From 64e0f66acbd8b134359e19b06e518ceb2734de14 Mon Sep 17 00:00:00 2001
From: Shohei Ueda <30958501+peaceiris@users.noreply.github.com>
Date: Sun, 10 May 2026 18:21:41 +0900
Subject: [PATCH] ci: harden workflows and update Node.js (#686)
---
 .github/workflows/codeql-analysis.yml | 14 +++--
 .github/workflows/dependency-review.yml | 7 +--
 .github/workflows/dev-image.yml | 7 ++-
 .github/workflows/label-commenter.yml | 10 ++--
 .../workflows/purge-readme-image-cache.yml | 15 +++---
 .github/workflows/release.yml | 7 ++-
 .github/workflows/test-action.yml | 9 ++--
 .github/workflows/test.yml | 21 ++++----
 .github/workflows/update-major-tag.yml | 7 ++-
 .nvmrc | 2 +-
 Dockerfile | 4 +-
 package-lock.json | 53 ++++++++++---------
 package.json | 8 +--
 src/index.ts | 3 +-
 14 files changed, 97 insertions(+), 70 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index dd9f075..ade5012 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -8,17 +8,21 @@ on:
 jobs:
 CodeQL-Build:
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
+ timeout-minutes: 20
+ permissions:
+ contents: read
+ security-events: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3.35.4
 with:
 languages: javascript
 - name: Autobuild
- uses: github/codeql-action/autobuild@v3
+ uses: github/codeql-action/autobuild@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3.35.4
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3.35.4
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 9fe7f7e..035a0ce 100644
--- a/.github/workflows/dependency-review.yml
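Review bot: The pinned `actions/checkout` step in `CodeQL-Build` keeps the default credential persistence, so the job token remains in the working tree's git configuration while the later CodeQL steps run. Nothing visible in this job pushes, so the step can carry `with:` and `persist-credentials: false`. The checkout steps in dependency-review.yml, dev-image.yml (where `make build` and `npm ci` run after it) and label-commenter.yml have the same gap; label-commenter.yml already has a `with:` block to extend.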
+++ b/.github/workflows/dependency-review.yml
@@ -10,7 +10,8 @@ permissions:
 jobs:
 dependency-review:
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
+ timeout-minutes: 5
 steps:
- - uses: actions/checkout@v4
- - uses: actions/dependency-review-action@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
diff --git a/.github/workflows/dev-image.yml b/.github/workflows/dev-image.yml
index c7b10cf..a638ac0 100644
--- a/.github/workflows/dev-image.yml
+++ b/.github/workflows/dev-image.yml
@@ -23,9 +23,12 @@ on:
 jobs:
 dev-image-test:
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
+ timeout-minutes: 20
+ permissions:
+ contents: read
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - run: make build
 - run: make cirun cmd="npm ci"
 # - run: make ciall
diff --git a/.github/workflows/label-commenter.yml b/.github/workflows/label-commenter.yml
index a99466e..e3d37b3 100644
--- a/.github/workflows/label-commenter.yml
+++ b/.github/workflows/label-commenter.yml
@@ -12,14 +12,18 @@ on:
 jobs:
 comment:
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
+ timeout-minutes: 5
+ permissions:
+ contents: read
+ issues: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 ref: main
 - name: Label Commenter
- uses: peaceiris/actions-label-commenter@v1.10.0
+ uses: peaceiris/actions-label-commenter@f0dbbef043eb1b150b566db36b0bdc8b7f505579 # v1.10.0
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 # config_file: .github/label-commenter-config.yml
diff --git a/.github/workflows/purge-readme-image-cache.yml b/.github/workflows/purge-readme-image-cache.yml
index a0b3df7..d930458 100644
--- a/.github/workflows/purge-readme-image-cache.yml
+++ b/.github/workflows/purge-readme-image-cache.yml
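Review bot: The `permissions` block added to the `comment` job in label-commenter.yml grants `issues: write` but not `pull-requests: write`; the `on:` triggers sit above this hunk, so whether pull request label events reach the job cannot be confirmed from here. If they do, the Label Commenter step may be refused when it comments on a pull request, and `pull-requests: write` would need to sit next to `issues: write`. If the workflow is issue-only, a short comment above the block, e.g. `# issue events only; add pull-requests: write if PR triggers are enabled`, would record that.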
@@ -6,11 +6,12 @@ on: jobs: purge: - runs-on: ubuntu-22.04 + runs-on: ubuntu-slim + timeout-minutes: 5 + permissions: {} steps: - - - run: > - curl -sL https://github.com/${GITHUB_REPOSITORY} | - grep -oE '=20.10.0", - "npm": ">=10.2.3" + "node": ">=24.15.0", + "npm": ">=11.12.1" } }, "node_modules/@actions/core": { @@ -1740,12 +1740,13 @@ "dev": true }, "node_modules/@types/node": { - "version": "20.10.5", - "resolved": "https://registry.npmjs.org/@types/node/-/node-20.10.5.tgz", - "integrity": "sha512-nNPsNE65wjMxEKI93yOP+NPGGBJz/PoN3kZsVLee0XMiJolxSekEVD8wRwBUBqkwc7UWop0edW50yrCQW4CyRw==", + "version": "24.12.2", + "resolved": "https://registry.npmjs.org/@types/node/-/node-24.12.2.tgz", + "integrity": "sha512-A1sre26ke7HDIuY/M23nd9gfB+nrmhtYyMINbjI1zHJxYteKR6qSMX56FsmjMcDb3SMcjJg5BiRRgOCC/yBD0g==", "dev": true, + "license": "MIT", "dependencies": { - "undici-types": "~5.26.4" + "undici-types": "~7.16.0" } }, "node_modules/@types/node-fetch": { @@ -11913,10 +11914,11 @@ } }, "node_modules/typescript": { - "version": "4.2.3", - "resolved": "https://registry.npmjs.org/typescript/-/typescript-4.2.3.tgz", - "integrity": "sha512-qOcYwxaByStAWrBf4x0fibwZvMRG+r4cQoTjbPtUlrWjBHbmCAww1i448U0GJ+3cNNEtebDteo/cHOR3xJ4wEw==", + "version": "4.9.5", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-4.9.5.tgz", + "integrity": "sha512-1FXk9E2Hm+QzZQ7z+McJiHL4NW1F2EzMu9Nq9i3zAaGqibafqYwCVU6WyWAuyQRRzOlxou8xZSyXLEN8oKj24g==", "dev": true, + "license": "Apache-2.0", "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" 
@@ -11939,10 +11941,11 @@ } }, "node_modules/undici-types": { - "version": "5.26.5", - "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz", - "integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==", - "dev": true + "version": "7.16.0", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.16.0.tgz", + "integrity": "sha512-Zz+aZWSj8LE6zoxD+xrjh4VfkIG8Ya6LvYkZqtUQGJPZjYl53ypCaUwWqo7eI0x66KBGeRo+mlBEkMSeSZ38Nw==", + "dev": true, + "license": "MIT" }, "node_modules/union-value": { "version": "1.0.1", @@ -13897,12 +13900,12 @@ "dev": true }, "@types/node": { - "version": "20.10.5", - "resolved": "https://registry.npmjs.org/@types/node/-/node-20.10.5.tgz", - "integrity": "sha512-nNPsNE65wjMxEKI93yOP+NPGGBJz/PoN3kZsVLee0XMiJolxSekEVD8wRwBUBqkwc7UWop0edW50yrCQW4CyRw==", + "version": "24.12.2", + "resolved": "https://registry.npmjs.org/@types/node/-/node-24.12.2.tgz", + "integrity": "sha512-A1sre26ke7HDIuY/M23nd9gfB+nrmhtYyMINbjI1zHJxYteKR6qSMX56FsmjMcDb3SMcjJg5BiRRgOCC/yBD0g==", "dev": true, "requires": { - "undici-types": "~5.26.4" + "undici-types": "~7.16.0" } }, "@types/node-fetch": { @@ -21897,9 +21900,9 @@ } }, "typescript": { - "version": "4.2.3", - "resolved": "https://registry.npmjs.org/typescript/-/typescript-4.2.3.tgz", - "integrity": "sha512-qOcYwxaByStAWrBf4x0fibwZvMRG+r4cQoTjbPtUlrWjBHbmCAww1i448U0GJ+3cNNEtebDteo/cHOR3xJ4wEw==", + "version": "4.9.5", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-4.9.5.tgz", + "integrity": "sha512-1FXk9E2Hm+QzZQ7z+McJiHL4NW1F2EzMu9Nq9i3zAaGqibafqYwCVU6WyWAuyQRRzOlxou8xZSyXLEN8oKj24g==", "dev": true }, "uglify-js": { 
@@ -21910,9 +21913,9 @@ "optional": true }, "undici-types": { - "version": "5.26.5", - "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz", - "integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==", + "version": "7.16.0", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.16.0.tgz", + "integrity": "sha512-Zz+aZWSj8LE6zoxD+xrjh4VfkIG8Ya6LvYkZqtUQGJPZjYl53ypCaUwWqo7eI0x66KBGeRo+mlBEkMSeSZ38Nw==", "dev": true }, "union-value": {
diff --git a/package.json b/package.json
index e9ea025..d838884 100644
--- a/package.json
+++ b/package.json
@@ -4,8 +4,8 @@
 "description": "GitHub Actions for Hugo",
 "main": "lib/index.js",
 "engines": {
- "node": ">=20.10.0",
- "npm": ">=10.2.3"
+ "node": ">=24.15.0",
+ "npm": ">=11.12.1"
 },
 "scripts": {
 "all": "npm run format:check && npm run lint && npm test",
@@ -55,7 +55,7 @@
 },
 "devDependencies": {
 "@types/jest": "^26.0.20",
- "@types/node": "~20",
+ "@types/node": "~24",
 "@types/node-fetch": "^2.5.8",
 "@typescript-eslint/eslint-plugin": "^4.16.1",
 "@typescript-eslint/parser": "^4.16.1",
@@ -70,6 +70,6 @@
 "prettier": "2.2.1",
 "standard-version": "^9.1.1",
 "ts-jest": "^26.5.3",
- "typescript": "^4.2.3"
+ "typescript": "^4.9.5"
 }
 }
diff --git a/src/index.ts b/src/index.ts
index 24a628b..e8daa19 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -5,6 +5,7 @@ import * as main from './main';
 try {
 await main.run();
 } catch (e) {
- core.setFailed(`Action failed with error ${e.message}`);
+ const message = e instanceof Error ? e.message : String(e);
+ core.setFailed(`Action failed with error ${message}`);
 }
 })();
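Review bot: The `String(e)` fallback in the `catch` block of src/index.ts renders a thrown plain object as `[object Object]`, and the `Error` branch keeps only `.message`, so the stack is lost in both cases. Adding `if (e instanceof Error && e.stack) core.debug(e.stack);` before `core.setFailed` would keep the trace available in debug logs without changing the failure message. The enclosing async wrapper opens above the hunk.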