ci: harden workflow (#669)

sapphi-red · web-flow · commit 80bcd7eb6eda · 2025-09-19T14:18:47.000+09:00
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -28,7 +28,10 @@ jobs:
         with:
           node-version: lts/*
           registry-url: https://registry.npmjs.org/
-          cache: "pnpm"
+          # disable cache, to avoid cache poisoning (https://docs.zizmor.sh/audits/#cache-poisoning)
+
+      - name: Disallow installation scripts
+        run: yq '.onlyBuiltDependencies = []' -i pnpm-workspace.yaml
 
       - name: Install deps
         run: pnpm install
diff --git a/.github/workflows/release-continuous.yml b/.github/workflows/release-continuous.yml
@@ -17,7 +17,10 @@ jobs:
       - uses: actions/setup-node@v4
         with:
           node-version: lts/*
-          cache: pnpm
+          # disable cache, to avoid cache poisoning (https://docs.zizmor.sh/audits/#cache-poisoning)
+
+      - name: Disallow installation scripts
+        run: yq '.onlyBuiltDependencies = []' -i pnpm-workspace.yaml
 
       - name: Install dependencies
         run: pnpm install
diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml
@@ -34,7 +34,7 @@ jobs:
 
       - name: Create Release for Tag
         id: release_tag
-        uses: yyx990803/release-tag@master
+        uses: yyx990803/release-tag@8cccf7c5aa332d71d222df46677f70f77a8d2dc0 # v1.0.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
