Support auto-correcting version comments when they don’t match the action SHA #1434

@ManuelLerchnerQC

Feature Overview

Add optional --fix and --check when using --verify, so pinact can auto-correct version comments that don’t match the actual commit SHA in the uses line.
The safe approach is to adapt the comment to the hash (not the other way around), so existing pipelines keep using the same ref and don’t break.

Why is the feature needed?

In practice, users (or sometimes even Dependabot) update the hash but forget to update the version comment, so the comment and the ref disagree. Manually fixing many workflow files is tedious and error-prone. The feature is needed so pinact can:

  • --verify --fix: Correct the version comment to match the actual SHA and write the file.
  • --verify --check: Show what would be corrected (e.g. in CI) without writing, and exit non-zero when corrections would be needed.

Existing behaviour stays the same: pinact run --verify (without --fix/--check) still only reports mismatches and does not modify files.

Example Code

Current behaviour (unchanged): mismatch is reported, no file change.

$ pinact run --verify .github/workflows/ci.yaml
ERRO[...] verify the version annotation: action_version must be equal to commit_hash_of_version_annotation ...

New behaviour with --check (preview, no write):

$ pinact run --verify --check .github/workflows/ci.yaml
WARN[...] version annotation mismatch detected, correcting comment ... correct_version=v2.7.0
# Exit non-zero; file unchanged but would be corrected

New behaviour with --fix (correct comment and write):

$ pinact run --verify --fix .github/workflows/ci.yaml
WARN[...] version annotation mismatch detected, correcting comment ... correct_version=v2.7.0
# File is updated: comment changed from # v3.5.1 to # v2.7.0 to match the SHA
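
The comment-follows-hash rule requested above, sketched as an added example; it is not part of the issue and not pinact's code. The `Resolver` table, the `Correct` function, the `example/action` name and the sample SHA are constructed assumptions; a real tool would resolve the tag for a commit through the GitHub API.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// usesRe matches a SHA-pinned action that carries a version comment, e.g.
// "uses: owner/repo@<40-hex-sha> # v1.2.3".
var usesRe = regexp.MustCompile(`^(\s*-?\s*uses:\s*([\w./-]+)@([0-9a-f]{40})\s+#\s*)(\S+)(.*)$`)

// Resolver maps "owner/repo@sha" to the tag pointing at that commit.
// Assumption: a constructed lookup table stands in for an API query.
type Resolver map[string]string

// Correct adapts version comments to the pinned SHA (never the reverse),
// so the code that actually runs stays the same. It returns the corrected
// text and the number of lines whose comment disagreed with the SHA.
func Correct(workflow string, tags Resolver) (string, int) {
	lines := strings.Split(workflow, "\n")
	mismatches := 0
	for i, line := range lines {
		m := usesRe.FindStringSubmatch(line)
		if m == nil {
			continue // not a SHA-pinned action with a version comment
		}
		want, ok := tags[m[2]+"@"+m[3]]
		if !ok || want == m[4] {
			continue // unknown SHA or comment already correct: leave untouched
		}
		mismatches++
		lines[i] = m[1] + want + m[5] // replace only the comment, keep the ref
	}
	return strings.Join(lines, "\n"), mismatches
}

// Constructed sample: the SHA belongs to v2.7.0 but the comment says v3.5.1.
const sampleSHA = "0123456789abcdef0123456789abcdef01234567"
const sample = "steps:\n  - uses: example/action@" + sampleSHA + " # v3.5.1\n  - run: make test\n"

func main() {
	tags := Resolver{"example/action@" + sampleSHA: "v2.7.0"}
	fixed, n := Correct(sample, tags)
	fmt.Printf("mismatches=%d\n%s", n, fixed)
	// A check mode would stop here and exit non-zero when n > 0;
	// a fix mode would write `fixed` back to the workflow file.
}
```

Lines whose SHA the resolver does not know are left unchanged, so an unresolvable pin is never rewritten to a guessed version.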
