ci: harden GitHub Actions workflows

Pin workflow actions to commit SHAs, set explicit permissions and timeouts, update Ubuntu runners, and include the generated action bundle. Co-Authored-By: Codex <noreply@openai.com>
2026-06-05 11:08:41 +02:00 · 2026-05-10 01:18:21 +09:00
parent ba5146cb8a
commit 9b7aa41d20
10 changed files with 11797 additions and 50 deletions
@@ -21,11 +21,15 @@ on:
      - 'Dockerfile'
      - 'Makefile'

+permissions:
+  contents: read
+
 jobs:
  dev-image-test:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
+    timeout-minutes: 30
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - run: make build
      - run: make cirun cmd="npm ci"
      # - run: make ciall