
chore: Pin GitHub Actions to commit SHAs #9

Merged
nanasess merged 1 commit into main from feature/actions-commit-hash
Apr 21, 2026

Conversation

@nanasess
Contributor

Summary

As a supply-chain countermeasure, switch every GitHub Action from a mutable tag reference to an immutable commit SHA reference. Also add a Dependabot configuration so that the pinned actions keep being updated after pinning.

Changes

  • Converted every `uses:` in .github/workflows/ci.yml and publish.yml to the form `owner/repo@<40-character SHA> # vX.Y.Z` (generated automatically with pinact 3.9.0)
  • Added a new .github/dependabot.yml
    • github-actions: Mondays 09:00 JST / PR limit 5
    • npm: Wednesdays 09:00 JST / PR limit 5

Motivation

  • Tags (such as @v4) are mutable: if an action author's account is compromised and @v4 is re-pointed, the poisoned code is pulled in on the next CI run
  • The OpenSSF and GitHub security hardening guides also recommend pinning third-party actions to a full SHA
  • The version comment (# vX.Y.Z) is required as the identifier Dependabot uses when it automatically updates the SHA

Verification

  • CI (ci.yml) passes green
  • publish.yml will be verified at the first release after merge

Related

The other repositories under the EcAuth organization will be converted in turn under the same policy.

🤖 Generated with Claude Code

- Convert every `uses:` in `.github/workflows/*.yml` to the form `@<40-character SHA> # vX.Y.Z`
  (generated automatically with pinact 3.9.0)
- Add the `github-actions` / `npm` ecosystems to Dependabot so that
  updates continue weekly after SHA pinning

As a supply-chain countermeasure, pin the mutable tag references of
third-party actions to immutable commit SHAs.
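The pinning rule the PR describes, as an added example that is not the EcAuth project's code and not pinact itself: a small checker that scans the `uses:` lines of a workflow file and reports every third-party action that is not referenced by a full 40-hex commit SHA followed by the `# vX.Y.Z` comment Dependabot needs. The sample workflow and its SHAs are constructed placeholders; `example-org/example-action` is hypothetical.

```python
"""Audit GitHub Actions workflow files for commit-SHA pinning.

Added example (not the project's code and not pinact): scans `uses:` lines
and flags references that are not a full 40-hex commit SHA with a trailing
`# vX.Y.Z` comment (the comment is how Dependabot tracks the tag behind the SHA).
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Matches `uses: owner/repo@ref`, with or without a leading `- ` and quotes,
# and captures an optional trailing `# ...` comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'#\s]+)["\']?\s*(#.*)?$')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
VERSION_COMMENT_RE = re.compile(r'^#\s*v?\d+(\.\d+)*\b')


@dataclass
class Finding:
    line: int
    reference: str
    reason: str


def check_reference(reference: str, comment: str) -> Optional[str]:
    """Return why `reference` is not acceptably pinned, or None if it is."""
    # Local actions have no remote git ref; Docker images would need digest
    # pinning (@sha256:...) instead, which this check deliberately leaves out.
    if reference.startswith("./") or reference.startswith("docker://"):
        return None
    if "@" not in reference:
        return "missing @ref"
    _, ref = reference.rsplit("@", 1)
    if not FULL_SHA_RE.match(ref.lower()):
        return f"mutable or abbreviated ref '{ref}' (expected a full 40-hex commit SHA)"
    if not VERSION_COMMENT_RE.match(comment):
        return "SHA pinned but no '# vX.Y.Z' comment, so Dependabot cannot track the version"
    return None


def check_workflow(text: str) -> List[Finding]:
    """Scan one workflow file's text and return every unpinned `uses:` reference."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        reference, comment = m.group(1), (m.group(2) or "").strip()
        reason = check_reference(reference, comment)
        if reason is not None:
            findings.append(Finding(lineno, reference, reason))
    return findings


# Constructed sample workflow; the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: actions/setup-node@v4
      - uses: actions/cache@89abcdef0123456789abcdef0123456789abcdef
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - uses: example-org/example-action@abcdef0
"""


def main(paths: List[str]) -> int:
    """CLI entry point: exit 1 if any given file (or the sample) has an unpinned reference."""
    if paths:
        texts = {p: open(p, encoding="utf-8").read() for p in paths}
    else:
        texts = {"<sample>": SAMPLE_WORKFLOW}
    bad = 0
    for path, text in texts.items():
        for f in check_workflow(text):
            print(f"{path}:{f.line}: {f.reference}: {f.reason}")
            bad += 1
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python check_pins.py .github/workflows/*.yml` in CI to fail the build when a `uses:` drifts back to a tag; on the constructed sample it reports the `@v4` tag, the SHA without a version comment, and the abbreviated SHA, and accepts the local and Docker references.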
@coderabbitai

coderabbitai Bot commented Apr 21, 2026

Rate limit exceeded

Reviewing files that changed from the base of the PR and between 8f52fd7 and 3598377.

📒 Files selected for processing (3)
  • .github/dependabot.yml
  • .github/workflows/ci.yml
  • .github/workflows/publish.yml


@gemini-code-assist Bot left a comment


Code Review

This pull request introduces a Dependabot configuration to automate updates for GitHub Actions and npm packages. The review feedback suggests utilizing the groups feature for both ecosystems to consolidate multiple updates into single pull requests, preventing the open-pull-requests-limit from being reached quickly. Additionally, it is recommended to remove redundant allow configurations in the npm section to keep the file concise.

Comment thread .github/dependabot.yml
```yaml
      day: "monday"
      time: "09:00"
      timezone: "Asia/Tokyo"
    open-pull-requests-limit: 5
```

medium

With open-pull-requests-limit: 5, the limit is reached quickly when update PRs for GitHub Actions are created individually. Adding a groups setting to combine multiple updates into one PR streamlines management and prevents important updates from stalling.

```yaml
    open-pull-requests-limit: 5
    groups:
      actions:
        patterns:
          - "*"
```

Comment thread .github/dependabot.yml
Comment on lines +28 to +36
```yaml
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "npm"
    commit-message:
      prefix: "chore"
      include: "scope"
    allow:
      - dependency-type: "all"
```

medium

For the npm ecosystem as well, we recommend using groups to group dependencies and devDependencies separately. This makes it harder to hit the open-pull-requests-limit: 5 limit and reduces the risk of missing important updates. Also, allow: - dependency-type: "all" is the default behaviour and therefore redundant, so it has been removed to tidy up the configuration.

```yaml
    open-pull-requests-limit: 5
    groups:
      dependencies:
        dependency-type: "production"
      devDependencies:
        dependency-type: "development"
    labels:
      - "dependencies"
      - "npm"
    commit-message:
      prefix: "chore"
      include: "scope"
```

@nanasess nanasess merged commit dc2d15d into main Apr 21, 2026
3 checks passed
1 participant