chore: pin package versions to git SHAs in GitHub Actions

Rel1cx · Rel1cx · commit 44d479db5436 · 2025-09-20T19:22:54.000+08:00
This commit pins the GitHub Actions package versions to their specific git SHAs rather than using version tags, following security best practices. It also standardizes the runners to ubuntu-24.04-arm.
diff --git a/.github/workflows/check-provenance.yml b/.github/workflows/check-provenance.yml
@@ -13,9 +13,9 @@ permissions:
   contents: read
 jobs:
   check-provenance:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04-arm
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
       - name: Check provenance downgrades
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -13,9 +13,9 @@ jobs:
   check:
     runs-on: ubuntu-24.04-arm
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Setup node@24
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           node-version: 24
       - name: Enable Corepack
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -21,9 +21,9 @@ jobs:
       contents: read
       id-token: write
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Setup node@24
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           node-version: 24
           registry-url: "https://registry.npmjs.org"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -14,9 +14,9 @@ jobs:
   test:
     runs-on: ubuntu-24.04-arm
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Setup node@24
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           node-version: 24
       - name: Enable Corepack
@@ -28,7 +28,7 @@ jobs:
       - name: Test on node@24
         run: pnpm run test
       - name: Setup node@20
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           node-version: 20
       - name: Enable Corepack
diff --git a/.pkgs/configs/package.json b/.pkgs/configs/package.json
@@ -19,18 +19,18 @@
     "lint:ts": "tsc --noEmit"
   },
   "dependencies": {
-    "@eslint/js": "^9.35.0",
-    "@stylistic/eslint-plugin": "^5.3.1",
+    "@eslint/js": "^9.36.0",
+    "@stylistic/eslint-plugin": "^5.4.0",
     "eslint-plugin-de-morgan": "^1.3.1",
-    "eslint-plugin-function": "^0.0.29",
-    "eslint-plugin-jsdoc": "^59.0.2",
+    "eslint-plugin-function": "^0.0.30",
+    "eslint-plugin-jsdoc": "^60.0.0",
     "eslint-plugin-perfectionist": "^4.15.0",
     "eslint-plugin-regexp": "^2.10.0",
     "eslint-plugin-unicorn": "^61.0.2",
     "typescript-eslint": "^8.44.0"
   },
   "peerDependencies": {
-    "eslint": "^9.35.0",
+    "eslint": "^9.36.0",
     "typescript": "^4.9.5 || ^5.4.5"
   }
 }
diff --git a/.pkgs/eslint-plugin-local/package.json b/.pkgs/eslint-plugin-local/package.json
@@ -26,14 +26,14 @@
     "@eslint-react/kit": "workspace:*",
     "@eslint-react/shared": "workspace:*",
     "@eslint-react/var": "workspace:*",
-    "@eslint/js": "^9.35.0",
-    "@stylistic/eslint-plugin": "^5.3.1",
+    "@eslint/js": "^9.36.0",
+    "@stylistic/eslint-plugin": "^5.4.0",
     "@typescript-eslint/scope-manager": "^8.44.0",
     "@typescript-eslint/type-utils": "^8.44.0",
     "@typescript-eslint/types": "^8.44.0",
     "@typescript-eslint/utils": "^8.44.0",
     "eslint-plugin-de-morgan": "^1.3.1",
-    "eslint-plugin-jsdoc": "^59.0.2",
+    "eslint-plugin-jsdoc": "^60.0.0",
     "eslint-plugin-perfectionist": "^4.15.0",
     "eslint-plugin-regexp": "^2.10.0",
     "eslint-plugin-unicorn": "^61.0.2",
@@ -44,10 +44,10 @@
     "@local/configs": "workspace:*",
     "@types/react": "^19.1.13",
     "@types/react-dom": "^19.1.9",
-    "tsdown": "^0.15.2"
