diff --git a/.github/actions/code-quality/pre-commit/action.yaml b/.github/actions/code-quality/pre-commit/action.yaml
index 7f813725ca..25be4708c2 100644
--- a/.github/actions/code-quality/pre-commit/action.yaml
+++ b/.github/actions/code-quality/pre-commit/action.yaml
@@ -69,7 +69,7 @@ runs:
 steps:
 # Set up Python environment with caching
 - name: Set up Python
- uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
+ uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6
 with:
 python-version: ${{ inputs.python-version }}
 cache: pip # Enable pip caching
@@ -77,7 +77,7 @@ runs:
 # Set up Node.js for JavaScript-related hooks
 - name: Set up Node.js
- uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
+ uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6
 with:
 node-version: ${{ inputs.node-version }}
@@ -92,7 +92,7 @@ runs:
 - name: Cache pre-commit hooks
 if: inputs.cache == 'true'
 id: pre-commit-cache
- uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+ uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5
 with:
 path: ~/.cache/pre-commit
 # Cache key includes Python and Node versions to ensure correct environment
diff --git a/.github/actions/pytest/action.yaml b/.github/actions/pytest/action.yaml
index a8218d2909..08a1fee214 100644
--- a/.github/actions/pytest/action.yaml
+++ b/.github/actions/pytest/action.yaml
@@ -94,14 +94,14 @@ runs:
 steps:
 # Set up Python with pip caching
 - name: Set up Python environment
- uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
+ uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6
 with:
 python-version: ${{ inputs.python-version }}
 cache: ${{ inputs.enable-cache == 'true' && 'pip' || '' }}
 cache-dependency-path: ${{ inputs.enable-cache == 'true' && 'pyproject.toml' || '' }}
 - name: Set up uv
- uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+ uses: astral-sh/setup-uv@ed21f2f24f8dd64503750218de024bcf64c7250a # v7.1.5
 # Create and configure virtual environment
 - name: Configure virtual environment
@@ -189,7 +189,7 @@ runs:
 - name: Upload test results
 if: always() && steps.test-execution.outcome == 'failure'
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
 with:
 name: pytest-results-${{ inputs.test-type }}
 path: pytest_output.log
diff --git a/.github/actions/security/bandit/action.yaml b/.github/actions/security/bandit/action.yaml
index d0db996f57..bbf05eafa4 100644
--- a/.github/actions/security/bandit/action.yaml
+++ b/.github/actions/security/bandit/action.yaml
@@ -88,7 +88,7 @@ runs:
 using: composite
 steps:
 - name: Set up Python
- uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+ uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
 with:
 python-version: "3.10"
@@ -101,7 +101,7 @@ runs:
 - name: Get changed files
 if: inputs.scan-scope == 'changed'
 id: changed-files
- uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+ uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
 with:
 files: |
 **/*.py
@@ -163,13 +163,13 @@ runs:
 # Upload results after full scope analysis
 - name: Upload reports
 if: hashFiles('bandit-report.*') != '' # if any report is available
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
 with:
 name: bandit-results
 path: bandit-report.*
 retention-days: 7
 - name: Upload sarif
 if: hashFiles('bandit-report.sarif') != '' # if SARIF is available, upload it
- uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
+ uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
 with:
 sarif_file: bandit-report.sarif
diff --git a/.github/actions/security/clamav/action.yaml b/.github/actions/security/clamav/action.yaml
index 7fb7005e43..97d19bca1a 100644
--- a/.github/actions/security/clamav/action.yaml
+++ b/.github/actions/security/clamav/action.yaml
@@ -91,7 +91,7 @@ runs:
 - name: Get changed files
 if: inputs.scan-scope == 'changed'
 id: changed-files
- uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+ uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
 - name: Run ClamAV scan
 id: run-clamav
@@ -168,7 +168,7 @@ runs:
 # Upload results
 - name: Upload reports
 if: hashFiles('security-results/clamav*') != '' # if any report is available
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
 with:
 name: clamav-results
 path: security-results/clamav
diff --git a/.github/actions/security/trivy/action.yaml b/.github/actions/security/trivy/action.yaml
index 2081088152..e9d50f7d2e 100644
--- a/.github/actions/security/trivy/action.yaml
+++ b/.github/actions/security/trivy/action.yaml
@@ -108,10 +108,10 @@ runs:
 - name: Get changed files
 if: inputs.scan-scope == 'changed'
 id: changed-files
- uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+ uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
 - name: Cache Trivy vulnerability database
- uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+ uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5
 with:
 path: ~/.cache/trivy
 key: trivy-db-${{ runner.os }}-${{ hashFiles('**/trivy-db/**') }}
@@ -220,13 +220,13 @@ runs:
 # Upload results after full scope analysis
 - name: Upload reports
 if: hashFiles('security-results/trivy/*') != '' # if any report is available
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
 with:
 name: trivy-results
 path: security-results/trivy
 retention-days: 7
 - name: Upload sarif
 if: hashFiles('security-results/trivy/trivy-results.sarif') != '' # if SARIF is available, upload it
- uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
+ uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
 with:
 sarif_file: security-results/trivy/trivy-results.sarif
diff --git a/.github/actions/security/zizmor/action.yaml b/.github/actions/security/zizmor/action.yaml
index 41590bf0c1..0c2d9b1715 100644
--- a/.github/actions/security/zizmor/action.yaml
+++ b/.github/actions/security/zizmor/action.yaml
@@ -66,7 +66,7 @@ runs:
 using: composite
 steps:
 - name: Install uv
- uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+ uses: astral-sh/setup-uv@ed21f2f24f8dd64503750218de024bcf64c7250a # v7.1.5
 with:
 enable-cache: true
 activate-environment: true
@@ -76,7 +76,7 @@ runs:
 - name: Get changed files
 if: inputs.scan-scope == 'changed'
 id: changed-files
- uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+ uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
 with:
 files: .github/**
@@ -137,13 +137,13 @@ runs:
 # Upload results after full scope analysis
 - name: Upload reports
 if: hashFiles('zizmor-report.*') != '' # if any report is available
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
 with:
 name: zizmor-results
 path: zizmor-report.*
 retention-days: 7
 - name: Upload sarif
 if: hashFiles('zizmor-report.sarif') != '' # if SARIF is available, upload it
- uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
+ uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
 with:
 sarif_file: zizmor-report.sarif
diff --git a/.github/workflows/_reusable-artifact-builder.yaml b/.github/workflows/_reusable-artifact-builder.yaml
index 4d9fa64d46..253151a9d3 100644
--- a/.github/workflows/_reusable-artifact-builder.yaml
+++ b/.github/workflows/_reusable-artifact-builder.yaml
@@ -78,10 +78,10 @@ jobs:
 outputs:
 artifact-name: ${{ steps.set-artifact-name.outputs.name }}
 steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 with:
 persist-credentials: false
- - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
+ - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6
 with:
 python-version: ${{ inputs.python-version }}
 - name: Build package
@@ -96,13 +96,13 @@ jobs:
 - name: Set artifact name
 id: set-artifact-name
 run: echo "name=dist-$(date +%s)" >> $GITHUB_OUTPUT
- - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+ - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
 with:
 name: ${{ steps.set-artifact-name.outputs.name }}
 path: dist/
 retention-days: 5
 - name: Cache pip dependencies
- uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+ uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5
 with:
 path: |
 ~/.cache/pip
@@ -111,7 +111,7 @@ jobs:
 restore-keys: |
 ${{ runner.os }}-pip-
 - name: Cache build artifacts
- uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+ uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5
 with:
 path: |
 dist/
diff --git a/.github/workflows/_reusable-code-quality.yaml b/.github/workflows/_reusable-code-quality.yaml
index 0fd8b92b14..e90c76ec4d 100644
--- a/.github/workflows/_reusable-code-quality.yaml
+++ b/.github/workflows/_reusable-code-quality.yaml
@@ -62,7 +62,7 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 5
 steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 with:
 fetch-depth: 0
 lfs: true
diff --git a/.github/workflows/_reusable-pr-title-check.yaml b/.github/workflows/_reusable-pr-title-check.yaml
index d30bf9330a..179d9443d8 100644
--- a/.github/workflows/_reusable-pr-title-check.yaml
+++ b/.github/workflows/_reusable-pr-title-check.yaml
@@ -60,12 +60,12 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: Checkout repository
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 with:
 persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
+ uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6
 with:
 python-version: ${{ inputs.python-version }}
 cache: pip
diff --git a/.github/workflows/_reusable-production-release-process.yaml b/.github/workflows/_reusable-production-release-process.yaml
index c3c03d1062..8583b20107 100644
--- a/.github/workflows/_reusable-production-release-process.yaml
+++ b/.github/workflows/_reusable-production-release-process.yaml
@@ -92,13 +92,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Download artifacts
- uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
+ uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6
 with:
 name: ${{ inputs.artifact-name }}
 path: dist
 - name: Upload for production release
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
 with:
 name: production-release-artifacts
 path: dist/
diff --git a/.github/workflows/_reusable-rc-release-process.yaml b/.github/workflows/_reusable-rc-release-process.yaml
index 467bf1c4ad..fe1c863d50 100644
--- a/.github/workflows/_reusable-rc-release-process.yaml
+++ b/.github/workflows/_reusable-rc-release-process.yaml
@@ -86,27 +86,27 @@ jobs:
 echo "url=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> $GITHUB_OUTPUT
 - name: Download build artifacts
- uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
+ uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6
 with:
 name: ${{ inputs.artifact-name }}
 path: dist
 - name: Download test results
- uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
+ uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6
 with:
 pattern: "*-test-results"
 merge-multiple: true
 path: test-results
 - name: Download security results
- uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
+ uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6
 with:
 pattern: "*-security-results"
 merge-multiple: true
 path: security-results
 - name: Download quality results
- uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
+ uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6
 with:
 pattern: "*-quality-results"
 merge-multiple: true
@@ -176,7 +176,7 @@ jobs:
 EOF
 - name: Upload technical review report
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
 with:
 name: technical-review-report
 path: technical-review-report.md
@@ -194,7 +194,7 @@ jobs:
 echo "url=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> $GITHUB_OUTPUT
 - name: Download technical review report
- uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
+ uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6
 with:
 name: technical-review-report
 path: qa-review
@@ -224,7 +224,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Download technical review report
- uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
+ uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6
 with:
 name: technical-review-report
diff --git a/.github/workflows/_reusable-release-publisher.yaml b/.github/workflows/_reusable-release-publisher.yaml
index 95cbd2e624..dcee8a0a7c 100644
--- a/.github/workflows/_reusable-release-publisher.yaml
+++ b/.github/workflows/_reusable-release-publisher.yaml
@@ -85,13 +85,13 @@ jobs:
 contents: write # is required by action-gh-release
 id-token: write # Required for OIDC authentication with PyPI
 steps:
- - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
+ - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6
 with:
 name: ${{ inputs.artifact-name }}
 path: dist
 - name: Publish to PyPI
 uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
- - uses: softprops/action-gh-release@62c96d0c4e8a889135c1f3a25910db8dbe0e85f7 # v2.3.4
+ - uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
 with:
 tag_name: ${{ inputs.version }}
 name: Release ${{ inputs.version }}
diff --git a/.github/workflows/_reusable-security-scan.yaml b/.github/workflows/_reusable-security-scan.yaml
index 4d45d3f8e2..ced5477a66 100644
--- a/.github/workflows/_reusable-security-scan.yaml
+++ b/.github/workflows/_reusable-security-scan.yaml
@@ -79,7 +79,7 @@ jobs:
 if: contains(inputs.tools, 'bandit')
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 with:
 persist-credentials: false
 - name: Run Bandit scan
@@ -94,12 +94,12 @@ jobs:
 if: contains(inputs.tools, 'semgrep')
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 with:
 persist-credentials: false
 fetch-depth: 0
 - name: Run Semgrep scan
- uses: open-edge-platform/geti-ci/actions/semgrep@4ec90fb54c7be053e40b9e3ecdf399cf501596ca
+ uses: open-edge-platform/geti-ci/actions/semgrep@66652424b4ec87ff529dce5ae4a03f339e58a84b
 with:
 scan-scope: ${{ inputs.scan-scope }}
 severity: ${{ inputs.severity-level }}
@@ -109,7 +109,7 @@ jobs:
 if: contains(inputs.tools, 'trivy')
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 with:
 fetch-depth: 0 # Required for changed files detection
 persist-credentials: false
@@ -131,7 +131,7 @@ jobs:
 if: contains(inputs.tools, 'clamav')
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 with:
 persist-credentials: false
 - name: Run ClamAV scan
@@ -144,7 +144,7 @@ jobs:
 if: contains(inputs.tools, 'zizmor')
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 with:
 persist-credentials: false
 - name: Run Zizmor scan
@@ -176,7 +176,7 @@ jobs:
 # Download artifacts with error handling
 - name: Download all results
- uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
+ uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6
 continue-on-error: true # Don't fail if some tools didn't generate results
 with:
 pattern: "*-results"
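Review bot: The new `uses: open-edge-platform/geti-ci/actions/semgrep@66652424b4ec87ff529dce5ae4a03f339e58a84b` line in the semgrep job is the only digest pin in this change without a trailing version annotation, while every other bumped `uses:` line carries one (`# v6`, `# v47.0.1`, …). A bare digest cannot be mapped to a release or its changelog by a reader, and the digest-pin update tooling that is configured for this repository appears to rely on that comment to know which version the digest corresponds to, so the pin may never be bumped again automatically. Append the release the digest resolves to, e.g. `uses: open-edge-platform/geti-ci/actions/semgrep@66652424b4ec87ff529dce5ae4a03f339e58a84b # vX.Y.Z` with the real tag in place of the placeholder. The enclosing job continues outside the hunk.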
@@ -186,7 +186,7 @@ jobs:
 # Only upload if there are files
 - name: Upload combined results
 if: hashFiles('all-results/**/*') != ''
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
 with:
 name: security-scan-results
 path: all-results
diff --git a/.github/workflows/_reusable-test-suite.yaml b/.github/workflows/_reusable-test-suite.yaml
index dc8f3022f2..795f945637 100644
--- a/.github/workflows/_reusable-test-suite.yaml
+++ b/.github/workflows/_reusable-test-suite.yaml
@@ -108,7 +108,7 @@ jobs:
 run: |
 nvidia-smi || echo "::error::No GPU found"
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 with:
 persist-credentials: false
 - name: Run tests
diff --git a/.github/workflows/_reusable-version-bump.yaml b/.github/workflows/_reusable-version-bump.yaml
index 7580cea0d0..6ff37f2d85 100644
--- a/.github/workflows/_reusable-version-bump.yaml
+++ b/.github/workflows/_reusable-version-bump.yaml
@@ -106,14 +106,14 @@ jobs:
 version-changed: ${{ steps.bump.outputs.version_changed }}
 steps:
 - name: Checkout repository
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 with:
 fetch-depth: 0
 token: ${{ secrets.github-token }}
 persist-credentials: true
 - name: Set up Python
- uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
+ uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6
 with:
 python-version: ${{ inputs.python-version }}
 cache: pip
@@ -173,7 +173,7 @@ jobs:
 - name: Create Pull Request
 if: steps.check-bump.outputs.version_needs_bump == 'true' && inputs.create-pr && !inputs.dry-run
- uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+ uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
 with:
 token: ${{ secrets.github-token }}
 commit-message: "chore(release): bump version to ${{ steps.bump.outputs.new_version }}"
diff --git a/.github/workflows/_reusable-version-check.yaml b/.github/workflows/_reusable-version-check.yaml
index 9c0c0dc8bb..2d1fd180ed 100644
--- a/.github/workflows/_reusable-version-check.yaml
+++ b/.github/workflows/_reusable-version-check.yaml
@@ -83,7 +83,7 @@ jobs:
 version: ${{ steps.get-version.outputs.version }}
 is_prerelease: ${{ steps.check-prerelease.outputs.is_prerelease }}
 steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 with:
 persist-credentials: false
 - name: Validate version
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index cd9d7c1fa7..f59e8adc99 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -31,24 +31,24 @@ jobs:
 steps:
 - name: Harden the runner (audit all outbound calls)
- uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
 with:
 egress-policy: audit
 - name: Checkout repository
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
+ uses: github/codeql-action/init@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
 with:
 languages: ${{ matrix.language }}
 build-mode: ${{ matrix.build-mode }}
 queries: security-extended
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
+ uses: github/codeql-action/analyze@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
 with:
 category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/issue-management.yaml b/.github/workflows/issue-management.yaml
index fe581eaa6b..baeeb8af52 100644
--- a/.github/workflows/issue-management.yaml
+++ b/.github/workflows/issue-management.yaml
@@ -68,7 +68,7 @@ jobs:
 issues: write
 pull-requests: write
 steps:
- - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10
+ - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10
 with:
 # Number of days of inactivity before an issue is marked as stale
 days-before-stale: 90
diff --git a/.github/workflows/pre_merge.yml b/.github/workflows/pre_merge.yml
index 2f54a0e9e2..077c4ecffb 100644
--- a/.github/workflows/pre_merge.yml
+++ b/.github/workflows/pre_merge.yml
@@ -23,12 +23,12 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - name: CHECKOUT REPOSITORY
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 with:
 lfs: true
 persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
+ uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6
 with:
 python-version: "3.10"
 - name: Install Tox
@@ -47,11 +47,11 @@ jobs:
 tox-env: "py310"
 steps:
 - name: Checkout repository
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 with:
 persist-credentials: false
 - name: Install Python
- uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
+ uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6
 with:
 python-version: ${{ matrix.python-version }}
 - name: Install Tox
@@ -86,7 +86,7 @@ jobs:
 md-dead-link-check:
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 with:
 persist-credentials: false
 - uses: AlexanderDokuchaev/md-dead-link-check@d5a37e0b14e5918605d22b34562532762ccb2e47 # v1.2.0
diff --git a/.github/workflows/renovate-config-validator.yml b/.github/workflows/renovate-config-validator.yml
index 37b5868c4d..4a11307c60 100644
--- a/.github/workflows/renovate-config-validator.yml
+++ b/.github/workflows/renovate-config-validator.yml
@@ -38,7 +38,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout configuration
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 5c173a750a..a632bc0d14 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -61,19 +61,19 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 - name: Get token
 id: get-github-app-token
- uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+ uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
 with:
 app-id: ${{ secrets.RENOVATE_APP_ID }}
 private-key: ${{ secrets.RENOVATE_APP_PEM }}
 - name: Self-hosted Renovate
- uses: renovatebot/github-action@53bdcc4ec92f28e5023ac92356ea8bb45f8b807d # v43.0.15
+ uses: renovatebot/github-action@5712c6a41dea6cdf32c72d92a763bd417e6606aa # v44.0.5
 with:
 configurationFile: .github/renovate.json5
 token: "${{ steps.get-github-app-token.outputs.token }}"
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 123dd84034..a08bd7559a 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -43,7 +43,7 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
@@ -56,6 +56,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard
 - name: Upload to code-scanning
- uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
+ uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
 with:
 sarif_file: results.sarif