diff --git a/.editorconfig b/.editorconfig index 98bc8985..17aaa0c2 100644 --- a/.editorconfig +++ b/.editorconfig @@ -11,7 +11,7 @@ indent_style = space insert_final_newline = true trim_trailing_whitespace = true -[*.{css,html,json,md,rb,sh,yml,yaml}] +[*.{css,html,json,md,rb,ps1,sh,yml,yaml}] indent_size = 2 [*.{js,yml,yaml}] diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 98086942..9c9cbd6e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -32,20 +32,20 @@ concurrency: jobs: miri: - uses: taiki-e/github-actions/.github/workflows/miri.yml@2474ed4664eb8903c151603a9d841512c069f7f6 # main + uses: taiki-e/github-actions/.github/workflows/miri.yml@931686d4e4cf88b13e790040727ccde2dba8ec62 # main with: # NB: sync with test job's --exclude option args: --exclude install-action-internal-codegen msrv: - uses: taiki-e/github-actions/.github/workflows/msrv.yml@2474ed4664eb8903c151603a9d841512c069f7f6 # main + uses: taiki-e/github-actions/.github/workflows/msrv.yml@931686d4e4cf88b13e790040727ccde2dba8ec62 # main test-manifest-schema: - uses: taiki-e/github-actions/.github/workflows/test.yml@2474ed4664eb8903c151603a9d841512c069f7f6 # main + uses: taiki-e/github-actions/.github/workflows/test.yml@931686d4e4cf88b13e790040727ccde2dba8ec62 # main with: # NB: sync with miri job's --exclude option test-args: --exclude install-action-internal-codegen no-std: false tidy: - uses: taiki-e/github-actions/.github/workflows/tidy.yml@2474ed4664eb8903c151603a9d841512c069f7f6 # main + uses: taiki-e/github-actions/.github/workflows/tidy.yml@931686d4e4cf88b13e790040727ccde2dba8ec62 # main permissions: contents: write # for creating branch for pr pull-requests: write # unused (used in `codegen-automerge: true` case) 
@@ -257,7 +257,8 @@ jobs: - name: Install requirements (old debian) run: | # In Debian, the old repositories is removed from the main mirrors some time after EoL. - codename=$(grep -E '^VERSION_CODENAME=' /etc/os-release | cut -d= -f2) + # shellcheck source=/dev/null + codename=$(. /etc/os-release; printf '%s\n' "${VERSION_CODENAME}") sed -i /etc/apt/sources.list -e 's/deb.debian.org/archive.debian.org/g' \ -e 's|security.debian.org|archive.debian.org/|g' \ -e "/${codename}-updates/d" diff --git a/.github/workflows/manifest.yml b/.github/workflows/manifest.yml index 8b5aa368..4b0e42a8 100644 --- a/.github/workflows/manifest.yml +++ b/.github/workflows/manifest.yml @@ -13,26 +13,13 @@ on: - cron: '0 0,3,6,9,12,15,18,21 * * *' workflow_dispatch: -env: - CARGO_INCREMENTAL: 0 - CARGO_NET_GIT_FETCH_WITH_CLI: true - CARGO_NET_RETRY: 10 - CARGO_TERM_COLOR: always - RUST_BACKTRACE: 1 - RUSTFLAGS: -D warnings - RUSTUP_MAX_RETRIES: 10 - -defaults: - run: - shell: bash --noprofile --norc -CeEuxo pipefail {0} - concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} cancel-in-progress: true jobs: manifest: - uses: taiki-e/github-actions/.github/workflows/gen.yml@2474ed4664eb8903c151603a9d841512c069f7f6 # main + uses: taiki-e/github-actions/.github/workflows/gen.yml@931686d4e4cf88b13e790040727ccde2dba8ec62 # main permissions: contents: write # for creating branch for pr pull-requests: write # for gh pr review --approve @@ -44,6 +31,5 @@ jobs: title: Update manifest branch: update-manifest automerge: true - install-rust: true install-cosign: true install-parse-changelog: true diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d3e86cd7..a53a92bf 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -21,10 +21,6 @@ on: - minor - major -defaults: - run: - shell: bash --noprofile --norc -CeEuo pipefail {0} - concurrency: group: ${{ github.workflow }} cancel-in-progress: false 
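Review bot: In the `.github/workflows/ci.yml` hunk at -257, the new `codename=$(. /etc/os-release; printf '%s\n' "${VERSION_CODENAME}")` produces an empty string when the image's os-release does not define `VERSION_CODENAME`, unless the step's shell runs with nounset, which is not visible here. The `sed` expression that follows then becomes `/-updates/d` and deletes every line containing `-updates` instead of the release-specific ones. Writing it as `codename=$(. /etc/os-release; printf '%s\n' "${VERSION_CODENAME:?}")` makes the substitution return non-zero with a message, so the step stops under errexit. The `run:` block continues outside this hunk.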
@@ -32,7 +28,7 @@ concurrency: jobs: release: if: github.repository_owner == 'taiki-e' && inputs.target == 'install-action' - uses: taiki-e/github-actions/.github/workflows/action-release.yml@2474ed4664eb8903c151603a9d841512c069f7f6 # main + uses: taiki-e/github-actions/.github/workflows/action-release.yml@931686d4e4cf88b13e790040727ccde2dba8ec62 # main permissions: contents: write # for taiki-e/create-gh-release-action secrets: @@ -44,7 +40,7 @@ jobs: release-manifest-schema: if: github.repository_owner == 'taiki-e' && inputs.target == 'install-action-manifest-schema' - uses: taiki-e/github-actions/.github/workflows/rust-release.yml@2474ed4664eb8903c151603a9d841512c069f7f6 # main + uses: taiki-e/github-actions/.github/workflows/rust-release.yml@931686d4e4cf88b13e790040727ccde2dba8ec62 # main permissions: contents: write # for taiki-e/create-gh-release-action id-token: write # for rust-lang/crates-io-auth-action diff --git a/tools/tidy.sh b/tools/tidy.sh index 7577a5df..e8c1c102 100755 --- a/tools/tidy.sh +++ b/tools/tidy.sh @@ -37,10 +37,10 @@ image='ghcr.io/taiki-e/tidy' if [[ -n "${TIDY_DEV:-}" ]]; then image+=':latest' else - image+='@sha256:4d7ec52a86bd3c0a2d96627b0ec3aa534afc02c2d56fc9a898df64e29aa03312' + image+='@sha256:1d3a5d57c486cbac02ef3d8ee29bb0768ebd1fbffef61a61d282215464e2551d' fi user="$(id -u):$(id -g)" -workdir=$(pwd) +workdir="${PWD}" tmp=$(mktemp -d) trap -- 'rm -rf -- "${tmp:?}"' EXIT mkdir -p -- "${tmp}"/{pwsh-cache,pwsh-local,zizmor-cache,dummy-dir,tmp} @@ -111,7 +111,9 @@ while IFS= read -r path; do done < <(git status --porcelain --ignored | grep -E '^!!' | cut -d' ' -f2) docker_run() { - "${docker}" "${common_args[@]}" "$@" + local script="$1" + shift + "${docker}" "${common_args[@]}" "$@" "${image}" /checks/"${script}" code2="$?" if [[ ${code} -eq 0 ]] && [[ ${code2} -ne 0 ]]; then code="${code2}" 
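Review bot: In `tools/tidy.sh` (hunk at -111), `docker_run` now takes the check script name as its first positional argument and appends `"${image}" /checks/"${script}"` after the caller's options, but nothing at the definition states that contract. A header comment such as `# Usage: docker_run <script under /checks> [docker options...]` would make the argument order explicit for the next person adding a check. `local script="${1:?missing check script name}"` would also make a call without arguments fail with a clear message before `shift` and the docker invocation are reached. The function body continues past the end of this hunk.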
@@ -119,29 +121,23 @@ docker_run() { } set +e -docker_run \ +docker_run offline.sh \ --mount "type=bind,source=${workdir},target=${workdir}" --workdir "${workdir}" \ --mount "type=bind,source=${workdir}/.git,target=${workdir}/.git,readonly" \ --mount "type=bind,source=${tmp}/tmp,target=/tmp/tidy" \ --mount "type=bind,source=${tmp}/pwsh-cache,target=/.cache/powershell" \ --mount "type=bind,source=${tmp}/pwsh-local,target=/.local/share/powershell" \ - --network=none \ - "${image}" \ - /checks/offline.sh + --network=none # Some good audits requires access to GitHub API. -docker_run \ +docker_run zizmor.sh \ --mount "type=bind,source=${workdir},target=${workdir},readonly" --workdir "${workdir}" \ --mount "type=bind,source=${tmp}/zizmor-cache,target=/.cache/zizmor" \ - --env GH_TOKEN --env GITHUB_TOKEN --env ZIZMOR_GITHUB_TOKEN \ - "${image}" \ - /checks/zizmor.sh + --env GH_TOKEN --env GITHUB_TOKEN --env ZIZMOR_GITHUB_TOKEN # We use remote dictionary. -docker_run \ +docker_run cspell.sh \ --mount "type=bind,source=${workdir},target=${workdir},readonly" --workdir "${workdir}" \ --mount "type=bind,source=${workdir}/.github/.cspell/project-dictionary.txt,target=${workdir}/.github/.cspell/project-dictionary.txt" \ --mount "type=bind,source=${workdir}/.github/.cspell/rust-dependencies.txt,target=${workdir}/.github/.cspell/rust-dependencies.txt" \ - --mount "type=bind,source=${tmp}/tmp,target=/tmp/tidy" \ - "${image}" \ - /checks/cspell.sh + --mount "type=bind,source=${tmp}/tmp,target=/tmp/tidy" exit "${code}"
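Review bot: The three `docker_run` calls in `tools/tidy.sh` (hunk at -119) run with different isolation, and only the network side of that is commented. `offline.sh` is the only check that gets the whole work tree as a writable bind mount, and it runs with `--network=none`. `zizmor.sh` and `cspell.sh` keep network access with the tree mounted `readonly`, and `zizmor.sh` also receives `GH_TOKEN`, `GITHUB_TOKEN` and `ZIZMOR_GITHUB_TOKEN`. If that pairing is intentional, a comment above the first call such as `# Only this check gets a writable work tree, so it runs without network access.` would keep it from being loosened by accident. The hunk at -37 selects the mutable `:latest` tag when `TIDY_DEV` is set, so a short note next to the `--env` line that the tokens then reach an image not pinned by digest would help too.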