ci: use sha pinning to mitigate (#613)

kenhys · web-flow · commit 5e91743a3cd7 · 2026-03-04T17:12:00.000+09:00
Lower risk about supply chain attack even though matched tag was compromised.

Signed-off-by: Kentaro Hayashi &lt;hayashi@clear-code.com&gt;
diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml
@@ -10,7 +10,7 @@ jobs:
     name: Add issue to project
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/add-to-project@v1.0.2
+      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
         with:
           project-url: https://github.com/orgs/fluent/projects/4
           github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
@@ -13,8 +13,8 @@ jobs:
     name: check spelling with codespell
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-python@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.13'
       - name: Install codespell
