From f75e825431ed99eb0687dc5f2c47b6610473f957 Mon Sep 17 00:00:00 2001
From: k-asm
Date: Sun, 24 May 2026 10:14:07 +0900
Subject: [PATCH 1/2] chore: harden supply chain in CI

---
 .github/workflows/ci.yml | 9 ++++++---
 mix.exs | 2 +-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fc3160d..c7ec3b6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,6 +1,9 @@
 name: CI
 on: [push, pull_request]
 
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Build and test
@@ -34,12 +37,12 @@ jobs:
 - elixir: 1.15.x
 otp: 24.x
 steps:
- - uses: actions/checkout@v4
- - uses: erlef/setup-beam@v1
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: erlef/setup-beam@fc68ffb90438ef2936bbb3251622353b3dcb2f93 # v1.24.0
 with:
 elixir-version: ${{ matrix.elixir }}
 otp-version: ${{ matrix.otp }}
- - run: mix deps.get
+ - run: mix deps.get --check-locked --only test
 - run: mix deps.compile
 - run: mix compile --warnings-as-errors
 if: ${{ matrix.lint }}
diff --git a/mix.exs b/mix.exs
index d2a3e19..5f6ebd5 100644
--- a/mix.exs
+++ b/mix.exs
@@ -54,7 +54,7 @@ defmodule Params.Mixfile do
 defp deps do
 [
 {:ecto, "~> 2.0 or ~> 3.0"},
- {:ex_doc, ">= 0.0.0", only: :dev, runtime: false},
+ {:ex_doc, "~> 0.34", only: :dev, runtime: false},
 {:dialyxir, "~> 0.5", only: :dev, runtime: false}
 ]
 end

From fcef224e5b9f87e60ec24eb6990053ea31174b1e Mon Sep 17 00:00:00 2001
From: k-asm
Date: Sun, 24 May 2026 10:19:12 +0900
Subject: [PATCH 2/2] ci: keep dev dependencies available for lock checks

---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c7ec3b6..edf72e5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
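Review bot: In the second `ci.yml` hunk of PATCH 1/2 (`@@ -34,12 +37,12 @@`), the pinned `actions/checkout` step still runs with its default of persisting the job token for later git commands, and none of the steps visible after it (`mix deps.get`, `mix deps.compile`, `mix compile`) need git credentials. Adding `with:` and `persist-credentials: false` under the checkout step would complete the least-privilege intent of the `permissions:` / `contents: read` block added in the first hunk. The trailing `# v6.0.2` and `# v1.24.0` comments are not checked against the SHAs by anything, so the pins are best maintained by an updater such as Dependabot or Renovate rather than edited by hand; no such configuration is part of this series. The `steps:` list continues past the end of the hunk, so a later step that does need the token cannot be ruled out from here.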
@@ -42,7 +42,7 @@ jobs:
 with:
 elixir-version: ${{ matrix.elixir }}
 otp-version: ${{ matrix.otp }}
- - run: mix deps.get --check-locked --only test
+ - run: mix deps.get --check-locked
 - run: mix deps.compile
 - run: mix compile --warnings-as-errors
 if: ${{ matrix.lint }}
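Review bot: The `mix deps.get --check-locked` step only verifies anything if a `mix.lock` is committed and already satisfies `mix.exs`, and neither patch in this series touches a lockfile (the diffstats list only `ci.yml` and `mix.exs`). PATCH 1/2 tightens the `ex_doc` requirement to `~> 0.34`, so if the committed lock records an older `ex_doc`, or the repository does not commit `mix.lock` at all, this step would presumably fail; the lock should be regenerated and committed in the same change. Only one matrix entry (`elixir: 1.15.x`) is visible in these hunks, so it is worth confirming that the oldest Elixir in the matrix recognises `--check-locked`, since a Mix that does not know the switch may ignore it and resolve versions freely. A short comment on the step, for example `# fail the build if mix.lock is out of sync with mix.exs`, would record why the flag is there.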