+    "tsdown": "^0.15.3"
   },
   "peerDependencies": {
-    "eslint": "^9.35.0",
+    "eslint": "^9.36.0",
     "typescript": "^4.9.5 || ^5.4.5"
   },
   "engines": {
diff --git a/apps/website/package.json b/apps/website/package.json
@@ -17,19 +17,19 @@
     "bsky-react-post": "^0.1.7",
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
-    "effect": "^3.17.13",
-    "fumadocs-core": "15.7.12",
+    "effect": "^3.17.14",
+    "fumadocs-core": "15.7.13",
     "fumadocs-docgen": "3.0.0",
-    "fumadocs-mdx": "11.10.0",
+    "fumadocs-mdx": "12.0.0",
     "fumadocs-twoslash": "3.1.7",
     "fumadocs-typescript": "4.0.8",
-    "fumadocs-ui": "15.7.12",
+    "fumadocs-ui": "15.7.13",
     "lucide-react": "^0.544.0",
     "next": "^15.5.3",
     "next-view-transitions": "^0.3.4",
     "react": "^19.1.1",
     "react-dom": "^19.1.1",
-    "shiki": "^3.12.2",
+    "shiki": "^3.13.0",
     "tailwind-merge": "^3.3.1",
     "twoslash": "^0.3.4"
   },
@@ -38,7 +38,7 @@
     "@eslint-react/eslint-plugin": "workspace:*",
     "@eslint-react/kit": "workspace:*",
     "@eslint-react/shared": "workspace:*",
-    "@eslint/js": "^9.35.0",
+    "@eslint/js": "^9.36.0",
     "@eslint/markdown": "^7.2.0",
     "@local/configs": "workspace:*",
     "@mdx-js/mdx": "^3.1.1",
@@ -54,7 +54,7 @@
     "@types/react-dom": "^19.1.9",
     "autoprefixer": "^10.4.21",
     "dedent": "^1.7.0",
-    "eslint": "^9.35.0",
+    "eslint": "^9.36.0",
     "eslint-plugin-de-morgan": "^1.3.1",
     "eslint-plugin-fast-import": "^1.4.3",
     "eslint-plugin-perfectionist": "^4.15.0",
diff --git a/examples/next/package.json b/examples/next/package.json
@@ -16,16 +16,16 @@
   },
   "devDependencies": {
     "@eslint-react/eslint-plugin": "workspace:*",
-    "@eslint/config-inspector": "^1.2.0",
-    "@eslint/js": "^9.35.0",
+    "@eslint/config-inspector": "^1.3.0",
+    "@eslint/js": "^9.36.0",
     "@next/eslint-plugin-next": "^15.5.3",
     "@tsconfig/next": "^2.0.3",
     "@tsconfig/node22": "^22.0.2",
     "@tsconfig/strictest": "^2.0.5",
     "@types/node": "^24.5.2",
     "@types/react": "^19.1.13",
     "@types/react-dom": "^19.1.9",
-    "eslint": "^9.35.0",
+    "eslint": "^9.36.0",
     "eslint-config-flat-gitignore": "^2.1.0",
     "eslint-plugin-react-hooks": "^5.2.0",
     "eslint-plugin-react-refresh": "^0.4.20",
diff --git a/examples/react-dom-js/package.json b/examples/react-dom-js/package.json
@@ -16,12 +16,12 @@
   },
   "devDependencies": {
     "@eslint-react/eslint-plugin": "workspace:*",
-    "@eslint/config-inspector": "^1.2.0",
-    "@eslint/js": "^9.35.0",
+    "@eslint/config-inspector": "^1.3.0",
+    "@eslint/js": "^9.36.0",
     "@types/react": "^19.1.13",
     "@types/react-dom": "^19.1.9",
     "@vitejs/plugin-react": "^5.0.3",
-    "eslint": "^9.35.0",
+    "eslint": "^9.36.0",
     "eslint-plugin-react-hooks": "^5.2.0",
     "eslint-plugin-react-refresh": "^0.4.20",
     "globals": "^16.4.0",
diff --git a/examples/react-dom/package.json b/examples/react-dom/package.json
@@ -16,15 +16,15 @@
   },
   "devDependencies": {
     "@eslint-react/eslint-plugin": "workspace:*",
-    "@eslint/config-inspector": "^1.2.0",
-    "@eslint/js": "^9.35.0",
+    "@eslint/config-inspector": "^1.3.0",
+    "@eslint/js": "^9.36.0",
     "@tsconfig/node22": "^22.0.2",
     "@tsconfig/strictest": "^2.0.5",
     "@tsconfig/vite-react": "^7.0.1",
     "@types/react": "^19.1.13",
     "@types/react-dom": "^19.1.9",
     "@vitejs/plugin-react": "^5.0.3",
-    "eslint": "^9.35.0",
+    "eslint": "^9.36.0",
