pin tool versions

ChrisGe4 · ChrisGe4 · commit e677127fa17f · 2026-04-13T16:20:56.000-04:00
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
@@ -15,9 +15,9 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
-    - name: 'Run actionlint with reviewdog'
-      uses: reviewdog/action-actionlint@v1.72.0
-      with:
-        fail_on_error: true
-        reporter: 'github-pr-check'
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
+      - name: 'Run actionlint with reviewdog'
+        uses: reviewdog/action-actionlint@6fb7acc99f4a1008869fa8a0f09cfca740837d9d # ratchet:reviewdog/action-actionlint@v1.72.0
+        with:
+          fail_on_error: true
+          reporter: 'github-pr-check'
diff --git a/.github/workflows/centralized-stale.yml b/.github/workflows/centralized-stale.yml
@@ -1,9 +1,9 @@
 name: 'Centralized Organization Stale Bot'
-
+permissions: {}
 on:
   schedule:
-  # Run daily at 01:00 UTC
-  - cron: '0 1 * * *'
+    # Run daily at 01:00 UTC
+    - cron: '0 1 * * *'
   workflow_dispatch:
 
 jobs:
@@ -13,38 +13,38 @@ jobs:
     outputs:
       matrix: ${{ steps.set-matrix.outputs.repos }}
     steps:
-    - id: 'auth-minty'
-      name: 'Authenticate to Google Cloud'
-      uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f' # ratchet:google-github-actions/auth@v2
-      with:
-        create_credentials_file: false
-        export_environment_variables: false
-        workload_identity_provider: '${{ vars.TOKEN_MINTER_WIF_PROVIDER }}'
-        service_account: '${{ vars.TOKEN_MINTER_WIF_SERVICE_ACCOUNT }}'
-        token_format: 'id_token'
-        id_token_audience: '${{ vars.TOKEN_MINTER_SERVICE_AUDIENCE }}'
-        id_token_include_email: true
+      - id: 'auth-minty'
+        name: 'Authenticate to Google Cloud'
+        uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f' # ratchet:google-github-actions/auth@v2
+        with:
+          create_credentials_file: false
+          export_environment_variables: false
+          workload_identity_provider: '${{ vars.TOKEN_MINTER_WIF_PROVIDER }}'
+          service_account: '${{ vars.TOKEN_MINTER_WIF_SERVICE_ACCOUNT }}'
+          token_format: 'id_token'
+          id_token_audience: '${{ vars.TOKEN_MINTER_SERVICE_AUDIENCE }}'
+          id_token_include_email: true
 
-    - id: 'mint-github-token'
-      uses: 'abcxyz/github-token-minter/.github/actions/minty@45c29ca3418ff3bb3ad5815d88a80536efeba21b' # ratchet:abcxyz/github-token-minter/.github/actions/minty@main
-      with:
-        id_token: '${{ steps.auth-minty.outputs.id_token }}'
-        service_url: '${{ vars.TOKEN_MINTER_SERVICE_URL }}'
-        requested_permissions: |-
-          {
-            "scope": "stale-bot",
-            "repositories": ["*"],
-            "org_name": "google-github-actions"
-          }
+      - id: 'mint-github-token'
+        uses: 'abcxyz/github-token-minter/.github/actions/minty@45c29ca3418ff3bb3ad5815d88a80536efeba21b' # ratchet:abcxyz/github-token-minter/.github/actions/minty@main
+        with:
+          id_token: '${{ steps.auth-minty.outputs.id_token }}'
+          service_url: '${{ vars.TOKEN_MINTER_SERVICE_URL }}'
+          requested_permissions: |-
+            {
+              "scope": "stale-bot",
+              "repositories": ["*"],
+              "org_name": "google-github-actions"
+            }
 
-    - name: 'List active repositories'
-      id: set-matrix
-      env:
-        GH_TOKEN: ${{ steps.mint-github-token.outputs.token }}
-      run: |
-        # Query GitHub API for active, public, non-forked repositories and force single-line JSON to prevent GITHUB_OUTPUT truncation
-        REPOS=$(gh api --paginate /orgs/google-github-actions/repos -q '[.[] | select(.archived == false and .private == false and .fork == false) | .name]' | jq -c .)
-        echo "repos=${REPOS}" >> $GITHUB_OUTPUT
+      - name: 'List active repositories'
+        id: set-matrix
+        env:
+          GH_TOKEN: ${{ steps.mint-github-token.outputs.token }}
+        run: |
+          # Query GitHub API for active, public, non-forked repositories and force single-line JSON to prevent GITHUB_OUTPUT truncation
+          REPOS=$(gh api --paginate /orgs/google-github-actions/repos -q '[.[] | select(.archived == false and .private == false and .fork == false) | .name]' | jq -c .)
+          echo "repos=${REPOS}" >> $GITHUB_OUTPUT
 
