diff --git a/.github/workflows/nightly-pypi-build.yml b/.github/workflows/nightly-pypi-build.yml
index 436849f31b..fbd81257b9 100644
--- a/.github/workflows/nightly-pypi-build.yml
+++ b/.github/workflows/nightly-pypi-build.yml
@@ -34,11 +34,12 @@ jobs:
 outputs:
 VERSION: ${{ steps.set-version.outputs.VERSION }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 1
+ persist-credentials: false
- - uses: actions/setup-python@v6
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: 3.12
@@ -53,7 +54,9 @@ jobs:
 echo "VERSION=${CURRENT_VERSION}.dev${TIMESTAMP}" >> "$GITHUB_OUTPUT"
 - name: Debug version
- run: echo "Publishing version ${{ steps.set-version.outputs.VERSION }}"
+ run: echo "Publishing version ${STEPS_SET_VERSION_OUTPUTS_VERSION}"
+ env:
+ STEPS_SET_VERSION_OUTPUTS_VERSION: ${{ steps.set-version.outputs.VERSION }}
 nightly-build:
 needs: set-version
@@ -74,7 +77,7 @@ jobs:
 steps:
 - name: Download all the artifacts
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
 with:
 merge-multiple: true
 path: dist/
@@ -83,7 +86,7 @@ jobs:
 - name: Publish to TestPyPI
 id: publish-testpypi
 continue-on-error: true
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
 with:
 repository-url: https://test.pypi.org/legacy/
 skip-existing: true
diff --git a/.github/workflows/pypi-build-artifacts.yml b/.github/workflows/pypi-build-artifacts.yml
index ca254e6224..134fe32eb6 100644
--- a/.github/workflows/pypi-build-artifacts.yml
+++ b/.github/workflows/pypi-build-artifacts.yml
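Review bot: The version comments on the new pins name moving refs rather than releases, so a SHA cannot later be checked against what it claims to be: `# v6` and `# v8` in this file are major tags, and `# release/v1` on `pypa/gh-action-pypi-publish` in its last hunk is a branch. Recording the exact release each SHA was taken from, e.g. `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # vX.Y.Z` (placeholder for the real tag), lets a reviewer or an update bot verify and bump the pin. The same applies to the `# v4` and `# v6` comments in pypi-build-artifacts.yml, python-release-docs.yml, python-release.yml and svn-build-artifacts.yml. No updater configuration is visible in this diff; if none exists elsewhere in the repository, the pinned SHAs will quietly stop receiving upstream security fixes.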
@@ -39,11 +39,12 @@ jobs:
 os: [ ubuntu-latest, ubuntu-24.04-arm, windows-latest, macos-15-intel, macos-latest ]
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 1
+ persist-credentials: false
- - uses: actions/setup-python@v6
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: |
 3.10
@@ -57,7 +58,7 @@ jobs:
 - name: Set version with RC
 env:
 VERSION: ${{ inputs.VERSION }}
- run: uv version "${{ env.VERSION }}"
+ run: uv version "$VERSION"
 # Publish the source distribution with the version that's in
 # the repository, otherwise the tests will fail
@@ -86,7 +87,7 @@ jobs:
 if: matrix.os == 'ubuntu-latest'
 run: ls -lah dist/* && cp dist/* wheelhouse/
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: "pypi-release-candidate-${{ matrix.os }}"
 path: ./wheelhouse/*
@@ -97,7 +98,7 @@ jobs:
 - pypi-build-artifacts
 steps:
 - name: Merge Artifacts
- uses: actions/upload-artifact/merge@v4
+ uses: actions/upload-artifact/merge@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: "pypi-release-candidate-${{ inputs.VERSION }}"
 pattern: pypi-release-candidate*
diff --git a/.github/workflows/python-release-docs.yml b/.github/workflows/python-release-docs.yml
index d996efdc4b..a5b20076dd 100644
--- a/.github/workflows/python-release-docs.yml
+++ b/.github/workflows/python-release-docs.yml
@@ -35,8 +35,10 @@ jobs:
 contents: write
 steps:
- - uses: actions/checkout@v6
- - uses: actions/setup-python@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: 3.12
 - name: Install UV
diff --git a/.github/workflows/python-release.yml b/.github/workflows/python-release.yml
index 266aa1e0b3..3a56456428 100644
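Review bot: `run: uv version "$VERSION"` in the `Set version with RC` step is only expanded by a POSIX shell, and the matrix in the first hunk of pypi-build-artifacts.yml includes `windows-latest`, where the default `run` shell is PowerShell and `$VERSION` is a PowerShell variable rather than the environment variable. Unless a `defaults.run.shell` or a step-level `shell:` is set outside this hunk, the Windows leg would hand an empty string to `uv version`, where the old `${{ env.VERSION }}` form was expanded before any shell ran. Adding `shell: bash` to this step keeps the injection fix and makes the expansion identical on every runner.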
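Review bot: `persist-credentials: false` in python-release-docs.yml is added to the checkout of a job whose context line `contents: write` suggests it pushes back to the repository; with the token no longer left in the local git config, a later `git push` (for example a docs deploy to a pages branch) will fail unless that step authenticates on its own. The steps after `Install UV` are outside this hunk, so this needs confirming against the rest of the job. If a push is there, pass the token to that step explicitly rather than reverting this line, and document it next to the checkout with a comment such as `# token is not persisted; the deploy step authenticates explicitly`.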
--- a/.github/workflows/python-release.yml
+++ b/.github/workflows/python-release.yml
@@ -62,8 +62,8 @@ jobs:
 fi
 else
 echo "Workflow triggered manually via workflow_dispatch."
- VERSION="${{ github.event.inputs.version }}"
- RC="${{ github.event.inputs.rc }}"
+ VERSION="${GITHUB_EVENT_INPUTS_VERSION}"
+ RC="${GITHUB_EVENT_INPUTS_RC}"
 # Validate version (e.g., 1.0.0)
 if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
@@ -81,27 +81,36 @@ jobs:
 # Export variables for future steps
 echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
 echo "RC=$RC" >> $GITHUB_OUTPUT
+ env:
+ GITHUB_EVENT_INPUTS_VERSION: ${{ github.event.inputs.version }}
+ GITHUB_EVENT_INPUTS_RC: ${{ github.event.inputs.rc }}
 - name: Display Extracted Version and RC
 run: |
- echo "Using Version: ${{ steps.validate-inputs.outputs.VERSION }}"
- echo "Using RC: ${{ steps.validate-inputs.outputs.RC }}"
+ echo "Using Version: ${STEPS_VALIDATE_INPUTS_OUTPUTS_VERSION}"
+ echo "Using RC: ${STEPS_VALIDATE_INPUTS_OUTPUTS_RC}"
+ env:
+ STEPS_VALIDATE_INPUTS_OUTPUTS_VERSION: ${{ steps.validate-inputs.outputs.VERSION }}
+ STEPS_VALIDATE_INPUTS_OUTPUTS_RC: ${{ steps.validate-inputs.outputs.RC }}
 validate-library-version:
 runs-on: ubuntu-latest
 needs:
 - validate-inputs
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 1
+ persist-credentials: false
- - uses: actions/setup-python@v6
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: 3.12
 - name: Install UV
 uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098
+ with:
+ enable-cache: false
 - name: Validate current pyiceberg version
 env:
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index d48e0363da..050fdc2724 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
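Review bot: The new names `GITHUB_EVENT_INPUTS_VERSION` and `GITHUB_EVENT_INPUTS_RC` sit in the `GITHUB_` namespace the runner uses for its own default variables, so in the script they read as platform-provided values when they are operator-supplied `workflow_dispatch` inputs. Neutral names state the trust level more clearly, e.g. `VERSION="${DISPATCH_VERSION}"` and `RC="${DISPATCH_RC}"`, with the matching `env:` keys in the next hunk renamed. The `run` block starts and ends outside this hunk: the regex check on `$VERSION` is visible, but the check on `$RC` is not, and it should be equally strict because both values are appended to `$GITHUB_OUTPUT` in the following hunk.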
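Review bot: The `astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098` step that receives `enable-cache: false` is the only pinned action in this commit without a trailing version comment, so the release behind the SHA cannot be read from the file. Adding one, `uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # vX.Y.Z` (placeholder for the real tag), would match the other pins. `enable-cache: false` is also added only here; python-release-docs.yml shows an `Install UV` step at the end of its hunk, and if the other release and publish workflows restore a uv cache they keep the same cache-poisoning exposure. A one-line comment above `with:` saying that caching is off because this job produces release artifacts would keep it from being re-enabled later.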
@@ -32,7 +32,7 @@ jobs:
 if: github.repository_owner == 'apache'
 runs-on: ubuntu-latest
 steps:
- - uses: actions/stale@v10.2.0
+ - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
 with:
 # stale issues
 stale-issue-label: 'stale,security'
diff --git a/.github/workflows/svn-build-artifacts.yml b/.github/workflows/svn-build-artifacts.yml
index 0f90beb1d6..820f62cba5 100644
--- a/.github/workflows/svn-build-artifacts.yml
+++ b/.github/workflows/svn-build-artifacts.yml
@@ -39,11 +39,12 @@ jobs:
 os: [ ubuntu-latest, ubuntu-24.04-arm, windows-latest, macos-15-intel, macos-latest ]
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 1
+ persist-credentials: false
- - uses: actions/setup-python@v6
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: |
 3.10
@@ -78,7 +79,7 @@ jobs:
 if: matrix.os == 'ubuntu-latest'
 run: ls -lah dist/* && cp dist/* wheelhouse/
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: "svn-release-candidate-${{ matrix.os }}"
 path: ./wheelhouse/*
@@ -89,7 +90,7 @@ jobs:
 - svn-build-artifacts
 steps:
 - name: Merge Artifacts
- uses: actions/upload-artifact/merge@v4
+ uses: actions/upload-artifact/merge@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: "svn-release-candidate-${{ inputs.VERSION }}"
 pattern: svn-release-candidate*