eslint-plugin": "workspace:*",
-    "@eslint/config-inspector": "^1.2.0",
-    "@eslint/js": "^9.35.0",
+    "@eslint/config-inspector": "^1.3.0",
+    "@eslint/js": "^9.36.0",
     "@next/eslint-plugin-next": "^15.5.3",
     "@tsconfig/next": "^2.0.3",
     "@tsconfig/node22": "^22.0.2",
     "@tsconfig/strictest": "^2.0.5",
     "@types/node": "^24.5.2",
     "@types/react": "^19.1.13",
     "@types/react-dom": "^19.1.9",
-    "eslint": "^9.35.0",
+    "eslint": "^9.36.0",
     "eslint-config-flat-gitignore": "^2.1.0",
     "eslint-plugin-react-hooks": "^5.2.0",
     "eslint-plugin-react-refresh": "^0.4.20",

examples/react-dom-js/package.json

@@ -16,12 +16,12 @@
   },
   "devDependencies": {
     "@eslint-react/eslint-plugin": "workspace:*",
-    "@eslint/config-inspector": "^1.2.0",
-    "@eslint/js": "^9.35.0",
+    "@eslint/config-inspector": "^1.3.0",
+    "@eslint/js": "^9.36.0",
     "@types/react": "^19.1.13",
     "@types/react-dom": "^19.1.9",
     "@vitejs/plugin-react": "^5.0.3",
-    "eslint": "^9.35.0",
+    "eslint": "^9.36.0",
     "eslint-plugin-react-hooks": "^5.2.0",
     "eslint-plugin-react-refresh": "^0.4.20",
     "globals": "^16.4.0",

examples/react-dom/package.json

@@ -16,15 +16,15 @@
   },
   "devDependencies": {
     "@eslint-react/eslint-plugin": "workspace:*",
-    "@eslint/config-inspector": "^1.2.0",
-    "@eslint/js": "^9.35.0",
+    "@eslint/config-inspector": "^1.3.0",
+    "@eslint/js": "^9.36.0",
     "@tsconfig/node22": "^22.0.2",
     "@tsconfig/strictest": "^2.0.5",
     "@tsconfig/vite-react": "^7.0.1",
     "@types/react": "^19.1.13",
     "@types/react-dom": "^19.1.9",
     "@vitejs/plugin-react": "^5.0.3",
-    "eslint": "^9.35.0",
+    "eslint": "^9.36.0",
     "eslint-plugin-react-hooks": "^5.2.0",
     "eslint-plugin-react-refresh": "^0.4.20",
     "typescript": "^5.9.2",