   # Stage 2: Fan out official actions/stale across all discovered repositories
   apply-stale-rules:
@@ -56,46 +56,46 @@ jobs:
         repo: ${{ fromJson(needs.fetch-repositories.outputs.matrix) }}
 
     steps:
-    - id: 'auth-minty'
-      name: 'Authenticate to Google Cloud'
-      uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f' # ratchet:google-github-actions/auth@v2
-      with:
-        create_credentials_file: false
-        export_environment_variables: false
-        workload_identity_provider: '${{ vars.TOKEN_MINTER_WIF_PROVIDER }}'
-        service_account: '${{ vars.TOKEN_MINTER_WIF_SERVICE_ACCOUNT }}'
-        token_format: 'id_token'
-        id_token_audience: '${{ vars.TOKEN_MINTER_SERVICE_AUDIENCE }}'
-        id_token_include_email: true
+      - id: 'auth-minty'
+        name: 'Authenticate to Google Cloud'
+        uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f' # ratchet:google-github-actions/auth@v2
+        with:
+          create_credentials_file: false
+          export_environment_variables: false
+          workload_identity_provider: '${{ vars.TOKEN_MINTER_WIF_PROVIDER }}'
+          service_account: '${{ vars.TOKEN_MINTER_WIF_SERVICE_ACCOUNT }}'
+          token_format: 'id_token'
+          id_token_audience: '${{ vars.TOKEN_MINTER_SERVICE_AUDIENCE }}'
+          id_token_include_email: true
 
-    - id: 'mint-github-token'
-      uses: 'abcxyz/github-token-minter/.github/actions/minty@45c29ca3418ff3bb3ad5815d88a80536efeba21b' # ratchet:abcxyz/github-token-minter/.github/actions/minty@main
-      with:
-        id_token: '${{ steps.auth-minty.outputs.id_token }}'
-        service_url: '${{ vars.TOKEN_MINTER_SERVICE_URL }}'
-        requested_permissions: |-
-          {
-            "scope": "stale-bot",
-            "repositories": ["${{ matrix.repo }}"],
-            "org_name": "google-github-actions"
-          }
+      - id: 'mint-github-token'
+        uses: 'abcxyz/github-token-minter/.github/actions/minty@45c29ca3418ff3bb3ad5815d88a80536efeba21b' # ratchet:abcxyz/github-token-minter/.github/actions/minty@main
+        with:
+          id_token: '${{ steps.auth-minty.outputs.id_token }}'
+          service_url: '${{ vars.TOKEN_MINTER_SERVICE_URL }}'
+          requested_permissions: |-
+            {
+              "scope": "stale-bot",
+              "repositories": ["${{ matrix.repo }}"],
+              "org_name": "google-github-actions"
+            }
 
-    - name: 'Run official stale bot'
-      uses: actions/stale@v10.2.0
-      env:
-        GITHUB_REPOSITORY: 'google-github-actions/${{ matrix.repo }}'
-      with:
-        repo-token: ${{ steps.mint-github-token.outputs.token }}
-        operations-per-run: 300 # Increased burndown limit for first execution
+      - name: 'Run official stale bot'
+        uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # ratchet:actions/stale@v10.2.0
+        env:
+          GITHUB_REPOSITORY: 'google-github-actions/${{ matrix.repo }}'
+        with:
+          repo-token: ${{ steps.mint-github-token.outputs.token }}
+          operations-per-run: 300 # Increased burndown limit for first execution
 
-        # Issue configuration (60 days total: 53 inactive + 7 warning)
-        days-before-issue-stale: 53
-        days-before-issue-close: 7
-        stale-issue-message: 'This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.'
-        stale-issue-label: 'stale'
+          # Issue configuration (60 days total: 53 inactive + 7 warning)
+          days-before-issue-stale: 53
+          days-before-issue-close: 7
+          stale-issue-message: 'This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.'
+          stale-issue-label: 'stale'
 
-        # PR configuration (30 days total: 23 inactive + 7 warning)
-        days-before-pr-stale: 23
-        days-before-pr-close: 7
-        stale-pr-message: 'This pull request has been automatically marked as stale because it has not had recent activity. Please leave a comment to remove this status.'
-        stale-pr-label: 'stale'
+          # PR configuration (30 days total: 23 inactive + 7 warning)
+          days-before-pr-stale: 23
+          days-before-pr-close: 7
+          stale-pr-message: 'This pull request has been automatically marked as stale because it has not had recent activity. Please leave a comment to remove this status.'
+          stale-pr-label: 'stale'
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -13,18 +13,18 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 20
     steps:
-    - uses: actions/checkout@v6
-      with:
-        # Checkout the base repository ref, not the PR's head commit
-        ref: ${{ github.event.pull_request.base.sha }}
-        persist-credentials: false
-    - name: 'Run Scorecard'
-      uses: ossf/scorecard-action@v2.4.3
-      with:
-        results_file: 'results.sarif'
-        results_format: 'sarif'
-        publish_results: false
-    - name: 'Upload to GitHub Security Tab'
-      uses: github/codeql-action/upload-sarif@v4.35.1
-      with:
-        sarif_file: 'results.sarif'
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
+        with:
+          # Checkout the base repository ref, not the PR's head commit
+          ref: ${{ github.event.pull_request.base.sha }}
+          persist-credentials: false
+      - name: 'Run Scorecard'
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # ratchet:ossf/scorecard-action@v2.4.3
+        with:
+          results_file: 'results.sarif'
+          results_format: 'sarif'
+          publish_results: false
+      - name: 'Upload to GitHub Security Tab'
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # ratchet:github/codeql-action/upload-sarif@v4.35.1
+        with:
+          sarif_file: 'results.sarif'
