From 3c8a6e51d93aa1dc3113d37313df6944d868f09b Mon Sep 17 00:00:00 2001 From: Artur Stolear Date: Tue, 30 Jun 2026 11:25:34 +0200 Subject: [PATCH 1/5] ci: pin GitHub Actions to full commit SHAs (S7637) Pin every third-party and first-party action reference to its full commit SHA with a trailing version comment (Dependabot convention), resolving the githubactions:S7637 security hotspots. 66 references across 20 workflow files; behavior unchanged (each SHA is the tip of the previously-used tag). Co-Authored-By: Claude Opus 4.8 --- .github/workflows/_artifacts_linux.yml | 8 ++++---- .github/workflows/_artifacts_windows.yml | 6 +++--- .github/workflows/_build.yml | 8 ++++---- .github/workflows/_docker.yml | 6 +++--- .github/workflows/_docker_manifests.yml | 4 ++-- .github/workflows/_prepare.yml | 10 +++++----- .github/workflows/_publish.yml | 8 ++++---- .github/workflows/_unit_tests.yml | 10 +++++----- .github/workflows/ci.yml | 6 +++--- .github/workflows/codeql-analysis.yml | 10 +++++----- .github/workflows/docs.yml | 18 +++++++++--------- .github/workflows/format.yml | 4 ++-- .github/workflows/gittools-actions.yml | 6 +++--- .github/workflows/homebrew.yml | 4 ++-- .github/workflows/mkdocs.yml | 6 +++--- .github/workflows/new-cli.yml | 4 ++-- .github/workflows/public-api.yml | 4 ++-- .github/workflows/release.yml | 4 ++-- .github/workflows/stale.yml | 2 +- .github/workflows/winget.yml | 4 ++-- 20 files changed, 66 insertions(+), 66 deletions(-) diff --git a/.github/workflows/_artifacts_linux.yml b/.github/workflows/_artifacts_linux.yml index 2a2f2c62c9..78903a8da6 100644 --- a/.github/workflows/_artifacts_linux.yml +++ b/.github/workflows/_artifacts_linux.yml 
@@ -29,20 +29,20 @@ jobs: dotnet_version: ${{ fromJson(inputs.dotnet_versions) }} steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: fetch-depth: 0 - name: Restore State uses: ./.github/actions/cache-restore - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 name: Download nuget packages with: name: nuget path: ${{ github.workspace }}/artifacts/packages/nuget - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 name: Download native packages with: name: native-Linux @@ -52,7 +52,7 @@ jobs: uses: ./.github/actions/docker-setup - name: '[Test Artifacts]' - uses: nick-fields/retry@v4 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4 with: shell: pwsh timeout_minutes: 30 diff --git a/.github/workflows/_artifacts_windows.yml b/.github/workflows/_artifacts_windows.yml index 6079a2c6b7..a234d90086 100644 --- a/.github/workflows/_artifacts_windows.yml +++ b/.github/workflows/_artifacts_windows.yml @@ -16,21 +16,21 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: fetch-depth: 0 - name: Restore State uses: ./.github/actions/cache-restore - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 name: Download nuget packages with: name: nuget path: ${{ github.workspace }}/artifacts/packages/nuget - name: '[Test Artifacts]' - uses: nick-fields/retry@v4 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4 with: shell: pwsh timeout_minutes: 30 diff --git a/.github/workflows/_build.yml b/.github/workflows/_build.yml index b432a80349..7e805f8d7a 100644 --- a/.github/workflows/_build.yml +++ b/.github/workflows/_build.yml 
@@ -16,7 +16,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: fetch-depth: 0 @@ -28,21 +28,21 @@ jobs: run: dotnet run/build.dll --target=Package - name: 'Upload nuget packages' - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: matrix.os == 'windows-2025-vs2026' with: name: nuget path: ${{ github.workspace }}/artifacts/packages/nuget - name: 'Upload native packages' - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: matrix.os == 'windows-2025-vs2026' with: name: native-${{ runner.os }} path: ${{ github.workspace }}/artifacts/packages/native/*.zip - name: 'Upload native packages' - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: matrix.os != 'windows-2025-vs2026' with: name: native-${{ runner.os }} diff --git a/.github/workflows/_docker.yml b/.github/workflows/_docker.yml index 6c58b56bff..861d31d3c3 100644 --- a/.github/workflows/_docker.yml +++ b/.github/workflows/_docker.yml @@ -35,14 +35,14 @@ jobs: dotnet_version: ${{ fromJson(inputs.dotnet_versions) }} steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: fetch-depth: 0 - name: Restore State uses: ./.github/actions/cache-restore - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 name: Download nuget packages with: name: nuget @@ -62,7 +62,7 @@ jobs: - name: Load DockerHub credentials id: dockerhub-creds if: success() && inputs.publish_images - uses: gittools/cicd/dockerhub-creds@v5 + uses: gittools/cicd/dockerhub-creds@824c3d773fb5d1b00c26b474ae88b7ce9ae555ee # v5 with: op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} 
diff --git a/.github/workflows/_docker_manifests.yml b/.github/workflows/_docker_manifests.yml index bd89806de2..edf8c3e5e4 100644 --- a/.github/workflows/_docker_manifests.yml +++ b/.github/workflows/_docker_manifests.yml @@ -29,7 +29,7 @@ jobs: dotnet_version: ${{ fromJson(inputs.dotnet_versions) }} steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: fetch-depth: 0 @@ -42,7 +42,7 @@ jobs: - name: Load DockerHub credentials if: inputs.publish_manifests id: dockerhub-creds - uses: gittools/cicd/dockerhub-creds@v5 + uses: gittools/cicd/dockerhub-creds@824c3d773fb5d1b00c26b474ae88b7ce9ae555ee # v5 with: op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} diff --git a/.github/workflows/_prepare.yml b/.github/workflows/_prepare.yml index 75b0750922..2423143625 100644 --- a/.github/workflows/_prepare.yml +++ b/.github/workflows/_prepare.yml @@ -23,24 +23,24 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Cache cake frosting id: cache-cake - uses: actions/cache@v6 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6 with: path: run key: run-${{ runner.os }}-${{ hashFiles('./build/**') }} - name: Use cached tools id: cache-tools - uses: actions/cache@v6 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6 with: path: tools key: tools-${{ runner.os }}-${{ hashFiles('./build/**') }} - name: Setup .NET SDK - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5 with: global-json-file: global.json @@ -60,7 +60,7 @@ jobs: dotnet_versions: ${{ steps.set_matrix.outputs.dotnet_versions }} steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Restore State uses: ./.github/actions/cache-restore 
diff --git a/.github/workflows/_publish.yml b/.github/workflows/_publish.yml index af9d462c07..5a6981a219 100644 --- a/.github/workflows/_publish.yml +++ b/.github/workflows/_publish.yml @@ -24,14 +24,14 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: fetch-depth: 0 - name: Restore State uses: ./.github/actions/cache-restore - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 name: Download nuget packages with: name: nuget @@ -40,14 +40,14 @@ jobs: - name: Load NuGet credentials id: nuget-creds if: inputs.publish_packages - uses: gittools/cicd/nuget-creds@v5 + uses: gittools/cicd/nuget-creds@824c3d773fb5d1b00c26b474ae88b7ce9ae555ee # v5 with: op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} - name: Load Chocolatey credentials id: choco-creds if: inputs.publish_packages - uses: gittools/cicd/choco-creds@v5 + uses: gittools/cicd/choco-creds@824c3d773fb5d1b00c26b474ae88b7ce9ae555ee # v5 with: op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} diff --git a/.github/workflows/_unit_tests.yml b/.github/workflows/_unit_tests.yml index 146bf6522d..3d926a2379 100644 --- a/.github/workflows/_unit_tests.yml +++ b/.github/workflows/_unit_tests.yml @@ -25,14 +25,14 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: fetch-depth: 0 - name: Restore State uses: ./.github/actions/cache-restore - name: '[Unit Test]' - uses: nick-fields/retry@v4 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4 with: shell: pwsh timeout_minutes: 30 
@@ -41,13 +41,13 @@ jobs: command: 'dotnet run/build.dll --target=UnitTest --dotnet_version=${{ matrix.dotnet_version }}' - name: Test Summary - uses: test-summary/action@v2.6 + uses: test-summary/action@37b508cfee6d4d080eedd00b5bb240a6a784a6a5 # v2.6 if: always() && matrix.dotnet_version == '10.0' with: paths: artifacts/test-results/**/results.xml - name: Upload Coverage - uses: codecov/codecov-action@v7 + uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7 if: success() && inputs.publish_coverage && matrix.dotnet_version == '10.0' with: files: artifacts/test-results/**/results.xml @@ -55,7 +55,7 @@ jobs: use_oidc: true - name: Upload Coverage - uses: codecov/codecov-action@v7 + uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7 if: success() && inputs.publish_coverage && matrix.dotnet_version == '10.0' with: directory: artifacts/test-results diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dc37e4b453..7e21c1411a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -159,7 +159,7 @@ jobs: CAN_PUBLISH: ${{ github.event_name == 'repository_dispatch' }} steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: fetch-depth: 0 @@ -176,7 +176,7 @@ jobs: - name: Load DockerHub credentials id: dockerhub-creds if: env.CAN_PUBLISH == 'true' - uses: gittools/cicd/dockerhub-creds@v5 + uses: gittools/cicd/dockerhub-creds@824c3d773fb5d1b00c26b474ae88b7ce9ae555ee # v5 with: op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} @@ -194,7 +194,7 @@ jobs: - name: '[Publish Release]' if: github.event_name == 'repository_dispatch' - uses: peter-evans/repository-dispatch@v4 + uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4 with: token: ${{ github.token }} repository: ${{ github.repository }} 
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 208fec3c83..4e47daa086 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -50,25 +50,25 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: fetch-depth: 0 - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 with: languages: ${{ matrix.language }} tools: linked - name: Cache cake frosting id: cache-cake - uses: actions/cache@v6 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6 with: path: run key: run-${{ runner.os }}-${{ hashFiles('./build/**') }} - name: Setup .NET SDK - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5 with: global-json-file: global.json @@ -81,4 +81,4 @@ jobs: run: dotnet run/build.dll --target=BuildPrepare --exclusive - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index cd7f68ce68..2cc3533a19 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -37,20 +37,20 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: fetch-depth: 0 - name: Cache cake frosting id: cache-cake - uses: actions/cache@v6 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6 with: path: run key: run-${{ runner.os }}-${{ hashFiles('./build/**') }} - name: Use cached tools id: cache-tools - uses: actions/cache@v6 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6 with: path: tools key: tools-${{ runner.os }}-${{ hashFiles('./build/**') }} 
@@ -64,14 +64,14 @@ jobs: - name: Cache Node Modules id: cache-node - uses: actions/cache@v6 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6 with: path: ${{ steps.cache-node-dir.outputs.dir }} key: node-${{ runner.os }}-${{ hashFiles('./package-lock.json') }} restore-keys: node-${{ runner.os }} - name: Setup .NET SDK - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5 with: global-json-file: global.json @@ -89,7 +89,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: fetch-depth: 0 @@ -101,7 +101,7 @@ jobs: run: dotnet run/docs.dll --target=BuildDocs - name: '[HTMLProofer]' - uses: chabad360/htmlproofer@master + uses: chabad360/htmlproofer@a1a3419200cea0e832a5c6249647d1d271178e82 # master with: directory: ./artifacts/docs/preview arguments: --ignore-urls /api/,/docs/,/5.12.0/ --allow-hash-href --allow-missing-href --assume-extension --disable-external --no-check_external_hash @@ -113,7 +113,7 @@ jobs: echo "value=$value" >> $GITHUB_OUTPUT - name: '[Remark Lint]' - uses: reviewdog/action-remark-lint@v5 + uses: reviewdog/action-remark-lint@82225f7db5b4a3caaca3052733b6800fa7d109b0 # v5 with: github_token: ${{ github.token }} reporter: ${{ steps.reporter.outputs.value }} @@ -130,7 +130,7 @@ jobs: GITHUB_USERNAME: ${{ github.actor }} steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: fetch-depth: 0 diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml index 90057f6759..a96ded4d20 100644 --- a/.github/workflows/format.yml +++ b/.github/workflows/format.yml 
@@ -40,10 +40,10 @@ jobs: name: DotNet Format steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Setup .NET SDK - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5 with: global-json-file: global.json diff --git a/.github/workflows/gittools-actions.yml b/.github/workflows/gittools-actions.yml index 33b018fbd5..8e8328d129 100644 --- a/.github/workflows/gittools-actions.yml +++ b/.github/workflows/gittools-actions.yml @@ -35,13 +35,13 @@ jobs: - name: Load GitHub App credentials id: github-app-creds - uses: gittools/cicd/github-app-creds@v5 + uses: gittools/cicd/github-app-creds@824c3d773fb5d1b00c26b474ae88b7ce9ae555ee # v5 with: op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} - name: Generate GitHub App Token id: app-token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3 with: app-id: ${{ steps.github-app-creds.outputs.gh_app_id }} private-key: ${{ steps.github-app-creds.outputs.gh_app_private_key }} @@ -49,7 +49,7 @@ jobs: repositories: actions permission-contents: write - - uses: peter-evans/repository-dispatch@v4 + - uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4 name: Update GitTools Actions with: token: ${{ steps.app-token.outputs.token }} diff --git a/.github/workflows/homebrew.yml b/.github/workflows/homebrew.yml index 0b9091b4cc..3b29e6bbe5 100644 --- a/.github/workflows/homebrew.yml +++ b/.github/workflows/homebrew.yml 
@@ -31,11 +31,11 @@ jobs: - name: Load GitHub release token id: github-creds - uses: gittools/cicd/github-creds@v5 + uses: gittools/cicd/github-creds@824c3d773fb5d1b00c26b474ae88b7ce9ae555ee # v5 with: op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} - - uses: mislav/bump-homebrew-formula-action@v4 + - uses: mislav/bump-homebrew-formula-action@ccf2332299a883f6af50a1d2d41e5df7904dd769 # v4 name: Bump Homebrew formula with: formula-name: gitversion diff --git a/.github/workflows/mkdocs.yml b/.github/workflows/mkdocs.yml index 7b878553c1..b6d969c99b 100644 --- a/.github/workflows/mkdocs.yml +++ b/.github/workflows/mkdocs.yml @@ -29,13 +29,13 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: gittools/cicd/checkout@v5 + uses: gittools/cicd/checkout@824c3d773fb5d1b00c26b474ae88b7ce9ae555ee # v5 with: op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} fetch-depth: 1 - name: Setup .NET SDK - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5 with: global-json-file: global.json @@ -46,6 +46,6 @@ jobs: working-directory: ${{ github.workspace }}/docs/input - name: Commit and push markdown docs changes - uses: gittools/cicd/git-commit-push@v5 + uses: gittools/cicd/git-commit-push@824c3d773fb5d1b00c26b474ae88b7ce9ae555ee # v5 with: message: "include markdown docs changes" diff --git a/.github/workflows/new-cli.yml b/.github/workflows/new-cli.yml index 65479803ca..130e38b022 100644 --- a/.github/workflows/new-cli.yml +++ b/.github/workflows/new-cli.yml @@ -41,10 +41,10 @@ jobs: name: Build & Test (new-cli) steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Setup .NET SDK - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5 with: global-json-file: global.json 
diff --git a/.github/workflows/public-api.yml b/.github/workflows/public-api.yml index 58a5205a72..d2df529d9b 100644 --- a/.github/workflows/public-api.yml +++ b/.github/workflows/public-api.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: gittools/cicd/checkout@v5 + uses: gittools/cicd/checkout@824c3d773fb5d1b00c26b474ae88b7ce9ae555ee # v5 with: op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} fetch-depth: 0 @@ -24,6 +24,6 @@ jobs: run: ./src/mark-shipped.ps1 - name: Commit and push changes - uses: gittools/cicd/git-commit-push@v5 + uses: gittools/cicd/git-commit-push@824c3d773fb5d1b00c26b474ae88b7ce9ae555ee # v5 with: message: "include public API changes" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index cdb77cc68f..ad96d9f7a4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,7 +11,7 @@ jobs: contents: write steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Get version id: get-version @@ -21,7 +21,7 @@ jobs: $TAG="${{ github.ref }}".Replace("refs/tags/", "") "tag=$TAG" >> $env:GITHUB_OUTPUT - - uses: peter-evans/repository-dispatch@v4 + - uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4 with: token: ${{ github.token }} repository: ${{ github.repository }} diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 268a3c6c3f..61408b3677 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -13,7 +13,7 @@ jobs: stale: runs-on: ubuntu-24.04 steps: - - uses: actions/stale@v10 + - uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10 with: operations-per-run: 100 # set 'stale' label diff --git a/.github/workflows/winget.yml b/.github/workflows/winget.yml index 6a6852a5ac..193b625602 100644 --- a/.github/workflows/winget.yml +++ b/.github/workflows/winget.yml 
@@ -35,11 +35,11 @@ jobs: - name: Load GitHub release token id: github-creds - uses: gittools/cicd/github-creds@v5 + uses: gittools/cicd/github-creds@824c3d773fb5d1b00c26b474ae88b7ce9ae555ee # v5 with: op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} - - uses: michidk/run-komac@v2.1.0 + - uses: michidk/run-komac@9b27eadc6e9235c252444a437d246c139da2f57f # v2.1.0 env: GITHUB_TOKEN: ${{ steps.github-creds.outputs.github_release_token }} with: From 5a8e4b8e35f0c26ff6753ccb72ebe6d5b05a1887 Mon Sep 17 00:00:00 2001 From: Artur Stolear Date: Tue, 30 Jun 2026 11:27:26 +0200 Subject: [PATCH 2/5] ci: fix shellcheck issues in docs.yml run scripts Quote $GITHUB_OUTPUT (SC2086) and replace the constant '[ ${{ ... }} ]' test with a direct GitHub expression (SC2078) so the reporter actually branches on the event type instead of always returning github-pr-review. Co-Authored-By: Claude Opus 4.8 --- .github/workflows/docs.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 2cc3533a19..0c760e3901 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -60,7 +60,7 @@ jobs: id: cache-node-dir run: | cacheDir=$(npm config get cache) - echo "dir=$cacheDir" >> $GITHUB_OUTPUT + echo "dir=$cacheDir" >> "$GITHUB_OUTPUT" - name: Cache Node Modules id: cache-node @@ -109,8 +109,8 @@ jobs: - name: '[Reviewdog Reporter]' id: reporter run: | - value=$([ ${{ github.event_name == 'pull_request' }} ] && echo "github-pr-review" || echo "github-check") - echo "value=$value" >> $GITHUB_OUTPUT + value=${{ github.event_name == 'pull_request' && 'github-pr-review' || 'github-check' }} + echo "value=$value" >> "$GITHUB_OUTPUT" - name: '[Remark Lint]' uses: reviewdog/action-remark-lint@82225f7db5b4a3caaca3052733b6800fa7d109b0 # v5 From 27630a25f1b485781cc4351663f77ea44622caeb Mon Sep 17 00:00:00 2001 
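Review bot: The `[Reviewdog Reporter]` step in the second docs.yml hunk of patch 2 still splices a `${{ }}` expression into the `run:` script. This is safe here only because the expression can evaluate to one of two literals, but it is the shape that turns into script injection if a later edit swaps in an event-controlled value. Since the value no longer needs the shell, the step could be dropped and the Remark Lint input written as `reporter: ${{ github.event_name == 'pull_request' && 'github-pr-review' || 'github-check' }}`, which is how the actionlint workflow in patch 4 passes it. If the step is kept, a comment above the assignment such as `# expression yields only the two literals; never interpolate event fields into this script` would record why the inline expansion is acceptable. The `reporter:` line lies just past the end of this hunk, and is visible in patch 1's docs.yml hunk as `reporter: ${{ steps.reporter.outputs.value }}`.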
From: Artur Stolear Date: Tue, 30 Jun 2026 11:30:37 +0200 Subject: [PATCH 3/5] ci: pin composite action dependencies to full commit SHAs (S7637) Pin the 15 action references inside .github/actions/*/action.yml to full commit SHAs with version comments, matching the workflow files. Co-Authored-By: Claude Opus 4.8 --- .github/actions/artifacts-attest/action.yml | 2 +- .github/actions/artifacts-restore/action.yml | 8 ++++---- .github/actions/cache-restore/action.yml | 6 +++--- .github/actions/docker-manifests/action.yml | 4 ++-- .github/actions/docker-publish/action.yml | 4 ++-- .github/actions/docker-setup/action.yml | 2 +- .github/actions/docker-test/action.yml | 4 ++-- 7 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/actions/artifacts-attest/action.yml b/.github/actions/artifacts-attest/action.yml index aa4547a256..c9e71278f1 100644 --- a/.github/actions/artifacts-attest/action.yml +++ b/.github/actions/artifacts-attest/action.yml @@ -5,7 +5,7 @@ runs: using: 'composite' steps: - name: 'Attestation' - uses: actions/attest-build-provenance@v4.1.0 + uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 with: subject-path: | ${{ github.workspace }}/artifacts/packages/native diff --git a/.github/actions/artifacts-restore/action.yml b/.github/actions/artifacts-restore/action.yml index b69757c8c1..321f115fe0 100644 --- a/.github/actions/artifacts-restore/action.yml +++ b/.github/actions/artifacts-restore/action.yml 
@@ -4,25 +4,25 @@ description: 'Artifacts restore' runs: using: 'composite' steps: - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 name: Download native linux packages with: name: native-Linux path: ${{ github.workspace }}/artifacts/packages/native - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 name: Download native windows packages with: name: native-Windows path: ${{ github.workspace }}/artifacts/packages/native - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 name: Download native macos packages with: name: native-macOS path: ${{ github.workspace }}/artifacts/packages/native - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 name: Download nuget packages with: name: nuget diff --git a/.github/actions/cache-restore/action.yml b/.github/actions/cache-restore/action.yml index 192a459441..8a2a1de89f 100644 --- a/.github/actions/cache-restore/action.yml +++ b/.github/actions/cache-restore/action.yml @@ -6,19 +6,19 @@ runs: steps: - name: Use cached cake frosting id: cache-cake - uses: actions/cache@v5 + uses: actions/cache@caa296126883cff596d87d8935842f9db880ef25 # v5 with: path: run key: run-${{ runner.os }}-${{ hashFiles('./build/**') }} - name: Use cached tools id: cache-tools - uses: actions/cache@v5 + uses: actions/cache@caa296126883cff596d87d8935842f9db880ef25 # v5 with: path: tools key: tools-${{ runner.os }}-${{ hashFiles('./build/**') }} - name: Setup .NET SDK - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5 with: global-json-file: global.json diff --git a/.github/actions/docker-manifests/action.yml b/.github/actions/docker-manifests/action.yml index bf0d641a9f..038f20510f 100644 
--- a/.github/actions/docker-manifests/action.yml +++ b/.github/actions/docker-manifests/action.yml @@ -24,7 +24,7 @@ runs: using: 'composite' steps: - name: Login to DockerHub - uses: docker/login-action@v4 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4 with: username: ${{ inputs.docker_registry_username }} password: ${{ inputs.docker_registry_password }} @@ -40,7 +40,7 @@ runs: --docker_distro=$env:DOCKER_DISTRO --docker_registry dockerhub - name: Login to GitHub - uses: docker/login-action@v4 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4 with: registry: ghcr.io username: ${{ inputs.github_registry_username }} diff --git a/.github/actions/docker-publish/action.yml b/.github/actions/docker-publish/action.yml index b091d35a4f..3f904b9e02 100644 --- a/.github/actions/docker-publish/action.yml +++ b/.github/actions/docker-publish/action.yml @@ -27,7 +27,7 @@ runs: using: 'composite' steps: - name: Login to DockerHub - uses: docker/login-action@v4 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4 with: username: ${{ inputs.docker_registry_username }} password: ${{ inputs.docker_registry_password }} @@ -44,7 +44,7 @@ runs: --docker_distro=$env:DOCKER_DISTRO --docker_registry dockerhub --verbosity=diagnostic - name: Login to GitHub - uses: docker/login-action@v4 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4 with: registry: ghcr.io username: ${{ inputs.github_registry_username }} diff --git a/.github/actions/docker-setup/action.yml b/.github/actions/docker-setup/action.yml index 2e43c229be..a34df89349 100644 --- a/.github/actions/docker-setup/action.yml +++ b/.github/actions/docker-setup/action.yml @@ -5,6 +5,6 @@ runs: using: 'composite' steps: - name: Set up Docker - uses: docker/setup-docker-action@v5 + uses: docker/setup-docker-action@0234bb73ccb40f0c430b795634f9247e2b5c2d23 # v5 with: daemon-config: '{ "features": { "containerd-snapshotter": true } }' 
diff --git a/.github/actions/docker-test/action.yml b/.github/actions/docker-test/action.yml index 2b9686f419..41e1404111 100644 --- a/.github/actions/docker-test/action.yml +++ b/.github/actions/docker-test/action.yml @@ -15,7 +15,7 @@ runs: using: 'composite' steps: - name: '[Docker Build & Test] DockerHub' - uses: nick-fields/retry@v4 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4 with: shell: pwsh timeout_minutes: 30 @@ -27,7 +27,7 @@ runs: --docker_distro=${{ inputs.docker_distro }} --docker_registry dockerhub --verbosity=diagnostic - name: '[Docker Build & Test] GitHub' - uses: nick-fields/retry@v4 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4 with: shell: pwsh timeout_minutes: 30 From 123a29ed5e8be775abcac2e70f9dbb73e237918a Mon Sep 17 00:00:00 2001 From: Artur Stolear Date: Tue, 30 Jun 2026 11:30:37 +0200 Subject: [PATCH 4/5] ci: add actionlint validation for GitHub Actions changes Add an Actionlint workflow (reviewdog/action-actionlint, SHA-pinned) that runs on changes to .github/workflows/** and .github/actions/**, failing on any finding so workflow/composite-action issues are caught in CI. Co-Authored-By: Claude Opus 4.8 --- .github/workflows/actionlint.yml | 44 ++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 .github/workflows/actionlint.yml diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml new file mode 100644 index 0000000000..73ffc6e165 --- /dev/null +++ b/.github/workflows/actionlint.yml 
@@ -0,0 +1,44 @@ +name: Actionlint +on: + push: + branches: + - main + - 'fix/*' + - 'feature/*' + - 'poc/*' + - 'support/*' + - 'next/*' + paths: + - '.github/workflows/**' + - '.github/actions/**' + + pull_request: + branches: + - main + - 'support/*' + - 'next/*' + paths: + - '.github/workflows/**' + - '.github/actions/**' + +permissions: + contents: read + +jobs: + actionlint: + runs-on: ubuntu-24.04 + name: Actionlint + permissions: + contents: read + checks: write + pull-requests: write + steps: + - name: Checkout + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + + - name: Run actionlint + uses: reviewdog/action-actionlint@6fb7acc99f4a1008869fa8a0f09cfca740837d9d # v1.72.0 + with: + github_token: ${{ github.token }} + reporter: ${{ github.event_name == 'pull_request' && 'github-pr-review' || 'github-check' }} + fail_on_error: true From ecf7698f47e38999e3128abbc03acfa37a5640d4 Mon Sep 17 00:00:00 2001 
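Review bot: The `Checkout` step of the new `actionlint` job keeps the job token in the checked-out repository's git configuration, since `actions/checkout` persists credentials unless told otherwise, and this job's token carries `checks: write` and `pull-requests: write`. No later step in the file needs git to authenticate, so add `with:` and `persist-credentials: false` under `Checkout`. The two write scopes are needed only by the reviewdog step; on `push` runs the reporter resolves to `github-check`, so `pull-requests: write` goes unused there. For pull requests from forks the token is read-only by default, so it is worth confirming that the job still fails on findings when the `github-pr-review` reporter cannot post.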
From: Artur Stolear Date: Tue, 30 Jun 2026 11:34:20 +0200 Subject: [PATCH 5/5] ci: bump pinned actions to their latest versions Re-resolve every pinned action to its latest release and record the full version in the comment. Functional bumps: actions/cache v5->v6.1.0 (composite actions, now unified with the workflows), chabad360/htmlproofer master->v2 (branch->release tag), actions/attest-build-provenance v4.1.0->v4.1.1. All other SHAs already pointed at the latest release tip; comments updated from major tags (e.g. v7) to exact versions (e.g. v7.0.0). Co-Authored-By: Claude Opus 4.8 --- .github/actions/artifacts-attest/action.yml | 2 +- .github/actions/artifacts-restore/action.yml | 8 ++++---- .github/actions/cache-restore/action.yml | 6 +++--- .github/actions/docker-manifests/action.yml | 4 ++-- .github/actions/docker-publish/action.yml | 4 ++-- .github/actions/docker-setup/action.yml | 2 +- .github/actions/docker-test/action.yml | 4 ++-- .github/workflows/_artifacts_linux.yml | 8 ++++---- .github/workflows/_artifacts_windows.yml | 6 +++--- .github/workflows/_build.yml | 8 ++++---- .github/workflows/_docker.yml | 4 ++-- .github/workflows/_docker_manifests.yml | 2 +- .github/workflows/_prepare.yml | 10 +++++----- .github/workflows/_publish.yml | 4 ++-- .github/workflows/_unit_tests.yml | 8 ++++---- .github/workflows/actionlint.yml | 2 +- .github/workflows/ci.yml | 4 ++-- .github/workflows/codeql-analysis.yml | 10 +++++----- .github/workflows/docs.yml | 18 +++++++++--------- .github/workflows/format.yml | 4 ++-- .github/workflows/gittools-actions.yml | 4 ++-- .github/workflows/homebrew.yml | 2 +- .github/workflows/mkdocs.yml | 2 +- .github/workflows/new-cli.yml | 4 ++-- .github/workflows/release.yml | 4 ++-- .github/workflows/stale.yml | 2 +- 26 files changed, 68 insertions(+), 68 deletions(-) diff --git a/.github/actions/artifacts-attest/action.yml b/.github/actions/artifacts-attest/action.yml index c9e71278f1..0185f356ec 100644 
--- a/.github/actions/artifacts-attest/action.yml +++ b/.github/actions/artifacts-attest/action.yml @@ -5,7 +5,7 @@ runs: using: 'composite' steps: - name: 'Attestation' - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 + uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1 with: subject-path: | ${{ github.workspace }}/artifacts/packages/native diff --git a/.github/actions/artifacts-restore/action.yml b/.github/actions/artifacts-restore/action.yml index 321f115fe0..8d45711a96 100644 --- a/.github/actions/artifacts-restore/action.yml +++ b/.github/actions/artifacts-restore/action.yml @@ -4,25 +4,25 @@ description: 'Artifacts restore' runs: using: 'composite' steps: - - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 name: Download native linux packages with: name: native-Linux path: ${{ github.workspace }}/artifacts/packages/native - - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 name: Download native windows packages with: name: native-Windows path: ${{ github.workspace }}/artifacts/packages/native - - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 name: Download native macos packages with: name: native-macOS path: ${{ github.workspace }}/artifacts/packages/native - - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 name: Download nuget packages with: name: nuget diff --git a/.github/actions/cache-restore/action.yml b/.github/actions/cache-restore/action.yml index 8a2a1de89f..0e4f97dace 100644 
--- a/.github/actions/cache-restore/action.yml +++ b/.github/actions/cache-restore/action.yml @@ -6,19 +6,19 @@ runs: steps: - name: Use cached cake frosting id: cache-cake - uses: actions/cache@caa296126883cff596d87d8935842f9db880ef25 # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: run key: run-${{ runner.os }}-${{ hashFiles('./build/**') }} - name: Use cached tools id: cache-tools - uses: actions/cache@caa296126883cff596d87d8935842f9db880ef25 # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: tools key: tools-${{ runner.os }}-${{ hashFiles('./build/**') }} - name: Setup .NET SDK - uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5 + uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5.4.0 with: global-json-file: global.json diff --git a/.github/actions/docker-manifests/action.yml b/.github/actions/docker-manifests/action.yml index 038f20510f..26b84455f9 100644 --- a/.github/actions/docker-manifests/action.yml +++ b/.github/actions/docker-manifests/action.yml @@ -24,7 +24,7 @@ runs: using: 'composite' steps: - name: Login to DockerHub - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: username: ${{ inputs.docker_registry_username }} password: ${{ inputs.docker_registry_password }} @@ -40,7 +40,7 @@ runs: --docker_distro=$env:DOCKER_DISTRO --docker_registry dockerhub - name: Login to GitHub - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ghcr.io username: ${{ inputs.github_registry_username }} diff --git a/.github/actions/docker-publish/action.yml b/.github/actions/docker-publish/action.yml index 3f904b9e02..0d31a78db7 100644 --- a/.github/actions/docker-publish/action.yml +++ b/.github/actions/docker-publish/action.yml 
@@ -27,7 +27,7 @@ runs: using: 'composite' steps: - name: Login to DockerHub - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: username: ${{ inputs.docker_registry_username }} password: ${{ inputs.docker_registry_password }} @@ -44,7 +44,7 @@ runs: --docker_distro=$env:DOCKER_DISTRO --docker_registry dockerhub --verbosity=diagnostic - name: Login to GitHub - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ghcr.io username: ${{ inputs.github_registry_username }} diff --git a/.github/actions/docker-setup/action.yml b/.github/actions/docker-setup/action.yml index a34df89349..112ac23bbd 100644 --- a/.github/actions/docker-setup/action.yml +++ b/.github/actions/docker-setup/action.yml @@ -5,6 +5,6 @@ runs: using: 'composite' steps: - name: Set up Docker - uses: docker/setup-docker-action@0234bb73ccb40f0c430b795634f9247e2b5c2d23 # v5 + uses: docker/setup-docker-action@0234bb73ccb40f0c430b795634f9247e2b5c2d23 # v5.2.0 with: daemon-config: '{ "features": { "containerd-snapshotter": true } }' diff --git a/.github/actions/docker-test/action.yml b/.github/actions/docker-test/action.yml index 41e1404111..c3852a76d4 100644 --- a/.github/actions/docker-test/action.yml +++ b/.github/actions/docker-test/action.yml @@ -15,7 +15,7 @@ runs: using: 'composite' steps: - name: '[Docker Build & Test] DockerHub' - uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: shell: pwsh timeout_minutes: 30 
@@ -27,7 +27,7 @@ runs: --docker_distro=${{ inputs.docker_distro }} --docker_registry dockerhub --verbosity=diagnostic - name: '[Docker Build & Test] GitHub' - uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: shell: pwsh timeout_minutes: 30 diff --git a/.github/workflows/_artifacts_linux.yml b/.github/workflows/_artifacts_linux.yml index 78903a8da6..96be4451b0 100644 --- a/.github/workflows/_artifacts_linux.yml +++ b/.github/workflows/_artifacts_linux.yml @@ -29,20 +29,20 @@ jobs: dotnet_version: ${{ fromJson(inputs.dotnet_versions) }} steps: - name: Checkout - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 - name: Restore State uses: ./.github/actions/cache-restore - - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 name: Download nuget packages with: name: nuget path: ${{ github.workspace }}/artifacts/packages/nuget - - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 name: Download native packages with: name: native-Linux @@ -52,7 +52,7 @@ jobs: uses: ./.github/actions/docker-setup - name: '[Test Artifacts]' - uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: shell: pwsh timeout_minutes: 30 diff --git a/.github/workflows/_artifacts_windows.yml b/.github/workflows/_artifacts_windows.yml index a234d90086..fd7e9c5876 100644 --- a/.github/workflows/_artifacts_windows.yml +++ b/.github/workflows/_artifacts_windows.yml 
@@ -16,21 +16,21 @@ jobs: steps: - name: Checkout - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 - name: Restore State uses: ./.github/actions/cache-restore - - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 name: Download nuget packages with: name: nuget path: ${{ github.workspace }}/artifacts/packages/nuget - name: '[Test Artifacts]' - uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: shell: pwsh timeout_minutes: 30 diff --git a/.github/workflows/_build.yml b/.github/workflows/_build.yml index 7e805f8d7a..90aeb05014 100644 --- a/.github/workflows/_build.yml +++ b/.github/workflows/_build.yml @@ -16,7 +16,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Checkout - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 
@@ -28,21 +28,21 @@ jobs: run: dotnet run/build.dll --target=Package - name: 'Upload nuget packages' - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: matrix.os == 'windows-2025-vs2026' with: name: nuget path: ${{ github.workspace }}/artifacts/packages/nuget - name: 'Upload native packages' - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: matrix.os == 'windows-2025-vs2026' with: name: native-${{ runner.os }} path: ${{ github.workspace }}/artifacts/packages/native/*.zip - name: 'Upload native packages' - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: matrix.os != 'windows-2025-vs2026' with: name: native-${{ runner.os }} diff --git a/.github/workflows/_docker.yml b/.github/workflows/_docker.yml index 861d31d3c3..53bb90d9f5 100644 --- a/.github/workflows/_docker.yml +++ b/.github/workflows/_docker.yml @@ -35,14 +35,14 @@ jobs: dotnet_version: ${{ fromJson(inputs.dotnet_versions) }} steps: - name: Checkout - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 - name: Restore State uses: ./.github/actions/cache-restore - - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 name: Download nuget packages with: name: nuget diff --git a/.github/workflows/_docker_manifests.yml b/.github/workflows/_docker_manifests.yml index edf8c3e5e4..a692f9cbe8 100644 --- a/.github/workflows/_docker_manifests.yml +++ b/.github/workflows/_docker_manifests.yml 
@@ -29,7 +29,7 @@ jobs: dotnet_version: ${{ fromJson(inputs.dotnet_versions) }} steps: - name: Checkout - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 diff --git a/.github/workflows/_prepare.yml b/.github/workflows/_prepare.yml index 2423143625..9fd6c5595e 100644 --- a/.github/workflows/_prepare.yml +++ b/.github/workflows/_prepare.yml @@ -23,24 +23,24 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Checkout - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Cache cake frosting id: cache-cake - uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: run key: run-${{ runner.os }}-${{ hashFiles('./build/**') }} - name: Use cached tools id: cache-tools - uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: tools key: tools-${{ runner.os }}-${{ hashFiles('./build/**') }} - name: Setup .NET SDK - uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5 + uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5.4.0 with: global-json-file: global.json @@ -60,7 +60,7 @@ jobs: dotnet_versions: ${{ steps.set_matrix.outputs.dotnet_versions }} steps: - name: Checkout - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Restore State uses: ./.github/actions/cache-restore diff --git a/.github/workflows/_publish.yml b/.github/workflows/_publish.yml index 5a6981a219..583325b0a5 100644 --- a/.github/workflows/_publish.yml +++ b/.github/workflows/_publish.yml 
@@ -24,14 +24,14 @@ jobs: steps: - name: Checkout - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 - name: Restore State uses: ./.github/actions/cache-restore - - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 name: Download nuget packages with: name: nuget diff --git a/.github/workflows/_unit_tests.yml b/.github/workflows/_unit_tests.yml index 3d926a2379..4e4975bf2a 100644 --- a/.github/workflows/_unit_tests.yml +++ b/.github/workflows/_unit_tests.yml @@ -25,14 +25,14 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Checkout - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 - name: Restore State uses: ./.github/actions/cache-restore - name: '[Unit Test]' - uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: shell: pwsh timeout_minutes: 30 @@ -47,7 +47,7 @@ jobs: paths: artifacts/test-results/**/results.xml - name: Upload Coverage - uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7 + uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0 if: success() && inputs.publish_coverage && matrix.dotnet_version == '10.0' with: files: artifacts/test-results/**/results.xml @@ -55,7 +55,7 @@ jobs: use_oidc: true - name: Upload Coverage - uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7 + uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0 if: success() && inputs.publish_coverage && matrix.dotnet_version == '10.0' with: directory: artifacts/test-results 
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml index 73ffc6e165..ee64b88e41 100644 --- a/.github/workflows/actionlint.yml +++ b/.github/workflows/actionlint.yml @@ -34,7 +34,7 @@ jobs: pull-requests: write steps: - name: Checkout - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Run actionlint uses: reviewdog/action-actionlint@6fb7acc99f4a1008869fa8a0f09cfca740837d9d # v1.72.0 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7e21c1411a..ba10c4830b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -159,7 +159,7 @@ jobs: CAN_PUBLISH: ${{ github.event_name == 'repository_dispatch' }} steps: - name: Checkout - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 @@ -194,7 +194,7 @@ jobs: - name: '[Publish Release]' if: github.event_name == 'repository_dispatch' - uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4 + uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 with: token: ${{ github.token }} repository: ${{ github.repository }} diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 4e47daa086..6fa033bb3d 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
@@ -50,25 +50,25 @@ jobs: steps: - name: Checkout - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 - name: Initialize CodeQL - uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 + uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: languages: ${{ matrix.language }} tools: linked - name: Cache cake frosting id: cache-cake - uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: run key: run-${{ runner.os }}-${{ hashFiles('./build/**') }} - name: Setup .NET SDK - uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5 + uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5.4.0 with: global-json-file: global.json @@ -81,4 +81,4 @@ jobs: run: dotnet run/build.dll --target=BuildPrepare --exclusive - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 + uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 0c760e3901..e168bf0e85 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml 
@@ -37,20 +37,20 @@ jobs: steps: - name: Checkout - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 - name: Cache cake frosting id: cache-cake - uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: run key: run-${{ runner.os }}-${{ hashFiles('./build/**') }} - name: Use cached tools id: cache-tools - uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: tools key: tools-${{ runner.os }}-${{ hashFiles('./build/**') }} @@ -64,14 +64,14 @@ jobs: - name: Cache Node Modules id: cache-node - uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: ${{ steps.cache-node-dir.outputs.dir }} key: node-${{ runner.os }}-${{ hashFiles('./package-lock.json') }} restore-keys: node-${{ runner.os }} - name: Setup .NET SDK - uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5 + uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5.4.0 with: global-json-file: global.json @@ -89,7 +89,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 @@ -101,7 +101,7 @@ jobs: run: dotnet run/docs.dll --target=BuildDocs - name: '[HTMLProofer]' - uses: chabad360/htmlproofer@a1a3419200cea0e832a5c6249647d1d271178e82 # master + uses: chabad360/htmlproofer@c2750eb7eb937599ac859517e7dd23a29f1b3ed7 # v2 with: directory: ./artifacts/docs/preview arguments: --ignore-urls /api/,/docs/,/5.12.0/ --allow-hash-href --allow-missing-href --assume-extension --disable-external --no-check_external_hash 
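Review bot: The `[HTMLProofer]` step in `docs.yml` (`@@ -101,7 +101,7 @@`) changes the commit that is executed, not just the comment, and its new label `# v2` is a major tag while the rest of this commit records exact versions such as `# v7.0.0`. If upstream publishes a full release tag for that commit, record it instead, e.g. `# <exact release tag>`; a major tag can be moved later, after which the comment no longer describes the pinned SHA. Since the previous pin tracked `master`, the flags on the unchanged `arguments:` line should also be confirmed against the release behind the new SHA.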
@@ -113,7 +113,7 @@ jobs: echo "value=$value" >> "$GITHUB_OUTPUT" - name: '[Remark Lint]' - uses: reviewdog/action-remark-lint@82225f7db5b4a3caaca3052733b6800fa7d109b0 # v5 + uses: reviewdog/action-remark-lint@82225f7db5b4a3caaca3052733b6800fa7d109b0 # v5.18.0 with: github_token: ${{ github.token }} reporter: ${{ steps.reporter.outputs.value }} @@ -130,7 +130,7 @@ jobs: GITHUB_USERNAME: ${{ github.actor }} steps: - name: Checkout - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml index a96ded4d20..79b5602f24 100644 --- a/.github/workflows/format.yml +++ b/.github/workflows/format.yml @@ -40,10 +40,10 @@ jobs: name: DotNet Format steps: - name: Checkout - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup .NET SDK - uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5 + uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5.4.0 with: global-json-file: global.json diff --git a/.github/workflows/gittools-actions.yml b/.github/workflows/gittools-actions.yml index 8e8328d129..3ca20d4083 100644 --- a/.github/workflows/gittools-actions.yml +++ b/.github/workflows/gittools-actions.yml @@ -41,7 +41,7 @@ jobs: - name: Generate GitHub App Token id: app-token - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: app-id: ${{ steps.github-app-creds.outputs.gh_app_id }} private-key: ${{ steps.github-app-creds.outputs.gh_app_private_key }} 
@@ -49,7 +49,7 @@ jobs: repositories: actions permission-contents: write - - uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4 + - uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 name: Update GitTools Actions with: token: ${{ steps.app-token.outputs.token }} diff --git a/.github/workflows/homebrew.yml b/.github/workflows/homebrew.yml index 3b29e6bbe5..990a39c9cd 100644 --- a/.github/workflows/homebrew.yml +++ b/.github/workflows/homebrew.yml @@ -35,7 +35,7 @@ jobs: with: op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} - - uses: mislav/bump-homebrew-formula-action@ccf2332299a883f6af50a1d2d41e5df7904dd769 # v4 + - uses: mislav/bump-homebrew-formula-action@ccf2332299a883f6af50a1d2d41e5df7904dd769 # v4.1 name: Bump Homebrew formula with: formula-name: gitversion diff --git a/.github/workflows/mkdocs.yml b/.github/workflows/mkdocs.yml index b6d969c99b..e3655e8975 100644 --- a/.github/workflows/mkdocs.yml +++ b/.github/workflows/mkdocs.yml @@ -35,7 +35,7 @@ jobs: fetch-depth: 1 - name: Setup .NET SDK - uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5 + uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5.4.0 with: global-json-file: global.json diff --git a/.github/workflows/new-cli.yml b/.github/workflows/new-cli.yml index 130e38b022..6c35ed3d31 100644 --- a/.github/workflows/new-cli.yml +++ b/.github/workflows/new-cli.yml @@ -41,10 +41,10 @@ jobs: name: Build & Test (new-cli) steps: - name: Checkout - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup .NET SDK - uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5 + uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5.4.0 with: global-json-file: global.json 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ad96d9f7a4..6f9da61f1a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,7 +11,7 @@ jobs: contents: write steps: - name: Checkout - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Get version id: get-version @@ -21,7 +21,7 @@ jobs: $TAG="${{ github.ref }}".Replace("refs/tags/", "") "tag=$TAG" >> $env:GITHUB_OUTPUT - - uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4 + - uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 with: token: ${{ github.token }} repository: ${{ github.repository }} diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 61408b3677..936df1a0f4 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -13,7 +13,7 @@ jobs: stale: runs-on: ubuntu-24.04 steps: - - uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10 + - uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10.3.0 with: operations-per-run: 100 # set 'stale' label
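Review bot: In `release.yml` (`@@ -21,7 +21,7 @@`), the context line `$TAG="${{ github.ref }}".Replace("refs/tags/", "")` expands the ref into the script text before PowerShell parses it, in a job that the first hunk shows holding `contents: write`. Tag names may contain characters that PowerShell interprets inside a double-quoted string, so the value should reach the script as data rather than as code: give the step `env:` with `REF_NAME: ${{ github.ref_name }}` and write `"tag=$env:REF_NAME" >> $env:GITHUB_OUTPUT`. The commit leaves this line untouched, and the step's opening lines fall between the two hunks, so its shell and existing keys need confirming before the edit.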