
Commit 27f1be0

committed
Update and pin all actions
1 parent a9bfdcd commit 27f1be0


5 files changed

+37
-25
lines changed

5 files changed

+37
-25
lines changed

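--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,27 +4,29 @@ on:
 push:
 pull_request:
 
+permissions: {}
+
 jobs:
 checks:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout working copy
-uses: actions/checkout@v4
+uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1
 with:
 submodules: true
 fetch-depth: 0
 persist-credentials: false
 - name: ruff check
-uses: chartboost/ruff-action@v1
+uses: astral-sh/ruff-action@57714a7c8a2e59f32539362ba31877a1957dded1 # 3.5.1
 - name: ruff format
 if: always()
-uses: chartboost/ruff-action@v1
+uses: astral-sh/ruff-action@57714a7c8a2e59f32539362ba31877a1957dded1 # 3.5.1
 with:
-args: format --diff
+args: format --check --diff
 - name: Set up Python
 id: setup_python
 if: always()
-uses: actions/setup-python@v5
+uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # 6.1.0
 with:
 python-version: "3.x"
 - name: Install mypy
@@ -44,12 +46,12 @@ jobs:
 
 steps:
 - name: Checkout working copy
-uses: actions/checkout@v4
+uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1
 with:
 submodules: true
 persist-credentials: false
 - name: Set up Python
-uses: actions/setup-python@v5
+uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # 6.1.0
 with:
 python-version: "3.x"
 - name: Install dependency
@@ -60,14 +62,14 @@ jobs:
 run: |
 python -mbuild
 - name: Upload sdist
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # 6.0.0
 with:
 name: sdist
 path: dist/*.tar.gz
 retention-days: 1
 
 - name: Upload wheel
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # 6.0.0
 with:
 name: wheel
 path: dist/*.whl
@@ -102,13 +104,13 @@ jobs:
 opts: "--experimental-options --engine.CompileOnly='~tregex re'"
 steps:
 - name: Checkout working copy
-uses: actions/checkout@v4
+uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1
 with:
 submodules: true
 fetch-depth: 0
 persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
-uses: actions/setup-python@v5
+uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # 6.1.0
 with:
 python-version: ${{ matrix.python-version }}
 allow-prereleases: true
@@ -132,7 +134,7 @@ jobs:
 - run: 'python -mpip install --only-binary :all: google-re2 || true'
 - name: download ${{ matrix.source }} artifact
 if: matrix.artifact
-uses: actions/download-artifact@v4
+uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # 7.0.0
 with:
 name: ${{ matrix.source }}
 path: dist/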
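Review bot: The two `astral-sh/ruff-action` steps (`ruff check` and `ruff format`, new lines 20 and 23) pin the action by commit but not the linter it installs. Neither step sets a `version:` input, so unless the project's own metadata constrains ruff, each run will probably fetch whichever ruff release is current, and the tool that actually executes in CI keeps floating. Consider adding `version: "<pinned ruff version>"` under `with:` on both steps, or confirm that the version is fixed in `pyproject.toml`. The `checks` job continues past the end of the first hunk, so later steps were not reviewed.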

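--- a/.github/workflows/release-builtins.yml
+++ b/.github/workflows/release-builtins.yml
@@ -2,6 +2,8 @@ name: Publish ua-parser builtins
 
 run-name: Publish ${{ inputs.tag || 'master' }} to ${{ inputs.environment || 'pypy (scheduled)' }}
 
+permissions: {}
+
 on:
 schedule:
 # schedule a dev release on every 1st of the month, at 2034 UTC
@@ -23,13 +25,13 @@ jobs:
 outputs:
 release: ${{ steps.check.outputs.release }}
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1
 with:
 submodules: true
 fetch-depth: 0
 persist-credentials: false
 - name: Set up Python
-uses: actions/setup-python@v5
+uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # 6.1.0
 with:
 python-version: "3.x"
 
@@ -70,7 +72,7 @@ jobs:
 mv ua-parser-builtins/dist .
 - name: Store the distribution packages
 if: ${{ steps.check.outputs.release == 'true' }}
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # 6.0.0
 with:
 name: python-package-distributions
 path: dist/
@@ -90,12 +92,12 @@ jobs:
 
 steps:
 - name: Download all the dists
-uses: actions/download-artifact@v4
+uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # 7.0.0
 with:
 name: python-package-distributions
 path: dist/
 - name: Publish
-uses: pypa/gh-action-pypi-publish@release/v1
+uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # 1.13.0
 with:
 repository-url: https://test.pypi.org/legacy/
 skip-existing: true
@@ -114,7 +116,7 @@ jobs:
 
 steps:
 - name: Download all the dists
-uses: actions/download-artifact@v4
+uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # 7.0.0
 with:
 name: python-package-distributions
 path: dist/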
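Review bot: With `permissions: {}` now at the top of the workflow, every job starts with an empty GITHUB_TOKEN scope and has to opt in to whatever it needs. The `Publish` step at new line 100 shows no `password:` in the visible lines, which suggests trusted publishing, and that requires `id-token: write` on the publishing job. The job headers sit outside these hunks, so confirm that each publish job declares `permissions:` with `id-token: write` and nothing broader. Otherwise the scheduled release will fail at upload time rather than at review time.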

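--- a/.github/workflows/release-main.yml
+++ b/.github/workflows/release-main.yml
@@ -5,6 +5,8 @@ on:
 release:
 types: [created]
 
+permissions: {}
+
 env:
 ENVNAME: ${{ github.event_name == 'release' && 'pypi' || 'testpypi' }}
 
@@ -21,11 +23,11 @@ jobs:
 
 steps:
 - name: Checkout working copy
-uses: actions/checkout@v4
+uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1
 with:
 persist-credentials: false
 - name: Set up Python
-uses: actions/setup-python@v5
+uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # 6.1.0
 with:
 python-version: "3.x"
 - name: Install dependency
@@ -36,15 +38,15 @@ jobs:
 run: python -mbuild
 - name: Publish to testpypi
 if: ${{ env.ENVNAME == 'testpypi' }}
-uses: pypa/gh-action-pypi-publish@release/v1 # zizmor: ignore[use-trusted-publishing]
+uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # 1.13.0
 with:
 repository-url: https://test.pypi.org/legacy/
 skip-existing: true
 verbose: true
 password: ${{ secrets.PUBLISH_TOKEN }}
 - name: Publish to pypi
 if: ${{ env.ENVNAME == 'pypi' }}
-uses: pypa/gh-action-pypi-publish@release/v1 # zizmor: ignore[use-trusted-publishing]
+uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # 1.13.0
 with:
 verbose: true
 password: ${{ secrets.PUBLISH_TOKEN }}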
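Review bot: The job that builds the distribution (`run: python -mbuild`, new line 38) is also the job that publishes it with `password: ${{ secrets.PUBLISH_TOKEN }}`. Whatever the `Install dependency` step and the build backend pull in therefore runs on the same runner that later handles a long-lived upload token. release-builtins.yml in this same commit already separates build from publish through the `python-package-distributions` artifact; doing the same here would confine the token to a job that only downloads and uploads files. The job header and the install command are outside the hunks, so this is based on the visible step order only.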

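--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -4,6 +4,8 @@ on:
 push:
 pull_request:
 
+permissions: {}
+
 jobs:
 zizmor:
 runs-on: ubuntu-latest
@@ -13,20 +15,20 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1
 with:
 persist-credentials: false
 
 - name: Install the latest version of uv
-uses: astral-sh/setup-uv@v5
+uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # 7.1.6
 
 - name: Run zizmor
 run: uvx zizmor --format sarif . > results.sarif
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 - name: Upload SARIF file
-uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # 4.31.9
+uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # 4.31.9
 with:
 sarif_file: results.sarif
 category: zizmor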
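Review bot: `run: uvx zizmor --format sarif . > results.sarif` (new line 26) still resolves the newest zizmor from the package index on every run, and that step is the one that receives `GH_TOKEN`. Every `uses:` in the file is now pinned, but the only tool that executes with a token is not. Pinning it, e.g. `run: uvx zizmor@<pinned version> --format sarif . > results.sarif`, would close that gap and keep audit results reproducible between runs. Separately, `upload-sarif` needs `security-events: write`; the job's own `permissions:` block lies between the two hunks, so confirm it is still declared there now that the workflow default is `permissions: {}`.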

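--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -0,0 +1,4 @@
+rules:
+use-trusted-publishing:
+ignore:
+- release-main.yml # can't do that until pypi/support#6661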
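Review bot: The `ignore: - release-main.yml` entry suppresses `use-trusted-publishing` for the whole file, whereas the two inline `# zizmor: ignore[use-trusted-publishing]` comments this commit removes were scoped to the two publish steps. Any token-based publish step added to release-main.yml later would be exempt without anyone deciding so. zizmor's config also accepts a line-qualified entry (`release-main.yml:<line>`), which keeps the narrower scope at the cost of updating the number when the file shifts. If the file-wide form is kept, extend the comment to something like `# covers both PUBLISH_TOKEN publish steps; remove once pypi/support#6661 is resolved` so the exemption has a visible exit condition.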
