From 6d6fec86166ab1e435efe920bb5a86f3ae2bf56d Mon Sep 17 00:00:00 2001
From: davidliu <davidliu@deviange.net>
Date: Thu, 7 May 2026 22:36:59 +0900
Subject: [PATCH 1/4] pinact action

---
 .github/workflows/pinact_update.yml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 .github/workflows/pinact_update.yml

diff --git a/.github/workflows/pinact_update.yml b/.github/workflows/pinact_update.yml
new file mode 100644
index 000000000..76c2abe89
--- /dev/null
+++ b/.github/workflows/pinact_update.yml
@@ -0,0 +1,29 @@
+name: Pinact update
+
+on:
+  push:
+    paths:
+      - ".github/workflows/**"
+  schedule:
+    # Weekly on Monday at 00:00 UTC
+    - cron: "0 0 * * 1"
+  workflow_dispatch: {}
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  pinact:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@6.0.2
+
+      - name: Run pinact (update workflow files)
+        uses: suzuki-shunsuke/pinact-action@cf51507d80d4d6522a07348e3d58790290eaf0b6 # v2.0.0
+        with:
+          # Requires repo and workflow:write access to modify workflow files.
+          github_token: ${{ secrets.PINACT_GITHUB_TOKEN }}
+          update: "true"
+          min_age: "30"

From 2b048400811935969cb93abd1850f181f3f8d225 Mon Sep 17 00:00:00 2001
From: davidliu <davidliu@deviange.net>
Date: Thu, 7 May 2026 22:50:22 +0900
Subject: [PATCH 2/4] fix

---
 .github/workflows/pinact_update.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/pinact_update.yml b/.github/workflows/pinact_update.yml
index 76c2abe89..992bf0198 100644
--- a/.github/workflows/pinact_update.yml
+++ b/.github/workflows/pinact_update.yml
@@ -2,6 +2,13 @@ name: Pinact update
 
 on:
   push:
+    branches:
+      - main
+    paths:
+      - ".github/workflows/**"
+  pull_request:
+    branches:
+      - main
     paths:
       - ".github/workflows/**"
   schedule:
@@ -18,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@6.0.2
+        uses: actions/checkout@v6.0.2
 
       - name: Run pinact (update workflow files)
         uses: suzuki-shunsuke/pinact-action@cf51507d80d4d6522a07348e3d58790290eaf0b6 # v2.0.0

From 9f19777983697d78cf246e5952fcf68e65c90acc Mon Sep 17 00:00:00 2001
From: davidliu <davidliu@deviange.net>
Date: Thu, 7 May 2026 23:07:08 +0900
Subject: [PATCH 3/4] fix

---
 .github/workflows/pinact_update.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/pinact_update.yml b/.github/workflows/pinact_update.yml
index 992bf0198..03ca3657c 100644
--- a/.github/workflows/pinact_update.yml
+++ b/.github/workflows/pinact_update.yml
@@ -30,7 +30,18 @@ jobs:
       - name: Run pinact (update workflow files)
         uses: suzuki-shunsuke/pinact-action@cf51507d80d4d6522a07348e3d58790290eaf0b6 # v2.0.0
         with:
-          # Requires repo and workflow:write access to modify workflow files.
           github_token: ${{ secrets.PINACT_GITHUB_TOKEN }}
           update: "true"
           min_age: "30"
+          skip_push: "true"
+
+      - name: Create PR (if changes)
+        uses: peter-evans/create-pull-request@v6
+        with:
+          token: ${{ secrets.PINACT_GITHUB_TOKEN }}
+          commit-message: "chore(pinact): pin GitHub Actions"
+          title: "chore(pinact): pin GitHub Actions"
+          body: |
+            Automated update by pinact.
+          branch: "dl/pinact_action"
+          delete-branch: true

From d4ab27bce73aa6091e584143391471ff1a4565b2 Mon Sep 17 00:00:00 2001
From: davidliu <davidliu@deviange.net>
Date: Thu, 7 May 2026 23:20:05 +0900
Subject: [PATCH 4/4] run tool manually

---
 .github/workflows/pinact_update.yml | 34 +++++++++++++++++++----------
 aqua.yaml                           |  6 +++++
 2 files changed, 29 insertions(+), 11 deletions(-)
 create mode 100644 aqua.yaml

diff --git a/.github/workflows/pinact_update.yml b/.github/workflows/pinact_update.yml
index 03ca3657c..dc9d59e03 100644
--- a/.github/workflows/pinact_update.yml
+++ b/.github/workflows/pinact_update.yml
@@ -6,11 +6,6 @@ on:
       - main
     paths:
       - ".github/workflows/**"
-  pull_request:
-    branches:
-      - main
-    paths:
-      - ".github/workflows/**"
   schedule:
     # Weekly on Monday at 00:00 UTC
     - cron: "0 0 * * 1"
@@ -27,13 +22,30 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6.0.2
 
-      - name: Run pinact (update workflow files)
-        uses: suzuki-shunsuke/pinact-action@cf51507d80d4d6522a07348e3d58790290eaf0b6 # v2.0.0
+      - name: Install aqua (installs pinact)
+        uses: aquaproj/aqua-installer@v3
         with:
-          github_token: ${{ secrets.PINACT_GITHUB_TOKEN }}
-          update: "true"
-          min_age: "30"
-          skip_push: "true"
+          aqua_version: v2.56.1
+          aqua_opts: "-c aqua.yaml"
+
+      - name: Run pinact (fix workflow files)
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          # Keep the job going even if pinact exits non-zero due to changes.
+          set +e
+          aqua exec -- pinact run \
+            --check \
+            --diff \
+            --fix \
+            --update \
+            --min-age "30" \
+            ".github/workflows"
+          exit_code="$?"
+          set -e
+
+          echo "pinact exit code: ${exit_code}"
 
       - name: Create PR (if changes)
         uses: peter-evans/create-pull-request@v6
diff --git a/aqua.yaml b/aqua.yaml
new file mode 100644
index 000000000..b702052d5
--- /dev/null
+++ b/aqua.yaml
@@ -0,0 +1,6 @@
+registries:
+  - type: standard
+    ref: v4.400.0
+
+packages:
+  - name: suzuki-shunsuke/pinact@v3.9.2