Release 2.70.2

.github/workflows/ci.yml

@@ -51,7 +51,8 @@ jobs:
       contents: write # for creating branch for pr
       pull-requests: write # unused (used in `codegen-automerge: true` case)
       security-events: write # for github/codeql-action/*
-    secrets: inherit
+    secrets:
+      PR_TOKEN_APP_PRIVATE_KEY: ${{ secrets.PR_TOKEN_APP_PRIVATE_KEY }}
 
   test:
     strategy:
@@ -99,7 +100,11 @@ jobs:
       - run: rm -- Cargo.toml
       - name: Generate tool list
         id: tool-list
-        run: tools/ci/tool-list.sh "${{ matrix.tool }}" "${{ matrix.os }}" "${{ matrix.bash }}" >>"${GITHUB_OUTPUT}"
+        run: tools/ci/tool-list.sh "${TOOL}" "${OS}" "${BASH}" >>"${GITHUB_OUTPUT}"
+        env:
+          TOOL: ${{ matrix.tool }}
+          OS: ${{ matrix.os }}
+          BASH: ${{ matrix.bash }}
       - run: |
           printf '%s\n' 'C:\msys64\mingw32\bin' >>"${GITHUB_PATH}"
           printf '%s\n' 'C:\msys64\usr\bin' >>"${GITHUB_PATH}"
@@ -264,7 +269,7 @@ jobs:
           sed -i /etc/yum.repos.d/*.repo -e 's!^mirrorlist!#mirrorlist!' \
             -e 's!^#baseurl=http://mirror.centos.org/!baseurl=https://vault.centos.org/!'
           sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf
-          if [[ "${{ matrix.container }}" == "centos:6" ]]; then
+          if [[ "${CONTAINER}" == "centos:6" ]]; then
             # CentOS 6's curl (7.19.7) has no curl has no --proto/--tlsv1.2.
             yum install -y gcc openssl-devel
             curl -fsSL --retry 10 https://curl.se/download/curl-7.34.0.tar.gz | tar xzf -
@@ -278,13 +283,17 @@ jobs:
               https://vault.ius.io/el6/x86_64/packages/p/perl-Git18-1.8.5.5-4.ius.el6.noarch.rpm \
               https://vault.ius.io/el6/x86_64/packages/g/git18-1.8.5.5-4.ius.el6.x86_64.rpm
           fi
+        env:
+          CONTAINER: ${{ matrix.container }}
         if: startsWith(matrix.container, 'centos')
       - uses: taiki-e/checkout-action@v1
       # cross attempts to install rust-src when Cargo.toml is available even if `cross --version`
       - run: rm -- Cargo.toml
       - name: Generate tool list
         id: tool-list
-        run: tools/ci/tool-list.sh "" "${{ matrix.container }}" >>"${GITHUB_OUTPUT}"
+        run: tools/ci/tool-list.sh "" "${CONTAINER}" >>"${GITHUB_OUTPUT}"
+        env:
+          CONTAINER: ${{ matrix.container }}
       # remove bash installed by checkout-action
       - run: apk --no-cache del bash
         shell: sh

.github/workflows/manifest.yml

@@ -37,7 +37,8 @@ jobs:
     permissions:
       contents: write # for creating branch for pr
       pull-requests: write # for gh pr review --approve
-    secrets: inherit
+    secrets:
+      PR_TOKEN_APP_PRIVATE_KEY: ${{ secrets.PR_TOKEN_APP_PRIVATE_KEY }}
     with:
       script: tools/manifest.sh
       commit-script: tools/ci/manifest.sh

.github/workflows/release.yml

@@ -26,6 +26,10 @@ defaults:
   run:
     shell: bash --noprofile --norc -CeEuxo pipefail {0}
 
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
+
 jobs:
   prepare:
     if: github.repository_owner == 'taiki-e' && inputs.target == 'install-action'
@@ -435,7 +439,8 @@ jobs:
       contents: write # for taiki-e/create-gh-release-action
       id-token: write # for rust-lang/crates-io-auth-action
       attestations: write # unused (used when options for uploading binaries are set)
-    secrets: inherit
+    secrets:
+      PUSH_TOKEN: ${{ secrets.PUSH_TOKEN }}
     with:
       version: ${{ inputs.version }}
       tag-prefix: install-action-manifest-schema-

