
Commit a31c30a

committed
chore(ci): comments for pinned actions
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
1 parent 78abbc5 commit a31c30a

4 files changed

Lines changed: 57 additions & 62 deletions


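--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -48,19 +48,19 @@ jobs:
 steps:
 - name: Checkout code
 # see https://github.com/actions/checkout
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 fetch-depth: 0
 - name: setup reports-dir
 run: mkdir "$REPORTS_DIR"
 - name: Setup python ${{ env.PYTHON_VERSION }}
 # see https://github.com/actions/setup-python
-uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION }}
 - name: Setup poetry ${{ env.POETRY_VERSION }}
-# see https://github.com/marketplace/actions/setup-poetry
+# see https://github.com/Gr1N/setup-poetry
 uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
@@ -77,7 +77,7 @@ jobs:
 !failure() && !cancelled() &&
 steps.after-release.outputs.released
 # see https://github.com/actions/upload-artifact
-uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 with:
 name: ${{ env.RUN_ARTIFACT_PYTHON_DIST }}
 path: ${{ env.DIST_SOURCE_DIR }}/
@@ -109,7 +109,7 @@ jobs:
 - name: Artifact reports
 if: ${{ ! cancelled() }}
 # see https://github.com/actions/upload-artifact
-uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 with:
 name: ${{ env.REPORTS_ARTIFACT }}
 path: ${{ env.REPORTS_DIR }}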

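--- a/.github/workflows/python.yml
+++ b/.github/workflows/python.yml
@@ -52,16 +52,16 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
-uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install poetry
-# see https://github.com/marketplace/actions/setup-poetry
+# see https://github.com/Gr1N/setup-poetry
 uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
@@ -77,16 +77,16 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
-uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install poetry
-# see https://github.com/marketplace/actions/setup-poetry
+# see https://github.com/Gr1N/setup-poetry
 uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
@@ -102,16 +102,16 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
-uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install poetry
-# see https://github.com/marketplace/actions/setup-poetry
+# see https://github.com/Gr1N/setup-poetry
 uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
@@ -137,16 +137,16 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
-uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ matrix.python-version }}
 - name: Install poetry
-# see https://github.com/marketplace/actions/setup-poetry
+# see https://github.com/Gr1N/setup-poetry
 uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
@@ -162,16 +162,16 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
-uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install poetry
-# see https://github.com/marketplace/actions/setup-poetry
+# see https://github.com/Gr1N/setup-poetry
 uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
@@ -197,12 +197,12 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
-uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install self
@@ -236,14 +236,14 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Create reports directory
 run: mkdir ${{ env.REPORTS_DIR }}
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
-uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ matrix.python-version }}
 - name: craft PY_UT_ARGS
@@ -256,7 +256,7 @@ jobs:
 with open(os.environ['GITHUB_ENV'], 'a') as env_file:
 env_file.write(f'PY_UT_ARGS={" ".join(PY_UT_ARGS)}\n')
 - name: Install poetry
-# see https://github.com/marketplace/actions/setup-poetry
+# see https://github.com/Gr1N/setup-poetry
 uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
@@ -276,7 +276,7 @@ jobs:
 - name: Artifact reports
 if: ${{ ! cancelled() }}
 # see https://github.com/actions/upload-artifact
-uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 with:
 name: '${{ env.TESTS_REPORTS_ARTIFACT }}_bnt_${{ matrix.os }}_py${{ matrix.python-version }}'
 path: ${{ env.REPORTS_DIR }}
@@ -290,7 +290,7 @@ jobs:
 steps:
 - name: fetch test artifacts
 # see https://github.com/actions/download-artifact
-uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
+uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
 with:
 pattern: '${{ env.TESTS_REPORTS_ARTIFACT }}_bnt_*'
 merge-multiple: true
@@ -301,7 +301,7 @@ jobs:
 ## see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#example-using-secrets
 if: ${{ env.CODACY_PROJECT_TOKEN != '' }}
 # see https://github.com/codacy/codacy-coverage-reporter-action
-uses: codacy/codacy-coverage-reporter-action@89d6c85cfafaec52c72b6c5e8b2878d33104c699 # v1
+uses: codacy/codacy-coverage-reporter-action@89d6c85cfafaec52c72b6c5e8b2878d33104c699 # v1.3.0
 with:
 project-token: ${{ env.CODACY_PROJECT_TOKEN }}
 coverage-reports: ${{ env.REPORTS_DIR }}/coverage/*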

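--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -71,16 +71,16 @@ jobs:
 steps:
 - name: Checkout code
 # see https://github.com/actions/checkout
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
-uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install poetry
-# see https://github.com/marketplace/actions/setup-poetry
+# see https://github.com/Gr1N/setup-poetry
 uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
@@ -96,16 +96,16 @@ jobs:
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
-uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install poetry
-# see https://github.com/marketplace/actions/setup-poetry
+# see https://github.com/Gr1N/setup-poetry
 uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
 with:
 poetry-version: ${{ env.POETRY_VERSION }}
@@ -136,18 +136,18 @@ jobs:
 steps:
 - name: Checkout code
 # see https://github.com/actions/checkout
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 fetch-depth: 0
 - name: Setup python
 # see https://github.com/actions/setup-python
-uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
 - name: Install and configure Poetry
-# See https://github.com/marketplace/actions/install-poetry-action
-uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1
+# See https://github.com/snok/install-poetry
+uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
 with:
 version: ${{ env.POETRY_VERSION }}
 virtualenvs-create: true
@@ -172,15 +172,15 @@ jobs:
 !failure() && !cancelled() &&
 steps.release.outputs.released == 'true'
 # see https://github.com/pypa/gh-action-pypi-publish
-uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
+uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
 with:
 attestations: true
 - name: Publish package distributions to GitHub Releases
 if: |
 !failure() && !cancelled() &&
 steps.release.outputs.released == 'true'
 # see https://python-semantic-release.readthedocs.io/en/latest/automatic-releases/github-actions.html#python-semantic-release-publish-action
-uses: python-semantic-release/publish-action@310a9983a0ae878b29f3aac778d7c77c1db27378 # v10
+uses: python-semantic-release/publish-action@310a9983a0ae878b29f3aac778d7c77c1db27378 # v10.5.3
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 tag: ${{ steps.release.outputs.tag }}
@@ -189,7 +189,7 @@ jobs:
 !failure() && !cancelled() &&
 steps.release.outputs.released == 'true'
 # see https://github.com/actions/upload-artifact
-uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 with:
 name: ${{ env.DIST_ARTIFACT }}
 path: ${{ env.DIST_DIR }}/
@@ -225,7 +225,7 @@ jobs:
 echo "GHCR_REPO=${GHCR_REPO@L}" >> "${GITHUB_ENV}"
 - name: Checkout code (${{ env.TAG }})
 # see https://github.com/actions/checkout
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 ref: ${{ needs.release-PyPI.outputs.tag }}
@@ -235,7 +235,7 @@ jobs:
 mkdir "$DIST_DIR"
 - name: Fetch python dist artifact
 # see https://github.com/actions/download-artifact
-uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
+uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
 with:
 name: ${{ env.DIST_ARTIFACT }}
 path: ${{ env.DIST_DIR }}/
@@ -268,15 +268,15 @@ jobs:
 - name: Artifact reports
 if: ${{ ! cancelled() }}
 # see https://github.com/actions/upload-artifact
-uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 with:
 name: ${{ env.ARTIFACT_DOCKER_SBOM }}
 path: ${{ env.REPORTS_DIR }}/*.bom.*
 if-no-files-found: error
 # publish AFTER the boms were build, as the bom-generation is kind of a test if the image works
 - name: Login to DockerHub
-# see hhttps://github.com/docker/login-action?tab=readme-ov-file#docker-hub
-uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+# see https://github.com/docker/login-action?tab=readme-ov-file#docker-hub
+uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -289,7 +289,7 @@ jobs:
 # region publish to GHCR
 - name: Login to GHCR
 # see https://github.com/docker/login-action#github-container-registry
-uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}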

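--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -17,44 +17,39 @@
 
 # For details of what checks are run for PRs please refer below
 # docs: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions
-
-name: Workflow Security Analysis
+name: Zizmor
 
 on:
-pull_request:
-paths:
-- '.github/workflows/**'
-- '.github/dependabot.yml'
 push:
-paths:
-- ".github/workflows/**"
-- ".github/dependabot.yml"
+branches: ['master', 'main']
+pull_request:
+branches: ['**']
+workflow_dispatch:
 schedule:
-# weekly scan: every Saturday at 00:00 UTC
 - cron: '0 0 * * 6'
 
+permissions: {}
+
 concurrency:
 group: '${{ github.workflow }}-${{ github.ref }}'
 cancel-in-progress: true
 
-permissions: {}
-
 jobs:
 zizmor:
-name: Harden GitHub Workflows (zizmor)
+name: Zizmor
 runs-on: ubuntu-latest
 timeout-minutes: 10
 permissions:
 contents: read
 steps:
 - name: Checkout
 # see https://github.com/actions/checkout
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Run zizmor 🌈
 # see https://github.com/zizmorcore/zizmor-action
-uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
 with:
 # advanced-security: false => emit findings as workflow-command annotations (::error file=…) rather than
 # uploading a SARIF report to GitHub's Security tab.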
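Review bot: The `# v0.5.6` annotation on the new `zizmorcore/zizmor-action` pin at new line 52 is the only line in this commit where the executed SHA actually changes (`b1d7e1fb…` → `5f14fd08…`), and the runner resolves the SHA, not the comment, so the SHA should be checked against the upstream v0.5.6 tag before merge — Dependabot also reads that trailing comment when proposing bumps, so a mismatch would drift silently. The removed `# weekly scan: every Saturday at 00:00 UTC` above the cron entry was the only explanation the schedule had; I'd keep it: `# weekly scan: every Saturday at 00:00 UTC`. Dropping the `paths:` filters means the job now runs on every push to master/main and on every pull request rather than only when workflow files change, which is fine for a read-only, 10-minute job, but the header comment at lines 18–19 ("what checks are run for PRs") predates that and could say so. The `with:` block of the zizmor step continues past the end of the hunk.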
