From 53496a9fbd952c4e68ea613524e124c98c75d7dd Mon Sep 17 00:00:00 2001 From: Masataka Pocke Kuwabara Date: Mon, 29 Jun 2026 10:52:16 +0900 Subject: [PATCH] Pin GitHub Actions to commit hashes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Run pinact to replace mutable tag references (e.g. actions/checkout@v7) with their corresponding full commit SHAs, keeping the version tag as a trailing comment. Pinning to immutable SHAs prevents a compromised or retagged action from silently changing behavior in CI. Generated with: pinact run (pinact v4.1.0) ハッシュ固め夜半の月さえ動かさず --- .github/workflows/bundle-update.yml | 4 ++-- .github/workflows/c-check.yml | 4 ++-- .github/workflows/comments.yml | 4 ++-- .github/workflows/dependabot.yml | 2 +- .github/workflows/jruby.yml | 6 +++--- .github/workflows/milestone.yml | 4 ++-- .github/workflows/ruby.yml | 12 ++++++------ .github/workflows/rust.yml | 24 ++++++++++++------------ .github/workflows/truffleruby.yml | 4 ++-- .github/workflows/typecheck.yml | 4 ++-- .github/workflows/wasm.yml | 6 +++--- .github/workflows/windows.yml | 4 ++-- 12 files changed, 39 insertions(+), 39 deletions(-) diff --git a/.github/workflows/bundle-update.yml b/.github/workflows/bundle-update.yml index 1c59dac0b..2f2d05834 100644 --- a/.github/workflows/bundle-update.yml +++ b/.github/workflows/bundle-update.yml @@ -11,10 +11,10 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1.314.0 with: ruby-version: '4.0' diff --git a/.github/workflows/c-check.yml b/.github/workflows/c-check.yml index 6aca37ddc..e115affac 100644 --- a/.github/workflows/c-check.yml +++ b/.github/workflows/c-check.yml 
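Review bot: Nothing in this patch checks that `9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0` really is the `v7.0.0` tag of actions/checkout upstream; the trailing `# v7.0.0` on the first `uses:` line of bundle-update.yml is only an annotation, and the same holds for every other pinned line in the patch. GitHub can resolve a commit SHA that exists only in a fork of the action's repository, so each SHA/tag pair should be re-resolved against the upstream repository before merge, and ideally by a CI job on every later edit of these files. The pins also stop picking up upstream fixes on their own. A workflow named dependabot.yml exists, but whether an update configuration covers the github-actions ecosystem is not visible here, so confirm one does and that it rewrites the version comment together with the SHA.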
@@ -14,8 +14,8 @@ jobs: format-check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 - - uses: ruby/setup-ruby@v1 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + - uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1.314.0 with: ruby-version: "4.0" bundler-cache: none diff --git a/.github/workflows/comments.yml b/.github/workflows/comments.yml index abe0a1b76..23485c070 100644 --- a/.github/workflows/comments.yml +++ b/.github/workflows/comments.yml @@ -13,8 +13,8 @@ jobs: # env: # RUBY_COMMIT: v4.0.0-preview2 steps: - - uses: actions/checkout@v7 - - uses: ruby/setup-ruby@v1 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + - uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1.314.0 with: ruby-version: "4.0.1" bundler: none diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml index fe5d67a3e..9780fd4cc 100644 --- a/.github/workflows/dependabot.yml +++ b/.github/workflows/dependabot.yml @@ -17,7 +17,7 @@ jobs: uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0 id: metadata - name: Checkout repository - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 - name: Abort if blocker files are changed diff --git a/.github/workflows/jruby.yml b/.github/workflows/jruby.yml index c9131094f..43f03afff 100644 --- a/.github/workflows/jruby.yml +++ b/.github/workflows/jruby.yml 
@@ -31,13 +31,13 @@ jobs: name: jruby runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - run: git fetch --depth=1 origin +refs/tags/*:refs/tags/* # Build the .wasm and fetch the Chicory jars with CRuby + the WASI SDK, # then run RBS itself on JRuby against those artifacts. - name: Set up Ruby (to assemble the WebAssembly runtime) - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1.314.0 with: ruby-version: ruby bundler: none @@ -57,7 +57,7 @@ jobs: run: bundle exec rake wasm:jruby_setup - name: Set up JRuby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1.314.0 with: ruby-version: jruby bundler: none diff --git a/.github/workflows/milestone.yml b/.github/workflows/milestone.yml index 0a4b8697b..8e8373382 100644 --- a/.github/workflows/milestone.yml +++ b/.github/workflows/milestone.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Extract RBS::Version id: version @@ -30,7 +30,7 @@ jobs: echo "RBS::VERSION = $version (major=$major, minor=$minor, patch=$patch)" - name: Check milestone - uses: actions/github-script@v9 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: script: | const pr = context.payload.pull_request; diff --git a/.github/workflows/ruby.yml b/.github/workflows/ruby.yml index dd4b86da0..9a250cfe0 100644 --- a/.github/workflows/ruby.yml +++ b/.github/workflows/ruby.yml @@ -40,8 +40,8 @@ jobs: env: RANDOMIZE_STDLIB_TEST_ORDER: "true" steps: - - uses: actions/checkout@v7 - - uses: ruby/setup-ruby@v1 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + - uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1.314.0 with: ruby-version: ${{ matrix.ruby }} bundler: none 
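Review bot: The `actions/github-script` step in milestone.yml runs its inline script with the job's token, and pinning the action to `3a2844b7e9c422d3c10d287c895573f7108da1b3` does not narrow what that token can do. The hunk starts below the workflow trigger and the job header, so whether a `permissions:` block is already declared cannot be seen from here. If none is, add one to this job limited to what the milestone check reads, for example `permissions:` with `contents: read` and `pull-requests: read`, and adjust the scopes to the API calls the script actually makes.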
@@ -90,11 +90,11 @@ jobs: matrix: ruby: ['4.0', head] steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install dependencies run: | brew install ruby-build - - uses: ruby/setup-ruby@v1 + - uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1.314.0 with: ruby-version: ${{ matrix.ruby }} bundler: none @@ -127,11 +127,11 @@ jobs: matrix: ruby: ['4.0', head] steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install dependencies run: | brew install ruby-build - - uses: ruby/setup-ruby@v1 + - uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1.314.0 with: ruby-version: ${{ matrix.ruby }} bundler: none diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index d871f1bbb..86193f14f 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -24,10 +24,10 @@ jobs: matrix: os: [ubuntu-latest, macos-latest, windows-latest] steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - run: git fetch --depth=1 origin +refs/tags/*:refs/tags/* - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1.314.0 with: ruby-version: ruby bundler: none @@ -43,7 +43,7 @@ jobs: run: | rustup update --no-self-update stable rustup default stable - - uses: actions/cache@v5 + - uses: actions/cache@caa296126883cff596d87d8935842f9db880ef25 # v5.1.0 with: path: | ~/.cargo/registry 
@@ -62,14 +62,14 @@ jobs: runs-on: ubuntu-latest continue-on-error: true steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - run: git fetch --depth=1 origin +refs/tags/*:refs/tags/* - name: Set up git identity run: | git config user.name "GitHub Actions" git config user.email "actions@github.com" - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1.314.0 with: ruby-version: ruby bundler: none @@ -85,7 +85,7 @@ jobs: run: | rustup update --no-self-update stable rustup default stable - - uses: actions/cache@v5 + - uses: actions/cache@caa296126883cff596d87d8935842f9db880ef25 # v5.1.0 with: path: | ~/.cargo/registry @@ -104,14 +104,14 @@ jobs: runs-on: ubuntu-latest continue-on-error: true steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - run: git fetch --depth=1 origin +refs/tags/*:refs/tags/* - name: Set up git identity run: | git config user.name "GitHub Actions" git config user.email "actions@github.com" - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1.314.0 with: ruby-version: ruby bundler: none @@ -127,7 +127,7 @@ jobs: run: | rustup update --no-self-update stable rustup default stable - - uses: actions/cache@v5 + - uses: actions/cache@caa296126883cff596d87d8935842f9db880ef25 # v5.1.0 with: path: | ~/.cargo/registry @@ -145,10 +145,10 @@ jobs: name: cargo:lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - run: git fetch --depth=1 origin +refs/tags/*:refs/tags/* - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1.314.0 with: ruby-version: ruby bundler: none 
@@ -165,7 +165,7 @@ jobs: rustup update --no-self-update stable rustup default stable rustup component add --toolchain stable clippy rustfmt - - uses: actions/cache@v5 + - uses: actions/cache@caa296126883cff596d87d8935842f9db880ef25 # v5.1.0 with: path: | ~/.cargo/registry diff --git a/.github/workflows/truffleruby.yml b/.github/workflows/truffleruby.yml index d58de2f58..7f23f7191 100644 --- a/.github/workflows/truffleruby.yml +++ b/.github/workflows/truffleruby.yml @@ -24,8 +24,8 @@ jobs: # TruffleRuby warns and falls back to US-ASCII unless the locale is UTF-8. LANG: "en_US.UTF-8" steps: - - uses: actions/checkout@v7 - - uses: ruby/setup-ruby@v1 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + - uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1.314.0 with: ruby-version: ${{ matrix.ruby }} bundler: none diff --git a/.github/workflows/typecheck.yml b/.github/workflows/typecheck.yml index 299928bd9..3e82b110a 100644 --- a/.github/workflows/typecheck.yml +++ b/.github/workflows/typecheck.yml @@ -16,8 +16,8 @@ jobs: strategy: fail-fast: false steps: - - uses: actions/checkout@v7 - - uses: ruby/setup-ruby@v1 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + - uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1.314.0 with: ruby-version: "3.4" bundler: none diff --git a/.github/workflows/wasm.yml b/.github/workflows/wasm.yml index 2d1f95713..091d9f7cb 100644 --- a/.github/workflows/wasm.yml +++ b/.github/workflows/wasm.yml @@ -26,10 +26,10 @@ jobs: name: wasm:check runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - run: git fetch --depth=1 origin +refs/tags/*:refs/tags/* - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1.314.0 with: ruby-version: ruby bundler: none 
@@ -46,7 +46,7 @@ jobs: curl -sSL "$url" | tar xz --strip-components=1 -C "$HOME/wasi-sdk" echo "WASI_SDK_PATH=$HOME/wasi-sdk" >> "$GITHUB_ENV" - name: Install wasmtime - uses: bytecodealliance/actions/wasmtime/setup@v1 + uses: bytecodealliance/actions/wasmtime/setup@9152e710e9f7182e4c29ad218e4f335a7b203613 # v1.1.3 with: version: ${{ env.WASMTIME_VERSION }} - name: Build and smoke-test the WebAssembly module diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index faf63ffde..ae9b97a3d 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -18,9 +18,9 @@ jobs: matrix: ruby: ['3.4', ucrt, mswin] steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: load ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1.314.0 with: ruby-version: ${{ matrix.ruby }}
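Review bot: The step just above the pinned wasmtime action in wasm.yml still runs `curl -sSL "$url" | tar xz --strip-components=1 -C "$HOME/wasi-sdk"` with no integrity check, so the WASI SDK archive remains a mutable input after this patch; that step begins outside the hunk. Download the archive to a file, compare it with a SHA-256 recorded in the workflow, and only then extract, e.g. `echo "$WASI_SDK_SHA256  wasi-sdk.tar.gz" | sha256sum -c -`, where `WASI_SDK_SHA256` is a placeholder for a value stored next to the SDK version. Adding `-f` to the curl call would also make an HTTP error fail the step instead of handing an error page to tar. The pinned `bytecodealliance/actions/wasmtime/setup` step presumably downloads the wasmtime release named by `WASMTIME_VERSION`, so the pin fixes the action's code but not the binary it installs.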