Skip to content

Commit 889ea73

Browse files
hynekhynek
authored
ci: pin workflows (#1433)
* ci: pin non-gh, non-hynek, non-pypa uses * pin everything @Tinche will keep them updated :P * consistency * Add pinact workflow
1 parent 2189691 commit 889ea73

File tree

7 files changed

+62
-40
lines changed

7 files changed

+62
-40
lines changed

.github/workflows/build-docset.yml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -17,18 +17,18 @@ jobs:
1717
docset:
1818
runs-on: ubuntu-latest
1919
steps:
20-
- uses: actions/checkout@v4
20+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
2121
with:
2222
fetch-depth: 0
2323
persist-credentials: false
24-
- uses: actions/setup-python@v5
24+
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
2525
with:
2626
python-version: "3.x"
27-
- uses: hynek/setup-cached-uv@v2
27+
- uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817 # v2.3.0
2828

2929
- run: uvx --with=tox-uv tox run -e docset
3030

31-
- uses: actions/upload-artifact@v4
31+
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
3232
with:
3333
name: docset
3434
path: attrs.tgz

.github/workflows/ci.yml

Lines changed: 19 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -23,12 +23,12 @@ jobs:
2323
runs-on: ubuntu-latest
2424

2525
steps:
26-
- uses: actions/checkout@v4
26+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
2727
with:
2828
fetch-depth: 0
2929
persist-credentials: false
3030

31-
- uses: hynek/build-and-inspect-python-package@v2
31+
- uses: hynek/build-and-inspect-python-package@b5076c307dc91924a82ad150cdd1533b444d3310 # v2.12.0
3232
id: baipp
3333

3434
outputs:
@@ -49,16 +49,16 @@ jobs:
4949

5050
steps:
5151
- name: Download pre-built packages
52-
uses: actions/download-artifact@v4
52+
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
5353
with:
5454
name: Packages
5555
path: dist
5656
- run: tar xf dist/*.tar.gz --strip-components=1
57-
- uses: actions/setup-python@v5
57+
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
5858
with:
5959
python-version: ${{ matrix.python-version }}
6060
allow-prereleases: true
61-
- uses: hynek/setup-cached-uv@v2
61+
- uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817 # v2.3.0
6262

6363
- name: Prepare tox
6464
env:
@@ -89,7 +89,7 @@ jobs:
8989
-e $TOX_PYTHON-tests
9090
9191
- name: Upload coverage data
92-
uses: actions/upload-artifact@v4
92+
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
9393
with:
9494
name: coverage-data-${{ matrix.python-version }}
9595
path: .coverage.*
@@ -109,14 +109,14 @@ jobs:
109109

110110
steps:
111111
- name: Download pre-built packages
112-
uses: actions/download-artifact@v4
112+
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
113113
with:
114114
name: Packages
115115
path: dist
116116
- run: |
117117
tar xf dist/*.tar.gz --strip-components=1
118118
rm -rf src # ensure tests run against wheel
119-
- uses: hynek/setup-cached-uv@v2
119+
- uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817 # v2.3.0
120120

121121
- run: >
122122
uvx --with=tox-uv
@@ -131,15 +131,15 @@ jobs:
131131

132132
steps:
133133
- name: Download pre-built packages
134-
uses: actions/download-artifact@v4
134+
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
135135
with:
136136
name: Packages
137137
path: dist
138138
- run: tar xf dist/*.tar.gz --strip-components=1
139-
- uses: hynek/setup-cached-uv@v2
139+
- uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817 # v2.3.0
140140

141141
- name: Download coverage data
142-
uses: actions/download-artifact@v4
142+
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
143143
with:
144144
pattern: coverage-data-*
145145
merge-multiple: true
@@ -158,7 +158,7 @@ jobs:
158158
coverage report --fail-under=100
159159
160160
- name: Upload HTML report if check failed.
161-
uses: actions/upload-artifact@v4
161+
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
162162
with:
163163
name: html-report
164164
path: htmlcov
@@ -170,23 +170,23 @@ jobs:
170170
needs: build-package
171171
steps:
172172
- name: Download pre-built packages
173-
uses: actions/download-artifact@v4
173+
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
174174
with:
175175
name: Packages
176176
path: dist
177177
- run: tar xf dist/*.tar.gz --strip-components=1
178-
- uses: hynek/setup-cached-uv@v2
178+
- uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817 # v2.3.0
179179

180180
- run: uvx --with=tox-uv tox run -e docs-doctests,changelog
181181

182182
pyright:
183183
name: Check types using pyright
184184
runs-on: ubuntu-latest
185185
steps:
186-
- uses: actions/checkout@v4
186+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
187187
with:
188188
persist-credentials: false
189-
- uses: hynek/setup-cached-uv@v2
189+
- uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817 # v2.3.0
190190

191191
- run: >
192192
uvx --with=tox-uv
@@ -198,10 +198,10 @@ jobs:
198198
runs-on: ubuntu-latest
199199

