update outdated URLs for security guide in documents

docs/checks.md

@@ -2941,13 +2941,13 @@ Note that `steps` in Composite action's metadata is not checked at this point. I
 [dependabot-doc]: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot
 [credentials-doc]: https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainercredentials
 [actions-cache]: https://github.com/actions/cache
-[permissions-doc]: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+[permissions-doc]: https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
 [perm-config-doc]: https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#permissions
 [generate-webhook-events]: https://github.com/rhysd/actionlint/tree/main/scripts/generate-webhook-events
 [generate-popular-actions]: https://github.com/rhysd/actionlint/tree/main/scripts/generate-popular-actions
 [issue-25]: https://github.com/rhysd/actionlint/issues/25
 [issue-40]: https://github.com/rhysd/actionlint/issues/40
-[security-doc]: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+[security-doc]: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions
 [reusable-workflow-doc]: https://docs.github.com/en/actions/learn-github-actions/reusing-workflows
 [create-reusable-workflow-doc]: https://docs.github.com/en/actions/learn-github-actions/reusing-workflows#creating-a-reusable-workflow
 [reusable-workflow-call-keys]: https://docs.github.com/en/actions/learn-github-actions/reusing-workflows#supported-keywords-for-jobs-that-call-a-reusable-workflow

docs/reference.md

@@ -1,17 +1,17 @@
 References
 ==========
 
-This document describes links to resources.
+This document describes links to resources related to actionlint and GitHub Actions.
 
 - Repository: https://github.com/rhysd/actionlint
 - Playground: https://rhysd.github.io/actionlint/
 - GitHub Actions official documentations
-  - Workflow syntax: https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions
-  - Expression syntax: https://docs.github.com/en/actions/learn-github-actions/expressions
-  - Built-in functions: https://docs.github.com/en/actions/learn-github-actions/expressions#functions
-  - Webhook events: https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows#webhook-events
-  - Self-hosted runner: https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners
-  - Security: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+  - Workflow syntax: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions
+  - Expression syntax: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/evaluate-expressions-in-workflows-and-actions
+  - Built-in functions: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/evaluate-expressions-in-workflows-and-actions#functions
+  - Webhook events: https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#webhook-events
+  - Self-hosted runner: https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners
+  - Security: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions
 - CRON syntax: https://pubs.opengroup.org/onlinepubs/9699919799/utilities/crontab.html#tag_20_25_07
 - shellcheck: https://github.com/koalaman/shellcheck
 - pyflakes: https://github.com/PyCQA/pyflakes

playground/index.html

@@ -63,7 +63,7 @@ <h2><i id="res-icon" class="devicon-githubactions-plain"></i>Resources</h2>
               <li><a class="has-text-link-my-light" target="_blank" rel="noopener" href="https://github.com/rhysd/actionlint/blob/v1.7.4/docs/checks.md">Checks by actionlint</a></li>
               <li><a class="has-text-link-my-light" target="_blank" rel="noopener" href="https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions">Workflow syntax for GitHub Actions</a></li>
               <li><a class="has-text-link-my-light" target="_blank" rel="noopener" href="https://docs.github.com/en/actions/learn-github-actions/contexts">Available contexts in workflow</a></li>
-              <li><a class="has-text-link-my-light" target="_blank" rel="noopener" href="https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions">Security hardening for GitHub Actions</a></li>
+              <li><a class="has-text-link-my-light" target="_blank" rel="noopener" href="https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions">Security hardening for GitHub Actions</a></li>
             </ul>
           </p>
         </div>

scripts/generate-actionlint-matcher/test/escape.txt

@@ -1,4 +1,4 @@
-./testdata/err/one_error.yaml:6:41: "github.event.head_commit.message" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions for more details [expression]
+./testdata/err/one_error.yaml:6:41: "github.event.head_commit.message" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions for more details [expression]
   |
 6 |       - run: echo "Checking commit '${{ github.event.head_commit.message }}'"
   |                                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

scripts/generate-actionlint-matcher/test/no_escape.txt

@@ -1,4 +1,4 @@
-./testdata/err/one_error.yaml:6:41: "github.event.head_commit.message" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions for more details [expression]
+./testdata/err/one_error.yaml:6:41: "github.event.head_commit.message" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions for more details [expression]
   |
 6 |       - run: echo "Checking commit '${{ github.event.head_commit.message }}'"
   |                                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

scripts/generate-actionlint-matcher/test/want.json

@@ -1 +1 @@
-[{"message":"\"github.event.head_commit.message\" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions for more details","filepath":"./testdata/err/one_error.yaml","line":6,"column":41,"kind":"expression","snippet":"      - run: echo \"Checking commit '${{ github.event.head_commit.message }}'\"\n                                        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~","end_column":72}]
+[{"message":"\"github.event.head_commit.message\" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions for more details","filepath":"./testdata/err/one_error.yaml","line":6,"column":41,"kind":"expression","snippet":"      - run: echo \"Checking commit '${{ github.event.head_commit.message }}'\"\n                                        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~","end_column":72}]