From a254d87ac5fda64f1170f41f18976e9f5488b27f Mon Sep 17 00:00:00 2001
From: Junhao Liao
Date: Fri, 3 Apr 2026 16:25:11 -0400
Subject: [PATCH 1/2] fix(ci): Replace `npm install -g @go-task/cli` with `go-task/setup-task` action to eliminate npm supply-chain risk.
---
 .github/workflows/lint.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 86faf87..2634eb1 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -22,8 +22,9 @@ jobs:
 go-version: "${{ matrix.go }}"
 - name: "Install task"
- shell: "bash"
- run: "npm install -g @go-task/cli"
+ uses: "go-task/setup-task@3be4020d41929789a01026e0e427a4321ce0ad44" # v2.0.0
+ with:
+ version: "3.48.0"
 - name: "Install uv"
 shell: "bash"
From dbe3a987709a9be161e9baa3a6283ba4a8cb8d83 Mon Sep 17 00:00:00 2001
From: Junhao Liao
Date: Wed, 8 Apr 2026 11:56:28 -0400
Subject: [PATCH 2/2] fix(ci): Use reusable CI actions from `yscope-dev-utils`; Bump `actions/checkout` to v6.0.2.
---
 .github/workflows/build.yaml | 6 +++---
 .github/workflows/lint.yaml | 11 ++++-------
 tools/yscope-dev-utils | 2 +-
 3 files changed, 8 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 1ace9b3..0f0cd55 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -20,7 +20,7 @@ jobs:
 runner: "ubuntu-24.04-arm"
 manylinux: "quay.io/pypa/manylinux_2_28_aarch64"
 steps:
- - uses: "actions/checkout@v4"
+ - uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
 with:
 submodules: "recursive"
@@ -92,7 +92,7 @@ jobs:
 permissions:
 contents: "write"
 steps:
- - uses: "actions/checkout@v4"
+ - uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
 - name: "Download merged artifacts"
 uses: "actions/download-artifact@v4"
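Review bot: In the `@@ -92,7 +92,7 @@` hunk of build.yaml, `actions/download-artifact@v4` directly below the re-pinned checkout is still referenced by a mutable tag, and this is the job that runs with `contents: "write"`. Pin it the same way as checkout, e.g. `uses: "actions/download-artifact@<full-commit-sha>" # <release-tag>` (placeholders; take the SHA from the upstream release), so every action in the job resolves to a reviewed commit. If nothing later in the job pushes with git, adding `persist-credentials: false` under the checkout step would also stop the write-scoped token from being kept on the runner after checkout. The job's remaining steps lie outside the hunk, so both points need checking against the full file.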
@@ -128,7 +128,7 @@ jobs:
 image: "fluent-bit-clp-s3-v2"
 platforms: "linux/amd64,linux/arm64"
 steps:
- - uses: "actions/checkout@v4"
+ - uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
 with:
 submodules: "recursive"
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 2634eb1..8f748e6 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -13,7 +13,7 @@ jobs:
 os: ["ubuntu-latest", "macos-latest"]
 runs-on: "${{ matrix.os }}"
 steps:
- - uses: "actions/checkout@v4"
+ - uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
 with:
 submodules: "recursive"
@@ -21,14 +21,11 @@ jobs:
 with:
 go-version: "${{ matrix.go }}"
- - name: "Install task"
- uses: "go-task/setup-task@3be4020d41929789a01026e0e427a4321ce0ad44" # v2.0.0
- with:
- version: "3.48.0"
+ - name: "Install go-task"
+ uses: "./tools/yscope-dev-utils/exports/github/actions/install-go-task"
 - name: "Install uv"
- shell: "bash"
- run: "curl --fail --location --silent --show-error https://astral.sh/uv/install.sh | sh"
+ uses: "./tools/yscope-dev-utils/exports/github/actions/install-uv"
 - name: "Run linting checks"
 run: "task lint:check"
diff --git a/tools/yscope-dev-utils b/tools/yscope-dev-utils
index 82cf408..38bf51e 160000
--- a/tools/yscope-dev-utils
+++ b/tools/yscope-dev-utils
@@ -1 +1 @@
-Subproject commit 82cf40887b0b1c23610f82046d2549314fb4a780
+Subproject commit 38bf51effc500a528c37052345c141a65ea88447
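Review bot: In the `@@ -21,14 +21,11 @@` hunk of lint.yaml, the explicit pins (`go-task/setup-task@3be4020d…` with `version: "3.48.0"`) give way to local actions whose content is fixed only by the `tools/yscope-dev-utils` gitlink, so the workflow no longer shows which task or uv release is installed or how it is fetched. Whether `install-uv` still pipes a downloaded script into `sh`, and whether either action pins a version or checksum, cannot be seen on this page and should be confirmed in the submodule at 38bf51effc500a528c37052345c141a65ea88447. I would add a comment above the two steps such as `# Tool versions are pinned in tools/yscope-dev-utils; review submodule bumps as dependency updates.` Both steps also depend on the earlier checkout keeping `submodules: "recursive"`, since the action paths do not exist in the workspace otherwise.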