200200
steps:
201-
- uses: actions/checkout@v4
201+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
202202
with:
203203
persist-credentials: false
204-
- uses: hynek/setup-cached-uv@v2
204+
- uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817 # v2.3.0
205205

206206
- run: uv venv --python $(cat .python-version-default)
207207
- run: uv pip install -e .[dev]
@@ -228,6 +228,6 @@ jobs:
228228

229229
steps:
230230
- name: Decide whether the needed jobs succeeded or failed
231-
uses: re-actors/alls-green@release/v1
231+
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
232232
with:
233233
jobs: ${{ toJSON(needs) }}

.github/workflows/codeql-analysis.yml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -24,17 +24,17 @@ jobs:
2424

2525
steps:
2626
- name: Checkout repository
27-
uses: actions/checkout@v4
27+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
2828
with:
2929
persist-credentials: false
3030

3131
- name: Initialize CodeQL
32-
uses: github/codeql-action/init@v3
32+
uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
3333
with:
3434
languages: ${{ matrix.language }}
3535

3636
- name: Autobuild
37-
uses: github/codeql-action/autobuild@v3
37+
uses: github/codeql-action/autobuild@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
3838

3939
- name: Perform CodeQL Analysis
40-
uses: github/codeql-action/analyze@v3
40+
uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18

.github/workflows/codspeed.yml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -30,16 +30,16 @@ jobs:
3030
runs-on: ubuntu-latest
3131

3232
steps:
33-
- uses: actions/checkout@v4
33+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
3434
with:
3535
persist-credentials: false
36-
- uses: actions/setup-python@v5
36+
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
3737
with:
3838
python-version-file: .python-version-default
39-
- uses: hynek/setup-cached-uv@v2
39+
- uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817 # v2.3.0
4040

4141
- name: Run CodSpeed benchmarks
42-
uses: CodSpeedHQ/action@v3
42+
uses: CodSpeedHQ/action@0010eb0ca6e89b80c88e8edaaa07cfe5f3e6664d # v3.5.0
4343
with:
4444
token: ${{ secrets.CODSPEED_TOKEN }}
4545
run: uvx --with tox-uv tox run -e codspeed

.github/workflows/pinact.yml

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,22 @@
1+
---
2+
name: Pinact
3+
4+
on:
5+
schedule:
6+
- cron: "30 22 * * 4"
7+
workflow_dispatch:
8+
9+
permissions: {}
10+
11+
jobs:
12+
pinact:
13+
runs-on: ubuntu-latest
14+
steps:
15+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
16+
with:
17+
persist-credentials: false
18+
19+
- name: Pin actions
20+
uses: suzuki-shunsuke/pinact-action@d735505f3decf76fca3fdbb4c952e5b3eba0ffdd # v0.1.2
21+
permissions:
22+
contents: write

.github/workflows/pypi-package.yml

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -21,12 +21,12 @@ jobs:
2121
id-token: write
2222

2323
steps:
24-
- uses: actions/checkout@v4
24+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
2525
with:
2626
fetch-depth: 0
2727
persist-credentials: false
2828

29-
- uses: hynek/build-and-inspect-python-package@v2
29+
- uses: hynek/build-and-inspect-python-package@b5076c307dc91924a82ad150cdd1533b444d3310 # v2.12.0
3030
with:
3131
attest-build-provenance-github: 'true'
3232

@@ -44,13 +44,13 @@ jobs:
4444

4545
steps:
4646
- name: Download packages built by build-and-inspect-python-package
47-
uses: actions/download-artifact@v4
47+
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
4848
with:
4949
name: Packages
5050
path: dist
5151

5252
- name: Upload package to Test PyPI
53-
uses: pypa/gh-action-pypi-publish@release/v1
53+
uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
5454
with:
5555
attestations: true
5656
repository-url: https://test.pypi.org/legacy/
@@ -69,12 +69,12 @@ jobs:
6969

7070
steps:
7171
- name: Download packages built by build-and-inspect-python-package
72-
uses: actions/download-artifact@v4
72+
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
7373
with:
7474
name: Packages
7575
path: dist
7676

7777
- name: Upload package to PyPI
78-
uses: pypa/gh-action-pypi-publish@release/v1
78+
uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
7979
with:
8080
attestations: true

.github/workflows/zizmor.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -19,18 +19,18 @@ jobs:
1919
security-events: write
2020
steps:
2121
- name: Checkout repository
22-
uses: actions/checkout@v4
22+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
2323
with:
2424
persist-credentials: false
25-
- uses: hynek/setup-cached-uv@v2
25+
- uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817 # v2.3.0
2626

2727
- name: Run zizmor 🌈
2828
run: uvx zizmor --format sarif . > results.sarif
2929
env:
3030
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
3131

3232
- name: Upload SARIF file
33-
uses: github/codeql-action/upload-sarif@v3
33+
uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
3434
with:
3535
# Path to SARIF file relative to the root of the repository
3636
sarif_file: results.sarif

0 commit comments

Comments
 (0)