From 180cd3b2f2425ba02fd3a31086f55ee118a8ac1c Mon Sep 17 00:00:00 2001
From: Bilal Retiat <bilal.retiat@gmail.com>
Date: Tue, 1 Oct 2024 20:40:43 +0400
Subject: [PATCH 1/4] Actions: Add workflow dispatch for release workflows

---
 .github/workflows/pythonpublish-linux.yml   | 1 +
 .github/workflows/pythonpublish-macos.yml   | 1 +
 .github/workflows/pythonpublish-windows.yml | 1 +
 3 files changed, 3 insertions(+)

diff --git a/.github/workflows/pythonpublish-linux.yml b/.github/workflows/pythonpublish-linux.yml
index b5db288c..14975940 100644
--- a/.github/workflows/pythonpublish-linux.yml
+++ b/.github/workflows/pythonpublish-linux.yml
@@ -1,6 +1,7 @@
 name: Linux Package
 
 on:
+  workflow_dispatch:
   release:
     types: [published]
 
diff --git a/.github/workflows/pythonpublish-macos.yml b/.github/workflows/pythonpublish-macos.yml
index fb506dd2..43cdadce 100644
--- a/.github/workflows/pythonpublish-macos.yml
+++ b/.github/workflows/pythonpublish-macos.yml
@@ -1,6 +1,7 @@
 name: MacOS Package
 
 on:
+  workflow_dispatch:
   release:
     types: [published]
 
diff --git a/.github/workflows/pythonpublish-windows.yml b/.github/workflows/pythonpublish-windows.yml
index 981a662a..827c05a3 100644
--- a/.github/workflows/pythonpublish-windows.yml
+++ b/.github/workflows/pythonpublish-windows.yml
@@ -1,6 +1,7 @@
 name: Windows Package
 
 on:
+  workflow_dispatch:
   release:
     types: [published]
 

From ed365fcf2d615f21b23775f74c37ff5d95b42419 Mon Sep 17 00:00:00 2001
From: Bilal Retiat <bilal.retiat@gmail.com>
Date: Tue, 1 Oct 2024 20:42:00 +0400
Subject: [PATCH 2/4] Actions: Update macOS target for release workflows

---
 .github/workflows/pythonpublish-macos.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/pythonpublish-macos.yml b/.github/workflows/pythonpublish-macos.yml
index 43cdadce..aa476df5 100644
--- a/.github/workflows/pythonpublish-macos.yml
+++ b/.github/workflows/pythonpublish-macos.yml
@@ -11,7 +11,7 @@ jobs:
     strategy:
       matrix:
         python-version: ['3.8', '3.9', '3.10', '3.11', '3.12']
-        os: [macos-11, macos-12]
+        os: [macos-12, macos-13, macos-14]
 
     steps:
       - uses: actions/checkout@v2

From e2108bc14c14ab07b27e903e7034b89833fa5dde Mon Sep 17 00:00:00 2001
From: Bilal Retiat <bilal.retiat@gmail.com>
Date: Tue, 1 Oct 2024 21:03:27 +0400
Subject: [PATCH 3/4] Actions: Update all used Actions in the workflows to
 latest version and pin them with hash

---
 .github/workflows/bazel_tests.yml           |  4 ++--
 .github/workflows/benchmarks.yml            |  8 ++++----
 .github/workflows/ossar-analysis.yml        |  6 +++---
 .github/workflows/pythonpublish-linux.yml   |  2 +-
 .github/workflows/pythonpublish-macos.yml   |  4 ++--
 .github/workflows/pythonpublish-windows.yml |  6 +++---
 .github/workflows/tests.yml                 | 16 ++++++++--------
 7 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/.github/workflows/bazel_tests.yml b/.github/workflows/bazel_tests.yml
index a5ac5848..d9b2c705 100644
--- a/.github/workflows/bazel_tests.yml
+++ b/.github/workflows/bazel_tests.yml
@@ -15,11 +15,11 @@ jobs:
         python-version: ['3.9']
         os: [macos-latest, ubuntu-latest]
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           submodules: true
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
+        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Run gtest
diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml
index 6b5d936c..2136f8ac 100644
--- a/.github/workflows/benchmarks.yml
+++ b/.github/workflows/benchmarks.yml
@@ -12,9 +12,9 @@ jobs:
         os: [macos-latest, ubuntu-latest, windows-latest]
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
+        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Prepare ENV
@@ -32,7 +32,7 @@ jobs:
         run: .github/workflows/scripts/install_req_windows.bat
         if: ${{ matrix.os == 'windows-latest' }}
       - name: Install dependencies Windows - msbuild
-        uses: microsoft/setup-msbuild@v1.0.2
+        uses: microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce # v2
         if: ${{ matrix.os == 'windows-latest' }}
       - name: Build the library for Ubuntu/MacOS
         run: .github/workflows/scripts/build_nix.sh
@@ -44,7 +44,7 @@ jobs:
         run: |
           pytest tests/python/benchmarks/ --cov-fail-under 0 --benchmark-json pytest_benchmarks_output.json
       - name: Store benchmark result
-        uses: rhysd/github-action-benchmark@v1
+        uses: benchmark-action/github-action-benchmark@4de1bed97a47495fc4c5404952da0499e31f5c29 # v1.20.3
         with:
           name: Python-Benchmarks
           tool: "pytest"
diff --git a/.github/workflows/ossar-analysis.yml b/.github/workflows/ossar-analysis.yml
index 9698690e..b7685566 100644
--- a/.github/workflows/ossar-analysis.yml
+++ b/.github/workflows/ossar-analysis.yml
@@ -15,15 +15,15 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
       # Run open source static analysis tools
     - name: Run OSSAR
-      uses: github/ossar-action@v1
+      uses: github/ossar-action@4e96c4f6e591eb4b991abfd459e40b136a317aea # v2.0.0
       id: ossar
 
