chore: pin GitHub Actions to commit SHAs for security (#96)

TomeHirata · claude · web-flow · commit 6bd34a5a637f · 2026-04-04T15:10:20.000+09:00
* chore: pin GitHub Actions to commit SHAs for security Pin all GitHub Actions to full commit hashes instead of version tags to prevent supply chain attacks. Also upgrade to latest versions: - actions/checkout: v4 → v4.3.1 - actions/setup-python: v4 → v5.6.0 - astral-sh/setup-uv: v4 → v8.0.0 - peaceiris/actions-gh-pages: v4 → v4.0.0 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * Address review comments and add more supply chain protections - Pin uv version to 0.7.13 instead of "latest" in all workflows - Pin pre-commit hooks to commit SHAs for ruff, pre-commit-hooks, and typos - Add github-actions ecosystem to Dependabot for automated updates 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -5,7 +5,11 @@
 
 version: 2
 updates:
-  - package-ecosystem: "pip" # See documentation for possible values
-    directory: "/" # Location of package manifests
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "github-actions"
+    directory: "/"
     schedule:
       interval: "weekly"
diff --git a/.github/workflows/build-doc.yml b/.github/workflows/build-doc.yml
@@ -10,17 +10,17 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
     - name: Set up Python
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
       with:
         python-version: '3.11'
 
     - name: Install uv
-      uses: astral-sh/setup-uv@v4
+      uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
       with:
-        version: "latest"
+        version: "0.7.13"
 
     - name: Install dependencies
       run: |
@@ -32,7 +32,7 @@ jobs:
         uv run make html
 
     - name: Deploy to GitHub Pages
-      uses: peaceiris/actions-gh-pages@v4
+      uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
         publish_dir: ./docs/build/html
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -15,17 +15,17 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
       with:
         python-version: ${{ matrix.python-version }}
 
     - name: Install uv
-      uses: astral-sh/setup-uv@v4
+      uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
       with:
-        version: "latest"
+        version: "0.7.13"
 
     - name: Install dependencies
       run: |
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -10,17 +10,17 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: '3.11'
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v4
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
         with:
-          version: "latest"
+          version: "0.7.13"
 
       - name: Install build dependencies
         run: |
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,22 +1,22 @@
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.12.7
+    rev: 4cbc74d53fe5634e58e0e65db7d28939c9cec3f7 # v0.12.7
     hooks:
       - id: ruff
         name: ruff (linter)
         args: [--fix]
       - id: ruff-format
         name: ruff (formatter)
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
+    rev: cef0300fd0fc4d2a87a85fa2093c6b283ea36f4b # v5.0.0
     hooks:
       - id: trailing-whitespace
       - id: end-of-file-fixer
       - id: check-merge-conflict
       - id: check-yaml
       - id: check-toml
   - repo: https://github.com/crate-ci/typos
-    rev: v1.28.1
+    rev: 7735742fe15f92eb88e4660c70ae0184c4a57502 # v1.28.1
     hooks:
       - id: typos
         args: [--write-changes]
