From 2438243e4c5d4f3fb78e5a07c18bd71d8e3ad218 Mon Sep 17 00:00:00 2001
From: Taiki Endo
Date: Tue, 7 Apr 2026 23:08:37 +0900
Subject: [PATCH] Enable "Require actions to be pinned to a full-length commit SHA" actions policy
---
 .github/workflows/ci.yml | 16 ++++++++--------
 .github/workflows/manifest.yml | 2 +-
 .github/workflows/release.yml | 12 ++++++------
 .github/zizmor.yml | 4 ----
 4 files changed, 15 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 320b6bc0..bef91ca9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -33,20 +33,20 @@ concurrency:

 jobs:
 miri:
- uses: taiki-e/github-actions/.github/workflows/miri.yml@main
+ uses: taiki-e/github-actions/.github/workflows/miri.yml@606d6c78d69927c489d319133073a03157928a7a # main
 with:
 # NB: sync with test job's --exclude option
 args: --exclude install-action-internal-codegen
 msrv:
- uses: taiki-e/github-actions/.github/workflows/msrv.yml@main
+ uses: taiki-e/github-actions/.github/workflows/msrv.yml@606d6c78d69927c489d319133073a03157928a7a # main
 test-manifest-schema:
- uses: taiki-e/github-actions/.github/workflows/test.yml@main
+ uses: taiki-e/github-actions/.github/workflows/test.yml@606d6c78d69927c489d319133073a03157928a7a # main
 with:
 # NB: sync with miri job's --exclude option
 test-args: --exclude install-action-internal-codegen
 no-std: false
 tidy:
- uses: taiki-e/github-actions/.github/workflows/tidy.yml@main
+ uses: taiki-e/github-actions/.github/workflows/tidy.yml@606d6c78d69927c489d319133073a03157928a7a # main
 permissions:
 contents: write # for creating branch for pr
 pull-requests: write # unused (used in `codegen-automerge: true` case)
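Review bot: The `# main` comment on the four reusable-workflow pins in this hunk (`miri.yml`, `msrv.yml`, `test.yml`, `tidy.yml`) names a branch rather than a release, so once `main` advances it no longer identifies what `606d6c78d69927c489d319133073a03157928a7a` corresponds to, and nothing visible in this patch shows how the pin is meant to be refreshed. The same SHA and comment recur in the `gen.yml` hunk of manifest.yml and the `rust-release.yml` hunk of release.yml, so six call sites have to move together or the jobs will run different states of the shared workflows. I would record the pin date and the refresh rule beside the first use, e.g. `# main @ <date pinned>; bump every taiki-e/github-actions pin together`, where the date is a placeholder to fill in. The `jobs:` block continues outside the hunk.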
@@ -95,7 +95,7 @@ jobs:
 runs-on: ${{ matrix.os }}
 timeout-minutes: 60
 steps:
- - uses: taiki-e/checkout-action@v1
+ - uses: taiki-e/checkout-action@83ed61bfbe2b8abbb3c66e8b65b1335484c70009 # v1.4.1
 # cross attempts to install rust-src when Cargo.toml is available even if `cross --version`
 - run: rm -- Cargo.toml
 - name: Generate tool list
@@ -154,7 +154,7 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 60
 steps:
- - uses: taiki-e/checkout-action@v1
+ - uses: taiki-e/checkout-action@83ed61bfbe2b8abbb3c66e8b65b1335484c70009 # v1.4.1
 # cross attempts to install rust-src when Cargo.toml is available even if `cross --version`
 - run: rm -- Cargo.toml
 - run: env
@@ -187,7 +187,7 @@ jobs:
 runs-on: ubuntu-24.04-arm
 timeout-minutes: 60
 steps:
- - uses: taiki-e/checkout-action@v1
+ - uses: taiki-e/checkout-action@83ed61bfbe2b8abbb3c66e8b65b1335484c70009 # v1.4.1
 # cross attempts to install rust-src when Cargo.toml is available even if `cross --version`
 - run: rm -- Cargo.toml
 - run: env
@@ -298,7 +298,7 @@ jobs:
 env:
 CONTAINER: ${{ matrix.container }}
 if: startsWith(matrix.container, 'centos')
- - uses: taiki-e/checkout-action@v1
+ - uses: taiki-e/checkout-action@83ed61bfbe2b8abbb3c66e8b65b1335484c70009 # v1.4.1
 # cross attempts to install rust-src when Cargo.toml is available even if `cross --version`
 - run: rm -- Cargo.toml
 - name: Generate tool list
diff --git a/.github/workflows/manifest.yml b/.github/workflows/manifest.yml
index 7767bbed..e6f1b649 100644
--- a/.github/workflows/manifest.yml
+++ b/.github/workflows/manifest.yml
@@ -33,7 +33,7 @@ concurrency:

 jobs:
 manifest:
- uses: taiki-e/github-actions/.github/workflows/gen.yml@main
+ uses: taiki-e/github-actions/.github/workflows/gen.yml@606d6c78d69927c489d319133073a03157928a7a # main
 permissions:
 contents: write # for creating branch for pr
 pull-requests: write # for gh pr review --approve
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 083d2b4d..0b858fb7 100644
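Review bot: The `# v1.4.1` comment after `taiki-e/checkout-action@83ed61bfbe2b8abbb3c66e8b65b1335484c70009` is informational only: the runner resolves the SHA, and nothing in the workflow checks that this commit is what the tag points to, so a comment that drifts from the hash on a later bump would pass review unnoticed. This applies to the first `steps:` entry in all four ci.yml hunks that carry this pin, and to the `checkout-action`, `install-action` and `create-gh-release-action` pins in release.yml. A one-line reminder above the first pinned step would help, e.g. `# SHA is authoritative; confirm it matches the tag named in the trailing comment when bumping`, ideally backed by a lint that compares the two. The jobs containing these steps start and end outside the hunks.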
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -38,8 +38,8 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 60
 steps:
- - uses: taiki-e/checkout-action@v1
- - uses: taiki-e/install-action@v2
+ - uses: taiki-e/checkout-action@83ed61bfbe2b8abbb3c66e8b65b1335484c70009 # v1.4.1
+ - uses: taiki-e/install-action@7bc99eee1f1b8902a125006cf790a1f4c8461e63 # v2.69.8
 with:
 tool: parse-changelog
 fallback: none
@@ -207,8 +207,8 @@ jobs:
 permissions:
 contents: write # for taiki-e/create-gh-release-action
 steps:
- - uses: taiki-e/checkout-action@v1
- - uses: taiki-e/install-action@v2
+ - uses: taiki-e/checkout-action@83ed61bfbe2b8abbb3c66e8b65b1335484c70009 # v1.4.1
+ - uses: taiki-e/install-action@7bc99eee1f1b8902a125006cf790a1f4c8461e63 # v2.69.8
 with:
 tool: parse-changelog
 fallback: none
@@ -423,7 +423,7 @@ jobs:
 PREPARE_REV: ${{ needs.prepare.outputs.rev }}
 # Note that if we use secrets.GITHUB_TOKEN, the pushed commit/tag cannot trigger other workflows.
 PUSH_TOKEN: ${{ steps.push-token.outputs.token }}
- - uses: taiki-e/create-gh-release-action@v1
+ - uses: taiki-e/create-gh-release-action@c5baa0b5dc700cf06439d87935e130220a6882d9 # v1.9.3
 with:
 changelog: CHANGELOG.md
 title: $version
@@ -432,7 +432,7 @@ jobs:

 release-manifest-schema:
 if: github.repository_owner == 'taiki-e' && inputs.target == 'install-action-manifest-schema'
- uses: taiki-e/github-actions/.github/workflows/rust-release.yml@main
+ uses: taiki-e/github-actions/.github/workflows/rust-release.yml@606d6c78d69927c489d319133073a03157928a7a # main
 permissions:
 contents: write # for taiki-e/create-gh-release-action
 id-token: write # for rust-lang/crates-io-auth-action
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index 1f9c1f9a..09fee698 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -4,7 +4,3 @@
 rules:
 anonymous-definition: { disable: true }
 dependabot-cooldown: { config: { days: 14 } }
- unpinned-uses:
- config:
- policies:
- taiki-e/*: any
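Review bot: In the `release-manifest-schema` hunk the caller still hands `contents: write` and `id-token: write` to `rust-release.yml`, and the SHA pin freezes only that workflow file; whether the actions it invokes are themselves referenced by full SHA at the pinned commit cannot be seen from this patch. Because this job can write to the repository and request an OIDC token for publishing, that is worth confirming before relying on the pin. I would note the result beside the `uses:` line, e.g. `# callee's own uses: lines checked for full-SHA pins at this commit`. The job definition continues past the end of the hunk.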