Merge pull request #383 from Cysharp/feature/pin_action

guitarrapc · web-flow · commit 8500dcfab1aa · 2025-03-18T17:22:32.000+09:00
ci: Pinning third party GitHub Actions sha
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -0,0 +1,12 @@
+# ref: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly" # Check for updates to GitHub Actions every week
+    ignore:
+      # I just want update action when major/minor version is updated. patch updates are too noisy.
+      - dependency-name: '*'
+        update-types:
+          - version-update:semver-patch
diff --git a/.github/workflows/build-debug.yml b/.github/workflows/build-debug.yml
@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: Cysharp/Actions/.github/actions/setup-dotnet@main
       - run: dotnet build -c Debug
       - run: dotnet test -c Debug --no-build
@@ -30,7 +30,7 @@ jobs:
     steps:
       - name: Load secrets
         id: op-load-secret
-        uses: 1password/load-secrets-action@v2
+        uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2.0.0
         with:
           export-env: false
         env:
@@ -39,7 +39,7 @@ jobs:
           UNITY_PASSWORD: "op://${{ vars.OP_VAULT_ACTIONS_PUBLIC }}/UNITY_LICENSE/credential"
           UNITY_SERIAL: "op://${{ vars.OP_VAULT_ACTIONS_PUBLIC }}/UNITY_LICENSE/serial"
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       # Run SourceGenerater to generate serialization code
       - uses: Cysharp/Actions/.github/actions/setup-dotnet@main
diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml
@@ -28,7 +28,7 @@ jobs:
     timeout-minutes: 10
     steps:
       - run: echo ${{ needs.update-packagejson.outputs.sha }}
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ needs.update-packagejson.outputs.sha }}
       - uses: Cysharp/Actions/.github/actions/setup-dotnet@main
@@ -52,7 +52,7 @@ jobs:
     steps:
       - name: Load secrets
         id: op-load-secret
-        uses: 1password/load-secrets-action@v2
+        uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2.0.0
         with:
           export-env: false
         env:
@@ -62,7 +62,7 @@ jobs:
           UNITY_SERIAL: "op://${{ vars.OP_VAULT_ACTIONS_PUBLIC }}/UNITY_LICENSE/serial"
 
       - run: echo ${{ needs.update-packagejson.outputs.sha }}
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ needs.update-packagejson.outputs.sha }}
 
@@ -88,7 +88,7 @@ jobs:
           customParameters: "/headless /ScriptBackend IL2CPP"
 
       # check meta files
-      - uses: Cysharp/Actions/.github/actions/check-metas@main
+      - uses: Cysharp/Actions/.github/actions/check-metas@main # check meta files
         with:
           directory: src/MemoryPack.Unity
 