.github/zizmor.yml

@@ -2,7 +2,7 @@
 # https://docs.zizmor.sh/configuration/
 
 rules:
-  secrets-inherit: { disable: true }
+  anonymous-definition: { disable: true }
   unpinned-uses:
     config:
       policies:

CHANGELOG.md

@@ -10,6 +10,12 @@ Note: In this file, do not use the hard wrap in the middle of a sentence for com
 
 ## [Unreleased]
 
+## [2.70.2] - 2026-03-30
+
+- Update `vacuum@latest` to 0.25.3.
+
+- Update `tombi@latest` to 0.9.11.
+
 ## [2.70.1] - 2026-03-29
 
 - Update `cargo-insta@latest` to 1.47.1.
@@ -6065,7 +6071,8 @@ Note: This release is considered a breaking change because installing on version
 
 Initial release
 
-[Unreleased]: https://github.com/taiki-e/install-action/compare/v2.70.1...HEAD
+[Unreleased]: https://github.com/taiki-e/install-action/compare/v2.70.2...HEAD
+[2.70.2]: https://github.com/taiki-e/install-action/compare/v2.70.1...v2.70.2
 [2.70.1]: https://github.com/taiki-e/install-action/compare/v2.70.0...v2.70.1
 [2.70.0]: https://github.com/taiki-e/install-action/compare/v2.69.14...v2.70.0
 [2.69.14]: https://github.com/taiki-e/install-action/compare/v2.69.13...v2.69.14

manifests/tombi.json

@@ -22,10 +22,36 @@
   },
   "license_markdown": "[MIT](https://github.com/tombi-toml/tombi/blob/main/LICENSE)",
   "latest": {
-    "version": "0.9.10"
+    "version": "0.9.11"
   },
   "0.9": {
-    "version": "0.9.10"
+    "version": "0.9.11"
+  },
+  "0.9.11": {
+    "x86_64_linux_musl": {
+      "etag": "0x8DE8D9EC510FD7C",
+      "hash": "a26165a20198b7af772c1abafebac31fe70ea76de438cdc14975d451ef9282a3"
+    },
+    "x86_64_macos": {
+      "etag": "0x8DE8D9EC4ABF6BC",
+      "hash": "80c70ef17dc76a0f997d8284911a178f90d4c3d04354eaa653b5dd3e15efff44"
+    },
+    "x86_64_windows": {
+      "etag": "0x8DE8D9EC53C498A",
+      "hash": "f073c5aa5cfdf291023207a58390a4593b7774ccd8a49d12fdefa2d859285f95"
+    },
+    "aarch64_linux_musl": {
+      "etag": "0x8DE8D9EC4A89F22",
+      "hash": "1a4cdb63e5ab57d0eb12f170493a7902c3244572b6a3052ae894d06c082d4ddc"
+    },
+    "aarch64_macos": {
+      "etag": "0x8DE8D9EC4AC1DA5",
+      "hash": "1c3b3335f3feeda3f7676d90ffb6463ee2bca5a5393b1bbae76926e3fdb2b514"
+    },
+    "aarch64_windows": {
+      "etag": "0x8DE8D9EC4BA8C4E",
+      "hash": "85624e7e2f0bac43d8267c88a767afbb18ca338b72cf45c879046fc3a23a2e89"
+    }
   },
   "0.9.10": {
     "x86_64_linux_musl": {

manifests/vacuum.json

@@ -22,10 +22,36 @@
   },
   "license_markdown": "[MIT](https://github.com/daveshanley/vacuum/blob/main/LICENSE)",
   "latest": {
-    "version": "0.25.2"
+    "version": "0.25.3"
   },
   "0.25": {
-    "version": "0.25.2"
+    "version": "0.25.3"
+  },
+  "0.25.3": {
+    "x86_64_linux_musl": {
+      "etag": "0x8DE8DEA35C78445",
+      "hash": "dbcd9ea50b0ac74c181d905a1d162e2457f8bbc619d0f8e974ff3b38dcd23384"
+    },
+    "x86_64_macos": {
+      "etag": "0x8DE8DEA3675C50B",
+      "hash": "450964b9f2cbe9b63403bfe7b07cd2b3fb16eded4668c9e5749b9b469d288290"
+    },
+    "x86_64_windows": {
+      "etag": "0x8DE8DEA35DB442D",
+      "hash": "00a1a230fe2dbd45ee11e579d7d8d00daf83fa83a083fd66044514fdfd73e993"
+    },
+    "aarch64_linux_musl": {
+      "etag": "0x8DE8DEA35C7AB2A",
+      "hash": "a2db87faa3e04c2e0f8b5dd2c9162a33829eda0a1196ed49e3562a1a9434d3e0"
+    },
+    "aarch64_macos": {
+      "etag": "0x8DE8DEA367A7AB1",
+      "hash": "9ab96a00628c69c6aa4a62fcafb6d8cb8de792db94adb53c00344d19ff0c4af6"
+    },
+    "aarch64_windows": {
+      "etag": "0x8DE8DEA36512824",
+      "hash": "ed70ee1e9af46ba69c79b8d4bddea59c0bcc37613f92d12a77fe327f4832089d"
+    }
   },
   "0.25.2": {
     "x86_64_linux_musl": {

