Actionsのバージョンをコミットハッシュで固定する

.github/workflows/add-to-task-list.yml

@@ -15,11 +15,11 @@ jobs:
     steps:
       - name: Generate a token
         id: generate_token
-        uses: actions/create-github-app-token@v1.11.0
+        uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
         with:
           app-id: ${{ secrets.PROJECT_AUTOMATION_APP_ID }}
           private-key: ${{ secrets.PROJECT_AUTOMATION_PRIVATE_KEY }}
-      - uses: dev-hato/actions-add-to-projects@v0.0.83
+      - uses: dev-hato/actions-add-to-projects@fd5b783f40eca48aaee26b62b3df0c1606e845dc # v0.0.83
         with:
           github-token: ${{steps.generate_token.outputs.token}}
           project-url: https://github.com/orgs/dev-hato/projects/1

.github/workflows/codeql.yml

@@ -41,10 +41,10 @@ jobs:
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@f779452ac5af1c261dce0346a8f964149f49322b # v3
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +56,7 @@ jobs:
         # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
         # queries: security-extended,security-and-quality
 
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@f779452ac5af1c261dce0346a8f964149f49322b # v3
       # - run: |
       #     echo "Run, Build Application using script"
       #     ./location_of_script_within_repo/buildscript.sh
@@ -66,6 +66,6 @@ jobs:
 
         #   If the Autobuild fails above, remove it and uncomment the following three lines.
         #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@f779452ac5af1c261dce0346a8f964149f49322b # v3
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/create-release.yml

@@ -14,8 +14,8 @@ jobs:
   create-release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4.2.1
-      - uses: dev-hato/actions-create-release@v0.0.38
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: dev-hato/actions-create-release@c2a40c5aa1affd28467f9d85ab21730396b96167 # v0.0.38
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
 concurrency:

.github/workflows/format-json-yml.yml

@@ -19,17 +19,17 @@ jobs:
     steps:
       - name: Generate a token
         id: generate_token
-        uses: actions/create-github-app-token@v1.11.0
+        uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
         with:
           app-id: ${{ secrets.PROJECT_AUTOMATION_APP_ID }}
           private-key: ${{ secrets.PROJECT_AUTOMATION_PRIVATE_KEY }}
-      - uses: actions/checkout@v4.2.1
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         if: github.event_name != 'pull_request' || github.event.action != 'closed'
         with:
           fetch-depth: 0
           ref: ${{ github.event.pull_request.head.sha }}
           token: ${{steps.generate_token.outputs.token}}
-      - uses: dev-hato/actions-format-json-yml@v0.0.74
+      - uses: dev-hato/actions-format-json-yml@fb4529a3bce610d82460527c56ff354ed545d1a1 # v0.0.74
         with:
           github-token: ${{steps.generate_token.outputs.token}}
 concurrency:

.github/workflows/github-actions-cache-cleaner.yml

@@ -17,7 +17,7 @@ jobs:
   github-actions-cache-cleaner:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4.2.1
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       - uses: ./
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}

.github/workflows/super-linter.yml

@@ -39,20 +39,20 @@ jobs:
       # Checkout the code base #
       ##########################
       - name: Checkout Code
-        uses: actions/checkout@v4.2.1
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           # Full git history is needed to get a proper list
           # of changed files within `super-linter`
           fetch-depth: 0
-      - uses: actions/setup-node@v4.0.4
+      - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         with:
           cache: npm
       - run: bash "${GITHUB_WORKSPACE}/scripts/super_linter/build/set_path.sh"
       ################################
       # Run Linter against code base #
       ################################
       - name: Lint Code Base
-        uses: super-linter/super-linter/slim@v7.1.0
+        uses: super-linter/super-linter/slim@b92721f792f381cedc002ecdbb9847a15ece5bb8 # v7.1.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           DEFAULT_BRANCH: main

