From fa80ca16e8c28a7f5d1ba513f31c3651a5314a18 Mon Sep 17 00:00:00 2001
From: Yuta Kasai
Date: Wed, 26 Mar 2025 16:58:24 +0900
Subject: [PATCH 1/4] NO-ISSUE Run pinact
---
 .github/workflows/gradle.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
index b77441a76..985b9d2fd 100644
--- a/.github/workflows/gradle.yml
+++ b/.github/workflows/gradle.yml
@@ -42,3 +42,12 @@ jobs:
 - run: cd generator && mvn package && cd ..
 - run: python3 generate-code.py
 - run: ./gradlew build
+
+ pinact:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - name: Run pinact
+ uses: suzuki-shunsuke/pinact-action@a6896d13d22e2bf108a78b0c52d3f867c1f41b34 # v0.2.1
+ with:
+ skip_push: "true"
From 91322aa2ab245b838107d6c0a6f774cd1c6dca64 Mon Sep 17 00:00:00 2001
From: Yuta Kasai
Date: Wed, 26 Mar 2025 16:58:39 +0900
Subject: [PATCH 2/4] NO-ISSUE Apply pinact
---
 .github/workflows/check-eol-newrelease.yml | 4 ++--
 .github/workflows/close-issue.yml | 2 +-
 .github/workflows/create-draft-release.yml | 8 ++++----
 .github/workflows/generate-code.yml | 6 +++---
 .github/workflows/gradle.yml | 4 ++--
 .github/workflows/pom-validation.yml | 4 ++--
 .github/workflows/publish.yml | 6 +++---
 7 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/check-eol-newrelease.yml b/.github/workflows/check-eol-newrelease.yml
index bc78643a5..6c179faac 100644
--- a/.github/workflows/check-eol-newrelease.yml
+++ b/.github/workflows/check-eol-newrelease.yml
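Review bot: In the `pinact` job added to `.github/workflows/gradle.yml` (patch 1/4), the `actions/checkout` step keeps its default of persisting the job token in the checked-out repository's git configuration, where the third-party `suzuki-shunsuke/pinact-action` step that runs next can read it. `skip_push: "true"` suggests this job never pushes, so the credential is not needed once the checkout has finished. Give the checkout step a `with:` block containing `persist-credentials: false`.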
@@ -11,10 +11,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Run EoL & NewRelease check - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | const checkEolAndNewReleases = require('.github/scripts/check-eol-newrelease.cjs'); diff --git a/.github/workflows/close-issue.yml b/.github/workflows/close-issue.yml index 781b5ea06..31e4ad3a3 100644 --- a/.github/workflows/close-issue.yml +++ b/.github/workflows/close-issue.yml @@ -12,7 +12,7 @@ jobs: issues: write pull-requests: write steps: - - uses: actions/stale@v9 + - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0 with: days-before-issue-stale: 14 days-before-issue-close: 0 diff --git a/.github/workflows/create-draft-release.yml b/.github/workflows/create-draft-release.yml index 95c4b4658..75165a83b 100644 --- a/.github/workflows/create-draft-release.yml +++ b/.github/workflows/create-draft-release.yml @@ -43,10 +43,10 @@ jobs: needs: validate-input steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Fetch Latest Release id: get-latest-release - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | const latestRelease = await github.rest.repos.getLatestRelease({ @@ -62,7 +62,7 @@ jobs: - name: Calculate New Version id: calculate-version - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | const latestTag = '${{ steps.get-latest-release.outputs.latest_tag }}'; 
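Review bot: In `.github/workflows/create-draft-release.yml` (hunk at `-62,7`), the context line `const latestTag = '${{ steps.get-latest-release.outputs.latest_tag }}';` pastes a step output into the script source before it is parsed, so a tag name containing a quote would change the JavaScript that runs; pinning the action does not affect that. Pass the value through the environment instead: add `env:` with `LATEST_TAG: ${{ steps.get-latest-release.outputs.latest_tag }}` on the step and read `process.env.LATEST_TAG` in the script. The value appears to come from the repository's own latest release, so exposure is probably limited to people who can create releases. The script body continues outside the hunk.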
@@ -83,7 +83,7 @@ jobs: - name: Generate Release Notes id: generate-release-notes - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | const { data: releaseNotes } = await github.rest.repos.generateReleaseNotes({ diff --git a/.github/workflows/generate-code.yml b/.github/workflows/generate-code.yml index b4b859c2c..4df341193 100644 --- a/.github/workflows/generate-code.yml +++ b/.github/workflows/generate-code.yml @@ -13,18 +13,18 @@ jobs: steps: - name: Setup - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: recursive - name: Update submodules run: git submodule update --remote --recursive - name: Set up Java - uses: actions/setup-java@v4 + uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0 with: distribution: 'temurin' java-version: 17 architecture: x64 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0 - name: Generate code run: | python generate-code.py diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml index 985b9d2fd..d0b0498c8 100644 --- a/.github/workflows/gradle.yml +++ b/.github/workflows/gradle.yml @@ -27,12 +27,12 @@ jobs: - '21' steps: - name: actions/setup-java@v3 (JDK ${{ matrix.java }}) - uses: actions/setup-java@v4 + uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0 with: distribution: 'temurin' java-version: ${{ matrix.java }} architecture: x64 - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: true - run: | diff --git a/.github/workflows/pom-validation.yml b/.github/workflows/pom-validation.yml index 286b8cdb7..7f38438b3 100644 --- a/.github/workflows/pom-validation.yml +++ b/.github/workflows/pom-validation.yml 
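Review bot: The step name `actions/setup-java@v3 (JDK ${{ matrix.java }})` in the `.github/workflows/gradle.yml` hunk now sits directly above a `uses:` line pinned to `# v4.7.0`, so the job log reports a version that is not the one running; the same stale name appears in the `pom-validation.yml` hunk. Drop the version from the name, e.g. `- name: Set up JDK ${{ matrix.java }}`, so the pin comment is the only place that records the version.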
@@ -11,12 +11,12 @@ jobs: java: [ '17' ] # We want to test on LTSs. steps: - name: actions/setup-java@v3 (JDK ${{ matrix.java }}) - uses: actions/setup-java@v4 + uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0 with: distribution: 'temurin' java-version: ${{ matrix.java }} architecture: x64 - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: true - run: | diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 5e1f179ca..4f4a7bc2b 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -13,12 +13,12 @@ jobs: publish: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: true - name: Set up Java - uses: actions/setup-java@v4 + uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0 with: java-version: '17' distribution: 'temurin' @@ -58,7 +58,7 @@ jobs: - name: Create GitHub Issue on Failure if: failure() - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | const { owner, repo } = context.repo; From cd92fc7875b31c9d6410110e9b1b11c49d7a1c53 Mon Sep 17 00:00:00 2001 From: Yuta Kasai Date: Wed, 26 Mar 2025 16:59:12 +0900 Subject: [PATCH 3/4] NO-ISSUE Renovate --- renovate.json5 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/renovate.json5 b/renovate.json5 index cd50949d5..7a930a768 100644 --- a/renovate.json5 +++ b/renovate.json5 @@ -1,7 +1,8 @@ { "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": [ - "config:recommended" + "config:recommended", + "helpers:pinGitHubActionDigestsToSemver" ], "timezone": "Asia/Tokyo", "automerge": true, From 9ae69420ed81b1f811bdf03709d73106d02a53c5 Mon Sep 17 00:00:00 2001 
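Review bot: `"automerge": true` stays in effect next to the new `helpers:pinGitHubActionDigestsToSemver` preset in `renovate.json5`, so as far as this hunk shows, digest bumps for the pinned actions would be merged without anyone looking at what changed upstream, which is the review step that pinning is meant to create. Consider a `packageRules` entry that matches the `github-actions` manager and sets `"automerge": false`, or a `minimumReleaseAge` so new releases settle before they land. The rest of the file is outside the hunk, so an existing rule may already cover this.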
From: Yuta Kasai Date: Wed, 26 Mar 2025 18:41:40 +0900 Subject: [PATCH 4/4] NO-ISSUE Grant minimum permission to a job --- .github/workflows/gradle.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml index d0b0498c8..bd7e9d607 100644 --- a/.github/workflows/gradle.yml +++ b/.github/workflows/gradle.yml @@ -45,6 +45,8 @@ jobs: pinact: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Run pinact
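Review bot: The `permissions:` block is added only to the `pinact` job; the matrix build job in the same workflow (its steps appear in patch 2/4) gets no block in this series, so it keeps whatever default token permissions the repository or organisation sets. If nothing in the workflow needs write access, a top-level `permissions:` with `contents: read` would cover every job and make the per-job block unnecessary. The top of `gradle.yml` is outside the hunks, so confirm there is no workflow-level block already.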