From 20edaaffbd18f254f275f728e59347d26abf9a9e Mon Sep 17 00:00:00 2001
From: TomeHirata
Date: Sat, 4 Apr 2026 14:57:20 +0900
Subject: [PATCH 1/2] chore: pin GitHub Actions to commit SHAs for security
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pin all GitHub Actions to full commit hashes instead of version tags to prevent supply chain attacks. Also upgrade to latest versions:
- actions/checkout: v4 → v4.3.1
- actions/setup-python: v4 → v5.6.0
- astral-sh/setup-uv: v4 → v8.0.0
- peaceiris/actions-gh-pages: v4 → v4.0.0
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5
---
 .github/workflows/build-doc.yml | 8 ++++----
 .github/workflows/build.yml | 6 +++---
 .github/workflows/publish.yml | 6 +++---
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/build-doc.yml b/.github/workflows/build-doc.yml
index ca6cddd..4472e38 100644
--- a/.github/workflows/build-doc.yml
+++ b/.github/workflows/build-doc.yml
@@ -10,15 +10,15 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Set up Python
- uses: actions/setup-python@v4
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
 with:
 python-version: '3.11'
 - name: Install uv
- uses: astral-sh/setup-uv@v4
+ uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
 with:
 version: "latest"
@@ -32,7 +32,7 @@ jobs:
 uv run make html
 - name: Deploy to GitHub Pages
- uses: peaceiris/actions-gh-pages@v4
+ uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 publish_dir: ./docs/build/html
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d5fc831..d50c584 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
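Review bot: The `peaceiris/actions-gh-pages` step in the second build-doc.yml hunk still pushes with `secrets.GITHUB_TOKEN`, and nothing in the hunk narrows what that token is allowed to do; pinning the SHA fixes which action code runs, not the reach of the token if that code or one of its dependencies misbehaves. The job header is outside the hunk, so I cannot tell whether a `permissions:` block exists; if it does not, add `permissions:` with `contents: write` at the job level and keep the workflow default at `contents: read` so the deploy step gets only what it needs. The `# v4.3.1`-style trailing comments across this patch are informational only, so the reviewer should confirm each SHA actually resolves to the named tag before merging.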
@@ -15,15 +15,15 @@ jobs:
 runs-on: ${{ matrix.os }}
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v4
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
 with:
 python-version: ${{ matrix.python-version }}
 - name: Install uv
- uses: astral-sh/setup-uv@v4
+ uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
 with:
 version: "latest"
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index e2ae0d7..6c9955d 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -10,15 +10,15 @@ jobs:
 steps:
 - name: Check out code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Set up Python
- uses: actions/setup-python@v4
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
 with:
 python-version: '3.11'
 - name: Install uv
- uses: astral-sh/setup-uv@v4
+ uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
 with:
 version: "latest"
From 945436ed52e7507d6dfa16cacf6dd5293c0fb72f Mon Sep 17 00:00:00 2001
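Review bot: The pinned `actions/checkout` step in the publish.yml hunk keeps the action's default of persisting the job token into the checked-out repository's git configuration, and the later build and publish steps (outside the hunk) have no visible need for it; pinning the SHA changes nothing about that. Adding `with:` / `persist-credentials: false` under this step keeps the token away from every tool that runs afterwards on the checkout; the same applies to the checkout steps in the build.yml hunk above and in the first build-doc.yml hunk. I am inferring the steps' needs from their names only — confirm that nothing later in publish.yml pushes back to the repository through the checkout credentials before turning this off.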
From: TomeHirata
Date: Sat, 4 Apr 2026 15:07:55 +0900
Subject: [PATCH 2/2] Address review comments and add more supply chain protections
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Pin uv version to 0.7.13 instead of "latest" in all workflows
- Pin pre-commit hooks to commit SHAs for ruff, pre-commit-hooks, and typos
- Add github-actions ecosystem to Dependabot for automated updates
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5
---
 .github/dependabot.yml | 8 ++++++--
 .github/workflows/build-doc.yml | 2 +-
 .github/workflows/build.yml | 2 +-
 .github/workflows/publish.yml | 2 +-
 .pre-commit-config.yaml | 6 +++---
 5 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 9d866e3..fd39620 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,7 +5,11 @@ version: 2
 updates:
- - package-ecosystem: "pip" # See documentation for possible values
- directory: "/" # Location of package manifests
+ - package-ecosystem: "pip"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ - package-ecosystem: "github-actions"
+ directory: "/"
 schedule:
 interval: "weekly"
diff --git a/.github/workflows/build-doc.yml b/.github/workflows/build-doc.yml
index 4472e38..09f040e 100644
--- a/.github/workflows/build-doc.yml
+++ b/.github/workflows/build-doc.yml
@@ -20,7 +20,7 @@ jobs:
 - name: Install uv
 uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
 with:
- version: "latest"
+ version: "0.7.13"
 - name: Install dependencies
 run: |
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d50c584..eeb51b4 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -25,7 +25,7 @@ jobs:
 - name: Install uv
 uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
 with:
- version: "latest"
+ version: "0.7.13"
 - name: Install dependencies
 run: |
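Review bot: The new `version: "0.7.13"` in the build-doc.yml hunk (and identically in the build.yml hunk below and the publish.yml hunk in the next chunk) introduces a second, hand-maintained version source: the `github-actions` Dependabot entry added in the dependabot.yml hunk is expected to track the `astral-sh/setup-uv` SHA and its tag comment, but the `version:` input is an action parameter that updater does not touch, so uv itself will quietly age while the action keeps moving. Either record that expectation next to the pin, e.g. `version: "0.7.13"  # uv release pinned by hand; not covered by the github-actions Dependabot entry`, or, if the project already declares its uv version in pyproject.toml or uv.lock, have the action read it from there so there is one source of truth. I have not verified that this setup-uv release supports reading the version from a file, so check its documentation before choosing the second option.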
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 6c9955d..d3b55f3 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -20,7 +20,7 @@ jobs:
 - name: Install uv
 uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
 with:
- version: "latest"
+ version: "0.7.13"
 - name: Install build dependencies
 run: |
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index b66bed4..792faab 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/astral-sh/ruff-pre-commit
- rev: v0.12.7
+ rev: 4cbc74d53fe5634e58e0e65db7d28939c9cec3f7 # v0.12.7
 hooks:
 - id: ruff
 name: ruff (linter)
@@ -8,7 +8,7 @@ repos:
 - id: ruff-format
 name: ruff (formatter)
 - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v5.0.0
+ rev: cef0300fd0fc4d2a87a85fa2093c6b283ea36f4b # v5.0.0
 hooks:
 - id: trailing-whitespace
 - id: end-of-file-fixer
@@ -16,7 +16,7 @@ repos:
 - id: check-yaml
 - id: check-toml
 - repo: https://github.com/crate-ci/typos
- rev: v1.28.1
+ rev: 7735742fe15f92eb88e4660c70ae0184c4a57502 # v1.28.1
 hooks:
 - id: typos
 args: [--write-changes]
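Review bot: The three `rev:` SHA pins in .pre-commit-config.yaml (the ruff-pre-commit, pre-commit-hooks and typos hunks) have no updater behind them: the dependabot.yml in this series enumerates only `pip` and `github-actions`, and the routine `pre-commit autoupdate` rewrites `rev:` to the newest tag, which would replace each SHA with a mutable tag again the next time someone runs it. State that in the file so the next maintainer does not undo the pin, e.g. a comment above `repos:` such as `# rev values are commit SHAs on purpose (tag in the trailing comment); autoupdate replaces them with tags, so re-pin after every update`. As with the workflow pins, the trailing `# v0.12.7`-style comments are unverified, so confirm each SHA resolves to the named tag in the upstream repository at review time.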