From 85bcc55ee589420b9a9a26102c3c8ca633fec054 Mon Sep 17 00:00:00 2001
From: Kaze <230549489+kaze-cow@users.noreply.github.com>
Date: Tue, 7 Apr 2026 15:14:55 +0900
Subject: [PATCH] ci: pin actions to commit hashes

Replaces mutable version tags with locked commit SHAs to prevent supply chain attacks from compromised or force-pushed tags.
---
 .github/workflows/CI.yml | 6 +++---
 .github/workflows/deploy.yml | 6 +++---
 .github/workflows/publish.yml | 4 ++--
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index 9682675a..9ec7b911 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -13,17 +13,17 @@ jobs:
 os: [ubuntu-latest]
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
 - name: Install Foundry
 uses: foundry-rs/foundry-toolchain@8789b3e21e6c11b2697f5eb56eddae542f746c10
 with:
 version: v1.5.1
- - uses: actions/setup-node@v1
+ - uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e # v1
 with:
 node-version: ${{ matrix.node }}
 - id: yarn-cache
 run: echo "::set-output name=dir::$(yarn cache dir)"
- - uses: actions/cache@v4
+ - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ${{ steps.yarn-cache.outputs.dir }}
 key: ${{ matrix.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 1e18ca4c..e8c53e16 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -7,8 +7,8 @@ jobs:
 deploy:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-node@v1
+ - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
+ - uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e # v1
 with:
 node-version: 14.x
 - run: yarn --frozen-lockfile
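Review bot: The new SHA pins in the CI.yml hunk freeze the workflow on old major lines of the actions (`# v2` of actions/checkout, `# v1` of actions/setup-node), which are well behind the current releases, and the same pins are repeated in the deploy.yml and publish.yml hunks; a pin removes the tag-mutation risk but only stays safe if there is an update path, so this commit should be paired with an update to current releases or at least a `.github/dependabot.yml` entry for the `github-actions` ecosystem, if one is not already present. The trailing `# vN` comment is what Dependabot and Renovate read to propose SHA bumps, so each comment should name the exact release the SHA was taken from, e.g. `# v<EXACT_TAG>` (placeholder), rather than only the major, and each SHA should be checked against that upstream release tag before merge since the diff itself cannot show that correspondence. The pre-existing `foundry-rs/foundry-toolchain@8789b3e2…` line in the same hunk carries no such comment at all; adding `# v<FOUNDRY_TOOLCHAIN_TAG>` (placeholder) keeps it trackable by the same tooling. The `echo "::set-output name=dir::$(yarn cache dir)"` context line uses the deprecated set-output command and will need `$GITHUB_OUTPUT` once the surrounding actions are updated, though that is outside this commit's scope.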
@@ -18,7 +18,7 @@ jobs:
 ETHERSCAN_API_KEY: ${{ secrets.ETHERSCAN_API_KEY }}
 INFURA_KEY: ${{ secrets.INFURA_KEY }}
 PK: ${{ secrets.PK }}
- - uses: actions/github-script@v3
+ - uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3
 with:
 github-token: ${{secrets.GITHUB_TOKEN}}
 # https://octokit.github.io/rest.js/v18#pulls-create
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 20c416ec..617b611b 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -7,8 +7,8 @@ jobs:
 deploy:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-node@v1
+ - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
+ - uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e # v1
 with:
 node-version: 14.x
 - run: yarn --frozen-lockfile
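Review bot: The github-script pin on the new line of the deploy.yml hunk keeps the step on the `# v3` major, which, like the checkout and setup-node pins elsewhere in this patch, is several releases behind; the SHA should be confirmed against the v3 release tag it claims and the comment should carry the exact tag for update tooling, `# v<EXACT_TAG>` (placeholder). This step receives `${{secrets.GITHUB_TOKEN}}` to create a pull request right after a step whose env holds `PK`, `INFURA_KEY` and `ETHERSCAN_API_KEY`, so it is the place where a compromised action would have the most to take; no `permissions:` block is visible in the hunk, and if the workflow does not declare one the token likely runs with the repository's default scope, so a job-level `permissions:` granting only `contents: read` and `pull-requests: write` (the minimum implied by the pulls-create comment) is worth confirming. As a style point, write the expression `${{ secrets.GITHUB_TOKEN }}` with inner spaces, matching the other expressions in the same hunk. The enclosing step list continues outside the hunk on both sides.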