chore: harden supply chain in CI

k-asm · k-asm · commit f75e825431ed · 2026-05-24T10:14:07.000+09:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,6 +1,9 @@
 name: CI
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build and test
@@ -34,12 +37,12 @@ jobs:
           - elixir: 1.15.x
             otp: 24.x
     steps:
-      - uses: actions/checkout@v4
-      - uses: erlef/setup-beam@v1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: erlef/setup-beam@fc68ffb90438ef2936bbb3251622353b3dcb2f93 # v1.24.0
         with:
           elixir-version: ${{ matrix.elixir }}
           otp-version: ${{ matrix.otp }}
-      - run: mix deps.get
+      - run: mix deps.get --check-locked --only test
       - run: mix deps.compile
       - run: mix compile --warnings-as-errors
         if: ${{ matrix.lint }}
diff --git a/mix.exs b/mix.exs
@@ -54,7 +54,7 @@ defmodule Params.Mixfile do
   defp deps do
     [
       {:ecto, "~> 2.0 or ~> 3.0"},
-      {:ex_doc, ">= 0.0.0", only: :dev, runtime: false},
+      {:ex_doc, "~> 0.34", only: :dev, runtime: false},
       {:dialyxir, "~> 0.5", only: :dev, runtime: false}
     ]
   end

Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ defmodule Params.Mixfile do`
`54`	`54`	`defp deps do`
`55`	`55`	`[`
`56`	`56`	`{:ecto, "~> 2.0 or ~> 3.0"},`
`57`		`- {:ex_doc, ">= 0.0.0", only: :dev, runtime: false},`
	`57`	`+ {:ex_doc, "~> 0.34", only: :dev, runtime: false},`
`58`	`58`	`{:dialyxir, "~> 0.5", only: :dev, runtime: false}`
`59`	`59`	`]`
`60`	`60`	`end`