fix: security updates for GitHub actions are completed

.github/actions/check-core-team/action.yml

@@ -16,10 +16,12 @@ runs:
   steps:
     - name: Check membership
       id: check
-      uses: actions/github-script@v7
+      uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
+      env:
+        PR_AUTHOR: ${{ inputs.pr-author }}
       with:
         script: |
-          const author = '${{ inputs.pr-author }}';
+          const author = process.env.PR_AUTHOR;
           try {
             const { data } = await github.rest.repos.getCollaboratorPermissionLevel({
               owner: context.repo.owner,

.github/actions/setup-node-deps/action.yml

@@ -4,10 +4,10 @@ runs:
   using: "composite"
   steps:
     - name: Setup Node & Cache
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
       with:
         node-version: 24.11.0
         cache: 'npm'
     - name: Install deps
-      run: npm ci
+      run: npm ci --ignore-scripts
       shell: bash

.github/workflows/auto-assign.yml

@@ -12,7 +12,7 @@ jobs:
   assign-and-review:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           persist-credentials: 'false'
 
@@ -24,4 +24,4 @@ jobs:
 
       - name: Assign PR to author
         if: steps.check_team.outputs.is-internal == 'true'
-        uses: toshimaru/auto-author-assign@v3.0.1
+        uses: toshimaru/auto-author-assign@4d585cc37690897bd9015942ed6e766aa7cdb97f # v3.0.1

.github/workflows/auto-label.yml

@@ -15,7 +15,7 @@ jobs:
   auto_label:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           persist-credentials: 'false'
 
@@ -26,7 +26,7 @@ jobs:
           pr-author: ${{ github.event.pull_request.user.login || github.event.issue.user.login }}
 
       - name: Apply triage label
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         env:
           IS_INTERNAL: ${{ steps.check_team.outputs.is-internal }}
         with:

.github/workflows/build-storybook.yml

@@ -0,0 +1,33 @@
+name: Build Storybook
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          ref: ${{ github.event.pull_request.head.ref }}
+          fetch-depth: 0
+          persist-credentials: 'false'
+
+      - uses: ./.github/actions/setup-node-deps
+
+      - name: Build Storybook
+        run: npm run build:storybook
+
+      - name: Upload Storybook artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: storybook-static
+          path: storybook-static/
+          retention-days: 1

.github/workflows/chromatic-ui.yml

@@ -16,17 +16,25 @@ jobs:
     continue-on-error: true
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 0
           persist-credentials: 'false'
 
-      - uses: ./.github/actions/setup-node-deps
+      - name: Setup Node & Cache
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: 24.11.0
+          cache: 'npm'
+
+      - name: Install deps
+        run: npm ci --ignore-scripts
+        shell: bash
 
       - name: Run Chromatic
-        uses: chromaui/action@latest
+        uses: chromaui/action@7804f34e4e59c0d9b3c856848f46ad96d7897429 # v17.5.0
         with:
           projectToken: ${{ secrets.CHROMATIC_PROJECT_TOKEN }}
           onlyChanged: true

.github/workflows/code-validator.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.event.pull_request.head.ref }}

.github/workflows/pr-validator.yml

@@ -17,7 +17,7 @@ jobs:
     name: PR Compliance Check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.event.pull_request.head.ref }}
@@ -33,7 +33,7 @@ jobs:
 
       # 2. LINT PR TITLE
       - name: Validate PR title
-        uses: amannn/action-semantic-pull-request@v5
+        uses: amannn/action-semantic-pull-request@e32d7e603df1aa1ba07e981f2a23455dee596825 # v5
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -53,7 +53,7 @@ jobs:
 
       # 3. SYNC RELEASE LABELS
       - name: Sync release labels
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
           script: |
             const title = context.payload.pull_request.title;
@@ -93,7 +93,7 @@ jobs:
       # 4. CHECK INTERNAL ISSUE REFERENCE
       - name: Check internal issue reference
         if: steps.team-check.outputs.is-internal == 'true'
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
           script: |
             const prBody = context.payload.pull_request.body || '';

.github/workflows/publish.yml

@@ -16,12 +16,12 @@ jobs:
     steps:
       - name: Generate bot app token
         id: generate_token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1
         with:
           app-id: ${{ secrets.RELEASER_ID }}
           private-key: ${{ secrets.RELEASER_PRIVATE_KEY }}
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           ref: main
           token: ${{ steps.generate_token.outputs.token }}
@@ -96,7 +96,7 @@ jobs:
         run: npm publish --provenance --access public
 
       - name: Deploy Storybook
-        uses: cloudflare/wrangler-action@v3.14.1
+        uses: cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3.14.1
         with:
           apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
           accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}

.github/workflows/release-drafter.yml

@@ -16,6 +16,6 @@ jobs:
     name: Update Draft Release
     runs-on: ubuntu-latest
     steps:
-      - uses: release-drafter/release-drafter@v6
+      - uses: release-drafter/release-drafter@6a93d829887aa2e0748befe2e808c66c0ec6e4c7 # v6
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/workflow-protection.yml

@@ -19,7 +19,7 @@ jobs:
     steps:
 
       - name: Check for unauthorized .github/ changes
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
           script: |
             let page = 1;