ci(workflows-fix): Determinism checks failing python setup for debian (cp #23350) (#23882)

Signed-off-by: Roger Barker <roger.barker@swirldslabs.com>

Author: rbarker-dev

.github/workflows/flow-artifact-determinism.yaml

@@ -72,5 +72,6 @@ jobs:
       java-distribution: ${{ inputs.java-distribution || 'temurin' }}
       java-version: ${{ inputs.java-version || '21.0.6' }}
     secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}
       gradle-cache-username: ${{ secrets.GRADLE_CACHE_USERNAME }}
       gradle-cache-password: ${{ secrets.GRADLE_CACHE_PASSWORD }}

.github/workflows/zxc-mats-tests.yaml

@@ -279,6 +279,7 @@ jobs:
       java-version: ${{ inputs.java-version || '21.0.6' }}
       java-distribution: ${{ inputs.java-distribution || 'temurin' }}
     secrets:
+      github-token: ${{ secrets.access-token }}
       gradle-cache-username: ${{ secrets.gradle-cache-username }}
       gradle-cache-password: ${{ secrets.gradle-cache-password }}
 
@@ -294,6 +295,7 @@ jobs:
       java-version: ${{ inputs.java-version || '21.0.6' }}
       java-distribution: ${{ inputs.java-distribution || 'temurin' }}
     secrets:
+      github-token: ${{ secrets.access-token }}
       gradle-cache-username: ${{ secrets.gradle-cache-username }}
       gradle-cache-password: ${{ secrets.gradle-cache-password }}
 

.github/workflows/zxc-verify-docker-build-determinism.yaml

@@ -20,6 +20,9 @@ on:
         default: "21.0.6"
 
     secrets:
+      github-token:
+        description: "GitHub Token with permissions to checkout the repository."
+        required: true
       gradle-cache-username:
         description: "The username used to authenticate with the Gradle Build Cache Node."
         required: true
@@ -58,15 +61,18 @@ jobs:
       name: ${{ steps.baseline.outputs.name }}
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout Code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Prepare Job
+        uses: pandaswhocode/initialize-github-job@a57cd6d8d768b2f3c95334bdd4fa8c21609fc651 # v1.0.5
         with:
-          ref: ${{ inputs.ref }}
+          checkout: "true"
+          checkout-ref: "${{ inputs.ref }}"
+          checkout-token: "${{ secrets.github-token }}"
+          checkout-fetch-depth: "1"
+          setup-java: "true"
+          java-distribution: "${{ inputs.java-distribution }}"
+          java-version: "${{ inputs.java-version }}"
+          setup-gradle: "true"
+          gradle-cache-read-only: "false"
 
       - name: Authenticate to Google Cloud
         id: google-auth
@@ -102,19 +108,6 @@ jobs:
           echo "name=${BASELINE_NAME}" >> "${GITHUB_OUTPUT}"
           echo "file=${BASELINE_FILE}" >> "${GITHUB_OUTPUT}"
 
-      - name: Setup Java
-        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
-        if: ${{ steps.baseline.outputs.exists == 'false' && !failure() && !cancelled() }}
-        with:
-          distribution: ${{ inputs.java-distribution }}
-          java-version: ${{ inputs.java-version }}
-
-      - name: Setup Gradle
-        uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
-        if: ${{ steps.baseline.outputs.exists == 'false' && !failure() && !cancelled() }}
-        with:
-          cache-disabled: true
-
       - name: Install Skopeo and JQ
         if: ${{ steps.baseline.outputs.exists == 'false' && !failure() && !cancelled() }}
         run: |
@@ -224,25 +217,35 @@ jobs:
           - hl-cn-docker-determinism-lin-u24-lg
           - hl-cn-docker-determinism-lin-d12-lg
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
       - name: Standardize Git Line Endings
         run: |
           git config --global core.autocrlf false
           git config --global core.eol lf
 
-      - name: Checkout Code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Prepare Job
+        uses: pandaswhocode/initialize-github-job@a57cd6d8d768b2f3c95334bdd4fa8c21609fc651 # v1.0.5
         with:
-          ref: ${{ inputs.ref }}
+          checkout: "true"
+          checkout-ref: "${{ inputs.ref }}"
+          checkout-token: "${{ secrets.github-token }}"
+          checkout-fetch-depth: "1"
+          setup-java: "true"
+          java-distribution: "${{ inputs.java-distribution }}"
+          java-version: "${{ inputs.java-version }}"
+          setup-gradle: "true"
+          gradle-cache-read-only: "false"
+
+      - name: Install Python (Linux)
+        if: ${{ runner.os == 'Linux' }}
+        run: |
+          sudo apt-get update
+          sudo apt-get install --yes --no-install-recommends python3 python3-venv python3-pip
 