       # Upload results to the Security tab
     - name: Upload OSSAR results
-      uses: github/codeql-action/upload-sarif@v1
+      uses: github/codeql-action/upload-sarif@5618c9fc1e675841ca52c1c6b1304f5255a905a0 # v2.19.0
       with:
         sarif_file: ${{ steps.ossar.outputs.sarifFile }}
diff --git a/.github/workflows/pythonpublish-linux.yml b/.github/workflows/pythonpublish-linux.yml
index 14975940..631db2ee 100644
--- a/.github/workflows/pythonpublish-linux.yml
+++ b/.github/workflows/pythonpublish-linux.yml
@@ -20,7 +20,7 @@ jobs:
     container: quay.io/pypa/manylinux2014_x86_64
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           submodules: true
       - name: Prepare ENV
diff --git a/.github/workflows/pythonpublish-macos.yml b/.github/workflows/pythonpublish-macos.yml
index aa476df5..f6c75a10 100644
--- a/.github/workflows/pythonpublish-macos.yml
+++ b/.github/workflows/pythonpublish-macos.yml
@@ -14,11 +14,11 @@ jobs:
         os: [macos-12, macos-13, macos-14]
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           submodules: true
       - name: Set up Python
-        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
+        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies
diff --git a/.github/workflows/pythonpublish-windows.yml b/.github/workflows/pythonpublish-windows.yml
index 827c05a3..2333b897 100644
--- a/.github/workflows/pythonpublish-windows.yml
+++ b/.github/workflows/pythonpublish-windows.yml
@@ -13,17 +13,17 @@ jobs:
         python-version: ['3.8', '3.9', '3.10', '3.11', '3.12']
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           submodules: true
       - name: Set up Python
-        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
+        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies
         run: .github/workflows/scripts/install_req_windows.bat
       - name: Setup msbuild
-        uses: microsoft/setup-msbuild@v1.0.2
+        uses: microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce # v2
       - name: Build and publish
         env:
           TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index bc383383..f9152788 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -14,11 +14,11 @@ jobs:
         python-version: ['3.8', '3.12']
         os: [ubuntu-latest]
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           submodules: true
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
+        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies
@@ -37,11 +37,11 @@ jobs:
         python-version: ['3.8', '3.9', '3.10', '3.11', '3.12']
         os: [macos-latest, ubuntu-latest, windows-latest]
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           submodules: true
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
+        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Check LongPathsEnabled
@@ -64,7 +64,7 @@ jobs:
         run: .github/workflows/scripts/install_req_windows.bat
         if: ${{ matrix.os == 'windows-latest' }}
       - name: Install dependencies Windows - msbuild
-        uses: microsoft/setup-msbuild@v1.0.3
+        uses: microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce # v2
         if: ${{ matrix.os == 'windows-latest' }}
       - name: Build the library for Ubuntu/MacOS
         run: .github/workflows/scripts/build_nix.sh
@@ -89,11 +89,11 @@ jobs:
         python-version: ['3.8', '3.9', '3.10', '3.11', '3.12']
         os: [macos-latest, ubuntu-latest, windows-latest]
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           submodules: true
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
+        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Prepare ENV
@@ -116,7 +116,7 @@ jobs:
         run: .github/workflows/scripts/install_req_windows.bat
         if: ${{ matrix.os == 'windows-latest' }}
       - name: Install dependencies Windows - msbuild
-        uses: microsoft/setup-msbuild@v1.0.3
+        uses: microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce # v2
         if: ${{ matrix.os == 'windows-latest' }}
       - name: Build the library for Ubuntu/MacOS
         run: .github/workflows/scripts/build_nix.sh

From 675b74f185361aea84b5a64f12920ee7406934ec Mon Sep 17 00:00:00 2001
From: Bilal Retiat <bilal.retiat@gmail.com>
Date: Tue, 1 Oct 2024 21:26:38 +0400
Subject: [PATCH 4/4] Actions: force using node16 for Linux release publish
 workflow

---
 .github/workflows/pythonpublish-linux.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/pythonpublish-linux.yml b/.github/workflows/pythonpublish-linux.yml
index 631db2ee..faa6f638 100644
--- a/.github/workflows/pythonpublish-linux.yml
+++ b/.github/workflows/pythonpublish-linux.yml
@@ -18,6 +18,12 @@ jobs:
 
     runs-on: ubuntu-latest
     container: quay.io/pypa/manylinux2014_x86_64
+    
+    # node20 can't run on manylinux2014 as it requires newer version of GLIBC
+    # https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/
+    env:
+      ACTIONS_RUNNER_FORCE_ACTIONS_NODE_VERSION: node16
+      ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
 
     steps:
       - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0