     "eslint-plugin-react-hooks": "^5.2.0",
     "eslint-plugin-react-refresh": "^0.4.20",
     "typescript": "^5.9.2",
diff --git a/examples/with-babel-eslint-parser/package.json b/examples/with-babel-eslint-parser/package.json
@@ -19,14 +19,14 @@
     "@babel/eslint-parser": "^7.28.4",
     "@babel/preset-env": "^7.28.3",
     "@babel/preset-react": "^7.27.1",
-    "@eslint/config-inspector": "^1.2.0",
-    "@eslint/js": "^9.35.0",
+    "@eslint/config-inspector": "^1.3.0",
+    "@eslint/js": "^9.36.0",
     "@types/babel__core": "~7.20.5",
     "@types/babel__preset-env": "~7.10.0",
     "@types/react": "^19.1.13",
     "@types/react-dom": "^19.1.9",
     "@vitejs/plugin-react": "^5.0.3",
-    "eslint": "^9.35.0",
+    "eslint": "^9.36.0",
     "eslint-plugin-react-debug": "workspace:*",
     "eslint-plugin-react-dom": "workspace:*",
     "eslint-plugin-react-hooks": "^5.2.0",
diff --git a/examples/with-ts-blank-eslint-parser/package.json b/examples/with-ts-blank-eslint-parser/package.json
@@ -18,15 +18,15 @@
     "@eslint-react/eslint-plugin": "workspace:*",
     "@eslint-react/kit": "workspace:*",
     "@eslint-react/shared": "workspace:*",
-    "@eslint/config-inspector": "^1.2.0",
-    "@eslint/js": "^9.35.0",
+    "@eslint/config-inspector": "^1.3.0",
+    "@eslint/js": "^9.36.0",
     "@tsconfig/node22": "^22.0.2",
     "@tsconfig/strictest": "^2.0.5",
     "@tsconfig/vite-react": "^7.0.1",
     "@types/react": "^19.1.13",
     "@types/react-dom": "^19.1.9",
     "@vitejs/plugin-react": "^5.0.3",
-    "eslint": "^9.35.0",
+    "eslint": "^9.36.0",
     "eslint-plugin-react-hooks": "^5.2.0",
     "eslint-plugin-react-refresh": "^0.4.20",
     "globals": "^16.4.0",
diff --git a/package.json b/package.json
@@ -55,7 +55,7 @@
     "@effect/language-service": "^0.40.0",
     "@effect/platform": "^0.90.10",
     "@effect/platform-node": "^0.96.1",
-    "@eslint/config-inspector": "^1.2.0",
+    "@eslint/config-inspector": "^1.3.0",
     "@eslint/markdown": "^7.2.0",
     "@local/configs": "workspace:*",
     "@local/eslint-plugin-local": "workspace:*",
@@ -71,8 +71,8 @@
     "ansis": "^4.1.0",
     "dedent": "^1.7.0",
     "dprint": "^0.50.2",
-    "effect": "^3.17.13",
-    "eslint": "^9.35.0",
+    "effect": "^3.17.14",
+    "eslint": "^9.36.0",
     "eslint-config-flat-gitignore": "^2.1.0",
     "eslint-plugin-fast-import": "^1.4.3",
     "eslint-plugin-vitest": "^0.5.4",
@@ -87,11 +87,11 @@
     "sort-package-json": "^3.4.0",
     "tinyglobby": "^0.2.15",
     "ts-pattern": "^5.8.0",
-    "tsdown": "^0.15.2",
+    "tsdown": "^0.15.3",
     "tsx": "^4.20.5",
     "type-fest": "^5.0.1",
     "typedoc": "^0.28.13",
-    "typedoc-plugin-markdown": "^4.8.1",
+    "typedoc-plugin-markdown": "^4.9.0",
     "typedoc-plugin-mdn-links": "^5.0.9",
     "typescript": "^5.9.2",
     "typescript-eslint": "^8.44.0",
diff --git a/packages/core/package.json b/packages/core/package.json
@@ -49,7 +49,7 @@
   },
   "devDependencies": {
     "@local/configs": "workspace:*",
-    "tsdown": "^0.15.2"
+    "tsdown": "^0.15.3"
   },
   "engines": {
     "node": ">=20.19.0"
diff --git a/packages/plugins/eslint-plugin-react-debug/package.json b/packages/plugins/eslint-plugin-react-debug/package.json
@@ -58,10 +58,10 @@
     "@local/configs": "workspace:*",
     "@types/react": "^19.1.13",
     "@types/react-dom": "^19.1.9",
-    "tsdown": "^0.15.2"
+    "tsdown": "^0.15.3"
   },
   "peerDependencies": {
-    "eslint": "^9.35.0",
+    "eslint": "^9.36.0",
     "typescript": "^4.9.5 || ^5.4.5"
   },