-      - name: Setup Python
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      - name: Install Python
+        if: ${{ runner.os != 'Linux' }}
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
-          python-version: 3.9
+          python-version: "3.12"
 
       - name: Install JQ (Linux)
         if: ${{ runner.os == 'Linux' }}

.github/workflows/zxc-verify-gradle-build-determinism.yaml

@@ -20,6 +20,9 @@ on:
         default: "21.0.6"
 
     secrets:
+      github-token:
+        description: "GitHub Token with permissions to checkout the repository."
+        required: true
       gradle-cache-username:
         description: "The username used to authenticate with the Gradle Build Cache Node."
         required: true
@@ -52,26 +55,18 @@ jobs:
       file: ${{ steps.baseline.outputs.file }}
       name: ${{ steps.baseline.outputs.name }}
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout Code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.ref }}
-
-      - name: Setup Java
-        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
-        with:
-          distribution: ${{ inputs.java-distribution }}
-          java-version: ${{ inputs.java-version }}
-
-      - name: Setup Gradle
-        uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
+      - name: Prepare Job
+        uses: pandaswhocode/initialize-github-job@a57cd6d8d768b2f3c95334bdd4fa8c21609fc651 # v1.0.5
         with:
-          cache-disabled: true
+          checkout: "true"
+          checkout-ref: "${{ inputs.ref }}"
+          checkout-token: "${{ secrets.github-token }}"
+          checkout-fetch-depth: "1"
+          setup-java: "true"
+          java-distribution: "${{ inputs.java-distribution }}"
+          java-version: "${{ inputs.java-version }}"
+          setup-gradle: "true"
+          gradle-cache-read-only: "false"
 
       - name: Authenticate to Google Cloud
         id: google-auth
@@ -121,7 +116,7 @@ jobs:
         run: gsutil cp "${{ steps.manifest.outputs.file }}" "${{ steps.baseline.outputs.file }}"
 
   generate-matrix:
-    name: "Generate OS Matrix for Determinism Verification"
+    name: "Gradle: Generate OS Matrix"
     runs-on: hl-cn-gradle-determinism-lin-ss
     outputs:
       os-matrix: ${{ steps.set-matrix.outputs.os-matrix }}
@@ -182,36 +177,35 @@ jobs:
       fail-fast: false
       matrix: ${{ fromJSON(needs.generate-matrix.outputs.os-matrix) }}
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
       - name: Standardize Git Line Endings
         run: |
           git config --global core.autocrlf false
           git config --global core.eol lf
 
-      - name: Checkout Code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Prepare Job
+        uses: pandaswhocode/initialize-github-job@a57cd6d8d768b2f3c95334bdd4fa8c21609fc651 # v1.0.5
         with:
-          ref: ${{ inputs.ref }}
-
-      - name: Setup Python
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
-        with:
-          python-version: 3.9
-
-      - name: Setup Java
-        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
-        with:
-          distribution: ${{ inputs.java-distribution }}
-          java-version: ${{ inputs.java-version }}
+          checkout: "true"
+          checkout-ref: "${{ inputs.ref }}"
+          checkout-token: "${{ secrets.github-token }}"
+          checkout-fetch-depth: "1"
+          setup-java: "true"
+          java-distribution: "${{ inputs.java-distribution }}"
+          java-version: "${{ inputs.java-version }}"
+          setup-gradle: "true"
+          gradle-cache-read-only: "false"
+
+      - name: Install Python (Linux)
+        if: ${{ runner.os == 'Linux' }}
+        run: |
+          sudo apt-get update
+          sudo apt-get install --yes --no-install-recommends python3 python3-venv python3-pip
 
-      - name: Setup Gradle
-        uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
+      - name: Install Python
+        if: ${{ runner.os != 'Linux' }}
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
-          cache-disabled: true
+          python-version: "3.12"
 
       - name: Setup CoreUtils (macOS)
         if: ${{ runner.os == 'macOS' }}