Fix github action version by hash

[atm-snag2]

What

• Fix version of github actions by hash

Refs

• https://docs.github.com/ja/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

How

Why

Refs

[gemini-code-assist]

Hello @atm-snag2, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

Summary of Changes

Hello! I'm gemini-code-assist, here to provide a summary of this pull request. This PR, authored by atm-snag2, aims to enhance the security and stability of the CI/CD workflow by pinning a GitHub Action to a specific commit hash rather than a major version tag. This practice, recommended for security hardening, ensures that the workflow uses an immutable version of the action, preventing unexpected changes or potential supply chain risks if the version tag were updated. The change involves modifying the actions/publish/action.yml file to update the reference for the actions/setup-node action.

Highlights

• Security Hardening: The primary goal is to improve workflow security by replacing a version tag (v4) with a specific commit hash (49933ea5288caeca8642d1e84afbd3f7d6820020) for the actions/setup-node action.
• Workflow Configuration Update: The change is implemented in the actions/publish/action.yml file, specifically updating the uses line for the node setup step.

Changelog

• actions/publish/action.yml
  • Updated the actions/setup-node reference from v4 to the specific commit hash 49933ea5288caeca8642d1e84afbd3f7d6820020 (corresponding to v4.4.0) for improved security and stability.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

---

Pin action version,
Hash keeps workflow stable,
Security is key.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[Copilot]

Pull Request Overview

This PR updates the GitHub Actions workflows to use specific commit hashes for actions in order to enhance security. Key changes include replacing semantic version tags for actions/setup-node and actions/checkout with fixed commit hashes across three workflow files.

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
actions/publish/action.yml	Fixed actions/setup-node to a commit hash corresponding to v4.4.0
.github/workflows/test.yml	Updated actions/checkout and actions/setup-node to commit hashes for v4.2.2 and v4.4.0 respectively
.github/workflows/publish-package.yml	Replaced semantic tags with commit hashes for actions/checkout and actions/setup-node to enforce version stability

Comments suppressed due to low confidence (5)

actions/publish/action.yml:21

• Verify that the commit hash for actions/setup-node corresponds to the intended stable release and document the update strategy for future maintenance.

- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0

.github/workflows/test.yml:31

• Ensure that the commit hash for actions/checkout is up-to-date and backed by appropriate documentation for its version lock rationale.

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/test.yml:32

• Confirm that the commit hash for actions/setup-node reflects the intended stable version and update documentation as necessary.

- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0

.github/workflows/publish-package.yml:19

• Verify that the specified commit hash for actions/checkout is the correct stable release and consider referencing the rationale for using fixed hashes in project documentation.

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/publish-package.yml:20

• Confirm that this commit hash for actions/setup-node is maintained and backed by official release notes to ensure ongoing security.

- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0

[gemini-code-assist]

Code Review

This pull request introduces an important security enhancement by pinning the actions/setup-node GitHub Action to a specific commit hash. This is a commendable practice as it improves the security and predictability of the CI workflow by preventing unintended updates from the action's v4 tag. The change is well-aligned with GitHub's security hardening recommendations.

Summary of Findings

• Incorrect version comment for pinned GitHub Action: In actions/publish/action.yml, the actions/setup-node action is pinned to commit hash 49933ea.... The comment states this is # v4.4.0, but the hash actually corresponds to v4.0.0. This should be corrected for clarity and accuracy.

Merge Readiness

This pull request significantly improves security by pinning a GitHub Action version. There is one medium-severity issue identified: an incorrect version number in a comment, which could lead to confusion. I recommend addressing this by correcting the comment before merging the pull request. As an AI reviewer, I am not authorized to approve pull requests; please ensure this change is also reviewed and approved by the appropriate team members.

[gemini-code-assist]

Pinning the actions/setup-node action to a specific commit hash (49933ea5288caeca8642d1e84afbd3f7d6820020) is a great step for security!

However, there appears to be a small discrepancy in the accompanying version comment. The comment # v4.4.0 suggests this hash corresponds to version 4.4.0 of actions/setup-node. Upon checking, the commit 49933ea5288caeca8642d1e84afbd3f7d6820020 is actually tagged as v4.0.0 in the actions/setup-node repository (see actions/setup-node@v4.0.0).

An accurate version comment is important for future maintainability and understanding. Could you please verify this and update the comment to # v4.0.0?

Also, note that the @v4 tag currently points to a newer version (e.g., v4.0.2). If your intention was to pin to the latest stable v4 release, you might consider using the hash for that version. However, pinning to v4.0.0 is perfectly valid; the main point here is to ensure the comment accurately reflects the pinned version.

    - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.0.0

[kimkim0814]

SHA指定により、アクションのバージョンが厳密に固定され、セキュリティ・安全性が向上させている。

---

LGTMです！