pinactを導入するぞ

.github/composite/build-dev-rust/action.yml

@@ -11,13 +11,13 @@ inputs:
 runs:
   using: composite
   steps:
-    - uses: actions/cache/restore@v4
+    - uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       id: restore-dev-library
       with:
         path: ${{ inputs.cache-path }}
         key: ${{ inputs.cache-key }}
     - if: ${{ steps.restore-dev-library.outputs.cache-hit != 'true' }}
-      uses: actions-rust-lang/setup-rust-toolchain@v1.14.1
+      uses: actions-rust-lang/setup-rust-toolchain@ac90e63697ac2784f4ecfe2964e1a285c304003a # v1.14.1
       with:
         cache-workspaces: ./binding
     - if: ${{ steps.restore-dev-library.outputs.cache-hit != 'true' }}
@@ -38,7 +38,7 @@ runs:
           fi
         done
     - if: ${{ steps.restore-dev-library.outputs.cache-hit != 'true' }}
-      uses: actions/cache/save@v4
+      uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       with:
         path: ${{ inputs.cache-path }}
         key: ${{ inputs.cache-key }}

.github/composite/download-openjtalk-dict/action.yml

@@ -11,7 +11,7 @@ inputs:
 runs:
   using: composite
   steps:
-    - uses: actions/cache/restore@v4
+    - uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       id: restore-open-jtalk-dictionary
       with:
         path: ${{ inputs.cache-path }}
@@ -20,7 +20,7 @@ runs:
       shell: bash
       run: curl -sSLfo open_jtalk_dic_utf_8-1.11.tar.gz https://jaist.dl.sourceforge.net/project/open-jtalk/Dictionary/open_jtalk_dic-1.11/open_jtalk_dic_utf_8-1.11.tar.gz
     - if: ${{ steps.restore-open-jtalk-dictionary.outputs.cache-hit != 'true' }}
-      uses: actions/cache/save@v4
+      uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       with:
         path: ${{ inputs.cache-path }}
         key: ${{ inputs.cache-key }}

.github/workflows/csharp_test.yml

@@ -21,7 +21,7 @@ jobs:
       run:
         working-directory: ./binding
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         submodules: true
         ref: ${{ inputs.checkout-ref || github.head_ref }}
@@ -36,14 +36,14 @@ jobs:
     runs-on: ubuntu-latest
     needs: build-native-dev-library
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         submodules: true
         ref: ${{ inputs.checkout-ref || github.head_ref }}
-    - uses: actions/setup-dotnet@v5
+    - uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
       with:
         dotnet-version: 9
-    - uses: actions/cache/restore@v4
+    - uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       with:
         path: |
           ./binding/voicevox_core/target/release/libvoicevox_core.so
@@ -67,14 +67,14 @@ jobs:
     runs-on: ubuntu-latest
     needs: build-native-dev-library
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         submodules: true
         ref: ${{ inputs.checkout-ref || github.head_ref }}
-    - uses: actions/setup-dotnet@v5
+    - uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
       with:
         dotnet-version: 9
-    - uses: actions/cache/restore@v4
+    - uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       with:
         path: |
           ./binding/voicevox_core/target/release/libvoicevox_core.so
@@ -100,11 +100,11 @@ jobs:
     runs-on: ubuntu-latest
     needs: build-native-dev-library
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         submodules: true
         ref: ${{ inputs.checkout-ref || github.head_ref }}
-    - uses: actions/setup-dotnet@v5
+    - uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
       with:
         dotnet-version: 9
     - run: make format/check

.github/workflows/merge-queue-trigger-handler.yml

@@ -28,11 +28,11 @@
         # if use ACT, uncomment-out the following line
         # with:
         #   required-codeowners: 'false'
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
           ref: ${{ fromJSON(steps.precheck.outputs.base-branch) }}
       - run: |
           git config --global user.name "github-actions[bot]"
           git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
           gh pr checkout ${{ github.event.issue.number }}

.github/workflows/submodule_tracker.yml

@@ -13,11 +13,11 @@ jobs:
     steps:
       - name: Generate a token
         id: generate_token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
         with:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           token: ${{ steps.generate_token.outputs.token }}
           submodules: recursive
@@ -35,7 +35,7 @@ jobs:
             echo submodule_has_update="true" >> $GITHUB_OUTPUT;
           fi
       - if: ${{ steps.submodule-diff.outputs.submodule_has_update == 'true'}}
-        uses: actions-rust-lang/setup-rust-toolchain@v1.15.2
+        uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # v1.15.2
       - if: ${{ steps.submodule-diff.outputs.submodule_has_update == 'true'}}
         working-directory: ./binding
         run: make generate

.github/workflows/tagged_release_test.yml

@@ -38,20 +38,20 @@ jobs:
     steps:
       # is PR
       - if: needs.parse-tag.outputs.tag != null
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           ref: refs/pull/${{ github.event.issue.number }}/merge
       # is workflow_dispatch
       - if: needs.parse-tag.outputs.release-tag != null
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - if: ${{ github.event.issue.pull_request != null }}
         run: gh pr comment ${PR_NUMBER} -b "Running ${ACTION_URL}"
         env:
           PR_NUMBER: ${{ github.event.issue.number }}
           ACTION_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
           GH_TOKEN: ${{ github.token }}
       - id: download-voicevox_core
-        uses: sevenc-nanashi/setup-voicevox@v0.1.1
+        uses: sevenc-nanashi/setup-voicevox@7945c1c225e6f7d65ce1e1f62ec9653ac75c6fbb # v0.1.1
         with:
           download-item: "core"
           path: voicevox_core_resources

.github/workflows/testing-queue.yml

@@ -45,7 +45,7 @@ jobs:
     steps:
       - name: Generate a token
         id: generate_token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
         with:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.APP_PRIVATE_KEY }}

.pinact.yaml

@@ -0,0 +1,16 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/suzuki-shunsuke/pinact/refs/heads/main/json-schema/pinact.json
+# pinact - https://github.com/suzuki-shunsuke/pinact
+version: 3
+files:
+  - pattern: .github/workflows/*.yml
+  - pattern: .github/composite/*/action.yml
+
+ignore_actions:
+  - name: yamachu/merge-queue-action/.*
+    ref: main
+# - name: slsa-framework/slsa-github-generator/\.github/workflows/generator_generic_slsa3\.yml
+#   ref: v\d+\.\d+\.\d+
+# - name: actions/.*
+#   ref: main
+# - name: suzuki-shunsuke/.*
+#   ref: release-.*