tools/tidy.sh

@@ -86,11 +86,6 @@ check_config() {
 check_install() {
   for tool in "$@"; do
     if ! type -P "${tool}" >/dev/null; then
-      if [[ "${tool}" == 'python3' ]]; then
-        if type -P python >/dev/null; then
-          continue
-        fi
-      fi
       error "'${tool}' is required to run this check"
       return 1
     fi
@@ -132,10 +127,6 @@ EOF
   exit 1
 fi
 
-py_suffix=''
-if type -P python3 >/dev/null; then
-  py_suffix=3
-fi
 yq() { uvx yq "$@"; }
 tomlq() { uvx --from yq tomlq "$@"; }
 case "$(uname -s)" in
@@ -700,7 +691,7 @@ elif check_install shellcheck; then
     # Exclude SC2096 due to the way the temporary script is created.
     shellcheck_exclude=SC2096
     info "running \`shellcheck --exclude ${shellcheck_exclude}\` for scripts in \`\$(git ls-files '*Dockerfile*')\`"
-    if check_install jq python3 parse-dockerfile; then
+    if check_install jq parse-dockerfile; then
       shellcheck_for_dockerfile() {
         local text=$1
         local shell=$2
@@ -833,7 +824,7 @@ elif check_install shellcheck; then
     # Exclude SC2096 due to the way the temporary script is created.
     shellcheck_exclude=SC2086,SC2096,SC2129
     info "running \`shellcheck --exclude ${shellcheck_exclude}\` for scripts in .github/workflows/*.yml and **/action.yml"
-    if check_install jq python3 uv; then
+    if check_install jq uv; then
       shellcheck_for_gha() {
         local text=$1
         local shell=$2
@@ -846,16 +837,8 @@ elif check_install shellcheck; then
           *) return ;;
         esac
         text="#!/usr/bin/env ${shell%' {0}'}"$'\n'"${text}"
-        # Use python because sed doesn't support .*?.
-        text=$(
-          "python${py_suffix}" - <<EOF
-import re
-text = re.sub(r"\\\${{.*?}}", "\${__GHA_SYNTAX__}", r'''${text}''')
-print(text)
-EOF
-        )
         case "${ostype}" in
-          windows) text=${text//$'\r'/} ;; # Python print emits \r\n.
+          windows) text=${text//$'\r'/} ;; # Parse error on git bash/msys2 bash.
         esac
         local color=auto
         if [[ -t 1 ]] || [[ -n "${GITHUB_ACTIONS:-}" ]]; then
@@ -989,11 +972,11 @@ if [[ ${#zizmor_targets[@]} -gt 0 ]]; then
     warn "this check is skipped on NetBSD/OpenBSD/Dragonfly/illumos/Solaris due to installing zizmor is hard on these platform"
   elif check_install zizmor; then
     # zizmor can also be used via uvx, but old version will be installed if glibc version is old.
-    # Do not use `zizmor -q .` here because it also attempts to check submodules.
+    # Do not use `zizmor .` here because it also attempts to check submodules.
     IFS=' '
-    info "running \`zizmor -q ${zizmor_targets[*]}\`"
+    info "running \`zizmor -q --pedantic ${zizmor_targets[*]}\`"
     IFS=$'\n\t'
-    zizmor -q "${zizmor_targets[@]}"
+    zizmor -q --pedantic "${zizmor_targets[@]}"
   fi
 fi
 printf '\n'