diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..4c55acb
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,24 @@
+version: 2
+updates:
+ # SHA 固定した GitHub Actions を自動更新する(go-lint.yml / flutter-lint.yml)。
+ # 固定したまま放置すると脆弱性修正を取りこぼすため、その逆リスクを Dependabot で解消する。
+ - package-ecosystem: "github-actions"
+ # "/" を指定すると .github/workflows 配下を走査する。
+ directory: "/"
+ schedule:
+ # weekly は「PRを毎週出す」ではなく「毎週更新を確認する」間隔。更新が無ければ無音。
+ interval: "weekly"
+ day: "monday"
+ time: "09:00"
+ timezone: "Asia/Tokyo"
+ # bump コミットの接頭辞。手動コミットの ci: と揃える。
+ commit-message:
+ prefix: "ci"
+ # 複数アクションの更新を1つの PR にまとめてレビュー回数を減らす。
+ groups:
+ github-actions:
+ patterns:
+ - "*"
+ # 公開直後の版は掴まず7日待つ。乗っ取り直後の悪意リリースを避ける猶予。
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/flutter-lint.yml b/.github/workflows/flutter-lint.yml
index 77a5153..2a03f36 100644
--- a/.github/workflows/flutter-lint.yml
+++ b/.github/workflows/flutter-lint.yml
@@ -15,10 +15,10 @@ jobs:
 run:
 working-directory: mobile
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 persist-credentials: false
- - uses: subosito/flutter-action@v2
+ - uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0
 with:
 flutter-version: 3.27.3
 channel: stable
diff --git a/.github/workflows/lint.yml b/.github/workflows/go-lint.yml
similarity index 50%
rename from .github/workflows/lint.yml
rename to .github/workflows/go-lint.yml
index 64377b6..9899ff3 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/go-lint.yml
@@ -1,4 +1,4 @@
-name: lint
+name: go-lint
 on:
 pull_request:
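Review bot: The `groups` entry with `patterns: ["*"]` means every action bump arrives in a single PR, so a reviewer sees several new commit SHAs at once and is more likely to approve them as a batch; the comment above `groups:` only mentions fewer review rounds. I would extend that comment to say that each SHA in a grouped PR still has to be matched against the upstream release tag before merging, e.g. `# まとめても SHA ごとに上流のリリースタグと照合してからマージする`. The `cooldown` comment presents the 7-day wait as protection against a hijacked release, but that only covers updates Dependabot itself proposes; a manual bump of a pin bypasses it, and a short note saying so would keep the comment from overstating the guarantee.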
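Review bot: The new checkout pin carries only the major tag in its comment (`# v4`) while the flutter-action pin on the same hunk records the exact release (`# v2.23.0`); for an SHA pin the trailing comment is the only human-readable way to audit which release the hash corresponds to, so the major-only form makes that check harder and leaves the file inconsistent. I would write the exact tag the SHA resolves to on that line, `# v4.<exact>` (placeholder — confirm against the upstream tag). The same major-only comments appear on all three pins in the go-lint.yml hunk at `@@ -12,12 +12,14 @@`. The unchanged `flutter-version: 3.27.3` is safe as a plain scalar (two dots, so it stays a string), but quoting it as `"3.27.3"` would keep it safe if it is ever shortened to a two-component version.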
@@ -12,12 +12,14 @@ jobs:
 golangci:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
 with:
 go-version: stable
 - name: golangci-lint
- uses: golangci/golangci-lint-action@v7
+ uses: golangci/golangci-lint-action@9fae48acfc02a90574d7c304a1758ef9895495fa # v7
 with:
 version: v2.12
 working-directory: api
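Review bot: `go-version: stable` under the newly pinned setup-go step lets the lint toolchain float to whatever Go release is current, so golangci-lint may run against a different language version than the module declares and results can change between runs without any commit; now that the action itself is SHA-pinned this is the only unpinned input left in the job. If `api/go.mod` exists (the `working-directory: api` on the golangci step suggests it does), I would replace that line with `go-version-file: api/go.mod` so the toolchain follows the module's `go` directive. The added `persist-credentials: false` matches flutter-lint.yml; a top-level `permissions:` block would sit outside this hunk, so I cannot tell from here whether the job token is already restricted to read access.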