From e4ba21c1503440aabcf7b6deb956c94e306c575e Mon Sep 17 00:00:00 2001
From: YasunoriMATSUOKA
Date: Mon, 8 Jun 2026 23:29:59 +0900
Subject: [PATCH] ci(security): add pinact config and a workflow to verify pinned actions

We pinned all GitHub Actions to full commit SHAs manually, but nothing enforced it going forward. Add pinact so CI rejects any unpinned action or a version comment that does not match its SHA.
- .pinact.yaml (schema v3): file patterns for workflow / composite action files.
- .github/workflows/pinact.yml: runs suzuki-shunsuke/pinact-action on pull requests in check-only mode (fix: false, verify: true) using the default GITHUB_TOKEN; it never modifies files, only fails CI on violations. Its own actions are SHA-pinned too.
Dependabot (github-actions) keeps the pins fresh.
Verified locally with `pinact run --check --verify`: all workflows pass.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/pinact.yml | 22 ++++++++++++++++++++++
 .pinact.yaml | 6 ++++++
 2 files changed, 28 insertions(+)
 create mode 100644 .github/workflows/pinact.yml
 create mode 100644 .pinact.yaml
diff --git a/.github/workflows/pinact.yml b/.github/workflows/pinact.yml
new file mode 100644
index 0000000..fa94308
--- /dev/null
+++ b/.github/workflows/pinact.yml
@@ -0,0 +1,22 @@
+name: Pinact
+
+on:
+ pull_request:
+
+permissions:
+ contents: read
+
+jobs:
+ pinact:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
+ - name: Verify GitHub Actions are pinned to full commit SHAs
+ uses: suzuki-shunsuke/pinact-action@896d595f299e71d65b9d28349d6956abe144390a # v3.0.0
+ with:
+ # Check-only: fail CI if any action is unpinned or a version comment
+ # does not match its SHA. Never modify files.
+ fix: "false"
+ verify: "true"
diff --git a/.pinact.yaml b/.pinact.yaml
new file mode 100644
index 0000000..c25f675
--- /dev/null
+++ b/.pinact.yaml
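Review bot: The job is triggered only by `pull_request`, so a direct push to the default branch (or a merge that bypasses PR checks) is never verified, and even on PRs a failing run is advisory unless the `pinact` job is configured as a required status check in branch protection; consider also listing `push: branches: [<default-branch>]` under `on:` so the default branch itself is checked. Since `verify: "true"` presumably resolves each SHA against the GitHub API (the commit description mentions the default GITHUB_TOKEN, but the workflow passes no token explicitly — confirm the action picks it up by default), and the job sets no `timeout-minutes`, a stalled API call or rate-limit wait would run until the 6-hour default; `timeout-minutes: 10` on the job keeps that bounded. `permissions: contents: read` together with `persist-credentials: false` is the right scope for a check-only job and should be kept as is.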
@@ -0,0 +1,6 @@
+version: 3
+files:
+ - pattern: .github/workflows/*.yml
+ - pattern: .github/workflows/*.yaml
+ - pattern: .github/actions/*/action.yml
+ - pattern: .github/actions/*/action.yaml
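Review bot: The four patterns define the entire enforcement scope, and they match only workflow files and composite actions exactly one directory below `.github/actions/`; an action nested deeper (constructed example: `.github/actions/<group>/<name>/action.yml`) or a root-level `action.yml` if this repository itself publishes an action would be silently skipped both by the CI job and by the local `pinact run --check --verify` the description relies on. If either layout exists or is planned, add the corresponding `- pattern:` entries — whether pinact's glob accepts `**` is not visible from this diff, so confirm against its documentation before relying on it. A short comment above `files:`, `# Only files matched below are checked for SHA pinning; unmatched paths are not enforced`, would make that limitation visible to the next maintainer.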