fix(ci): SHA-pin all GitHub Actions and fix pnpm version conflict

ryota-murakami · ryota-murakami · commit 372053009177 · 2026-01-30T15:01:22.000+09:00
- Remove version: 10 from malware-safe-chain (conflicts with packageManager)
- SHA-pin all checkout, pnpm/action-setup, setup-node, set-timezone actions
- Upgrade to Node 24 in malware-safe-chain
- Add --ignore-scripts protection
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -8,6 +8,7 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      # SHA-pinned actions (prevent tag hijacking)
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: ./.github/actions/prepare
       - run: pnpm lint
diff --git a/.github/workflows/malware-safe-chain.yml b/.github/workflows/malware-safe-chain.yml
@@ -10,18 +10,17 @@ jobs:
   malware-safe-chain:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      # SHA-pinned actions (prevent tag hijacking)
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Install pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          version: 10
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
       - name: Use Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
-          node-version: '22'
+          node-version: '24'
 
       - name: Install safe-chain
         run: curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --ci
 
       - name: Install dependencies with Safe Chain protection
-        run: pnpm install --frozen-lockfile
+        run: pnpm install --frozen-lockfile --ignore-scripts
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -8,10 +8,11 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: szenius/set-timezone@v1.2
+      - uses: szenius/set-timezone@ce9c440bc3af4f51b28d7ef7e5c47ee8f26c8dcb # v1.2
         with:
           timezoneLinux: 'Asia/Tokyo'
-      - uses: actions/checkout@v4
+      # SHA-pinned actions (prevent tag hijacking)
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: ./.github/actions/prepare
       - name: Create .env file
         run: |