   "peerDependenciesMeta": {
diff --git a/packages/plugins/eslint-plugin-react-dom/package.json b/packages/plugins/eslint-plugin-react-dom/package.json
@@ -58,10 +58,10 @@
     "@local/configs": "workspace:*",
     "@types/react": "^19.1.13",
     "@types/react-dom": "^19.1.9",
-    "tsdown": "^0.15.2"
+    "tsdown": "^0.15.3"
   },
   "peerDependencies": {
-    "eslint": "^9.35.0",
+    "eslint": "^9.36.0",
     "typescript": "^4.9.5 || ^5.4.5"
   },
   "peerDependenciesMeta": {
diff --git a/packages/plugins/eslint-plugin-react-hooks-extra/package.json b/packages/plugins/eslint-plugin-react-hooks-extra/package.json
@@ -59,7 +59,7 @@
     "@local/configs": "workspace:*",
     "@types/react": "^19.1.13",
     "@types/react-dom": "^19.1.9",
-    "tsdown": "^0.15.2"
+    "tsdown": "^0.15.3"
   },
   "peerDependencies": {
     "eslint": "^8.57.0 || ^9.0.0",
diff --git a/packages/plugins/eslint-plugin-react-naming-convention/package.json b/packages/plugins/eslint-plugin-react-naming-convention/package.json
@@ -58,10 +58,10 @@
     "@local/configs": "workspace:*",
     "@types/react": "^19.1.13",
     "@types/react-dom": "^19.1.9",
-    "tsdown": "^0.15.2"
+    "tsdown": "^0.15.3"
   },
   "peerDependencies": {
-    "eslint": "^9.35.0",
+    "eslint": "^9.36.0",
     "typescript": "^4.9.5 || ^5.4.5"
   },
   "peerDependenciesMeta": {
diff --git a/packages/plugins/eslint-plugin-react-web-api/package.json b/packages/plugins/eslint-plugin-react-web-api/package.json
@@ -57,10 +57,10 @@
     "@local/configs": "workspace:*",
     "@types/react": "^19.1.13",
     "@types/react-dom": "^19.1.9",
-    "tsdown": "^0.15.2"
+    "tsdown": "^0.15.3"
   },
   "peerDependencies": {
-    "eslint": "^9.35.0",
+    "eslint": "^9.36.0",
     "typescript": "^4.9.5 || ^5.4.5"
   },
   "peerDependenciesMeta": {
diff --git a/packages/plugins/eslint-plugin-react-x/package.json b/packages/plugins/eslint-plugin-react-x/package.json
@@ -60,10 +60,10 @@
     "@types/react": "^19.1.13",
     "@types/react-dom": "^19.1.9",
     "ts-api-utils": "^2.1.0",
-    "tsdown": "^0.15.2"
+    "tsdown": "^0.15.3"
   },
   "peerDependencies": {
-    "eslint": "^9.35.0",
+    "eslint": "^9.36.0",
     "ts-api-utils": "^2.1.0",
     "typescript": "^4.9.5 || ^5.4.5"
   },
diff --git a/packages/plugins/eslint-plugin/package.json b/packages/plugins/eslint-plugin/package.json
@@ -59,10 +59,10 @@
   },
   "devDependencies": {
     "@local/configs": "workspace:*",
-    "tsdown": "^0.15.2"
+    "tsdown": "^0.15.3"
   },
   "peerDependencies": {
-    "eslint": "^9.35.0",
+    "eslint": "^9.36.0",
     "typescript": "^4.9.5 || ^5.4.5"
   },
   "peerDependenciesMeta": {
diff --git a/packages/shared/package.json b/packages/shared/package.json
@@ -44,7 +44,7 @@
     "@local/configs": "workspace:*",
     "@tsconfig/node22": "^22.0.2",
     "@types/picomatch": "^4.0.2",
-    "tsdown": "^0.15.2",
+    "tsdown": "^0.15.3",
     "type-fest": "^5.0.1"
   },
   "engines": {
diff --git a/packages/utilities/ast/package.json b/packages/utilities/ast/package.json
@@ -42,7 +42,7 @@
   },
   "devDependencies": {
     "@local/configs": "workspace:*",
-    "tsdown": "^0.15.2"
+    "tsdown": "^0.15.3"
   },
   "engines": {
     "node": ">=20.19.0"
diff --git a/packages/utilities/eff/package.json b/packages/utilities/eff/package.json
diff --git a/packages/utilities/kit/package.json b/packages/utilities/kit/package.json
diff --git a/packages/utilities/var/package.json b/packages/utilities/var/package.json
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
