From ca077a809848722860cb2ad33c5dbd2aade80ede Mon Sep 17 00:00:00 2001
From: Xaver Loppenstedt
Date: Fri, 5 Dec 2025 13:11:13 +0100
Subject: [PATCH 1/4] Use pinact for GitHub Action dependency management
---
.pinact.yaml | 14 ++++++++++++++
1 file changed, 14 insertions(+)
create mode 100644 .pinact.yaml
diff --git a/.pinact.yaml b/.pinact.yaml
new file mode 100644
index 0000000..5c100ff
--- /dev/null
+++ b/.pinact.yaml
@@ -0,0 +1,14 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/suzuki-shunsuke/pinact/refs/heads/main/json-schema/pinact.json
+# pinact - https://github.com/suzuki-shunsuke/pinact
+version: 3
+# files:
+# - pattern: action.yaml
+# - pattern: */action.yaml
+
+ignore_actions:
+# - name: slsa-framework/slsa-github-generator/\.github/workflows/generator_generic_slsa3\.yml
+# ref: v\d+\.\d+\.\d+
+# - name: actions/.*
+# ref: main
+# - name: suzuki-shunsuke/.*
+# ref: release-.*
From e2702e882cc29fbf7c383fe02dcf01e23ec04891 Mon Sep 17 00:00:00 2001
From: Xaver Loppenstedt
Date: Fri, 5 Dec 2025 13:15:12 +0100
Subject: [PATCH 2/4] Use SHA for GitHub Action references
---
.github/workflows/ci.yml | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7c74bb2..910fbe3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
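Review bot: In the new `.pinact.yaml`, `ignore_actions:` is left with every entry commented out, so the key parses as null rather than as an empty list; write `ignore_actions: []` or comment the key out together with its examples. The commented examples would each exempt an action from pinning if someone uncomments them (`actions/.*` with `ref: main` covers a whole namespace), so a line such as `# every entry below leaves that action on a mutable ref; keep this list empty unless there is a documented reason` belongs above them. The schema comment points at `refs/heads/main`, which only affects editor hints, but it means the schema an editor validates against can drift from the pinact release actually in use.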
@@ -14,14 +14,14 @@ jobs: - name: install dependencies run: sudo apt update -qq && sudo apt -y install libxml2-utils - name: Check out repository code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # master with: php-version: '8.1' coverage: 'none' - name: Cache dependencies - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0 with: path: '~/.cache/composer' key: "cache-composer-${{ hashFiles('composer.json') }}" @@ -63,15 +63,15 @@ jobs: git config --global core.autocrlf false git config --global core.eol lf - name: Check out repository code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # master with: coverage: 'xdebug' php-version: ${{ matrix.php_version }} extensions: ast-1.1.1 - name: Cache dependencies - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0 with: path: '~/.cache/composer' key: "cache-composer-${{ hashFiles('composer.json') }}" 
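Review bot: `shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # master` pins a commit whose only label is a branch name, in this hunk and again in the one at -63. The SHA is immutable, but a reviewer cannot match it to a published release, and tooling that reads the version comment has no tag to compare against when it looks for updates. Prefer the commit of a tagged release with that tag in the comment, e.g. `uses: shivammathur/setup-php@<release-commit-sha> # <release-tag>` (placeholders, to be filled from the action's release page). Both steps belong to jobs whose definitions start outside these hunks.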
@@ -101,17 +101,17 @@ jobs: run: php vendor/bin/phpunit --coverage-clover=coverage.xml --coverage-cobertura=cobertura.xml --log-junit=junit.xml - name: Upload coverage to Codecov if: ${{ matrix.os != 'windows-latest' && matrix.php_version == '8.1' && matrix.dependencies_level != '--prefer-lowest' }} - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 with: token: ${{ secrets.CODECOV_TOKEN }} - name: Upload test results to Codecov if: ${{ matrix.os != 'windows-latest' && matrix.php_version == '8.1' && matrix.dependencies_level != '--prefer-lowest' }} - uses: codecov/test-results-action@v1 + uses: codecov/test-results-action@47f89e9acb64b76debcd5ea40642d25a4adced9f # v1.1.1 with: token: ${{ secrets.CODECOV_TOKEN }} - name: Upload coverage to Qlty if: ${{ matrix.os != 'windows-latest' && matrix.php_version == '8.1' && matrix.dependencies_level != '--prefer-lowest' }} - uses: qltysh/qlty-action/coverage@v1 + uses: qltysh/qlty-action/coverage@a2277a908db90c4c868832fb9204521fb940fdb4 # v1 with: token: ${{ secrets.QLTY_COVERAGE_TOKEN }} files: cobertura.xml @@ -125,10 +125,10 @@ jobs: if: always() runs-on: ubuntu-latest steps: - - uses: technote-space/workflow-conclusion-action@v3 + - uses: technote-space/workflow-conclusion-action@45ce8e0eb155657ab8ccf346ade734257fd196a5 # v3.0.3 - name: Post to a Slack channel id: slack - uses: slackapi/slack-github-action@v1.23.0 + uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0 with: # Slack channel id, channel name, or user id to post a message. # See also: https://api.slack.com/methods/chat.postMessage#channels From 1a5712afbbf939fad2691812a80cfe283f82e6c5 Mon Sep 17 00:00:00 2001 From: Xaver Loppenstedt Date: Fri, 5 Dec 2025 13:16:28 +0100 Subject: [PATCH 3/4] Update GitHub Actions with pinact run --update --- .github/workflows/ci.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
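Review bot: The three upload steps in this hunk hand `CODECOV_TOKEN` and `QLTY_COVERAGE_TOKEN` to third-party actions, so each SHA added here should be checked against the tag named in its trailing comment before merge; GitHub will also resolve a commit that exists only in a fork of the action's repository, so a well-formed SHA is not by itself proof of origin. pinact's own check (`pinact run --verify`) can do that comparison, but the `qltysh/qlty-action/coverage` pin annotated `# v1` gives it only a moving major tag to compare with, not an exact release. A pin also fixes only the action's own source, not anything an action may download while it runs, which is worth recording above these steps, e.g. `# SHA-pinned; anything the action fetches at run time is outside the pin`.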
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 910fbe3..e5b6349 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,14 +14,14 @@ jobs: - name: install dependencies run: sudo apt update -qq && sudo apt -y install libxml2-utils - name: Check out repository code - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Install PHP uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # master with: php-version: '8.1' coverage: 'none' - name: Cache dependencies - uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: '~/.cache/composer' key: "cache-composer-${{ hashFiles('composer.json') }}" @@ -63,7 +63,7 @@ jobs: git config --global core.autocrlf false git config --global core.eol lf - name: Check out repository code - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Install PHP uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # master with: @@ -71,7 +71,7 @@ jobs: php-version: ${{ matrix.php_version }} extensions: ast-1.1.1 - name: Cache dependencies - uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: '~/.cache/composer' key: "cache-composer-${{ hashFiles('composer.json') }}" 
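Review bot: The `actions/checkout` steps bumped in the hunk at -14 and in the one at -63 are followed directly by the next `- name:` entry, so they have no `with:` block and keep the default of persisting the job token for later steps. A `php vendor/bin/phpunit` step appears elsewhere in this workflow, so at least one of these jobs presumably runs Composer-installed code after checkout; unless a later step needs to push or fetch, add `with:` and `persist-credentials: false` under each `uses: actions/checkout@...` line. The update also crosses two major versions of `actions/checkout` and one of `actions/cache` in a single automated run, and the commit message does not say whether the release notes for those majors were reviewed.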
@@ -111,7 +111,7 @@ jobs: token: ${{ secrets.CODECOV_TOKEN }} - name: Upload coverage to Qlty if: ${{ matrix.os != 'windows-latest' && matrix.php_version == '8.1' && matrix.dependencies_level != '--prefer-lowest' }} - uses: qltysh/qlty-action/coverage@a2277a908db90c4c868832fb9204521fb940fdb4 # v1 + uses: qltysh/qlty-action/coverage@a19242102d17e497f437d7466aa01b528537e899 # v2.2.0 with: token: ${{ secrets.QLTY_COVERAGE_TOKEN }} files: cobertura.xml @@ -128,7 +128,7 @@ jobs: - uses: technote-space/workflow-conclusion-action@45ce8e0eb155657ab8ccf346ade734257fd196a5 # v3.0.3 - name: Post to a Slack channel id: slack - uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0 + uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1 with: # Slack channel id, channel name, or user id to post a message. # See also: https://api.slack.com/methods/chat.postMessage#channels From d1a353b98c767c5e9b23dba5de51ae34a6b08e5a Mon Sep 17 00:00:00 2001 From: Xaver Loppenstedt Date: Tue, 9 Dec 2025 21:03:52 +0100 Subject: [PATCH 4/4] Remove Slack notification --- .github/workflows/ci.yml | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e5b6349..bc7a054 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
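Review bot: In the hunk at -128, `slackapi/slack-github-action` moves from v1.23.0 to v2.1.1 while the step's `with:` block is left untouched, and the v2 line of that action replaced the v1 inputs. The `channel-id` and `slack-message` inputs and the `SLACK_BOT_TOKEN` env visible further down the workflow would need rewriting to the v2 form (`method`, `token`, `payload`), or the pin should stay on a v1 commit; because the job runs with `if: always()` purely to notify, a broken step here is easy to miss. The `qltysh/qlty-action/coverage` bump at -111 also crosses a major version with its `token` and `files` inputs unchanged, so its release notes need the same check. The `with:` block of the Slack step continues outside the hunk.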
@@ -120,20 +120,3 @@ jobs: env: QLTY_COVERAGE_TOKEN: ${{ secrets.QLTY_COVERAGE_TOKEN }} - slack-notify: - needs: [run-tests, style-checks] - if: always() - runs-on: ubuntu-latest - steps: - - uses: technote-space/workflow-conclusion-action@45ce8e0eb155657ab8ccf346ade734257fd196a5 # v3.0.3 - - name: Post to a Slack channel - id: slack - uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1 - with: - # Slack channel id, channel name, or user id to post a message. - # See also: https://api.slack.com/methods/chat.postMessage#channels - channel-id: '#mo4' - # For posting a simple plain text message - slack-message: "GitHub build result: ${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}" - env: - SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}