diff --git a/.github/workflows/backend-tests.yml b/.github/workflows/backend-tests.yml index a3d3b4a..376b7fb 100644 --- a/.github/workflows/backend-tests.yml +++ b/.github/workflows/backend-tests.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: { python-version: '3.12' } - name: Run runtime, migration, and export-safety tests diff --git a/.github/workflows/changelog-fragments-validate.yml b/.github/workflows/changelog-fragments-validate.yml index 2e9eb71..cd59a5c 100644 --- a/.github/workflows/changelog-fragments-validate.yml +++ b/.github/workflows/changelog-fragments-validate.yml @@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 - name: Set up Python diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 939db49..c4c5ae4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -25,7 +25,7 @@ jobs: python: ["3.10", "3.12", "3.14"] steps: - name: Check out repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Set up Python uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: @@ -41,7 +41,7 @@ jobs: timeout-minutes: 30 steps: - name: Check out full history - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 - name: Set up Python diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 02251fb..3eacb4b 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -25,16 +25,16 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Initialize CodeQL - uses: github/codeql-action/init@1ad29ea4a422cce9a242a9fae469541dcd08addc # v4 + uses: github/codeql-action/init@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4 with: languages: python build-mode: none queries: security-extended - name: Analyze id: analyze - uses: github/codeql-action/analyze@1ad29ea4a422cce9a242a9fae469541dcd08addc # v4 + uses: github/codeql-action/analyze@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4 with: category: /language:python # Private pre-publication repositories may not have Code Scanning @@ -43,7 +43,7 @@ jobs: upload: ${{ github.event.repository.private && 'never' || 'always' }} - name: Retain private-repository SARIF if: github.event.repository.private - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: codeql-python-sarif-${{ github.sha }} path: ${{ steps.analyze.outputs.sarif-output }} diff --git a/.github/workflows/compliance-trace.yml b/.github/workflows/compliance-trace.yml index 5f9d4d3..ba4fbfd 100644 --- a/.github/workflows/compliance-trace.yml +++ b/.github/workflows/compliance-trace.yml @@ -67,7 +67,7 @@ jobs: # Public pull requests never execute on a persistent self-hosted machine. runs-on: ubuntu-latest steps: - - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: { python-version: '3.12' } - name: Unit-test the compliance checker diff --git a/.github/workflows/regression-test-skills.yml b/.github/workflows/regression-test-skills.yml index a3e9ded..ffc5ef4 100644 --- a/.github/workflows/regression-test-skills.yml +++ b/.github/workflows/regression-test-skills.yml @@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Set up Python uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: { python-version: '3.12' } diff --git a/.github/workflows/release-consistency.yml b/.github/workflows/release-consistency.yml index 2804442..461a184 100644 --- a/.github/workflows/release-consistency.yml +++ b/.github/workflows/release-consistency.yml @@ -21,7 +21,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Set up Python uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: { python-version: '3.12' } diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1c88446..5f8dcb2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 steps: - - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 - name: Verify signed annotated tag and main ancestry @@ -57,7 +57,7 @@ jobs: outputs: mode: ${{ steps.classify.outputs.mode }} steps: - - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 @@ -79,7 +79,7 @@ jobs: runs-on: macos-15 timeout-minutes: 20 steps: - - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 @@ -90,7 +90,7 @@ jobs: --git-sha "$(git rev-parse HEAD)" --write-evidence /tmp/runtime-verification.json - name: Publish commit-bound runtime verification evidence - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: runtime-verification path: /tmp/runtime-verification.json @@ -115,14 +115,14 @@ jobs: # (default is 6h). Normal builds finish in well under a minute. timeout-minutes: 20 steps: - - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: { python-version: '3.12' } - name: Download macOS runtime verification evidence if: needs.classify-release.outputs.mode == 'activation' - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: runtime-verification path: /tmp/runtime-verification diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml index ede9e89..15a259f 100644 --- a/.github/workflows/secret-scan.yml +++ b/.github/workflows/secret-scan.yml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Set up Python uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: { python-version: '3.12' } @@ -40,10 +40,10 @@ jobs: timeout-minutes: 30 steps: - name: Check out full history - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 - name: Scan repository history - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2 + uses: gitleaks/gitleaks-action@e0c47f4f8be36e29cdc102c57e68cb5cbf0e8d1e # v3.0.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/skill-build-fresh.yml b/.github/workflows/skill-build-fresh.yml index 9b24709..cde1566 100644 --- a/.github/workflows/skill-build-fresh.yml +++ b/.github/workflows/skill-build-fresh.yml @@ -41,7 +41,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Set up Python uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 diff --git a/.github/workflows/validate-skills.yml b/.github/workflows/validate-skills.yml index 506f7a0..f4cf97c 100644 --- a/.github/workflows/validate-skills.yml +++ b/.github/workflows/validate-skills.yml @@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Set up Python uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: { python-version: '3.12' }