From a31c30a41eae3489a25e468400342ed77bafd653 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 3 Jun 2026 15:27:37 +0200 Subject: [PATCH 1/3] chore(ci): comments for pinned actions Signed-off-by: Jan Kowalleck --- .github/workflows/docker.yml | 10 ++++---- .github/workflows/python.yml | 46 +++++++++++++++++------------------ .github/workflows/release.yml | 38 ++++++++++++++--------------- .github/workflows/zizmor.yml | 25 ++++++++----------- 4 files changed, 57 insertions(+), 62 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 3139cfaf..7609318b 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -48,7 +48,7 @@ jobs: steps: - name: Checkout code # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false fetch-depth: 0 @@ -56,11 +56,11 @@ jobs: run: mkdir "$REPORTS_DIR" - name: Setup python ${{ env.PYTHON_VERSION }} # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION }} - name: Setup poetry ${{ env.POETRY_VERSION }} - # see https://github.com/marketplace/actions/setup-poetry + # see https://github.com/Gr1N/setup-poetry uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} @@ -77,7 +77,7 @@ jobs: !failure() && !cancelled() && steps.after-release.outputs.released # see https://github.com/actions/upload-artifact - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: ${{ env.RUN_ARTIFACT_PYTHON_DIST }} path: ${{ env.DIST_SOURCE_DIR }}/ 
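Review bot: In the -56 hunk the `uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9` line keeps a major-only comment while every other pin in this commit is tightened to an exact tag, and the same step in the python.yml and release.yml hunks that follow has the same gap. The runner ignores the trailing comment and only the SHA binds, so that comment is what a reviewer or Dependabot uses to tell which release the SHA is; a major-only hint weakens that audit trail. Suggest `uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9.<EXACT-TAG-PLACEHOLDER>` once the tag the SHA resolves to has been confirmed. It is likewise worth confirming out-of-band that each SHA whose label is rewritten here (checkout v6.0.2, setup-python v6.2.0, upload-artifact v6.0.0) really is the commit that tag points to, since this commit changes only the label and nothing in CI verifies the two agree.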
@@ -109,7 +109,7 @@ jobs:
 - name: Artifact reports
 if: ${{ ! cancelled() }}
 # see https://github.com/actions/upload-artifact
- uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 with:
 name: ${{ env.REPORTS_ARTIFACT }}
 path: ${{ env.REPORTS_DIR }}
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
index c9bd2917..d4057b24 100644
--- a/.github/workflows/python.yml
+++ b/.github/workflows/python.yml
@@ -52,16 +52,16 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install poetry
- # see https://github.com/marketplace/actions/setup-poetry
+ # see https://github.com/Gr1N/setup-poetry
 uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
@@ -77,16 +77,16 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install poetry
- # see https://github.com/marketplace/actions/setup-poetry
+ # see https://github.com/Gr1N/setup-poetry
 uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
@@ -102,16 +102,16 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install poetry
- # see https://github.com/marketplace/actions/setup-poetry
+ # see https://github.com/Gr1N/setup-poetry
 uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
@@ -137,16 +137,16 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ matrix.python-version }}
 - name: Install poetry
- # see https://github.com/marketplace/actions/setup-poetry
+ # see https://github.com/Gr1N/setup-poetry
 uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
@@ -162,16 +162,16 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install poetry
- # see https://github.com/marketplace/actions/setup-poetry
+ # see https://github.com/Gr1N/setup-poetry
 uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
@@ -197,12 +197,12 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install self
@@ -236,14 +236,14 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Create reports directory
 run: mkdir ${{ env.REPORTS_DIR }}
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ matrix.python-version }}
 - name: craft PY_UT_ARGS
@@ -256,7 +256,7 @@ jobs:
 with open(os.environ['GITHUB_ENV'], 'a') as env_file:
 env_file.write(f'PY_UT_ARGS={" ".join(PY_UT_ARGS)}\n')
 - name: Install poetry
- # see https://github.com/marketplace/actions/setup-poetry
+ # see https://github.com/Gr1N/setup-poetry
 uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
@@ -276,7 +276,7 @@ jobs:
 - name: Artifact reports
 if: ${{ ! cancelled() }}
 # see https://github.com/actions/upload-artifact
- uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 with:
 name: '${{ env.TESTS_REPORTS_ARTIFACT }}_bnt_${{ matrix.os }}_py${{ matrix.python-version }}'
 path: ${{ env.REPORTS_DIR }}
@@ -290,7 +290,7 @@ jobs:
 steps:
 - name: fetch test artifacts
 # see https://github.com/actions/download-artifact
- uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
+ uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
 with:
 pattern: '${{ env.TESTS_REPORTS_ARTIFACT }}_bnt_*'
 merge-multiple: true
@@ -301,7 +301,7 @@ jobs:
 ## see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#example-using-secrets
 if: ${{ env.CODACY_PROJECT_TOKEN != '' }}
 # see https://github.com/codacy/codacy-coverage-reporter-action
- uses: codacy/codacy-coverage-reporter-action@89d6c85cfafaec52c72b6c5e8b2878d33104c699 # v1
+ uses: codacy/codacy-coverage-reporter-action@89d6c85cfafaec52c72b6c5e8b2878d33104c699 # v1.3.0
 with:
 project-token: ${{ env.CODACY_PROJECT_TOKEN }}
 coverage-reports: ${{ env.REPORTS_DIR }}/coverage/*
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5928733e..d0e449f7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -71,16 +71,16 @@ jobs:
 steps:
 - name: Checkout code
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install poetry
- # see https://github.com/marketplace/actions/setup-poetry
+ # see https://github.com/Gr1N/setup-poetry
 uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
@@ -96,16 +96,16 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install poetry
- # see https://github.com/marketplace/actions/setup-poetry
+ # see https://github.com/Gr1N/setup-poetry
 uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
@@ -136,18 +136,18 @@ jobs: steps: - name: Checkout code # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false fetch-depth: 0 - name: Setup python # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} - name: Install and configure Poetry - # See https://github.com/marketplace/actions/install-poetry-action - uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1 + # See https://github.com/snok/install-poetry + uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1 with: version: ${{ env.POETRY_VERSION }} virtualenvs-create: true @@ -172,7 +172,7 @@ jobs: !failure() && !cancelled() && steps.release.outputs.released == 'true' # see https://github.com/pypa/gh-action-pypi-publish - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 with: attestations: true - name: Publish package distributions to GitHub Releases @@ -180,7 +180,7 @@ jobs: !failure() && !cancelled() && steps.release.outputs.released == 'true' # see https://python-semantic-release.readthedocs.io/en/latest/automatic-releases/github-actions.html#python-semantic-release-publish-action - uses: python-semantic-release/publish-action@310a9983a0ae878b29f3aac778d7c77c1db27378 # v10 + uses: python-semantic-release/publish-action@310a9983a0ae878b29f3aac778d7c77c1db27378 # v10.5.3 with: github_token: ${{ secrets.GITHUB_TOKEN }} tag: ${{ steps.release.outputs.tag }} 
@@ -189,7 +189,7 @@ jobs: !failure() && !cancelled() && steps.release.outputs.released == 'true' # see https://github.com/actions/upload-artifact - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: ${{ env.DIST_ARTIFACT }} path: ${{ env.DIST_DIR }}/ @@ -225,7 +225,7 @@ jobs: echo "GHCR_REPO=${GHCR_REPO@L}" >> "${GITHUB_ENV}" - name: Checkout code (${{ env.TAG }}) # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false ref: ${{ needs.release-PyPI.outputs.tag }} @@ -235,7 +235,7 @@ jobs: mkdir "$DIST_DIR" - name: Fetch python dist artifact # see https://github.com/actions/download-artifact - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: ${{ env.DIST_ARTIFACT }} path: ${{ env.DIST_DIR }}/ 
@@ -268,15 +268,15 @@ jobs:
 - name: Artifact reports
 if: ${{ ! cancelled() }}
 # see https://github.com/actions/upload-artifact
- uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 with:
 name: ${{ env.ARTIFACT_DOCKER_SBOM }}
 path: ${{ env.REPORTS_DIR }}/*.bom.*
 if-no-files-found: error
 # publish AFTER the boms were build, as the bom-generation is kind of a test if the image works
 - name: Login to DockerHub
- # see hhttps://github.com/docker/login-action?tab=readme-ov-file#docker-hub
- uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+ # see https://github.com/docker/login-action?tab=readme-ov-file#docker-hub
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -289,7 +289,7 @@ jobs:
 # region publish to GHCR
 - name: Login to GHCR
 # see https://github.com/docker/login-action#github-container-registry
- uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 1e27a0ce..073b0bbe 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -17,31 +17,26 @@ # For details of what checks are run for PRs please refer below # docs: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions - -name: Workflow Security Analysis +name: Zizmor on: - pull_request: - paths: - - '.github/workflows/**' - - '.github/dependabot.yml' push: - paths: - - ".github/workflows/**" - - ".github/dependabot.yml" + branches: ['master', 'main'] + pull_request: + branches: ['**'] + workflow_dispatch: schedule: - # weekly scan: every Saturday at 00:00 UTC - cron: '0 0 * * 6' +permissions: {} + concurrency: group: '${{ github.workflow }}-${{ github.ref }}' cancel-in-progress: true -permissions: {} - jobs: zizmor: - name: Harden GitHub Workflows (zizmor) + name: Zizmor runs-on: ubuntu-latest timeout-minutes: 10 permissions: @@ -49,12 +44,12 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Run zizmor 🌈 # see https://github.com/zizmorcore/zizmor-action - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 with: # advanced-security: false => emit findings as workflow-command annotations (::error file=…) rather than # uploading a SARIF report to GitHub's Security tab. From ca7c44573a4fbc464471a44122faf162bd348bc8 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 3 Jun 2026 15:31:19 +0200 Subject: [PATCH 2/3] chore(ci): comments for pinned actions Signed-off-by: Jan Kowalleck --- .github/workflows/docker.yml | 10 ++++---- .github/workflows/python.yml | 46 +++++++++++++++++------------------ .github/workflows/release.yml | 36 +++++++++++++-------------- 3 files changed, 46 insertions(+), 46 deletions(-) 
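Review bot: The -17 hunk is a functional change to the trigger set rather than the comment update the subject `chore(ci): comments for pinned actions` describes: the `paths:` filters on `push` and `pull_request` are dropped, `workflow_dispatch:` is added, and the -49 hunk moves `zizmorcore/zizmor-action` to a different commit (`b1d7e1fb…` to `5f14fd08…`, v0.5.3 to v0.5.6). Scanning on every push and pull request is a reasonable hardening, but these changes belong in their own commit with a message stating why, so the dependency bump can be reviewed and reverted independently of the label-only edits in the other files. The removed `# weekly scan: every Saturday at 00:00 UTC` comment should be kept above `- cron: '0 0 * * 6'`; it is the only place the schedule is explained. The top-level `permissions: {}` survives the reorder, which is good; the job-level `permissions:` block continues outside the hunk.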
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 7609318b..13f05ad6 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -48,7 +48,7 @@ jobs: steps: - name: Checkout code # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false fetch-depth: 0 @@ -56,12 +56,12 @@ jobs: run: mkdir "$REPORTS_DIR" - name: Setup python ${{ env.PYTHON_VERSION }} # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION }} - name: Setup poetry ${{ env.POETRY_VERSION }} # see https://github.com/Gr1N/setup-poetry - uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: bump version @@ -77,7 +77,7 @@ jobs: !failure() && !cancelled() && steps.after-release.outputs.released # see https://github.com/actions/upload-artifact - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: ${{ env.RUN_ARTIFACT_PYTHON_DIST }} path: ${{ env.DIST_SOURCE_DIR }}/ @@ -109,7 +109,7 @@ jobs: - name: Artifact reports if: ${{ ! cancelled() }} # see https://github.com/actions/upload-artifact - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: ${{ env.REPORTS_ARTIFACT }} path: ${{ env.REPORTS_DIR }} diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index d4057b24..a657a953 100644 
--- a/.github/workflows/python.yml
+++ b/.github/workflows/python.yml
@@ -52,17 +52,17 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install poetry
 # see https://github.com/Gr1N/setup-poetry
- uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
+ uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
 - name: Install dependencies
@@ -77,17 +77,17 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install poetry
 # see https://github.com/Gr1N/setup-poetry
- uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
+ uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
 - name: Install dependencies
@@ -102,17 +102,17 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install poetry
 # see https://github.com/Gr1N/setup-poetry
- uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
+ uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
 - name: Install dependencies
@@ -137,17 +137,17 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ matrix.python-version }}
 - name: Install poetry
 # see https://github.com/Gr1N/setup-poetry
- uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
+ uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
 - name: Install dependencies
@@ -162,17 +162,17 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install poetry
 # see https://github.com/Gr1N/setup-poetry
- uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
+ uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
 - name: Install dependencies
@@ -197,12 +197,12 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install self
@@ -236,14 +236,14 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Create reports directory
 run: mkdir ${{ env.REPORTS_DIR }}
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ matrix.python-version }}
 - name: craft PY_UT_ARGS
@@ -257,7 +257,7 @@ jobs:
 env_file.write(f'PY_UT_ARGS={" ".join(PY_UT_ARGS)}\n')
 - name: Install poetry
 # see https://github.com/Gr1N/setup-poetry
- uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
+ uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
 - name: Install dependencies
@@ -276,7 +276,7 @@ jobs:
 - name: Artifact reports
 if: ${{ ! cancelled() }}
 # see https://github.com/actions/upload-artifact
- uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 with:
 name: '${{ env.TESTS_REPORTS_ARTIFACT }}_bnt_${{ matrix.os }}_py${{ matrix.python-version }}'
 path: ${{ env.REPORTS_DIR }}
@@ -290,7 +290,7 @@ jobs:
 steps:
 - name: fetch test artifacts
 # see https://github.com/actions/download-artifact
- uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+ uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
 with:
 pattern: '${{ env.TESTS_REPORTS_ARTIFACT }}_bnt_*'
 merge-multiple: true
@@ -301,7 +301,7 @@ jobs:
 ## see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#example-using-secrets
 if: ${{ env.CODACY_PROJECT_TOKEN != '' }}
 # see https://github.com/codacy/codacy-coverage-reporter-action
- uses: codacy/codacy-coverage-reporter-action@89d6c85cfafaec52c72b6c5e8b2878d33104c699 # v1.3.0
+ uses: codacy/codacy-coverage-reporter-action@89d6c85cfafaec52c72b6c5e8b2878d33104c699 # v1.3.0
 with:
 project-token: ${{ env.CODACY_PROJECT_TOKEN }}
 coverage-reports: ${{ env.REPORTS_DIR }}/coverage/*
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d0e449f7..44c9c80d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -71,17 +71,17 @@ jobs:
 steps:
 - name: Checkout code
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install poetry
 # see https://github.com/Gr1N/setup-poetry
- uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
+ uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
 - name: Install dependencies
@@ -96,17 +96,17 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install poetry
 # see https://github.com/Gr1N/setup-poetry
- uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
+ uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
 - name: Install dependencies
@@ -136,18 +136,18 @@ jobs:
 steps:
 - name: Checkout code
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 fetch-depth: 0
 - name: Setup python
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install and configure Poetry
 # See https://github.com/snok/install-poetry
- uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
+ uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
 with:
 version: ${{ env.POETRY_VERSION }}
 virtualenvs-create: true
@@ -161,7 +161,7 @@ jobs: id: release # see https://python-semantic-release.readthedocs.io/en/latest/automatic-releases/github-actions.html # see https://github.com/python-semantic-release/python-semantic-release - uses: python-semantic-release/python-semantic-release@1a324000f2251a9e722e77b128bf72712653813f # v10.0.2 + uses: python-semantic-release/python-semantic-release@1a324000f2251a9e722e77b128bf72712653813f # v10.0.2 with: github_token: ${{ secrets.GITHUB_TOKEN }} force: ${{ github.event.inputs.release_force }} @@ -172,7 +172,7 @@ jobs: !failure() && !cancelled() && steps.release.outputs.released == 'true' # see https://github.com/pypa/gh-action-pypi-publish - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 with: attestations: true - name: Publish package distributions to GitHub Releases @@ -180,7 +180,7 @@ jobs: !failure() && !cancelled() && steps.release.outputs.released == 'true' # see https://python-semantic-release.readthedocs.io/en/latest/automatic-releases/github-actions.html#python-semantic-release-publish-action - uses: python-semantic-release/publish-action@310a9983a0ae878b29f3aac778d7c77c1db27378 # v10.5.3 + uses: python-semantic-release/publish-action@310a9983a0ae878b29f3aac778d7c77c1db27378 # v10.5.3 with: github_token: ${{ secrets.GITHUB_TOKEN }} tag: ${{ steps.release.outputs.tag }} @@ -189,7 +189,7 @@ jobs: !failure() && !cancelled() && steps.release.outputs.released == 'true' # see https://github.com/actions/upload-artifact - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: ${{ env.DIST_ARTIFACT }} path: ${{ env.DIST_DIR }}/ 
@@ -225,7 +225,7 @@ jobs:
 echo "GHCR_REPO=${GHCR_REPO@L}" >> "${GITHUB_ENV}"
 - name: Checkout code (${{ env.TAG }})
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 ref: ${{ needs.release-PyPI.outputs.tag }}
@@ -235,7 +235,7 @@ jobs:
 mkdir "$DIST_DIR"
 - name: Fetch python dist artifact
 # see https://github.com/actions/download-artifact
- uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+ uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
 with:
 name: ${{ env.DIST_ARTIFACT }}
 path: ${{ env.DIST_DIR }}/
@@ -268,7 +268,7 @@ jobs:
 - name: Artifact reports
 if: ${{ ! cancelled() }}
 # see https://github.com/actions/upload-artifact
- uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 with:
 name: ${{ env.ARTIFACT_DOCKER_SBOM }}
 path: ${{ env.REPORTS_DIR }}/*.bom.*
@@ -276,7 +276,7 @@ jobs:
 # publish AFTER the boms were build, as the bom-generation is kind of a test if the image works
 - name: Login to DockerHub
 # see https://github.com/docker/login-action?tab=readme-ov-file#docker-hub
- uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -289,7 +289,7 @@ jobs:
 # region publish to GHCR
 - name: Login to GHCR
 # see https://github.com/docker/login-action#github-container-registry
- uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
From 75e37b3983395151395278c7052e43e8d2358104 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck
Date: Wed, 3 Jun 2026 15:32:48 +0200
Subject: [PATCH 3/3] chore(ci): comments for pinned actions
Signed-off-by: Jan Kowalleck
---
 .github/workflows/docker.yml | 10 ++++----
 .github/workflows/python.yml | 46 +++++++++++++++++------------------
 .github/workflows/release.yml | 36 +++++++++++++--------------
 .github/workflows/zizmor.yml | 4 +--
 4 files changed, 48 insertions(+), 48 deletions(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 13f05ad6..7609318b 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -48,7 +48,7 @@ jobs:
 steps:
 - name: Checkout code
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 fetch-depth: 0
@@ -56,12 +56,12 @@ jobs:
 run: mkdir "$REPORTS_DIR"
 - name: Setup python ${{ env.PYTHON_VERSION }}
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION }}
 - name: Setup poetry ${{ env.POETRY_VERSION }}
 # see https://github.com/Gr1N/setup-poetry
- uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
+ uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
 - name: bump version
@@ -77,7 +77,7 @@ jobs:
 !failure() && !cancelled() &&
 steps.after-release.outputs.released
 # see https://github.com/actions/upload-artifact
- uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 with:
 name: ${{ env.RUN_ARTIFACT_PYTHON_DIST }}
 path: ${{ env.DIST_SOURCE_DIR }}/
@@ -109,7 +109,7 @@ jobs:
 - name: Artifact reports
 if: ${{ ! cancelled() }}
 # see https://github.com/actions/upload-artifact
- uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 with:
 name: ${{ env.REPORTS_ARTIFACT }}
 path: ${{ env.REPORTS_DIR }}
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
index a657a953..d4057b24 100644
--- a/.github/workflows/python.yml
+++ b/.github/workflows/python.yml
@@ -52,17 +52,17 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install poetry
 # see https://github.com/Gr1N/setup-poetry
- uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
+ uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
 - name: Install dependencies
@@ -77,17 +77,17 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install poetry
 # see https://github.com/Gr1N/setup-poetry
- uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
+ uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
 - name: Install dependencies
@@ -102,17 +102,17 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install poetry
 # see https://github.com/Gr1N/setup-poetry
- uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
+ uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
 - name: Install dependencies
@@ -137,17 +137,17 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ matrix.python-version }}
 - name: Install poetry
 # see https://github.com/Gr1N/setup-poetry
- uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
+ uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
 - name: Install dependencies
@@ -162,17 +162,17 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install poetry
 # see https://github.com/Gr1N/setup-poetry
- uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
+ uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
 - name: Install dependencies
@@ -197,12 +197,12 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install self
@@ -236,14 +236,14 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Create reports directory
 run: mkdir ${{ env.REPORTS_DIR }}
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ matrix.python-version }}
 - name: craft PY_UT_ARGS
@@ -257,7 +257,7 @@ jobs:
 env_file.write(f'PY_UT_ARGS={" ".join(PY_UT_ARGS)}\n')
 - name: Install poetry
 # see https://github.com/Gr1N/setup-poetry
- uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
+ uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
 - name: Install dependencies
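Review bot: The `Create reports directory` step in the `@@ -236` hunk still interpolates `${{ env.REPORTS_DIR }}` directly into the shell script, unquoted, whereas the equivalent step in docker.yml reads the value from the environment as `mkdir "$REPORTS_DIR"`. The value is set by the workflow itself here, so this is a consistency and hygiene point rather than an injection finding, but the expression-in-`run:` form is the pattern zizmor's template-injection audit reports and the unquoted path would break on whitespace. Suggest `run: mkdir "$REPORTS_DIR"` to match docker.yml. This line is context in the hunk, so it lies outside what the commit itself changes.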
@@ -276,7 +276,7 @@ jobs:
 - name: Artifact reports
 if: ${{ ! cancelled() }}
 # see https://github.com/actions/upload-artifact
- uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 with:
 name: '${{ env.TESTS_REPORTS_ARTIFACT }}_bnt_${{ matrix.os }}_py${{ matrix.python-version }}'
 path: ${{ env.REPORTS_DIR }}
@@ -290,7 +290,7 @@ jobs:
 steps:
 - name: fetch test artifacts
 # see https://github.com/actions/download-artifact
- uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+ uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
 with:
 pattern: '${{ env.TESTS_REPORTS_ARTIFACT }}_bnt_*'
 merge-multiple: true
@@ -301,7 +301,7 @@ jobs:
 ## see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#example-using-secrets
 if: ${{ env.CODACY_PROJECT_TOKEN != '' }}
 # see https://github.com/codacy/codacy-coverage-reporter-action
- uses: codacy/codacy-coverage-reporter-action@89d6c85cfafaec52c72b6c5e8b2878d33104c699 # v1.3.0
+ uses: codacy/codacy-coverage-reporter-action@89d6c85cfafaec52c72b6c5e8b2878d33104c699 # v1.3.0
 with:
 project-token: ${{ env.CODACY_PROJECT_TOKEN }}
 coverage-reports: ${{ env.REPORTS_DIR }}/coverage/*
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 44c9c80d..d0e449f7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -71,17 +71,17 @@ jobs:
 steps:
 - name: Checkout code
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install poetry
 # see https://github.com/Gr1N/setup-poetry
- uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
+ uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
 - name: Install dependencies
@@ -96,17 +96,17 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install poetry
 # see https://github.com/Gr1N/setup-poetry
- uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
+ uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
 - name: Install dependencies
@@ -136,18 +136,18 @@ jobs:
 steps:
 - name: Checkout code
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 fetch-depth: 0
 - name: Setup python
 # see https://github.com/actions/setup-python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install and configure Poetry
 # See https://github.com/snok/install-poetry
- uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
+ uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
 with:
 version: ${{ env.POETRY_VERSION }}
 virtualenvs-create: true
@@ -161,7 +161,7 @@ jobs:
 id: release
 # see https://python-semantic-release.readthedocs.io/en/latest/automatic-releases/github-actions.html
 # see https://github.com/python-semantic-release/python-semantic-release
- uses: python-semantic-release/python-semantic-release@1a324000f2251a9e722e77b128bf72712653813f # v10.0.2
+ uses: python-semantic-release/python-semantic-release@1a324000f2251a9e722e77b128bf72712653813f # v10.0.2
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 force: ${{ github.event.inputs.release_force }}
@@ -172,7 +172,7 @@ jobs:
 !failure() && !cancelled() &&
 steps.release.outputs.released == 'true'
 # see https://github.com/pypa/gh-action-pypi-publish
- uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
+ uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
 with:
 attestations: true
 - name: Publish package distributions to GitHub Releases
@@ -180,7 +180,7 @@ jobs:
 !failure() && !cancelled() &&
 steps.release.outputs.released == 'true'
 # see https://python-semantic-release.readthedocs.io/en/latest/automatic-releases/github-actions.html#python-semantic-release-publish-action
- uses: python-semantic-release/publish-action@310a9983a0ae878b29f3aac778d7c77c1db27378 # v10.5.3
+ uses: python-semantic-release/publish-action@310a9983a0ae878b29f3aac778d7c77c1db27378 # v10.5.3
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 tag: ${{ steps.release.outputs.tag }}
@@ -189,7 +189,7 @@ jobs:
 !failure() && !cancelled() &&
 steps.release.outputs.released == 'true'
 # see https://github.com/actions/upload-artifact
- uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 with:
 name: ${{ env.DIST_ARTIFACT }}
 path: ${{ env.DIST_DIR }}/
@@ -225,7 +225,7 @@ jobs:
 echo "GHCR_REPO=${GHCR_REPO@L}" >> "${GITHUB_ENV}"
 - name: Checkout code (${{ env.TAG }})
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 ref: ${{ needs.release-PyPI.outputs.tag }}
@@ -235,7 +235,7 @@ jobs:
 mkdir "$DIST_DIR"
 - name: Fetch python dist artifact
 # see https://github.com/actions/download-artifact
- uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+ uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
 with:
 name: ${{ env.DIST_ARTIFACT }}
 path: ${{ env.DIST_DIR }}/
@@ -268,7 +268,7 @@ jobs:
 - name: Artifact reports
 if: ${{ ! cancelled() }}
 # see https://github.com/actions/upload-artifact
- uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 with:
 name: ${{ env.ARTIFACT_DOCKER_SBOM }}
 path: ${{ env.REPORTS_DIR }}/*.bom.*
@@ -276,7 +276,7 @@ jobs:
 # publish AFTER the boms were build, as the bom-generation is kind of a test if the image works
 - name: Login to DockerHub
 # see https://github.com/docker/login-action?tab=readme-ov-file#docker-hub
- uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -289,7 +289,7 @@ jobs:
 # region publish to GHCR
 - name: Login to GHCR
 # see https://github.com/docker/login-action#github-container-registry
- uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 073b0bbe..4802b749 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -44,12 +44,12 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Run zizmor 🌈
 # see https://github.com/zizmorcore/zizmor-action
- uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+ uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
 with:
 # advanced-security: false => emit findings as workflow-command annotations (::error file=…) rather than
 # uploading a SARIF report to GitHub's Security tab.