chore(ci): replace ratchet with pinact for GitHub Actions SHA pinning

This replaces the ratchet tool with pinact for managing GitHub Actions SHA pinning across all workflow files. The changes include: - Remove ratchet-update.yml and ratchet-verify.yml workflows - Add new pinact.yml workflow for automated SHA pinning - Update all workflow files to use pinact-style comments (# v1.2.3 instead of # ratchet:action@v1) - Add .pinact.yaml configuration file with ignore rules for Homebrew actions and local actions - Update package.json scripts to use pinact commands instead of ratchet Pinact provides more reliable SHA pinning with better GitHub Actions integration.
2025-12-16 12:00:13 +01:00 · 2025-09-23 23:18:06 +09:00
parent ddb2131267
commit cd185a1ea3
17 changed files with 96 additions and 146 deletions
--- a/.github/actions/repomix/action.yml
+++ b/.github/actions/repomix/action.yml
@@ -43,7 +43,7 @@ runs:
  using: "composite"
  steps:
    - name: Setup Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
      with:
        node-version: "24"
        cache: "npm"
--- a/.github/workflows/autofix.yml
+++ b/.github/workflows/autofix.yml
@@ -12,10 +12,10 @@ jobs:
  autofix:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # ratchet:actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Setup Node.js
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: .tool-versions
          cache: npm
@@ -52,4 +52,4 @@ jobs:
          npm run lint
        continue-on-error: true

-      - uses: autofix-ci/action@635ffb0c9798bd160680f18fd73371e355b85f27 # ratchet:autofix-ci/action@v1.3.2
+      - uses: autofix-ci/action@635ffb0c9798bd160680f18fd73371e355b85f27 # v1.3.2
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -25,8 +25,8 @@ jobs:
      run:
        working-directory: scripts/memory
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: .tool-versions
          cache: npm
@@ -63,7 +63,7 @@ jobs:

      # Upload memory test results if available
      - name: Upload memory test results
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        if: always()
        with:
          name: memory-test-results-${{ github.run_id }}
@@ -80,8 +80,8 @@ jobs:
      run:
        working-directory: scripts/memory
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: .tool-versions
          cache: npm
@@ -115,7 +115,7 @@ jobs:

      # Upload detailed memory test results
      - name: Upload detailed memory test results
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        if: always()
        with:
          name: memory-test-results-full-${{ github.run_id }}
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,8 +13,8 @@ jobs:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: .tool-versions
          cache: npm
@@ -26,8 +26,8 @@ jobs:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: .tool-versions
          cache: npm
@@ -38,8 +38,8 @@ jobs:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: .tool-versions
          cache: npm
@@ -51,8 +51,8 @@ jobs:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: .tool-versions
          cache: npm
@@ -64,8 +64,8 @@ jobs:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: .tool-versions
          cache: npm
@@ -81,8 +81,8 @@ jobs:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: .tool-versions
          cache: npm
@@ -98,8 +98,8 @@ jobs:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: .tool-versions
          cache: npm
@@ -117,8 +117,8 @@ jobs:
    name: Lint GitHub Actions
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: rhysd/actionlint@4e683ab8014a63fafa117492a0c6053758e6d593 # ratchet:rhysd/actionlint@v1.7.3
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: rhysd/actionlint@4e683ab8014a63fafa117492a0c6053758e6d593 # v1.7.3
        with:
          args: "-color"

@@ -126,8 +126,8 @@ jobs:
    name: Check typos
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: crate-ci/typos@2abc5d928aaa84e3a901dda4f148299486dcd818 # ratchet:crate-ci/typos@master
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: crate-ci/typos@85f62a8a84f939ae994ab3763f01a0296d61a7ee # v1.36.2

