Enable "Require actions to be pinned to a full-length commit SHA"

actions policy

.github/workflows/ci.yml

@@ -33,20 +33,20 @@ concurrency:
 
 jobs:
   miri:
-    uses: taiki-e/github-actions/.github/workflows/miri.yml@main
+    uses: taiki-e/github-actions/.github/workflows/miri.yml@606d6c78d69927c489d319133073a03157928a7a # main
     with:
       # NB: sync with test job's --exclude option
       args: --exclude install-action-internal-codegen
   msrv:
-    uses: taiki-e/github-actions/.github/workflows/msrv.yml@main
+    uses: taiki-e/github-actions/.github/workflows/msrv.yml@606d6c78d69927c489d319133073a03157928a7a # main
   test-manifest-schema:
-    uses: taiki-e/github-actions/.github/workflows/test.yml@main
+    uses: taiki-e/github-actions/.github/workflows/test.yml@606d6c78d69927c489d319133073a03157928a7a # main
     with:
       # NB: sync with miri job's --exclude option
       test-args: --exclude install-action-internal-codegen
       no-std: false
   tidy:
-    uses: taiki-e/github-actions/.github/workflows/tidy.yml@main
+    uses: taiki-e/github-actions/.github/workflows/tidy.yml@606d6c78d69927c489d319133073a03157928a7a # main
     permissions:
       contents: write # for creating branch for pr
       pull-requests: write # unused (used in `codegen-automerge: true` case)
@@ -95,7 +95,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     timeout-minutes: 60
     steps:
-      - uses: taiki-e/checkout-action@v1
+      - uses: taiki-e/checkout-action@83ed61bfbe2b8abbb3c66e8b65b1335484c70009 # v1.4.1
       # cross attempts to install rust-src when Cargo.toml is available even if `cross --version`
       - run: rm -- Cargo.toml
       - name: Generate tool list
@@ -154,7 +154,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 60
     steps:
-      - uses: taiki-e/checkout-action@v1
+      - uses: taiki-e/checkout-action@83ed61bfbe2b8abbb3c66e8b65b1335484c70009 # v1.4.1
       # cross attempts to install rust-src when Cargo.toml is available even if `cross --version`
       - run: rm -- Cargo.toml
       - run: env
@@ -187,7 +187,7 @@ jobs:
     runs-on: ubuntu-24.04-arm
     timeout-minutes: 60
     steps:
-      - uses: taiki-e/checkout-action@v1
+      - uses: taiki-e/checkout-action@83ed61bfbe2b8abbb3c66e8b65b1335484c70009 # v1.4.1
       # cross attempts to install rust-src when Cargo.toml is available even if `cross --version`
       - run: rm -- Cargo.toml
       - run: env
@@ -298,7 +298,7 @@ jobs:
         env:
           CONTAINER: ${{ matrix.container }}
         if: startsWith(matrix.container, 'centos')
-      - uses: taiki-e/checkout-action@v1
+      - uses: taiki-e/checkout-action@83ed61bfbe2b8abbb3c66e8b65b1335484c70009 # v1.4.1
       # cross attempts to install rust-src when Cargo.toml is available even if `cross --version`
       - run: rm -- Cargo.toml
       - name: Generate tool list

.github/workflows/manifest.yml

@@ -33,7 +33,7 @@ concurrency:
 
 jobs:
   manifest:
-    uses: taiki-e/github-actions/.github/workflows/gen.yml@main
+    uses: taiki-e/github-actions/.github/workflows/gen.yml@606d6c78d69927c489d319133073a03157928a7a # main
     permissions:
       contents: write # for creating branch for pr
       pull-requests: write # for gh pr review --approve

.github/workflows/release.yml

@@ -38,8 +38,8 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 60
     steps:
-      - uses: taiki-e/checkout-action@v1
-      - uses: taiki-e/install-action@v2
+      - uses: taiki-e/checkout-action@83ed61bfbe2b8abbb3c66e8b65b1335484c70009 # v1.4.1
+      - uses: taiki-e/install-action@7bc99eee1f1b8902a125006cf790a1f4c8461e63 # v2.69.8
         with:
           tool: parse-changelog
           fallback: none
@@ -207,8 +207,8 @@ jobs:
     permissions:
       contents: write # for taiki-e/create-gh-release-action
     steps:
-      - uses: taiki-e/checkout-action@v1
-      - uses: taiki-e/install-action@v2
+      - uses: taiki-e/checkout-action@83ed61bfbe2b8abbb3c66e8b65b1335484c70009 # v1.4.1
+      - uses: taiki-e/install-action@7bc99eee1f1b8902a125006cf790a1f4c8461e63 # v2.69.8
         with:
           tool: parse-changelog
           fallback: none
@@ -423,7 +423,7 @@ jobs:
           PREPARE_REV: ${{ needs.prepare.outputs.rev }}
           # Note that if we use secrets.GITHUB_TOKEN, the pushed commit/tag cannot trigger other workflows.
           PUSH_TOKEN: ${{ steps.push-token.outputs.token }}
-      - uses: taiki-e/create-gh-release-action@v1
+      - uses: taiki-e/create-gh-release-action@c5baa0b5dc700cf06439d87935e130220a6882d9 # v1.9.3
         with:
           changelog: CHANGELOG.md
           title: $version
@@ -432,7 +432,7 @@ jobs:
 
   release-manifest-schema:
     if: github.repository_owner == 'taiki-e' && inputs.target == 'install-action-manifest-schema'
-    uses: taiki-e/github-actions/.github/workflows/rust-release.yml@main
+    uses: taiki-e/github-actions/.github/workflows/rust-release.yml@606d6c78d69927c489d319133073a03157928a7a # main
     permissions:
       contents: write # for taiki-e/create-gh-release-action
       id-token: write # for rust-lang/crates-io-auth-action

.github/zizmor.yml

@@ -4,7 +4,3 @@
 rules:
   anonymous-definition: { disable: true }
   dependabot-cooldown: { config: { days: 14 } }
-  unpinned-uses:
-    config:
-      policies:
-        taiki-e/*: any