ci: bump suzuki-shunsuke/pinact-action from 2.0.0 to 3.0.0

[dependabot]

Bumps suzuki-shunsuke/pinact-action from 2.0.0 to 3.0.0.

Release notes

Sourced from suzuki-shunsuke/pinact-action's releases.

v3.0.0

Issues | Pull Requests | suzuki-shunsuke/pinact-action@v2.0.0...v3.0.0 | Base revision

This release is largely driven by the update to pinact v4.0.0. Please also refer to the pinact v4.0.0 release notes.

⚠️ Breaking Changes

#1065 Upgrade pinact to v4.0.0 #1065 Behavior change when skip_push: true

Behavior change when skip_push: true

Previously, this was equivalent to a -check mode. It has been changed to simply skip committing. By default, a commit is created.

With skip_push: true, fix: true, the code is fixed but not committed. A subsequent step can create the commit on its own. This is useful when you want to bundle the pinact changes with other modifications into a single commit.

With skip_push: true, fix: false, validation is performed just like the previous skip_push: true behavior.

Features

#1065 Added inputs to support more pinact options

• files: lets you specify target files (positional arguments of pinact run)
• fix (--fix option)
• no_api (--no-api option)
• verify_min_age (--verify-min-age option)
• branch_to_tags (--branch-to-tags option)
• config (--config option)
• diff_file (--diff-file option)

Commits

• 896d595 chore: prepare release v3.0.0
• 8d2d695 feat!: update pinact to v4.0.0, expose new run options, honor fix in skip_pus...
• bd33019 chore(deps): lock file maintenance (#1068)
• 9117f4d chore(deps): update node.js to v24.16.0 (#1067)
• 378a2b3 chore(deps): update dependency aquaproj/aqua-registry to v4.516.0 (#1066)
• 5c74c8f chore(deps): update dependency aquaproj/aqua-registry to v4.515.0 (#1064)
• 62745e9 chore(deps): update dependency typescript-eslint to v8.59.4 (#1063)
• 1d5e6d9 chore(deps): update dependency aquaproj/aqua-registry to v4.514.0 (#1062)
• 064e7f1 chore(deps): update dependency aquaproj/aqua-registry to v4.513.1 (#1061)
• 3891c77 chore(deps): update dependency aquaproj/aqua-renovate-config to v2.12.1 (#1060)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[codecov]

Bundle Report

Bundle size has no change ✅

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.40%. Comparing base (1a42785) to head (78d32e3).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #211   +/-   ##
=======================================
  Coverage   99.40%   99.40%           
=======================================
  Files          33       33           
  Lines        1859     1859           
  Branches      513      513           
=======================================
  Hits         1848     1848           
  Misses          9        9           
  Partials        2        2           

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1a42785...78d32e3. Read the comment docs.

[klodr]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

📝 Walkthrough

Dependency Update

• GitHub Actions dependency: Updated suzuki-shunsuke/pinact-action from v2.0.0 to v3.0.0

Breaking Changes

• skip_push: true behavior change: In v3.0.0, skip_push: true now skips committing entirely (instead of functioning as a check-only mode). The workflow is configured with this setting, but no configuration changes were needed as the current usage remains compatible.

Security Impact

The pinact-action validates that GitHub Actions references are pinned to specific commit SHAs rather than floating tags, preventing potential supply chain attacks through action updates.

Walkthrough

Updates the pinned GitHub Actions reference for suzuki-shunsuke/pinact-action from v2.0.0 to v3.0.0 in the workflow configuration, changing one commit SHA to another with no other workflow logic modifications.

Changes

GitHub Actions Version Update

Layer / File(s)	Summary
Pinact action version bump .github/workflows/actions-pinned.yml	Updates the uses: pin for suzuki-shunsuke/pinact-action from the v2.0.0 commit SHA to the v3.0.0 commit SHA.

Possibly related PRs

• klodr/gmail-mcp#163: Introduced the actions-pinned.yml workflow and initially pinned suzuki-shunsuke/pinact-action to v2.0.0.

Suggested labels

Review effort 2/5

Suggested reviewers

• klodr

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title follows Conventional Commits format with 'ci' type and imperative mood subject, is 58 characters (well under 72 limit), and accurately describes the main change of updating the pinact-action dependency.
Description check	✅ Passed	The description is directly related to the changeset, providing detailed information about the dependency bump including release notes, breaking changes, new features, and commit history.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/actions-pinned.yml (1)

25-30: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Set fix: "false" for pinact-action v3.0.0 to keep the pinned-actions gate failing on unpinned actions

The workflow pins suzuki-shunsuke/pinact-action@896d595f299e71d65b9d28349d6956abe144390a (v3.0.0) but only sets skip_push: "true". In v3, skip_push: true is validate-only only when paired with fix: false; otherwise it applies fixes in-place (without creating a commit), so the “actions pinned” gate can pass even if actions are unpinned.

🛡️ Proposed fix

       - uses: suzuki-shunsuke/pinact-action@896d595f299e71d65b9d28349d6956abe144390a # v3.0.0
         with:
           # `version` was removed in pinact-action v2: the pinact binary
           # is now bundled with the action tag, so the action SHA above
           # is the only thing pinning the pinact version.
+          # `fix: false` keeps this a validate-only gate: in v3 a bare
+          # `skip_push: true` now fixes files in-place and passes instead
+          # of failing when an action is unpinned.
+          fix: "false"
           skip_push: "true"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/actions-pinned.yml around lines 25 - 30, The pinact-action
is configured with skip_push: "true" but not fix, so v3 will apply fixes instead
of only validating; update the action invocation for
suzuki-shunsuke/pinact-action@896d595f299e71d65b9d28349d6956abe144390a (v3.0.0)
to include fix: "false" alongside skip_push: "true" (ensure both keys are
strings consistent with the YAML style) so the action runs in validate-only mode
and the "actions pinned" gate will catch unpinned actions.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/actions-pinned.yml:
- Around line 25-30: The pinact-action is configured with skip_push: "true" but
not fix, so v3 will apply fixes instead of only validating; update the action
invocation for
suzuki-shunsuke/pinact-action@896d595f299e71d65b9d28349d6956abe144390a (v3.0.0)
to include fix: "false" alongside skip_push: "true" (ensure both keys are
strings consistent with the YAML style) so the action runs in validate-only mode
and the "actions pinned" gate will catch unpinned actions.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: d642f7da-90f1-4b24-b554-7a06ab3729f0

📥 Commits

Reviewing files that changed from the base of the PR and between 1a42785 and 78d32e3.

📒 Files selected for processing (1)

• .github/workflows/actions-pinned.yml