Address review comments and add more supply chain protections

TomeHirata · claude · TomeHirata · commit 945436ed52e7 · 2026-04-04T15:07:55.000+09:00
- Pin uv version to 0.7.13 instead of "latest" in all workflows - Pin pre-commit hooks to commit SHAs for ruff, pre-commit-hooks, and typos - Add github-actions ecosystem to Dependabot for automated updates 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -5,7 +5,11 @@
 
 version: 2
 updates:
-  - package-ecosystem: "pip" # See documentation for possible values
-    directory: "/" # Location of package manifests
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "github-actions"
+    directory: "/"
     schedule:
       interval: "weekly"
diff --git a/.github/workflows/build-doc.yml b/.github/workflows/build-doc.yml
@@ -20,7 +20,7 @@ jobs:
     - name: Install uv
       uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
       with:
-        version: "latest"
+        version: "0.7.13"
 
     - name: Install dependencies
       run: |
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -25,7 +25,7 @@ jobs:
     - name: Install uv
       uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
       with:
-        version: "latest"
+        version: "0.7.13"
 
     - name: Install dependencies
       run: |
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -20,7 +20,7 @@ jobs:
       - name: Install uv
         uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
         with:
-          version: "latest"
+          version: "0.7.13"
 
       - name: Install build dependencies
         run: |
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,22 +1,22 @@
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.12.7
+    rev: 4cbc74d53fe5634e58e0e65db7d28939c9cec3f7 # v0.12.7
     hooks:
       - id: ruff
         name: ruff (linter)
         args: [--fix]
       - id: ruff-format
         name: ruff (formatter)
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
+    rev: cef0300fd0fc4d2a87a85fa2093c6b283ea36f4b # v5.0.0
     hooks:
       - id: trailing-whitespace
       - id: end-of-file-fixer
       - id: check-merge-conflict
       - id: check-yaml
       - id: check-toml
   - repo: https://github.com/crate-ci/typos
-    rev: v1.28.1
+    rev: 7735742fe15f92eb88e4660c70ae0184c4a57502 # v1.28.1
     hooks:
       - id: typos
         args: [--write-changes]