  test:
    name: Test
@@ -137,9 +137,9 @@ jobs:
        node-version: [20.x, 22.x, 24.x]
    runs-on: ${{ matrix.os }}
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: ${{ matrix.node-version }}
      - run: npm ci
@@ -156,9 +156,9 @@ jobs:
        bun-version: [latest]
    runs-on: ${{ matrix.os }}
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Bun ${{ matrix.bun-version }}
-        uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # ratchet:oven-sh/setup-bun@v2
+        uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2.0.2
        with:
          bun-version: ${{ matrix.bun-version }}
      - run: bun install
@@ -170,8 +170,8 @@ jobs:
    name: Test coverage
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: .tool-versions
          cache: npm
@@ -179,11 +179,11 @@ jobs:
      - run: npm run test-coverage -- --reporter=verbose
        env:
          CI_OS: ${{ runner.os }}
-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: test-coverage
          path: coverage/
-      - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5
+      - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
        with:
          fail_ci_if_error: true
          directory: ./coverage
@@ -195,8 +195,8 @@ jobs:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: .tool-versions
          cache: npm
@@ -218,9 +218,9 @@ jobs:
        node-version: [20.x, 22.x, 24.x]
    runs-on: ${{ matrix.os }}
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: ${{ matrix.node-version }}
      - run: npm ci
@@ -232,7 +232,7 @@ jobs:
      - run: node bin/repomix.cjs --version
      - run: node bin/repomix.cjs --help
      - name: Upload build artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: repomix-output-${{ matrix.os }}-${{ matrix.node-version }}.txt
          path: repomix-output.txt
@@ -245,9 +245,9 @@ jobs:
        bun-version: [latest]
    runs-on: ${{ matrix.os }}
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Bun ${{ matrix.bun-version }}
-        uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # ratchet:oven-sh/setup-bun@v2
+        uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2.0.2
        with:
          bun-version: ${{ matrix.bun-version }}
      - run: bun install
@@ -258,7 +258,7 @@ jobs:
      - run: bun bin/repomix.cjs --version
      - run: bun bin/repomix.cjs --help
      - name: Upload build artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: repomix-output-bun-${{ matrix.os }}-${{ matrix.bun-version }}.txt
          path: repomix-output.txt
--- a/.github/workflows/claude-review.yml
+++ b/.github/workflows/claude-review.yml
@@ -13,12 +13,12 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1

      - name: Auto review PR
-        uses: anthropics/claude-code-action@93028b410ecfe1d5beca3c0196363bbb7c31167b # ratchet:anthropics/claude-code-action@main
+        uses: anthropics/claude-code-action@7ed3b616d54fd445625b77b219342949146bae9e # v1.0.8
        with:
          direct_prompt: |
            Please review this PR. Look at the changes and provide thoughtful feedback on:
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -25,12 +25,12 @@ jobs:
      id-token: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 1

      - name: Run Claude Code
        id: claude
-        uses: anthropics/claude-code-action@93028b410ecfe1d5beca3c0196363bbb7c31167b # ratchet:anthropics/claude-code-action@main
+        uses: anthropics/claude-code-action@7ed3b616d54fd445625b77b219342949146bae9e # v1.0.8
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -26,11 +26,11 @@ jobs:
            build-mode: none
    steps:
      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@96f518a34f7a870018057716cc4d7a5c014bd61c # ratchet:github/codeql-action/init@v3
+        uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
@@ -46,6 +46,6 @@ jobs:
          exit 1

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@96f518a34f7a870018057716cc4d7a5c014bd61c # ratchet:github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
        with:
          category: "/language:${{matrix.language}}"
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -27,11 +27,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Docker metadata
        id: meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # ratchet:docker/metadata-action@v5
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
        with:
          images: |
            ghcr.io/yamadashy/repomix
@@ -44,21 +44,21 @@ jobs:
            type=raw,value=latest,enable=${{ github.event_name == 'release' }}

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # ratchet:docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # ratchet:docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Login to GitHub Container Registry
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # ratchet:docker/login-action@v3
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and Publish Docker Image
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # ratchet:docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
--- a/.github/workflows/homebrew.yml
+++ b/.github/workflows/homebrew.yml
@@ -10,15 +10,15 @@ jobs:
    runs-on: macos-latest
    steps:
      - name: Set up Homebrew
-        uses: Homebrew/actions/setup-homebrew@87d3af7a72e5ede081b6dafce1798551a74fb366 # ratchet:Homebrew/actions/setup-homebrew@master
+        uses: Homebrew/actions/setup-homebrew@main
        with:
          test-bot: false

      - name: Configure Git user
-        uses: Homebrew/actions/git-user-config@87d3af7a72e5ede081b6dafce1798551a74fb366 # ratchet:Homebrew/actions/git-user-config@master
+        uses: Homebrew/actions/git-user-config@main

      - name: Bump packages
-        uses: Homebrew/actions/bump-packages@87d3af7a72e5ede081b6dafce1798551a74fb366 # ratchet:Homebrew/actions/bump-packages@master
+        uses: Homebrew/actions/bump-packages@main
        with:
          token: ${{ secrets.COMMITTER_TOKEN }}
          formulae: repomix
--- a/.github/workflows/pack-repository.yml
+++ b/.github/workflows/pack-repository.yml
@@ -12,15 +12,15 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Pack repository with Repomix
-        uses: yamadashy/repomix/.github/actions/repomix@dbf406cd7f1651ec410a722eb9ebf2b1a1255b34 # ratchet:yamadashy/repomix/.github/actions/repomix@main
+        uses: yamadashy/repomix/.github/actions/repomix@main
        with:
          output: repomix-output.xml

