From e5a1e694bf964dde569742521efa7af73dfbe6cb Mon Sep 17 00:00:00 2001 From: Bjorn Neergaard Date: Mon, 25 Mar 2024 18:31:04 -0600 Subject: [PATCH] ci: pin actions by sha --- .github/actions/bootstrap-poetry/action.yaml | 2 +- .github/actions/poetry-install/action.yaml | 2 +- .github/workflows/.tests-matrix.yaml | 10 +++++----- .github/workflows/backport.yaml | 6 +++--- .github/workflows/docs.yaml | 10 +++++----- .github/workflows/lock-threads.yaml | 4 ++-- .github/workflows/release.yaml | 10 +++++----- .github/workflows/tests.yaml | 10 +++++----- 8 files changed, 27 insertions(+), 27 deletions(-) diff --git a/.github/actions/bootstrap-poetry/action.yaml b/.github/actions/bootstrap-poetry/action.yaml index abab9dfc2ef..cec135d8991 100644 --- a/.github/actions/bootstrap-poetry/action.yaml +++ b/.github/actions/bootstrap-poetry/action.yaml @@ -26,7 +26,7 @@ outputs: runs: using: composite steps: - - uses: actions/setup-python@v5 + - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5 id: setup-python if: inputs.python-version != 'default' with: diff --git a/.github/actions/poetry-install/action.yaml b/.github/actions/poetry-install/action.yaml index bc0c03f7123..9340d7bef80 100644 --- a/.github/actions/poetry-install/action.yaml +++ b/.github/actions/poetry-install/action.yaml @@ -26,7 +26,7 @@ runs: if: inputs.cache == 'true' shell: bash - - uses: actions/cache@v4 + - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4 id: cache if: inputs.cache == 'true' with: diff --git a/.github/workflows/.tests-matrix.yaml b/.github/workflows/.tests-matrix.yaml index f2d931d47b5..775466186a4 100644 --- a/.github/workflows/.tests-matrix.yaml +++ b/.github/workflows/.tests-matrix.yaml @@ -28,7 +28,7 @@ jobs: runs-on: ${{ inputs.runner }} if: inputs.run-mypy steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - uses: ./.github/actions/bootstrap-poetry id: bootstrap-poetry 
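Review bot: The trailing comment on the pinned `actions/setup-python` line in `bootstrap-poetry/action.yaml` records only the moving major tag (`# v5`), so once upstream moves that tag nothing on the line says which release the 40-character SHA actually is. Recording the exact release the commit belongs to, in the form `# vX.Y.Z` (placeholder; take the value from the upstream release that matches the SHA), makes the pin auditable in review and gives update tooling an exact version to rewrite. The same applies to every other `# v4`, `# v3`, `# v2`, `# v1` and `# v25` comment in this patch. No update configuration for the `github-actions` ecosystem is part of this diff, so it is worth confirming one exists; otherwise these pins will silently fall behind upstream security fixes.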
@@ -37,7 +37,7 @@ jobs: - uses: ./.github/actions/poetry-install - - uses: actions/cache@v4 + - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4 with: path: .mypy_cache key: mypy-${{ runner.os }}-py${{ steps.bootstrap-poetry.outputs.python-version }}-${{ hashFiles('pyproject.toml', 'poetry.lock') }} @@ -52,7 +52,7 @@ jobs: runs-on: ${{ inputs.runner }} if: inputs.run-pytest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - uses: ./.github/actions/bootstrap-poetry with: @@ -74,7 +74,7 @@ jobs: runs-on: ${{ inputs.runner }} if: inputs.run-pytest-export steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - uses: ./.github/actions/bootstrap-poetry with: @@ -87,7 +87,7 @@ jobs: - run: poetry run pip list --format json | jq -r '.[] | "\(.name)=\(.version)"' >> $GITHUB_OUTPUT id: package-versions - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 with: path: poetry-plugin-export repository: python-poetry/poetry-plugin-export diff --git a/.github/workflows/backport.yaml b/.github/workflows/backport.yaml index e7f8faa0186..307fa037359 100644 --- a/.github/workflows/backport.yaml +++ b/.github/workflows/backport.yaml @@ -21,9 +21,9 @@ jobs: ) ) steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 # This workflow requires a non-GHA token in order to trigger downstream CI, and to access the 'fork' repository. - - uses: actions/create-github-app-token@v1 + - uses: actions/create-github-app-token@78e5f2ddc08efcb88fbbee6cfa3fed770ba550c3 # v1 id: app-token with: app-id: ${{ secrets.POETRY_TOKEN_APP_ID }} @@ -37,4 +37,4 @@ jobs: ./.github/scripts/backport.sh --pr ${{ github.event.pull_request.number }} --comment --remote fork env: - GH_TOKEN: ${{ steps.app-token.outputs.token }} + GH_TOKEN: ${{ steps.app-token.outputs.token }} 
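Review bot: The second checkout in the `@@ -87,7` hunk of `.tests-matrix.yaml` fetches `python-poetry/poetry-plugin-export` with no `ref:` among the visible inputs, so the job still runs whatever that repository's default branch holds at run time even though the action doing the fetch is now pinned. The `with:` block continues past the end of the hunk, so a `ref:` may exist below. If tracking the plugin's default branch is deliberate, a comment such as `# intentionally unpinned: test against the plugin's current default branch` above the step would stop this reading as an oversight.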
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 090e9bf30ba..15424e90fd1 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -27,20 +27,20 @@ jobs: contents: read pull-requests: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 with: repository: python-poetry/website - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 with: path: poetry ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-node@v4 + - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4 with: node-version: "18" - - uses: peaceiris/actions-hugo@v2 + - uses: peaceiris/actions-hugo@16361eb4acea8698b220b76c0d4e84e1fd22c61d # v2 with: hugo-version: '0.83.1' @@ -59,7 +59,7 @@ jobs: # Build the static website. hugo -v --minify - - uses: amondnet/vercel-action@v25 + - uses: amondnet/vercel-action@16e87c0a08142b0d0d33b76aeaf20823c381b9b9 # v25 with: vercel-token: ${{ secrets.VERCEL_TOKEN }} github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/lock-threads.yaml b/.github/workflows/lock-threads.yaml index e315d67ada4..09dafbbbac3 100644 --- a/.github/workflows/lock-threads.yaml +++ b/.github/workflows/lock-threads.yaml @@ -14,7 +14,7 @@ jobs: permissions: issues: write steps: - - uses: dessant/lock-threads@v5 + - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5 with: process-only: issues issue-inactive-days: 30 @@ -29,7 +29,7 @@ jobs: issues: write pull-requests: write steps: - - uses: dessant/lock-threads@v5 + - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5 with: process-only: prs pr-inactive-days: 30 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 891657f2162..471cac13971 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
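Review bot: The second `actions/checkout` step in the `@@ -27,20` hunk of `docs.yaml` checks out `github.event.pull_request.head.sha` into `poetry` in a job that holds `pull-requests: write`, and pinning the action does not change the fact that the checked-out content is contributor-controlled. The workflow trigger is outside the hunk, so whether pull requests from forks reach this job with that token is not visible here. Adding `persist-credentials: false` to the `with:` block of the checkout steps keeps the job token out of the working tree's git configuration before the later build steps process the pull-request content.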
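Review bot: The pinned `amondnet/vercel-action` step in the `@@ -59,7` hunk receives `secrets.VERCEL_TOKEN` and `secrets.GITHUB_TOKEN`, and a commit SHA only fixes the contents of the action's own repository, not anything the action downloads when it runs. The earlier `peaceiris/actions-hugo` step fixes its tool with `hugo-version: '0.83.1'`, but no comparable version input is visible for this step; its `with:` block continues outside the hunk. It is worth checking whether the action installs its CLI at run time and, if so, pinning that version through the action's inputs.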
@@ -9,11 +9,11 @@ jobs: name: Build runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - run: pipx run build - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4 with: name: distfiles path: dist/ @@ -26,7 +26,7 @@ jobs: contents: write needs: build steps: - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4 with: name: distfiles @@ -42,10 +42,10 @@ jobs: id-token: write needs: build steps: - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4 with: name: distfiles - - uses: pypa/gh-action-pypi-publish@release/v1 + - uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450 # release/v1 with: print-hash: true diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 4b0847c0b23..2d277c7bf7a 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -23,9 +23,9 @@ jobs: src: ${{ steps.changes.outputs.src }} tests: ${{ steps.changes.outputs.tests }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - - uses: dorny/paths-filter@v3 + - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 id: changes with: filters: | @@ -54,7 +54,7 @@ jobs: if: needs.changes.outputs.project == 'true' needs: changes steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - uses: ./.github/actions/bootstrap-poetry @@ -66,7 +66,7 @@ jobs: if: needs.changes.outputs.project == 'true' needs: lockfile steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - run: pipx run build 
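Review bot: `- run: pipx run build` in the `@@ -9,11` hunk of `release.yaml` still resolves the latest `build` from the package index each time the release job runs, so the step that produces the published distfiles is not covered by this pinning pass. Giving it an explicit version, `- run: pipx run build==X.Y.Z` (placeholder version), would bring the build frontend under the same control as the actions around it. The same unpinned command appears in the `@@ -66,7` hunk of `tests.yaml`.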
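Review bot: The comment on the pinned `pypa/gh-action-pypi-publish` line in the `@@ -42,10` hunk reads `# release/v1`, which names a branch rather than a release, in the one job that holds `id-token: write`. A commit taken from a branch head cannot be matched to a published release from the line alone. Pinning the SHA of a tagged release and recording that tag, for example `# vX.Y.Z` (placeholder), would make this the easiest pin in the workflow to verify instead of the hardest.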
@@ -85,7 +85,7 @@ jobs: if: needs.changes.outputs.fixtures-pypi == 'true' needs: changes steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - uses: ./.github/actions/bootstrap-poetry