diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml index 4269c2b3..b0fd66c0 100644 --- a/.github/workflows/auto-approve.yml +++ b/.github/workflows/auto-approve.yml @@ -18,6 +18,6 @@ jobs: pull-requests: write if: (github.event.pull_request.user.login == 'emerging-tech-cdk-constructs-bot' || github.event.pull_request.user.login == 'generative-ai-cdk-constructs-bot') && contains(github.event.pull_request.labels.*.name, 'auto-approve') steps: - - uses: hmarr/auto-approve-action@v3.2.1 + - uses: hmarr/auto-approve-action@44888193675f29a83e04faf4002fa8c0b537b1e4 with: github-token: ${{ secrets.PROJEN_GITHUB_TOKEN }} diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 73da4e68..199bd7c8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -15,12 +15,12 @@ jobs: CI: "true" steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 with: ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - name: Setup Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 with: node-version: 20.x - name: Install dependencies @@ -28,7 +28,7 @@ jobs: - name: build run: npx projen build - name: Upload coverage to Codecov - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d with: token: ${{ secrets.CODECOV_TOKEN }} directory: coverage @@ -39,7 +39,7 @@ jobs: git diff --staged --patch --exit-code > .repo.patch || echo "self_mutation_happened=true" >> $GITHUB_OUTPUT - name: Upload patch if: steps.self_mutation.outputs.self_mutation_happened - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 with: name: .repo.patch path: .repo.patch 
@@ -53,7 +53,7 @@ jobs: run: cd dist && getfacl -R . > permissions-backup.acl continue-on-error: true - name: Upload artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 with: name: build-artifact path: dist @@ -65,13 +65,13 @@ jobs: if: always() && needs.build.outputs.self_mutation_happened && !(github.event.pull_request.head.repo.full_name != github.repository) steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 with: token: ${{ secrets.PROJEN_GITHUB_TOKEN }} ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - name: Download patch - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a with: name: .repo.patch path: ${{ runner.temp }} @@ -94,11 +94,11 @@ jobs: permissions: {} if: "! needs.build.outputs.self_mutation_happened" steps: - - uses: actions/setup-node@v3 + - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 with: node-version: 20.x - name: Download build artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a with: name: build-artifact path: dist @@ -119,14 +119,14 @@ jobs: permissions: {} if: "! needs.build.outputs.self_mutation_happened" steps: - - uses: actions/setup-node@v3 + - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 with: node-version: 20.x - - uses: actions/setup-python@v4 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 with: python-version: 3.x - name: Download build artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a with: name: build-artifact path: dist diff --git a/.github/workflows/github-merit-badger.yml b/.github/workflows/github-merit-badger.yml index 30055719..1171f83c 100644 
--- a/.github/workflows/github-merit-badger.yml +++ b/.github/workflows/github-merit-badger.yml @@ -12,7 +12,7 @@ jobs: pull-requests: write steps: - id: github-merit-badger - uses: aws-github-ops/github-merit-badger@main + uses: aws-github-ops/github-merit-badger@70d1c47f7051d6e324d4ddc48d676ba61ef69a3e with: github-token: ${{ secrets.PROJEN_GITHUB_TOKEN }} badges: "[beginning-contributor,repeat-contributor,valued-contributor,admired-contributor,star-contributor,distinguished-contributor]" diff --git a/.github/workflows/monthly-repo-metrics.yml b/.github/workflows/monthly-repo-metrics.yml index f3a47e39..e105beb9 100644 --- a/.github/workflows/monthly-repo-metrics.yml +++ b/.github/workflows/monthly-repo-metrics.yml @@ -24,24 +24,24 @@ jobs: echo "$first_day..$last_day" echo "last_month=$first_day..$last_day" >> "$GITHUB_ENV" - name: Report on issues - uses: github/issue-metrics@v2 + uses: github/issue-metrics@6bc5254e72971dbb7462db077779f1643f772afd env: GH_TOKEN: ${{ secrets.PROJEN_GITHUB_TOKEN }} SEARCH_QUERY: repo:awslabs/generative-ai-cdk-constructs is:issue created:${{ env.last_month }} -reason:"not planned" - name: Create report for issues - uses: peter-evans/create-issue-from-file@v4 + uses: peter-evans/create-issue-from-file@433e51abf769039ee20ba1293a088ca19d573b7f with: title: Monthly issue metrics report token: ${{ secrets.PROJEN_GITHUB_TOKEN }} content-filepath: ./issue_metrics.md assignees: krokoko - name: Report on PRs - uses: github/issue-metrics@v2 + uses: github/issue-metrics@6bc5254e72971dbb7462db077779f1643f772afd env: GH_TOKEN: ${{ secrets.PROJEN_GITHUB_TOKEN }} SEARCH_QUERY: repo:awslabs/generative-ai-cdk-constructs is:pr created:${{ env.last_month }} -is:draft - name: Create report for PRs - uses: peter-evans/create-issue-from-file@v4 + uses: peter-evans/create-issue-from-file@433e51abf769039ee20ba1293a088ca19d573b7f with: title: Monthly issue metrics report token: ${{ secrets.PROJEN_GITHUB_TOKEN }} 
diff --git a/.github/workflows/ort-toolkit.yml b/.github/workflows/ort-toolkit.yml index 906a785c..d58a3c8d 100644 --- a/.github/workflows/ort-toolkit.yml +++ b/.github/workflows/ort-toolkit.yml @@ -13,7 +13,7 @@ jobs: contents: write steps: - name: Checkout project - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 - name: Run GitHub Action for ORT uses: oss-review-toolkit/ort-ci-github-action@7f23c1f8d169dad430e41df223d3b8409c7a156e with: diff --git a/.github/workflows/pull-request-lint.yml b/.github/workflows/pull-request-lint.yml index 2f447935..5c63c253 100644 --- a/.github/workflows/pull-request-lint.yml +++ b/.github/workflows/pull-request-lint.yml @@ -17,7 +17,7 @@ jobs: permissions: pull-requests: write steps: - - uses: amannn/action-semantic-pull-request@v5.0.2 + - uses: amannn/action-semantic-pull-request@01d5fd8a8ebb9aafe902c40c53f0f4744f7381eb env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -38,7 +38,7 @@ jobs: HELP: Contributor statement missing from PR description. Please include the following text in the PR description if: "!(github.event.pull_request.user.login == 'amazon-auto' || github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'emerging-tech-cdk-constructs-bot' || github.event.pull_request.user.login == 'generative-ai-cdk-constructs-bot' || github.event.pull_request.user.login == 'github-actions')" steps: - - uses: actions/github-script@v6 + - uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 with: script: |- const actual = process.env.PR_BODY.replace(/\r?\n/g, "\n"); diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 02a19583..d8334a6c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
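Review bot: The `oss-review-toolkit/ort-ci-github-action` step in the ort-toolkit.yml hunk is a context line already pinned to `7f23c1f8d169dad430e41df223d3b8409c7a156e`, and this commit does not change it. That suggests the SHA is written directly in the workflow builder rather than produced by an override. If so, the `'oss-review-toolkit/ort-ci-github-action@v1'` entry added in `.projenrc.ts` matches nothing. Either drop that entry or have the builder reference `@v1`, so the pin is maintained in one place only.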
@@ -17,7 +17,7 @@ jobs: CI: "true" steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 with: fetch-depth: 0 - name: Set git identity @@ -25,7 +25,7 @@ jobs: git config user.name "github-actions" git config user.email "github-actions@github.com" - name: Setup Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 with: node-version: 20.x - name: Install dependencies @@ -33,7 +33,7 @@ jobs: - name: release run: npx projen release - name: Upload coverage to Codecov - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d with: token: ${{ secrets.CODECOV_TOKEN }} directory: coverage @@ -46,7 +46,7 @@ jobs: continue-on-error: true - name: Upload artifact if: ${{ steps.git_remote.outputs.latest_commit == github.sha }} - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 with: name: build-artifact path: dist @@ -58,11 +58,11 @@ jobs: contents: write if: needs.release.outputs.latest_commit == github.sha steps: - - uses: actions/setup-node@v3 + - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 with: node-version: 20.x - name: Download build artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a with: name: build-artifact path: dist @@ -87,11 +87,11 @@ jobs: contents: read if: needs.release.outputs.latest_commit == github.sha steps: - - uses: actions/setup-node@v3 + - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 with: node-version: 20.x - name: Download build artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a with: name: build-artifact path: dist 
@@ -120,14 +120,14 @@ jobs: contents: read if: needs.release.outputs.latest_commit == github.sha steps: - - uses: actions/setup-node@v3 + - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 with: node-version: 20.x - - uses: actions/setup-python@v4 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 with: python-version: 3.x - name: Download build artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a with: name: build-artifact path: dist diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 837c8ec9..0baaa67f 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -21,11 +21,11 @@ jobs: if: (github.actor != 'dependabot[bot]') steps: - name: Checkout project - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 - name: Run Semgrep CI run: semgrep scan --verbose --json --output=semgrep.json - name: Store Semgrep as Artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 with: name: semgrep.json path: semgrep.json diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index ca07d5a2..651700fa 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -12,7 +12,7 @@ jobs: issues: write pull-requests: write steps: - - uses: actions/stale@v4 + - uses: actions/stale@a20b814fb01b71def3bd6f56e7494d667ddf28da with: days-before-stale: -1 days-before-close: -1 diff --git a/.github/workflows/update-contributors.yml b/.github/workflows/update-contributors.yml index 88bd6122..1d8be015 100644 --- a/.github/workflows/update-contributors.yml +++ b/.github/workflows/update-contributors.yml 
@@ -13,15 +13,15 @@ jobs: if: github.repository == 'awslabs/generative-ai-cdk-constructs' steps: - name: Checkout project - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 - name: Update a projects CONTRIBUTORS file - uses: minicli/action-contributors@v3.3 + uses: minicli/action-contributors@20ec03af008cb51110a3137fbf77f59a4fd7ff5a env: CONTRIB_REPOSITORY: awslabs/generative-ai-cdk-constructs CONTRIB_OUTPUT_FILE: CONTRIBUTORS.md CONTRIB_IGNORE: emerging-tech-cdk-constructs-bot, generative-ai-cdk-constructs-bot, dependabot[bot], dependabot, amazon-auto, github-actions - name: Create a PR - uses: peter-evans/create-pull-request@v5 + uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 with: branch: automation/update-contributors author: emerging-tech-cdk-constructs-bot diff --git a/.github/workflows/upgrade-main.yml b/.github/workflows/upgrade-main.yml index 6a32e4e4..8ae07d9b 100644 --- a/.github/workflows/upgrade-main.yml +++ b/.github/workflows/upgrade-main.yml @@ -15,11 +15,11 @@ jobs: patch_created: ${{ steps.create_patch.outputs.patch_created }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 with: ref: main - name: Setup Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 with: node-version: 20.x - name: Install dependencies @@ -33,7 +33,7 @@ jobs: git diff --staged --patch --exit-code > .repo.patch || echo "patch_created=true" >> $GITHUB_OUTPUT - name: Upload patch if: steps.create_patch.outputs.patch_created - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 with: name: .repo.patch path: .repo.patch 
@@ -46,11 +46,11 @@ jobs: if: ${{ needs.upgrade.outputs.patch_created }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 with: ref: main - name: Download patch - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a with: name: .repo.patch path: ${{ runner.temp }} @@ -62,7 +62,7 @@ jobs: git config user.email "github-actions@github.com" - name: Create Pull Request id: create-pr - uses: peter-evans/create-pull-request@v4 + uses: peter-evans/create-pull-request@38e0b6e68b4c852a5500a94740f0e535e0d7ba54 with: token: ${{ secrets.PROJEN_GITHUB_TOKEN }} commit-message: |- diff --git a/.projenrc.ts b/.projenrc.ts index 1208f9e0..b03e6b88 100644 --- a/.projenrc.ts +++ b/.projenrc.ts 
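Review bot: The `Create Pull Request` step in upgrade-main.yml pins `peter-evans/create-pull-request` to the commit behind `@v4` (`38e0b6e68b4c852a5500a94740f0e535e0d7ba54`), while update-contributors.yml pins the same action at `@v5` (`153407881ec5c347639a548ade7d8ad1d6740e38`). This step receives `PROJEN_GITHUB_TOKEN`, so two major versions of a token-holding action now have to be audited and bumped separately. If the upgrade workflow does not depend on v4 behaviour, pointing both keys in `.projenrc.ts` at one reviewed commit removes one pin to track. The step's `with:` block continues outside the hunk.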
@@ -95,6 +95,26 @@ buildAutoApproveWorkflow(project); buildOrtToolkitWorkflow(project); runSemGrepWorkflow(project); +// Add specific overrides https://projen.io/github.html#actions-versions +project.github?.actions.set('actions/checkout@v3', 'actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744'); +project.github?.actions.set('actions/download-artifact@v3', 'actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a'); +project.github?.actions.set('actions/github-script@v6', 'actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410'); +project.github?.actions.set('actions/setup-node@v3', 'actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7'); +project.github?.actions.set('actions/setup-python@v4', 'actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236'); +project.github?.actions.set('actions/stale@v4', 'actions/stale@a20b814fb01b71def3bd6f56e7494d667ddf28da'); +project.github?.actions.set('actions/upload-artifact@v3', 'actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32'); +project.github?.actions.set('amannn/action-semantic-pull-request@v5.0.2', 'amannn/action-semantic-pull-request@01d5fd8a8ebb9aafe902c40c53f0f4744f7381eb'); +project.github?.actions.set('aws-github-ops/github-merit-badger@main', 'aws-github-ops/github-merit-badger@70d1c47f7051d6e324d4ddc48d676ba61ef69a3e'); +project.github?.actions.set('codecov/codecov-action@v3', 'codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d'); +project.github?.actions.set('github/issue-metrics@v2', 'github/issue-metrics@6bc5254e72971dbb7462db077779f1643f772afd'); +project.github?.actions.set('hmarr/auto-approve-action@v3.2.1', 'hmarr/auto-approve-action@44888193675f29a83e04faf4002fa8c0b537b1e4'); +project.github?.actions.set('minicli/action-contributors@v3.3', 'minicli/action-contributors@20ec03af008cb51110a3137fbf77f59a4fd7ff5a'); +project.github?.actions.set('oss-review-toolkit/ort-ci-github-action@v1', 
'oss-review-toolkit/ort-ci-github-action@7f23c1f8d169dad430e41df223d3b8409c7a156e'); +project.github?.actions.set('peter-evans/create-issue-from-file@v4', 'peter-evans/create-issue-from-file@433e51abf769039ee20ba1293a088ca19d573b7f'); +project.github?.actions.set('peter-evans/create-pull-request@v4', 'peter-evans/create-pull-request@38e0b6e68b4c852a5500a94740f0e535e0d7ba54'); +project.github?.actions.set('peter-evans/create-pull-request@v5', 'peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38'); + + // We don't want to package certain things project.npmignore?.addPatterns( '/docs/',
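Review bot: Each override is keyed on an exact `name@tag` string (`'actions/checkout@v3'`, `'hmarr/auto-approve-action@v3.2.1'`, …), so once a projen upgrade or a workflow builder emits a different tag the key presumably stops matching and the workflow silently returns to a mutable ref. A guard would catch that, for example a test or CI step that fails when any `uses:` line under `.github/workflows/` is not a 40-character commit SHA. The SHAs also carry no record of the release they correspond to; a per-line comment such as `// actions/checkout v3.x.y, tag resolved on <date>` would let a reviewer verify each pin against upstream. That matters most for `aws-github-ops/github-merit-badger`, which was tracking `main` and has no tag to compare with. Since the generated workflows are presumably rewritten on every synth, the comment above this block should also say that pins are bumped here, not in the YAML.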