      - name: Upload Repomix output
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: repomix-output.xml
          path: repomix-output.xml
--- a/.github/workflows/pinact.yml
+++ b/.github/workflows/pinact.yml
@@ -0,0 +1,14 @@
+name: Pinact
+on:
+  pull_request: {}
+jobs:
+  pinact:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Pin actions
+        uses: suzuki-shunsuke/pinact-action@49cbd6acd0dbab6a6be2585d1dbdaa43b4410133 # v1.0.0
--- a/.github/workflows/ratchet-update.yml
+++ b/.github/workflows/ratchet-update.yml
@@ -1,58 +0,0 @@
-name: Ratchet update
-on:
-  schedule:
-    - cron: '0 0 * * 1' # Every Monday at midnight UTC
-  workflow_dispatch: # Allow manual trigger
-
-jobs:
-  update:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-
-      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # ratchet:actions/setup-go@v5
-        with:
-          go-version: stable
-
-      - name: Install ratchet
-        run: |
-          go install github.com/sethvargo/ratchet@v0.11.3
-          ratchet --version
-
-      - name: Update pinned SHAs
-        run: |
-          ratchet update ".github/workflows/"*.yml
-
-      - name: Check for changes
-        id: changes
-        run: |
-          if git diff --quiet; then
-            echo "has_changes=false" >> "$GITHUB_OUTPUT"
-          else
-            echo "has_changes=true" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Create Pull Request
-        if: steps.changes.outputs.has_changes == 'true'
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # ratchet:peter-evans/create-pull-request@v7
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          commit-message: 'chore(ci): Update pinned GitHub Actions SHAs'
-          title: 'chore(ci): Update pinned GitHub Actions SHAs'
-          body: |
-            ## Summary
-            - Updated pinned GitHub Actions SHAs using ratchet
-
-            ## Changes
-            This PR contains automated updates to the pinned SHAs in GitHub Actions workflows to ensure we're using the latest versions while maintaining security through SHA pinning.
-
-            ## Checklist
-            - [x] Run `npm run test`
-            - [x] Run `npm run lint`
-          branch: chore/update-actions-shas
-          delete-branch: true
--- a/.github/workflows/ratchet-verify.yml
+++ b/.github/workflows/ratchet-verify.yml
@@ -1,18 +0,0 @@
-name: Ratchet verify
-on:
-  pull_request:
-    paths: ['.github/workflows/**']
-jobs:
-  ratchet:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # ratchet:actions/setup-go@v5
-        with:
-          go-version: stable
-      - name: Install ratchet
-        run: |
-          go install github.com/sethvargo/ratchet@v0.11.3
-          ratchet --version
-      - name: Verify pinned SHAs
-        run: ratchet lint .github/workflows/*.yml
--- a/.github/workflows/schema-update.yml
+++ b/.github/workflows/schema-update.yml
@@ -15,16 +15,16 @@ jobs:
    name: Update configuration json schema
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: .tool-versions
          cache: npm
      - run: npm ci
      - run: npm run website-generate-schema
-      - uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a # ratchet:stefanzweifel/git-auto-commit-action@v4
+      - uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a # v4.16.0
        with:
          commit_message: 'chore(schema): auto generate schema'
          commit_user_name: "github-actions[bot]"
--- a/.github/workflows/test-action.yml
+++ b/.github/workflows/test-action.yml
@@ -21,7 +21,7 @@ jobs:
          - node-version: 22
            test-case: "full"
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Run Repomix Action (Minimal)
        if: matrix['test-case'] == 'minimal'
@@ -50,7 +50,7 @@ jobs:
          additional-args: "--no-file-summary"

      - name: Upload result
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: repomix-output-node${{ matrix.node-version }}
          path: repomix-*-output.txt
--- a/.pinact.yaml
+++ b/.pinact.yaml
@@ -0,0 +1,12 @@
+version: 3
+files:
+  - pattern: .github/workflows/*.yml
+  - pattern: .github/workflows/*.yaml
+  - pattern: .github/actions/*/action.yml
+  - pattern: .github/actions/*/action.yaml
+
+ignore_actions:
+  - name: Homebrew/actions/.*
+    ref: .*
+  - name: yamadashy/repomix/.github/actions/repomix
+    ref: .*
--- a/package.json
+++ b/package.json
@@ -42,8 +42,8 @@
    "npm-release-patch": "npm version patch && node --run npm-publish",
    "npm-release-minor": "npm version minor && node --run npm-publish",
    "npm-release-prerelease": "npm version prerelease && node --run npm-publish",
-    "ratchet-pin": "ratchet pin .github/workflows/*",
-    "ratchet-update": "ratchet update .github/workflows/*"
+    "pinact-run": "pinact run",
+    "pinact-check": "pinact run --check"
  },
  "keywords": [
    "repository",