diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml index 9ba56f8d6..88297ec3e 100644 --- a/.github/workflows/build-and-publish.yml +++ b/.github/workflows/build-and-publish.yml @@ -15,11 +15,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: "exasol/python-toolbox/.github/actions/python-environment@de9c841d1e0c1d59b267900baf25da913330a25a" with: python-version: "3.10" poetry-version: "2.3.0" diff --git a/.github/workflows/check-release-tag.yml b/.github/workflows/check-release-tag.yml index 5423c11a4..fca9a1b65 100644 --- a/.github/workflows/check-release-tag.yml +++ b/.github/workflows/check-release-tag.yml @@ -13,11 +13,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: "exasol/python-toolbox/.github/actions/python-environment@de9c841d1e0c1d59b267900baf25da913330a25a" with: python-version: "3.10" poetry-version: "2.3.0" diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index a258fef3a..d5b7fdbcd 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml 
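Review bot: In the `.github/workflows/build-and-publish.yml` hunk the `python-environment` step goes from `@v6` to `de9c841d1e0c1d59b267900baf25da913330a25a`, which `exasol/toolbox/config.py` in this same diff labels `# v7`. That line is therefore a major-version change as well as a pin, and nothing in the workflow says so. The pinned lines also carry no release marker, so a reviewer cannot tell which release a SHA corresponds to without looking it up. A trailing comment fixes that, e.g. `uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"  # v6.0.2`. The same applies to every other `uses:` line changed under `.github/workflows/`; the step lists continue outside the hunks.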
@@ -12,11 +12,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: "exasol/python-toolbox/.github/actions/python-environment@de9c841d1e0c1d59b267900baf25da913330a25a" with: python-version: "3.10" poetry-version: "2.3.0" @@ -38,11 +38,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: "exasol/python-toolbox/.github/actions/python-environment@de9c841d1e0c1d59b267900baf25da913330a25a" with: python-version: "3.10" poetry-version: "2.3.0" @@ -63,11 +63,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: "exasol/python-toolbox/.github/actions/python-environment@de9c841d1e0c1d59b267900baf25da913330a25a" with: python-version: ${{ matrix.python-versions }} poetry-version: "2.3.0" @@ -78,7 +78,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: "actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a" with: name: lint-python${{ matrix.python-versions }} path: | 
@@ -98,11 +98,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: "exasol/python-toolbox/.github/actions/python-environment@de9c841d1e0c1d59b267900baf25da913330a25a" with: python-version: ${{ matrix.python-versions }} poetry-version: "2.3.0" @@ -124,11 +124,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: "exasol/python-toolbox/.github/actions/python-environment@de9c841d1e0c1d59b267900baf25da913330a25a" with: python-version: ${{ matrix.python-versions }} poetry-version: "2.3.0" @@ -139,7 +139,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: "actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a" with: name: security-python${{ matrix.python-versions }} path: .security.json @@ -153,11 +153,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: "exasol/python-toolbox/.github/actions/python-environment@de9c841d1e0c1d59b267900baf25da913330a25a" with: python-version: "3.10" poetry-version: "2.3.0" 
@@ -175,11 +175,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: "exasol/python-toolbox/.github/actions/python-environment@de9c841d1e0c1d59b267900baf25da913330a25a" with: python-version: "3.10" poetry-version: "2.3.0" @@ -196,11 +196,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: "exasol/python-toolbox/.github/actions/python-environment@de9c841d1e0c1d59b267900baf25da913330a25a" with: python-version: "3.10" poetry-version: "2.3.0" @@ -227,7 +227,7 @@ jobs: fetch-depth: 0 - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: "exasol/python-toolbox/.github/actions/python-environment@de9c841d1e0c1d59b267900baf25da913330a25a" with: python-version: ${{ matrix.python-versions }} poetry-version: "2.3.0" @@ -238,7 +238,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: "actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a" with: name: coverage-python${{ matrix.python-versions }}-fast path: .coverage diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 147d0453a..218ac87a1 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml 
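Review bot: The `@@ -227,7 +227,7 @@` hunk of `.github/workflows/checks.yml` pins only the `python-environment` step. The checkout step directly above it (the one ending in `fetch-depth: 0`) starts outside the hunk and is not changed anywhere in this diff. The corresponding template hunk (`@@ -201,11 +201,11 @@` in `exasol/toolbox/templates/github/workflows/checks.yml`) does pin its checkout. If that step still reads `uses: actions/checkout@v6`, it stays on a mutable tag and should become `uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"`.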
@@ -13,13 +13,13 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" with: fetch-depth: 0 - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: "exasol/python-toolbox/.github/actions/python-environment@de9c841d1e0c1d59b267900baf25da913330a25a" with: python-version: "3.10" poetry-version: "2.3.0" @@ -32,7 +32,7 @@ jobs: - name: Upload Artifact id: upload-artifact - uses: actions/upload-pages-artifact@v5.0.0 + uses: "actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9" with: path: html-documentation @@ -50,4 +50,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deploy-to-github-pages - uses: actions/deploy-pages@v5 + uses: "actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128" diff --git a/.github/workflows/matrix-all.yml b/.github/workflows/matrix-all.yml index 69a5aa4b4..0241f6860 100644 --- a/.github/workflows/matrix-all.yml +++ b/.github/workflows/matrix-all.yml @@ -15,11 +15,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: "exasol/python-toolbox/.github/actions/python-environment@de9c841d1e0c1d59b267900baf25da913330a25a" with: python-version: "3.10" poetry-version: "2.3.0" diff --git a/.github/workflows/matrix-exasol.yml b/.github/workflows/matrix-exasol.yml index 44b5cfd98..89411c675 100644 --- a/.github/workflows/matrix-exasol.yml +++ b/.github/workflows/matrix-exasol.yml 
@@ -15,11 +15,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: "exasol/python-toolbox/.github/actions/python-environment@de9c841d1e0c1d59b267900baf25da913330a25a" with: python-version: "3.10" poetry-version: "2.3.0" diff --git a/.github/workflows/matrix-python.yml b/.github/workflows/matrix-python.yml index 328799b6c..b9612f310 100644 --- a/.github/workflows/matrix-python.yml +++ b/.github/workflows/matrix-python.yml @@ -15,11 +15,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: "exasol/python-toolbox/.github/actions/python-environment@de9c841d1e0c1d59b267900baf25da913330a25a" with: python-version: "3.10" poetry-version: "2.3.0" diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml index 8790ca1ab..8ea053a43 100644 --- a/.github/workflows/report.yml +++ b/.github/workflows/report.yml 
@@ -14,20 +14,20 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" with: fetch-depth: 0 - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: "exasol/python-toolbox/.github/actions/python-environment@de9c841d1e0c1d59b267900baf25da913330a25a" with: python-version: "3.10" poetry-version: "2.3.0" - name: Download Artifacts id: download-artifacts - uses: actions/download-artifact@v8 + uses: "actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c" with: path: ./artifacts diff --git a/.github/workflows/slow-checks.yml b/.github/workflows/slow-checks.yml index 8f1b55e42..bacd35336 100644 --- a/.github/workflows/slow-checks.yml +++ b/.github/workflows/slow-checks.yml @@ -25,11 +25,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: "exasol/python-toolbox/.github/actions/python-environment@de9c841d1e0c1d59b267900baf25da913330a25a" with: python-version: ${{ matrix.python-version }} poetry-version: "2.3.0" @@ -39,7 +39,7 @@ jobs: run: poetry run -- nox -s test:integration -- --coverage - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: "actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a" with: name: coverage-python${{ matrix.python-version }}-exasol${{ matrix.exasol-version }}-slow path: .coverage diff --git a/doc/changes/unreleased.md b/doc/changes/unreleased.md index fb4737052..240ea5866 100644 --- a/doc/changes/unreleased.md +++ b/doc/changes/unreleased.md 
@@ -1,3 +1,7 @@ # Unreleased ## Summary + +## Security Issues + +* #812: Switched GitHub actions from versioned to be pinned with SHAs diff --git a/exasol/toolbox/config.py b/exasol/toolbox/config.py index dd2427ff9..9594e8de5 100644 --- a/exasol/toolbox/config.py +++ b/exasol/toolbox/config.py @@ -86,6 +86,7 @@ def valid_version_string(version_string: str) -> str: ValidPluginHook = Annotated[type[Any], AfterValidator(validate_plugin_hook)] ValidVersionStr = Annotated[str, AfterValidator(valid_version_string)] +SHA_1 = Annotated[str, Field(pattern=r"^[0-9a-fA-F]{40}$")] DEFAULT_EXCLUDED_PATHS = { ".eggs", @@ -121,6 +122,37 @@ def check_minimum_version(cls, v: str, info: ValidationInfo) -> str: return v +class GitHubActionPins(BaseModel): + """ + GitHub action pins for use in the workflow templates. + """ + + checkout: SHA_1 = Field( + default="de0fac2e4500dabe0009e67214ff5f5447ce83dd", # v6.0.2 + description="Commit SHA for actions/checkout", + ) + deploy_pages: SHA_1 = Field( + default="cd2ce8fcbc39b97be8ca5fce6e763baed58fa128", # v5.0.0 + description="Commit SHA for actions/deploy-pages", + ) + download_artifact: SHA_1 = Field( + default="3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c", # v8.0.1 + description="Commit SHA for actions/download-artifact", + ) + ptb_python: SHA_1 = Field( + default="de9c841d1e0c1d59b267900baf25da913330a25a", # v7 + description="Commit SHA for exasol/python-toolbox/.github/actions/python-environment", + ) + upload_artifact: SHA_1 = Field( + default="043fb46d1a93c77aae656e7c1c64a875d1fc6a0a", # v7.0.1 + description="Commit SHA for actions/upload-artifact", + ) + upload_pages_artifact: SHA_1 = Field( + default="fc324d3547104276b827a68afc52ff2a11cc49c9", # v5.0.0 + description="Commit SHA for actions/upload-pages-artifact", + ) + + class BaseConfig(BaseModel): """ Basic configuration for projects using the PTB 
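Review bot: `SHA_1` in the `@@ -86,6 +86,7 @@` hunk of `exasol/toolbox/config.py` checks only the shape of the value, and the code should say so, so that nobody reads it as verification of the pin. A 40-hex string passes whether or not that commit exists in the action's upstream repository, and as far as I know GitHub will also resolve a commit that lives only in a fork of that repository. I would add a comment above the alias such as `# Format check only: does not prove the commit belongs to the upstream action repository.` It would also help to say where the default SHAs were taken from (for example the release tag named in each trailing comment).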
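Review bot: `GitHubActionPins` (hunk `@@ -121,6 +122,37 @@`) declares no `model_config`, so it keeps pydantic's defaults. The nested model stays assignable even though `BaseConfig` is `frozen=True`, and an unknown field name is ignored rather than rejected. The second matters for pinning: an override with a misspelt key, e.g. `GitHubActionPins(chekout=...)` (constructed example), would silently keep the default SHA. Adding `model_config = ConfigDict(frozen=True, extra="forbid")` to the class closes both gaps; `ConfigDict` is already used by `BaseConfig` in this file.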
@@ -191,6 +223,10 @@ class BaseConfig(BaseModel): are supported. """, ) + github_action_pins: GitHubActionPins = Field( + default_factory=GitHubActionPins, + description="This is used to specify the GitHub action pins used in the workflow templates.", + ) model_config = ConfigDict(frozen=True, arbitrary_types_allowed=True) @computed_field # type: ignore[misc] @@ -280,6 +316,7 @@ def github_template_dict(self) -> dict[str, Any]: configurations. """ return { + "github_action_pins": self.github_action_pins.model_dump(), "dependency_manager_version": self.dependency_manager.version, "minimum_python_version": self.minimum_python_version, "os_version": self.os_version, diff --git a/exasol/toolbox/templates/github/workflows/build-and-publish.yml b/exasol/toolbox/templates/github/workflows/build-and-publish.yml index 83877e39d..632a2d413 100644 --- a/exasol/toolbox/templates/github/workflows/build-and-publish.yml +++ b/exasol/toolbox/templates/github/workflows/build-and-publish.yml @@ -15,11 +15,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@(( github_action_pins.checkout ))" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v7 + uses: "exasol/python-toolbox/.github/actions/python-environment@(( github_action_pins.ptb_python ))" with: python-version: "(( minimum_python_version ))" poetry-version: "(( dependency_manager_version ))" diff --git a/exasol/toolbox/templates/github/workflows/check-release-tag.yml b/exasol/toolbox/templates/github/workflows/check-release-tag.yml index f9fb6f697..a955094d3 100644 --- a/exasol/toolbox/templates/github/workflows/check-release-tag.yml +++ b/exasol/toolbox/templates/github/workflows/check-release-tag.yml 
@@ -13,11 +13,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@(( github_action_pins.checkout ))" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v7 + uses: "exasol/python-toolbox/.github/actions/python-environment@(( github_action_pins.ptb_python ))" with: python-version: "(( minimum_python_version ))" poetry-version: "(( dependency_manager_version ))" diff --git a/exasol/toolbox/templates/github/workflows/checks.yml b/exasol/toolbox/templates/github/workflows/checks.yml index ee09b0e9f..2da37045f 100644 --- a/exasol/toolbox/templates/github/workflows/checks.yml +++ b/exasol/toolbox/templates/github/workflows/checks.yml @@ -12,11 +12,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@(( github_action_pins.checkout ))" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v7 + uses: "exasol/python-toolbox/.github/actions/python-environment@(( github_action_pins.ptb_python ))" with: python-version: "(( minimum_python_version ))" poetry-version: "(( dependency_manager_version ))" @@ -38,11 +38,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@(( github_action_pins.checkout ))" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v7 + uses: "exasol/python-toolbox/.github/actions/python-environment@(( github_action_pins.ptb_python ))" with: python-version: "(( minimum_python_version ))" poetry-version: "(( dependency_manager_version ))" 
@@ -63,11 +63,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@(( github_action_pins.checkout ))" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v7 + uses: "exasol/python-toolbox/.github/actions/python-environment@(( github_action_pins.ptb_python ))" with: python-version: ${{ matrix.python-versions }} poetry-version: "(( dependency_manager_version ))" @@ -78,7 +78,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: "actions/upload-artifact@(( github_action_pins.upload_artifact ))" with: name: lint-python${{ matrix.python-versions }} path: | @@ -98,11 +98,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@(( github_action_pins.checkout ))" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v7 + uses: "exasol/python-toolbox/.github/actions/python-environment@(( github_action_pins.ptb_python ))" with: python-version: ${{ matrix.python-versions }} poetry-version: "(( dependency_manager_version ))" @@ -124,11 +124,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@(( github_action_pins.checkout ))" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v7 + uses: "exasol/python-toolbox/.github/actions/python-environment@(( github_action_pins.ptb_python ))" with: python-version: ${{ matrix.python-versions }} poetry-version: "(( dependency_manager_version ))" 
@@ -139,7 +139,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: "actions/upload-artifact@(( github_action_pins.upload_artifact ))" with: name: security-python${{ matrix.python-versions }} path: .security.json @@ -153,11 +153,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@(( github_action_pins.checkout ))" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v7 + uses: "exasol/python-toolbox/.github/actions/python-environment@(( github_action_pins.ptb_python ))" with: python-version: "(( minimum_python_version ))" poetry-version: "(( dependency_manager_version ))" @@ -175,11 +175,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@(( github_action_pins.checkout ))" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v7 + uses: "exasol/python-toolbox/.github/actions/python-environment@(( github_action_pins.ptb_python ))" with: python-version: "(( minimum_python_version ))" poetry-version: "(( dependency_manager_version ))" @@ -201,11 +201,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@(( github_action_pins.checkout ))" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v7 + uses: "exasol/python-toolbox/.github/actions/python-environment@(( github_action_pins.ptb_python ))" with: python-version: ${{ matrix.python-versions }} poetry-version: "(( dependency_manager_version ))" 
@@ -216,7 +216,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: "actions/upload-artifact@(( github_action_pins.upload_artifact ))" with: name: coverage-python${{ matrix.python-versions }}-fast path: .coverage diff --git a/exasol/toolbox/templates/github/workflows/gh-pages.yml b/exasol/toolbox/templates/github/workflows/gh-pages.yml index 4341e2316..c27eb1cbe 100644 --- a/exasol/toolbox/templates/github/workflows/gh-pages.yml +++ b/exasol/toolbox/templates/github/workflows/gh-pages.yml @@ -13,13 +13,13 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@(( github_action_pins.checkout ))" with: fetch-depth: 0 - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v7 + uses: "exasol/python-toolbox/.github/actions/python-environment@(( github_action_pins.ptb_python ))" with: python-version: "(( minimum_python_version ))" poetry-version: "(( dependency_manager_version ))" @@ -32,7 +32,7 @@ jobs: - name: Upload Artifact id: upload-artifact - uses: actions/upload-pages-artifact@v5.0.0 + uses: "actions/upload-pages-artifact@(( github_action_pins.upload_pages_artifact ))" with: path: html-documentation @@ -50,4 +50,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deploy-to-github-pages - uses: actions/deploy-pages@v5 + uses: "actions/deploy-pages@(( github_action_pins.deploy_pages ))" diff --git a/exasol/toolbox/templates/github/workflows/matrix-all.yml b/exasol/toolbox/templates/github/workflows/matrix-all.yml index d78b3e6bb..7b64205dc 100644 --- a/exasol/toolbox/templates/github/workflows/matrix-all.yml +++ b/exasol/toolbox/templates/github/workflows/matrix-all.yml 
@@ -15,11 +15,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@(( github_action_pins.checkout ))" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v7 + uses: "exasol/python-toolbox/.github/actions/python-environment@(( github_action_pins.ptb_python ))" with: python-version: "(( minimum_python_version ))" poetry-version: "(( dependency_manager_version ))" diff --git a/exasol/toolbox/templates/github/workflows/matrix-exasol.yml b/exasol/toolbox/templates/github/workflows/matrix-exasol.yml index f63000906..996c5d8cc 100644 --- a/exasol/toolbox/templates/github/workflows/matrix-exasol.yml +++ b/exasol/toolbox/templates/github/workflows/matrix-exasol.yml @@ -15,11 +15,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@(( github_action_pins.checkout ))" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v7 + uses: "exasol/python-toolbox/.github/actions/python-environment@(( github_action_pins.ptb_python ))" with: python-version: "(( minimum_python_version ))" poetry-version: "(( dependency_manager_version ))" diff --git a/exasol/toolbox/templates/github/workflows/matrix-python.yml b/exasol/toolbox/templates/github/workflows/matrix-python.yml index 7d091a078..98f161f41 100644 --- a/exasol/toolbox/templates/github/workflows/matrix-python.yml +++ b/exasol/toolbox/templates/github/workflows/matrix-python.yml 
@@ -15,11 +15,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@(( github_action_pins.checkout ))" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v7 + uses: "exasol/python-toolbox/.github/actions/python-environment@(( github_action_pins.ptb_python ))" with: python-version: "(( minimum_python_version ))" poetry-version: "(( dependency_manager_version ))" diff --git a/exasol/toolbox/templates/github/workflows/report.yml b/exasol/toolbox/templates/github/workflows/report.yml index 54114c0f0..0d911dc95 100644 --- a/exasol/toolbox/templates/github/workflows/report.yml +++ b/exasol/toolbox/templates/github/workflows/report.yml @@ -14,20 +14,20 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@(( github_action_pins.checkout ))" with: fetch-depth: 0 - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v7 + uses: "exasol/python-toolbox/.github/actions/python-environment@(( github_action_pins.ptb_python ))" with: python-version: "(( minimum_python_version ))" poetry-version: "(( dependency_manager_version ))" - name: Download Artifacts id: download-artifacts - uses: actions/download-artifact@v8 + uses: "actions/download-artifact@(( github_action_pins.download_artifact ))" with: path: ./artifacts diff --git a/exasol/toolbox/templates/github/workflows/slow-checks.yml b/exasol/toolbox/templates/github/workflows/slow-checks.yml index d94cf01ad..22f73a280 100644 --- a/exasol/toolbox/templates/github/workflows/slow-checks.yml +++ b/exasol/toolbox/templates/github/workflows/slow-checks.yml 
@@ -25,11 +25,11 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: "actions/checkout@(( github_action_pins.checkout ))" - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v7 + uses: "exasol/python-toolbox/.github/actions/python-environment@(( github_action_pins.ptb_python ))" with: python-version: ${{ matrix.python-version }} poetry-version: "(( dependency_manager_version ))" @@ -40,7 +40,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: "actions/upload-artifact@(( github_action_pins.upload_artifact ))" with: name: coverage-python${{ matrix.python-version }}-exasol${{ matrix.exasol-version }}-slow path: .coverage diff --git a/test/unit/config_test.py b/test/unit/config_test.py index be6a326bf..88a08572a 100644 --- a/test/unit/config_test.py +++ b/test/unit/config_test.py @@ -9,6 +9,7 @@ DEFAULT_EXCLUDED_PATHS, BaseConfig, DependencyManager, + GitHubActionPins, valid_version_string, warnings, ) @@ -31,6 +32,7 @@ def test_works_as_defined(tmp_path, test_project_config_factory): root_path = config.root_path assert config.model_dump() == { "add_to_excluded_python_paths": (), + "github_action_pins": GitHubActionPins().model_dump(), "create_major_version_tags": False, "dependency_manager": {"name": "poetry", "version": "2.3.0"}, "documentation_path": root_path / "doc", @@ -39,6 +41,7 @@ def test_works_as_defined(tmp_path, test_project_config_factory): "github_workflow_directory": tmp_path / ".github" / "workflows", "github_workflow_patcher_yaml": None, "github_template_dict": { + "github_action_pins": GitHubActionPins().model_dump(), "dependency_manager_version": "2.3.0", "minimum_python_version": "3.10", "os_version": "ubuntu-24.04", 
@@ -97,6 +100,29 @@ def test_raises_exception_when_not_valid(): valid_version_string("$.2.3") +class TestGitHubActionSHAs: + @staticmethod + def test_works_as_expected(): + sha_1 = "cd2ce8fcbc39b97be8ca5fce6e763baed58fa128" + result = GitHubActionPins(checkout=sha_1) + + assert result.checkout == sha_1 + + @staticmethod + @pytest.mark.parametrize( + "sha", + [ + pytest.param("123", id="too-short"), + pytest.param("g" * 40, id="non-hex"), + ], + ) + def test_raises_exception_when_sha_is_invalid(sha): + with pytest.raises(ValidationError) as ex: + GitHubActionPins(checkout=sha) + + assert "String should match pattern" in str(ex.value) + + class BaseConfigExpansion(BaseConfig): expansion1: str = "test1"
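Review bot: The parametrized cases in `test_raises_exception_when_sha_is_invalid` cover a too-short and a non-hex value, but nothing exercises the upper length bound or the end anchor of the `SHA_1` pattern. Adding `pytest.param("a" * 41, id="too-long")` and `pytest.param("a" * 40 + "\n", id="trailing-newline")` would pin both. The second is worth having because whether `$` tolerates a trailing newline depends on the regex engine the validator uses. `BaseConfigExpansion`, which follows in the trailing context, continues outside the hunk.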