From 8bca54edfa617dac01a6dcb2a4896d15ab26de49 Mon Sep 17 00:00:00 2001
From: wadackel <wadackel@gmail.com>
Date: Sat, 16 May 2026 22:50:16 +0900
Subject: [PATCH] ci: replace wagoid commitlint action with locally installed
 CLI

Run commitlint via `pnpm exec` after `./.github/actions/setup`, mirroring
the existing ci.yaml pattern (checkout + setup composite + pnpm <step>)
and the local lefthook usage (`pnpm exec commitlint --edit {1}`). This
drops the third-party `wagoid/commitlint-github-action` dependency and
unifies CI / local execution on the already installed `@commitlint/cli`.

The base/head SHAs are passed via `env:` instead of inline `${{ }}`
expansion as a defense-in-depth measure against expression injection.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/commitlint.yaml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml
index a61eb09..e6c2575 100644
--- a/.github/workflows/commitlint.yaml
+++ b/.github/workflows/commitlint.yaml
@@ -18,4 +18,10 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1
+      - uses: ./.github/actions/setup
+
+      - name: Commitlint
+        env:
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        run: pnpm exec commitlint --from="$BASE_SHA" --to="$HEAD_SHA" --verbose