.github/workflows/update-gitleaks.yml

@@ -17,19 +17,19 @@ jobs:
   update-gitleaks:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4.2.1
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         if: github.event_name != 'pull_request' || github.event.action != 'closed'
         with:
           fetch-depth: 0
           ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-node@v4.0.4
+      - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         if: github.event_name != 'pull_request' || github.event.action != 'closed'
         with:
           cache: npm
       - name: Install packages
         if: github.event_name != 'pull_request' || github.event.action != 'closed'
         run: npm ci
-      - uses: dev-hato/actions-update-gitleaks@v0.0.79
+      - uses: dev-hato/actions-update-gitleaks@0e9a2d1c25c0acc3108157714109d94ebecbf7cf # v0.0.79
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
 concurrency:

.github/workflows/update-package.yml

@@ -18,18 +18,18 @@ jobs:
   update-package:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4.2.1
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         if: github.event_name != 'pull_request' || github.event.action != 'closed'
         with:
           fetch-depth: 0
           ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-node@v4.0.4
+      - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         if: github.event_name != 'pull_request' || github.event.action != 'closed'
         with:
           cache: npm
       - if: github.event_name != 'pull_request' || github.event.action != 'closed'
         run: npm install
-      - uses: dev-hato/actions-diff-pr-management@v1.2.0
+      - uses: dev-hato/actions-diff-pr-management@e5c78b251a69f44f93b2f1398e06b129bcf151ec # v1.2.0
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
           branch-name-prefix: fix-package

.github/workflows/update-readme.yml

@@ -17,12 +17,12 @@ jobs:
   update-readme:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4.2.1
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         if: github.event_name != 'pull_request' || github.event.action != 'closed'
         with:
           fetch-depth: 0
           ref: ${{ github.event.pull_request.head.sha || github.sha }}
-      - uses: actions/setup-node@v4.0.4
+      - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         if: github.event_name != 'pull_request' || github.event.action != 'closed'
         with:
           cache: npm
@@ -31,7 +31,7 @@ jobs:
       - name: Get inputs markdown
         id: get_inputs_markdown
         if: github.event_name != 'pull_request' || github.event.action != 'closed'
-        uses: actions/github-script@v7.0.1
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         env:
           HEAD_REF: ${{github.event.pull_request.head.ref || github.head_ref}}
         with:
@@ -46,7 +46,7 @@ jobs:
         run: bash "${GITHUB_WORKSPACE}/scripts/update_readme/update_readme/update_readme.sh"
       - if: github.event_name != 'pull_request' || github.event.action != 'closed'
         run: npx prettier --write .
-      - uses: dev-hato/actions-diff-pr-management@v1.2.0
+      - uses: dev-hato/actions-diff-pr-management@e5c78b251a69f44f93b2f1398e06b129bcf151ec # v1.2.0
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
           branch-name-prefix: fix-readme

action.yml

@@ -8,7 +8,7 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - uses: actions/github-script@v7.0.1
+    - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       with:
         github-token: ${{inputs.github-token}}
         script: |

package.json

@@ -3,7 +3,7 @@
     "@proofdict/textlint-rule-proofdict": "3.1.2",
     "@textlint-ja/textlint-rule-no-insert-dropping-sa": "2.0.1",
     "js-yaml": "4.1.0",
-    "prettier": "^3.3.3",
+    "prettier": "3.3.3",
     "textlint": "14.2.1",
     "textlint-filter-rule-comments": "1.2.2",
     "textlint-rule-abbr-within-parentheses": "1.0.2",

scripts/super_linter/build/set_path.sh

@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
 
 npm ci
-action="$(yq '.jobs.build.steps[-1].uses' .github/workflows/super-linter.yml)"
-PATH="$(docker run --rm --entrypoint '' "ghcr.io/${action//\/slim@/:slim-}" /bin/sh -c 'echo $PATH')"
+tag_name="$(yq '.jobs.build.steps[-1].uses' .github/workflows/super-linter.yml | sed -e 's;/slim@.*;:slim;g')"
+tag_version="$(yq '.jobs.build.steps[-1].uses | line_comment' .github/workflows/super-linter.yml)"
+PATH="$(docker run --rm --entrypoint '' "ghcr.io/${tag_name}-${tag_version}" /bin/sh -c 'echo $PATH')"
 echo "PATH=/github/workspace/node_modules/.bin:${PATH}" >>"$GITHUB_ENV"