From 9516cf6ba29089895dc2cf32e12170605aec55ef Mon Sep 17 00:00:00 2001 From: Ned Batchelder Date: Sat, 22 Jun 2024 16:24:52 -0400 Subject: [PATCH] build: hash-pin all actions --- .github/workflows/codeql-analysis.yml | 8 ++++---- .github/workflows/coverage.yml | 18 ++++++++--------- .github/workflows/dependency-review.yml | 5 +++-- .github/workflows/kit.yml | 26 ++++++++++++------------- .github/workflows/publish.yml | 2 +- .github/workflows/python-nightly.yml | 6 +++--- .github/workflows/quality.yml | 12 ++++++------ .github/workflows/testsuite.yml | 6 +++--- 8 files changed, 42 insertions(+), 41 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 455326622..742ea7af7 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -45,11 +45,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@412ab5c4176178930892df540237c587c71786c9 # v3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -60,7 +60,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@412ab5c4176178930892df540237c587c71786c9 # v3 # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -74,4 +74,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@412ab5c4176178930892df540237c587c71786c9 # v3 
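Review bot: The three `github/codeql-action` pins (`init` in the first hunk of codeql-analysis.yml, `autobuild` and `analyze` in the next two) carry the trailing comment `# v3`, a moving major tag, while every other pin in this commit records an exact release such as `# v4.1.7`. Once `v3` moves upstream, nothing on the line says which release 412ab5c4… corresponds to, so a reviewer cannot check the hash against a tag, and any update tool that reads the comment has no exact version to compare. I would record the exact release on all three steps, e.g. `uses: github/codeql-action/init@412ab5c4176178930892df540237c587c71786c9 # v3.X.Y` (placeholder: use the tag that resolves to this commit). The job's `steps:` list begins and continues outside these hunks, so other `uses:` lines in the file are not visible here.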
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index 0df58c716..cfcae0a69 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -81,10 +81,10 @@ jobs: steps: - name: "Check out the repo" - uses: "actions/checkout@v4" + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: "Set up Python" - uses: "actions/setup-python@v5" + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: "${{ matrix.python-version }}" allow-prereleases: true @@ -125,7 +125,7 @@ jobs: mv .metacov .metacov.$MATRIX_ID - name: "Upload coverage data" - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: metacov-${{ env.MATRIX_ID }} path: .metacov.* @@ -141,10 +141,10 @@ jobs: steps: - name: "Check out the repo" - uses: "actions/checkout@v4" + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: "Set up Python" - uses: "actions/setup-python@v5" + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: "3.8" # Minimum of PYVERSIONS # At a certain point, installing dependencies failed on pypy 3.9 and @@ -167,7 +167,7 @@ jobs: python igor.py zip_mods - name: "Download coverage data" - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: pattern: metacov-* merge-multiple: true @@ -181,7 +181,7 @@ jobs: python igor.py combine_html - name: "Upload HTML report" - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: html_report path: htmlcov 
@@ -234,7 +234,7 @@ jobs: - name: "Download coverage HTML report" if: ${{ github.ref == 'refs/heads/master' }} - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: html_report path: reports_repo/${{ env.report_dir }} @@ -270,7 +270,7 @@ jobs: github.repository_owner == 'nedbat' && github.ref == 'refs/heads/master' # https://gist.githubusercontent.com/nedbat/8c6980f77988a327348f9b02bbaf67f5 - uses: schneegans/dynamic-badges-action@e9a478b16159b4d31420099ba146cdc50f134483 + uses: schneegans/dynamic-badges-action@e9a478b16159b4d31420099ba146cdc50f134483 # v1.7.0 with: auth: ${{ secrets.METACOV_GIST_SECRET }} gistID: 8c6980f77988a327348f9b02bbaf67f5 diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index c646b2182..912e215f5 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -23,9 +23,10 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: 'Dependency Review' - uses: actions/dependency-review-action@v4 + uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3 with: base-ref: ${{ github.event.pull_request.base.sha || 'master' }} head-ref: ${{ github.event.pull_request.head.sha || github.ref }} diff --git a/.github/workflows/kit.yml b/.github/workflows/kit.yml index 72b492631..93e744625 100644 --- a/.github/workflows/kit.yml +++ b/.github/workflows/kit.yml 
@@ -143,15 +143,15 @@ jobs: steps: - name: "Setup QEMU" if: matrix.os == 'ubuntu' - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 with: platforms: arm64 - name: "Check out the repo" - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: "Install Python 3.8" - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: # PYVERSIONS python-version: "3.8" @@ -181,7 +181,7 @@ jobs: python -m twine check wheelhouse/* - name: "Upload wheels" - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: dist-${{ env.MATRIX_ID }} path: wheelhouse/*.whl @@ -192,10 +192,10 @@ jobs: runs-on: ubuntu-latest steps: - name: "Check out the repo" - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: "Install Python 3.8" - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: # PYVERSIONS python-version: "3.8" @@ -219,7 +219,7 @@ jobs: python -m twine check dist/* - name: "Upload sdist" - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: dist-sdist path: dist/*.tar.gz @@ -230,10 +230,10 @@ jobs: runs-on: ubuntu-latest steps: - name: "Check out the repo" - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: "Install PyPy" - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: "pypy-3.8" # Minimum of PyPy PYVERSIONS cache: pip 
@@ -261,7 +261,7 @@ jobs: python -m twine check dist/* - name: "Upload wheels" - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: dist-pypy path: dist/*.whl @@ -280,13 +280,13 @@ jobs: id-token: write steps: - name: "Download artifacts" - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: pattern: dist-* merge-multiple: true - name: "Sign artifacts" - uses: sigstore/gh-action-sigstore-python@v2.1.1 + uses: sigstore/gh-action-sigstore-python@61f6a500bbfdd9a2a339cf033e5421951fbc1cd2 # v2.1.1 with: inputs: coverage-*.* @@ -295,7 +295,7 @@ jobs: ls -alR - name: "Upload signatures" - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: signatures path: | diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 6453bf55b..090adeef2 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -30,7 +30,7 @@ jobs: steps: - name: "Find latest kit.yml run" id: runs - uses: octokit/request-action@v2.3.1 + uses: octokit/request-action@872c5c97b3c85c23516a572f02b31401ef82415d # v2.3.1 with: route: GET /repos/nedbat/coveragepy/actions/workflows/kit.yml/runs env: diff --git a/.github/workflows/python-nightly.yml b/.github/workflows/python-nightly.yml index 59a74b3c7..a2dc763b8 100644 --- a/.github/workflows/python-nightly.yml +++ b/.github/workflows/python-nightly.yml 
@@ -84,17 +84,17 @@ jobs: steps: - name: "Check out the repo" - uses: "actions/checkout@v4" + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: "Install ${{ matrix.python-version }} with deadsnakes" - uses: deadsnakes/action@6c8b9b82fe0b4344f4b98f2775fcc395df45e494 + uses: deadsnakes/action@6c8b9b82fe0b4344f4b98f2775fcc395df45e494 # v3.1.0 if: "!startsWith(matrix.python-version, 'pypy-')" with: python-version: "${{ matrix.python-version }}" nogil: "${{ matrix.nogil || false }}" - name: "Install ${{ matrix.python-version }} with setup-python" - uses: "actions/setup-python@v5" + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 if: "startsWith(matrix.python-version, 'pypy-')" with: python-version: "${{ matrix.python-version }}" diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml index c402f4f9a..2b0274275 100644 --- a/.github/workflows/quality.yml +++ b/.github/workflows/quality.yml @@ -37,10 +37,10 @@ jobs: steps: - name: "Check out the repo" - uses: "actions/checkout@v4" + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: "Install Python" - uses: "actions/setup-python@v5" + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: "3.8" # Minimum of PYVERSIONS cache: pip @@ -60,10 +60,10 @@ jobs: steps: - name: "Check out the repo" - uses: "actions/checkout@v4" + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: "Install Python" - uses: "actions/setup-python@v5" + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: "3.8" # Minimum of PYVERSIONS, but at least 3.8 cache: pip 
@@ -83,10 +83,10 @@ jobs: steps: - name: "Check out the repo" - uses: "actions/checkout@v4" + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: "Install Python" - uses: "actions/setup-python@v5" + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: "3.11" # Doc version from PYVERSIONS cache: pip diff --git a/.github/workflows/testsuite.yml b/.github/workflows/testsuite.yml index 6f549736c..0f9ab8296 100644 --- a/.github/workflows/testsuite.yml +++ b/.github/workflows/testsuite.yml @@ -74,10 +74,10 @@ jobs: steps: - name: "Check out the repo" - uses: "actions/checkout@v4" + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: "Set up Python" - uses: "actions/setup-python@v5" + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: "${{ matrix.python-version }}" allow-prereleases: true @@ -123,6 +123,6 @@ jobs: runs-on: ubuntu-latest steps: - name: Decide whether the needed jobs succeeded or failed - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe + uses: re-actors/alls-green@afee1c1eac2a506084c274e9c02c8e0687b48d9e # v1.2.2 with: jobs: ${{ toJSON(needs) }}
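Review bot: The `re-actors/alls-green` line in the last testsuite.yml hunk changes the pinned commit itself, from 05ac9388… to afee1c1e… (`# v1.2.2`), whereas the other actions that were already hash-pinned (`schneegans/dynamic-badges-action`, `docker/setup-qemu-action`, `deadsnakes/action`) keep their hash and only gain a version comment. This is therefore an upgrade of a third-party action folded into a commit whose subject describes pinning only, and the diff alone cannot confirm that the new hash is the commit the v1.2.2 tag points to. I would confirm the hash against the upstream tag before merging and say so in the commit message, or split the bump into its own commit so that the pin-only change stays a no-op for the code that runs.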