Pin commit hash of github actions to avoid supply chain attacks (#680)

## Changes
To avoid supply chain attacks, specify actions in GitHub Actions
workflows using commit hashes instead of version numbers. Pinact-action
will fail the CI job if this is not done. Renovate already supports
updates in the commit hash state, so there is no issue.

## References
- https://github.com/suzuki-shunsuke/pinact-action
- does pinact-action verify the checksum of the version of aqua it is
using? Yes!:
- https://github.com/suzuki-shunsuke/pinact

## Other repositories
- line/line-bot-sdk-python
line/line-bot-sdk-python#772
- line/line-bot-sdk-php
#680
- line/line-bot-sdk-nodejs
line/line-bot-sdk-nodejs#1201
- line/line-bot-sdk-java
line/line-bot-sdk-java#1576
- line/line-bot-sdk-go line/line-bot-sdk-go#555
- line/line-bot-sdk-ruby
line/line-bot-sdk-ruby#405
- line/line-openapi line/line-openapi#90

Author: Yang-33

.github/workflows/check-eol-newrelease.yml

@@ -15,10 +15,10 @@ jobs:
     if: github.repository == 'line/line-bot-sdk-php'
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Run EoL & NewRelease check
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const checkEolAndNewReleases = require('.github/scripts/check-eol-newrelease.cjs');

.github/workflows/close-issue.yml

@@ -13,7 +13,7 @@ jobs:
       pull-requests: write
     if: github.repository == 'line/line-bot-sdk-php'
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
         with:
           days-before-issue-stale: 14
           days-before-issue-close: 0

.github/workflows/generate-code.yml

@@ -17,22 +17,22 @@ jobs:
       pull-requests: write
     steps:
       # Setup
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           submodules: recursive
       - name: Update submodules
         run: git submodule update --remote --recursive
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
         id: setup_node_id
         with:
           node-version: 18
-      - uses: shivammathur/setup-php@v2
+      - uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # 2.32.0
         with:
           php-version: 8.2
 
       # Install openapi-generator-cli
       - run: echo "OPENAPI_GENERATOR_VERSION=7.11.0" >> $GITHUB_ENV
-      - uses: actions/cache@v4
+      - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         id: openapi-generator-cache
         env:
           cache-name: openapi-generator-cache

.github/workflows/php-checks.yml

@@ -27,17 +27,17 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           submodules: recursive
       - name: Set up PHP ${{ matrix.php }}
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # 2.32.0
         with:
           php-version: ${{ matrix.php }}
 
       - name: Install openapi-generator-cli
         run: echo "OPENAPI_GENERATOR_VERSION=7.11.0" >> $GITHUB_ENV
-      - uses: actions/cache@v4
+      - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         id: openapi-generator-cache
         env:
           cache-name: openapi-generator-cache
@@ -62,15 +62,15 @@ jobs:
         run: |
           echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
 
-      - uses: actions/cache@v4
+      - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: ${{ steps.composer-cache.outputs.dir }}
           key: ${{ runner.os }}-php-${{ matrix.php }}-${{ hashFiles('**/composer.lock') }}
           restore-keys: |
             ${{ runner.os }}-php-${{ matrix.php }}-
 
       - name: Install dependencies with Composer
-        uses: ramsey/composer-install@v2
+        uses: ramsey/composer-install@a2636af0004d1c0499ffca16ac0b4cc94df70565 # 3.1.0
 
       - name: Check copyrights
         if: matrix.analysis
@@ -91,3 +91,14 @@ jobs:
       - name: Run unit tests
         if: matrix.analysis
         run: ./vendor/bin/phpunit --test-suffix=Test.php --testdox
+
+  pinact:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Run pinact
+        uses: suzuki-shunsuke/pinact-action@a6896d13d22e2bf108a78b0c52d3f867c1f41b34 # v0.2.1
+        with:
+          skip_push: "true"

.github/workflows/release.yml

@@ -25,16 +25,16 @@ jobs:
       issues: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Pages
-        uses: actions/configure-pages@v5
+        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
         with:
           path: 'docs'
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
 
       - name: Create GitHub Issue on Failure
         if: failure()

line-openapi

@@ -2,6 +2,7 @@
   $schema: 'https://docs.renovatebot.com/renovate-schema.json',
   extends: [
     'config:recommended',
+    'helpers:pinGitHubActionDigestsToSemver'
   ],
   timezone: 'Asia/Tokyo',
   ignorePaths: [