update action versions and SHA pinning

tomoyamachi · tomoyamachi · commit 2b814ce3786b · 2026-04-02T13:14:42.000+09:00
diff --git a/.github/workflows/build-scan-on-push.yml b/.github/workflows/build-scan-on-push.yml
@@ -1,16 +1,19 @@
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build-and-scan:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
     - run: docker build . -t ${{ github.sha }}
-    - uses: Azure/container-scan@v0
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
       with:
-        image-name: ${{ github.sha }}
-        severity-threshold: CRITICAL
-      env:
-        TRIVY_IGNORE_UNFIXED: true
-        DOCKLE_HOST: "unix:///var/run/docker.sock"
+        image-ref: ${{ github.sha }}
+        severity: CRITICAL
+        ignore-unfixed: true
+        exit-code: '1'
diff --git a/.github/workflows/releasebuild.yml b/.github/workflows/releasebuild.yml
@@ -6,43 +6,41 @@ on:
       - 'v*'
   pull_request:
 
+permissions:
+  contents: write
+  packages: write
+
 jobs:
   build-and-release:
     runs-on: ubuntu-latest
     env:
       DOCKER_CLI_EXPERIMENTAL: "enabled"
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
         with:
           go-version-file: 'go.mod'
-      - uses: actions/cache@v3.2.2
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
       - run: |
           go test ./...
         env:
           CGO_ENABLED: 0
       - name: Login to docker.io registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       - name: Login to ghcr.io registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           registry: ghcr.io
           username: goodwithtech
           password: ${{ secrets.GH_PAT }}
       -
         name: Run GoReleaser
         if: success() && startsWith(github.ref, 'refs/tags/v')
-        uses: goreleaser/goreleaser-action@v2
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
           distribution: goreleaser
           version: "~> v2"
@@ -53,4 +51,4 @@ jobs:
         name: Clear
         if: always() && startsWith(github.ref, 'refs/tags/v')
         run: |
-          rm -f ${HOME}/.docker/config.json
+          rm -f ${HOME}/.docker/config.json
