
ci: pin actions/checkout and shivammathur/setup-php action to specific commit #60

Merged
shimomo merged 1 commit into gh-pages from ci/pin-specific-commit
Aug 31, 2025

Conversation

@shimomo
Contributor

@shimomo shimomo commented Aug 31, 2025

To strengthen security, I pinned the versions of actions/checkout and shivammathur/setup-php to specific commit SHAs.

Summary by CodeRabbit

  • Chore
    • Pinned the external actions in the CI workflows to commits, improving build reproducibility and stability. Applied to the scheduled-run, security-scan and test pipelines. No user-facing feature or behaviour changes.

@coderabbitai

coderabbitai bot commented Aug 31, 2025

Walkthrough

In the three workflows under .github/workflows (cron.yml, security.yml, test.yml), the references to actions/checkout and shivammathur/setup-php are pinned from tags to specific commit SHAs. The step contents, their order and the control flow are unchanged.

Changes

Cohort / File(s): Workflows: pin external actions
  .github/workflows/cron.yml, .github/workflows/security.yml, .github/workflows/test.yml
Summary:
  actions/checkout@v5 → actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
  shivammathur/setup-php@v2 → shivammathur/setup-php@ec406be512d7077f68eed36e63f4d91bc006edc4
  All other definitions and steps are unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

Hop, and stamp the SHA in place,
the tag that drifts with the wind takes today off.
The night-sky CI, pinned like a constellation,
rabbit ears listening to the logs.
Tomorrow is stable; the moon smiles too. 🐇🌙

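A small audit script, added here as an example and not part of the PR or the repository, that does the check this PR performs by hand: it scans `uses:` lines in workflow text and reports which action references are pinned to a full 40-hex commit SHA, which pinned lines lack a trailing version comment (useful for the rotation the review mentions), and which are still on a mutable tag or branch. The workflow excerpts are constructed samples; only the two SHAs are taken from this PR.

```python
import re

# Constructed sample workflow excerpts (not the repository's actual files).
WORKFLOW_BEFORE = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@v5
      - uses: shivammathur/setup-php@v2
      - uses: ./.github/actions/local-thing
"""
WORKFLOW_AFTER = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5
      - uses: shivammathur/setup-php@ec406be512d7077f68eed36e63f4d91bc006edc4
      - uses: docker://alpine:3.20
"""

# Matches "uses: owner/repo@ref" with an optional trailing "# comment".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)\s*(?:#\s*(?P<comment>.*))?$")
# A pin is only immutable when the ref is a full 40-character hex commit SHA.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(workflow_text):
    """Return (ref, status) per `uses:` line; status is 'pinned',
    'pinned-no-version-comment', 'unpinned' or 'skipped'."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        # Local actions and docker images are not SHA-pinnable in the same way; skip them.
        if ref.startswith("./") or ref.startswith("docker://"):
            findings.append((ref, "skipped"))
            continue
        _, _, version = ref.partition("@")
        if SHA_RE.match(version):
            status = "pinned" if m.group("comment") else "pinned-no-version-comment"
        else:
            status = "unpinned"  # tag or branch: can move under you
        findings.append((ref, status))
    return findings


def unpinned_refs(workflow_text):
    """Just the references a reviewer would block on."""
    return [ref for ref, status in audit_uses(workflow_text) if status == "unpinned"]
```

Whether a pinned SHA actually belongs to the upstream repository and to the tag it claims (the check CodeRabbit reports at 33-33) still has to be confirmed against the origin; this script only inspects the workflow text.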


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/test.yml (1)

27-27: Pinning to a commit SHA is appropriate (setup-php)

Reproducibility and supply-chain resilience improve. Please also consider a periodic rotation process (e.g. Dependabot).

If requested, I can propose a template .github/dependabot.yml.


📥 Commits

Reviewing files that changed from the base of the PR and between e884d37 and 7adbb27.

📒 Files selected for processing (3)
  • .github/workflows/cron.yml (1 hunks)
  • .github/workflows/security.yml (1 hunks)
  • .github/workflows/test.yml (1 hunks)
🔇 Additional comments (4)
.github/workflows/test.yml (1)

33-33: Approved: the SHAs are verified
actions/checkout@ff7abcd0c3… and shivammathur/setup-php@ec406be512… are commits from the official repositories with verified signatures, and the latter is included in tag v2 (2.35.4).

.github/workflows/security.yml (2)

25-25: Pinning to a commit SHA is appropriate (setup-php)

This matches the intent from a security standpoint.


30-30: Pinning to a commit SHA is appropriate (checkout)

This job does not push, so the current parameters are fine.

.github/workflows/cron.yml (1)

18-18: Pinning to a commit SHA is appropriate (setup-php)

OK. Good that the SHA is unified with the other workflows.


- name: Checkout Code
uses: actions/checkout@v5
uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
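Review bot: the pinned line `uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493` carries no trailing comment naming the tag it replaces (`actions/checkout@v5` on the removed line); add `# v5` after the SHA so a reader can tell which release the commit corresponds to, and so the periodic rotation the review suggests has a human-readable version to compare against.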

@coderabbitai coderabbitai bot Aug 31, 2025


🛠️ Refactor suggestion

Since this job performs push/rebase, please specify fetch-depth: 0

Running git pull --rebase on a shallow history (the default depth=1) risks failure, and recovery is not possible when a conflict occurs.

Example:

-      - name: Checkout Code
-        uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
+      - name: Checkout Code
+        uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
+        with:
+          fetch-depth: 0
+          # (optional) if pinning to gh-pages is operationally safe, make it explicit:
+          # ref: gh-pages
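Review bot: `fetch-depth: 0` fetches the branch's entire history on every scheduled run of cron.yml, and the hunk does not say whether that cost is acceptable here; the comment should state it, since a bounded depth is still not enough for `git pull --rebase` to find the merge base. Also, the `# ref: gh-pages` lines are commented out, so as written the suggestion does not change which branch is checked out; either drop those two lines or make the decision explicit rather than leaving it as a comment.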
🤖 Prompt for AI Agents
.github/workflows/cron.yml around line 23: the actions/checkout step is using
the default shallow clone which risks failing or making rebases unrecoverable;
update the checkout action to perform a full clone by adding a with:
fetch-depth: 0 block for that step so subsequent git pull --rebase or
push/rebase jobs have full history available and can recover from conflicts.

Contributor Author

I will handle it in a separate PR.


@shimomo Understood. Handling it in a separate PR is fine!

Since the current PR focuses on pinning the actions, it makes sense to handle the fetch-depth item separately.

🐰
o_o
( )
^^^

@shimomo shimomo merged commit cad5fed into gh-pages Aug 31, 2025
6 checks passed
@shimomo shimomo deleted the ci/pin-specific-commit branch August 31, 2025 17:19