From 640da7f18fdfe440ab1345075ed543df0c9cc62b Mon Sep 17 00:00:00 2001 From: kitsuyui Date: Sun, 14 Jun 2026 23:43:23 +0900 Subject: [PATCH] fix: pin external references to SHA for supply chain observability MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Pin two mutable external references to specific commit SHAs: 1. `.github/renovate.json5`: `local>kitsuyui/renovate-config` → pin to SHA cdad3c71. Without pinning, Renovate fetches the preset HEAD on every run, making behaviour changes untraceable in this repo's history. 2. `.github/workflows/spellcheck.yml`: `@main` → pin to SHA 8019e658. This aligns with the SHA-pinned convention already used in gh-counter.yml and gitignore-in.yml. Both changes improve supply chain observability: preset/workflow updates become explicit commits in this repo rather than silent side effects. --- .github/renovate.json5 | 2 +- .github/workflows/spellcheck.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 410f603..92952d4 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -1,6 +1,6 @@ { "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": [ - "local>kitsuyui/renovate-config" + "local>kitsuyui/renovate-config#cdad3c71e34e5abadf909c996906011bbc2b5725" ] } diff --git a/.github/workflows/spellcheck.yml b/.github/workflows/spellcheck.yml index 1161638..c330203 100644 --- a/.github/workflows/spellcheck.yml +++ b/.github/workflows/spellcheck.yml @@ -5,4 +5,4 @@ permissions: contents: read jobs: check: - uses: kitsuyui/gh-actions-workflows/.github/workflows/spellcheck.yml@main + uses: kitsuyui/gh-actions-workflows/.github/workflows/spellcheck.yml@8019e658f4665c962d0a88eb38b3b6be418e7be8