diff --git a/.github/renovate.json b/.github/renovate.json index e9dfa40077..7b12ac2b60 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -52,6 +52,12 @@ "matchPackageNames": ["python"], "matchCurrentVersion": "3.10.19", "allowedVersions": "<3.11" + }, + { + "matchDepTypes": [ + "action" + ], + "pinDigests": true } ] } diff --git a/.github/workflows/_build-img-nucliadb.yml b/.github/workflows/_build-img-nucliadb.yml index a21dbe47aa..82151e4f42 100644 --- a/.github/workflows/_build-img-nucliadb.yml +++ b/.github/workflows/_build-img-nucliadb.yml @@ -52,18 +52,18 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Generate a token id: app-token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: app-id: ${{ secrets.GHAPP_ID_NUCLIABOT }} private-key: ${{ secrets.PK_GHAPP_NUCLIABOT }} owner: nuclia - name: Checkout tooling repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: nuclia/tooling ref: main @@ -72,14 +72,14 @@ jobs: - name: Authenticate to Google Cloud id: gcp-auth - uses: google-github-actions/auth@v3 + uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 #v3 with: workload_identity_provider: "${{ env.GCP_WORKLOAD_IDENTITY_PROVIDER }}" service_account: "${{ env.GCP_SERVICE_ACCOUNT }}" token_format: access_token - name: Login to Google Artifact Registry - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 #v4.1.0 with: registry: europe-west4-docker.pkg.dev username: oauth2accesstoken diff --git a/.github/workflows/bd_sca_scanner.yaml b/.github/workflows/bd_sca_scanner.yaml index 3902399085..d8a0dea38e 100644 --- a/.github/workflows/bd_sca_scanner.yaml +++ b/.github/workflows/bd_sca_scanner.yaml 
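Review bot: The two version comments in the `@@ -72,14 +72,14 @@` hunk of `_build-img-nucliadb.yml` are written as `#v3` and `#v4.1.0`, and `#v3` does not name the exact release the digest stands for, while `deploy.yml` in this same commit records the identical `7c6bc770…` digest as `# v3.0.0`. As far as I know Renovate reads the trailing comment to decide which release a pinned digest corresponds to, so an abbreviated or differently formatted comment can leave this file tracking a different range than the others once the new `pinDigests` rule is active. I would write `uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0` and `uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0`. The same major-only comment pattern appears for `Swatinem/rust-cache … # v2` in every ci.yml hunk and for `mathieudutour/github-tag-action … # v6.2` in public_release.yml; recording the full release tag there keeps every pin auditable against one convention.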
@@ -19,7 +19,7 @@ jobs: cancel-in-progress: true steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Calculate detect-args for BD SCA Scan id: calculate-detect-args @@ -32,7 +32,7 @@ jobs: - name: Run Black Duck SCA PR Scan id: blackduck-pr-scan - uses: blackduck-inc/black-duck-security-scan@v2 + uses: blackduck-inc/black-duck-security-scan@659a0742e793a093377fab3117b0d90f23b04bfa # v2.9.0 env: DETECT_PROJECT_NAME: nuclia-nucliadb DETECT_PROJECT_GROUP_NAME: Nuclia diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml index 44f63915fb..c820ec4d2b 100644 --- a/.github/workflows/bump-version.yml +++ b/.github/workflows/bump-version.yml @@ -21,17 +21,17 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Generate a token id: app-token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: app-id: ${{ secrets.GHAPP_ID_NUCLIABOT }} private-key: ${{ secrets.PK_GHAPP_NUCLIABOT }} owner: nuclia - - uses: actions/checkout@master + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false fetch-depth: 0 
@@ -39,18 +39,18 @@ jobs: - run: python bump.py --sem=${{ inputs.semType }} - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.14.2" - name: Install uv - uses: astral-sh/setup-uv@v8.1.0 + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 # we update the lock to reflect the newly updated versions of our packages - name: Update uv.lock run: uv lock - name: Commit & Push changes - uses: actions-js/push@master + uses: actions-js/push@5a7cbd780d82c0c937b5977586e641b2fd94acc5 # v1.5 with: github_token: ${{ steps.app-token.outputs.token }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 619fdd02e8..0667a8b917 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,7 +20,7 @@ jobs: name: "nidx: Rust code Format" runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - run: rustup component add rustfmt - name: rustfmt run: cd nidx && cargo fmt --check --all @@ -29,13 +29,13 @@ jobs: name: "nidx: Clippy lint" runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - run: rustup component add clippy - - uses: Swatinem/rust-cache@v2 + - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 with: workspaces: nidx - name: Install Protoc - uses: arduino/setup-protoc@v3 + uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: clippy 
@@ -49,12 +49,12 @@ jobs: needs: - build-virtual-env steps: - - uses: actions/checkout@v6 - - uses: actions/setup-python@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.14.2" - name: Restore venv - uses: actions/cache/restore@v5 + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: .venv key: venv-${{ github.sha }} @@ -72,23 +72,23 @@ jobs: name: "Pre-checks: Python lint 3.10" runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v6 - - uses: Swatinem/rust-cache@v2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 with: workspaces: nidx - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.10.19" - name: Install uv - uses: astral-sh/setup-uv@v8.1.0 + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 # Needed for nidx_protos (rust) - name: Install Protoc - uses: arduino/setup-protoc@v3 + uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Install venv - uses: nick-fields/retry@v4 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: max_attempts: 2 retry_on: error @@ -119,10 +119,10 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install Helm - uses: azure/setup-helm@v5 + uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0 with: version: v3.15.3 
@@ -135,12 +135,12 @@ jobs: name: Check Licenses runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Check License Header - uses: apache/skywalking-eyes/header@v0.8.0 + uses: apache/skywalking-eyes/header@61275cc80d0798a405cb070f7d3a8aaf7cf2c2c1 # v0.8.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - uses: EmbarkStudios/cargo-deny-action@v2 + - uses: EmbarkStudios/cargo-deny-action@6c8f9facfa5047ec02d8485b6bf52b587b7777d1 # v2.0.18 name: cargo deny with: log-level: warn @@ -152,13 +152,13 @@ jobs: needs: - build-virtual-env steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.14.2" - name: Restore venv - uses: actions/cache/restore@v5 + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: .venv key: venv-${{ github.sha }} @@ -182,13 +182,13 @@ jobs: --health-timeout 5s --health-retries 10 steps: - - uses: actions/checkout@v6 - - uses: Swatinem/rust-cache@v2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 with: workspaces: nidx cache-all-crates: true # To cache cargo-llvm-cov - name: Install Protoc - uses: arduino/setup-protoc@v3 + uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Install cargo-llvm-cov and nextest 
@@ -199,7 +199,7 @@ jobs: SQLX_OFFLINE: true run: cd nidx && cargo llvm-cov --codecov --output-path codecov.json nextest --workspace --all-features - name: Upload coverage to Codecov - uses: codecov/codecov-action@v6 + uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0 with: file: ./nidx/codecov.json flags: nidx @@ -211,18 +211,18 @@ jobs: name: Build nidx binary runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v6 - - uses: Swatinem/rust-cache@v2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 with: workspaces: nidx - name: Install Protoc - uses: arduino/setup-protoc@v3 + uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Compile run: cd nidx && cargo build --release - name: Upload binaries to cache - uses: actions/cache/save@v5 + uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: "nidx/target/release/nidx" key: nidx-bin-${{ github.sha }} 
@@ -231,34 +231,34 @@ jobs: name: Build virtual environment runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v6 - - uses: Swatinem/rust-cache@v2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 with: workspaces: nidx - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.14.2" - name: Install uv - uses: astral-sh/setup-uv@v8.1.0 + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 - name: Check uv.lock run: uv lock --check # Needed for nidx_protos (rust) - name: Install Protoc - uses: arduino/setup-protoc@v3 + uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Install venv - uses: nick-fields/retry@v4 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: max_attempts: 2 retry_on: error timeout_minutes: 20 command: uv sync --no-editable - name: Upload virtualenv to cache - uses: actions/cache/save@v5 + uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: .venv key: venv-${{ github.sha }} 
@@ -271,19 +271,19 @@ jobs: - build-nidx-binary - build-virtual-env steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.14.2" - name: Restore venv - uses: actions/cache/restore@v5 + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: .venv key: venv-${{ github.sha }} fail-on-cache-miss: true - name: Restore nidx binary - uses: actions/cache/restore@v5 + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: "nidx/target/release/nidx" key: nidx-bin-${{ github.sha }} @@ -296,7 +296,7 @@ jobs: run: source .venv/bin/activate && make -C nucliadb test-cov-search - name: Upload coverage to Codecov - uses: codecov/codecov-action@v6 + uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0 with: file: ./nucliadb/coverage.xml flags: nucliadb-search @@ -328,15 +328,15 @@ jobs: steps: - name: Checkout the repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.14.2" - name: Restore venv - uses: actions/cache/restore@v5 + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: .venv key: venv-${{ github.sha }} @@ -351,7 +351,7 @@ jobs: make -C nucliadb test-cov-nucliadb pytest_extra_flags="--shard-id=${{ matrix.shard }} --num-shards=3 --lf" - name: Upload coverage to Codecov - uses: codecov/codecov-action@v6 + uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0 with: file: ./nucliadb/coverage.xml flags: nucliadb 
@@ -375,15 +375,15 @@ jobs: steps: - name: Checkout the repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.14.2" - name: Restore venv - uses: actions/cache/restore@v5 + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: .venv key: venv-${{ github.sha }} @@ -393,7 +393,7 @@ jobs: run: source .venv/bin/activate && make -C nucliadb test-cov-${{ matrix.component }} - name: Upload coverage to Codecov - uses: codecov/codecov-action@v6 + uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0 with: file: ./nucliadb/coverage.xml flags: nucliadb-${{ matrix.component }} @@ -417,15 +417,15 @@ jobs: steps: - name: Checkout the repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.14.2" - name: Restore venv - uses: actions/cache/restore@v5 + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: .venv key: venv-${{ github.sha }} @@ -435,7 +435,7 @@ jobs: run: source .venv/bin/activate && make -C ${{ matrix.package }} test-cov - name: Upload coverage to Codecov - uses: codecov/codecov-action@v6 + uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0 with: file: ./${{ matrix.package }}/coverage.xml flags: ${{ matrix.package }} diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 3d8a7e033a..bafb3a0d39 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
@@ -32,7 +32,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Calculate short sha id: env-vars @@ -68,17 +68,17 @@ jobs: steps: - name: Generate a token id: app-token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: app-id: ${{ secrets.GHAPP_ID_NUCLIABOT }} private-key: ${{ secrets.PK_GHAPP_NUCLIABOT }} owner: nuclia - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Checkout tooling repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: nuclia/tooling ref: main @@ -87,14 +87,14 @@ jobs: - name: Authenticate to Google Cloud id: gcp-auth - uses: google-github-actions/auth@v3 + uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 with: workload_identity_provider: "${{ env.GCP_WORKLOAD_IDENTITY_PROVIDER }}" service_account: "${{ env.GCP_SERVICE_ACCOUNT }}" token_format: access_token - name: Login to Google Artifact Registry - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: europe-west4-docker.pkg.dev username: oauth2accesstoken 
@@ -141,17 +141,17 @@ jobs: steps: - name: Generate a token id: app-token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: app-id: ${{ secrets.GHAPP_ID_NUCLIABOT }} private-key: ${{ secrets.PK_GHAPP_NUCLIABOT }} owner: nuclia - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Checkout tooling repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: nuclia/tooling ref: main @@ -160,14 +160,14 @@ jobs: - name: Authenticate to Google Cloud id: gcp-auth - uses: google-github-actions/auth@v3 + uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 with: workload_identity_provider: "${{ env.GCP_WORKLOAD_IDENTITY_PROVIDER }}" service_account: "${{ env.GCP_SERVICE_ACCOUNT }}" token_format: access_token - name: Login to Google Artifact Registry - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: europe-west4-docker.pkg.dev username: oauth2accesstoken @@ -208,17 +208,17 @@ jobs: steps: - name: Generate a token id: app-token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: app-id: ${{ secrets.GHAPP_ID_NUCLIABOT }} private-key: ${{ secrets.PK_GHAPP_NUCLIABOT }} owner: nuclia - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Checkout tooling repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: nuclia/tooling ref: main 
@@ -227,14 +227,14 @@ jobs: - name: Authenticate to Google Cloud id: gcp-auth - uses: google-github-actions/auth@v3 + uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 with: workload_identity_provider: "${{ env.GCP_WORKLOAD_IDENTITY_PROVIDER }}" service_account: "${{ env.GCP_SERVICE_ACCOUNT }}" token_format: access_token - name: Login to Google Artifact Registry - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: europe-west4-docker.pkg.dev username: oauth2accesstoken @@ -275,7 +275,7 @@ jobs: steps: - name: Generate a token id: app-token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: app-id: ${{ secrets.GHAPP_ID_NUCLIABOT }} private-key: ${{ secrets.PK_GHAPP_NUCLIABOT }} @@ -283,7 +283,7 @@ jobs: - name: Send to promotion queue id: send-to-promo - uses: peter-evans/repository-dispatch@v4 + uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 with: token: ${{ steps.app-token.outputs.token }} repository: nuclia/core-apps diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index 516cf56849..48a8536d4f 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -24,7 +24,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Ubuntu # see if this is affecting microk8s 
@@ -32,14 +32,14 @@ jobs: sudo ufw disable sudo iptables -P FORWARD ACCEPT - - uses: balchua/microk8s-actions@v0.4.3 + - uses: balchua/microk8s-actions@13f73436011eb4925c22526f64fb3ecdd81289a9 # v0.4.3 with: channel: "1.33/stable" devMode: "true" addons: '["dns", "rbac", "hostpath-storage", "registry", "helm", "storage"]' - name: "Set up Helm" - uses: azure/setup-helm@v5 + uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0 - name: Install PostgreSQL with Helm run: | @@ -117,7 +117,7 @@ jobs: exit 1) - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: 3.14.2 cache: "pip" diff --git a/.github/workflows/nidx_binding_release.yml b/.github/workflows/nidx_binding_release.yml index 55de9ee934..980f6ff89c 100644 --- a/.github/workflows/nidx_binding_release.yml +++ b/.github/workflows/nidx_binding_release.yml @@ -34,10 +34,10 @@ jobs: runs-on: ${{ matrix.os }}-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: set up python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.14.2" architecture: ${{ matrix.python-architecture || 'x64' }} @@ -58,13 +58,13 @@ jobs: # Run the source distribution once, as part of any platform - name: build sdist if: ${{ matrix.os == 'ubuntu' && matrix.target == 'x86_64' }} - uses: messense/maturin-action@v1 + uses: messense/maturin-action@e83996d129638aa358a18fbd1dfb82f0b0fb5d3b # v1.51.0 with: command: sdist args: -m nidx/nidx_binding/Cargo.toml --out dist - name: build wheels - uses: messense/maturin-action@v1 + uses: messense/maturin-action@e83996d129638aa358a18fbd1dfb82f0b0fb5d3b # v1.51.0 with: before-script-linux: scripts/install-protoc.sh target: ${{ matrix.target }} 
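Review bot: `messense/maturin-action` in the `@@ -58,13 +58,13 @@` hunk of nidx_binding_release.yml is pinned under its old owner; I believe the project now lives under the `PyO3` organisation and the old path only resolves through a repository redirect. A digest pin keeps working through the redirect, but digest-update tooling and anyone auditing the pin will be looking at a repository name that no longer matches where releases are cut. If that is confirmed, reference the current repository for both the sdist and the wheels step, e.g. `uses: PyO3/maturin-action@e83996d129638aa358a18fbd1dfb82f0b0fb5d3b # v1.51.0`, since the commit object is the same.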
@@ -75,7 +75,7 @@ jobs: - run: twine check dist/* - - uses: actions/upload-artifact@v7 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: pypi_files-${{ matrix.os }}-${{ matrix.target }} path: dist @@ -86,10 +86,10 @@ jobs: runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: get dist artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: pypi_files-* merge-multiple: true @@ -104,17 +104,17 @@ jobs: if: github.event_name == 'push' steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: set up python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.14.2" - run: pip install -U twine - name: get dist artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: pypi_files-* merge-multiple: true diff --git a/.github/workflows/osv_scanner.yml b/.github/workflows/osv_scanner.yml index da26431627..c07ad4cd41 100644 --- a/.github/workflows/osv_scanner.yml +++ b/.github/workflows/osv_scanner.yml @@ -13,7 +13,7 @@ permissions: jobs: scan-scheduled: - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.8" + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@9a498708959aeaef5ef730655706c5a1df1edbc2" # v2.3.8 with: scan-args: |- nidx/Cargo.lock diff --git a/.github/workflows/polaris.yaml b/.github/workflows/polaris.yaml index 2f63c9a869..4bd6d5f1bd 100644 --- a/.github/workflows/polaris.yaml +++ b/.github/workflows/polaris.yaml 
@@ -16,13 +16,13 @@ jobs: checks: write steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: fetch-depth: 0 - name: Run Polaris PR Scan id: polaris-pr-scan - uses: blackduck-inc/black-duck-security-scan@v2 + uses: blackduck-inc/black-duck-security-scan@659a0742e793a093377fab3117b0d90f23b04bfa # v2.9.0 with: polaris_server_url: 'https://polaris.blackduck.com' polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }} diff --git a/.github/workflows/public_release.yml b/.github/workflows/public_release.yml index 0c09939c26..64568661c6 100644 --- a/.github/workflows/public_release.yml +++ b/.github/workflows/public_release.yml @@ -29,7 +29,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Calculate short sha id: env-vars 
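Review bot: polaris.yaml keeps `actions/checkout` on v5 (`93cb6efe… # v5.0.1`) in the `@@ -16,13 +16,13 @@` hunk while every other workflow in this commit is pinned to `de0fac2e… # v6.0.2`. Pinning the old major is safe, but it leaves one workflow a major behind and will surface as a separate Renovate update later; aligning it now is a one-line change, `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`. The `with: fetch-depth: 0` below it is unaffected by the major bump as far as the visible lines show.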
@@ -46,27 +46,27 @@ jobs: echo "hash=$HASH" >> $GITHUB_OUTPUT - name: Update nucliadb image version - uses: mikefarah/yq@master + uses: mikefarah/yq@751d8ad57b84f1794661bc70c0afb92a22ad7b3c # v4.53.2 with: cmd: yq -i '.imageVersion = "${{ steps.version_step.outputs.hash }}"' 'charts/nucliadb/values.yaml' - name: Update nidx image version - uses: mikefarah/yq@master + uses: mikefarah/yq@751d8ad57b84f1794661bc70c0afb92a22ad7b3c # v4.53.2 with: cmd: yq -i '.nidx.imageVersion = "${{ steps.version_step.outputs.hash }}"' 'charts/nucliadb/values.yaml' - name: Set chart version - uses: mikefarah/yq@master + uses: mikefarah/yq@751d8ad57b84f1794661bc70c0afb92a22ad7b3c # v4.53.2 with: cmd: yq -i '.version = "${{ steps.version_step.outputs.version_number }}"' 'charts/nucliadb/Chart.yaml' - name: Set chart app version - uses: mikefarah/yq@master + uses: mikefarah/yq@751d8ad57b84f1794661bc70c0afb92a22ad7b3c # v4.53.2 with: cmd: yq -i '.appVersion = "${{ steps.version_step.outputs.version_number }}"' 'charts/nucliadb/Chart.yaml' - name: Install Helm - uses: azure/setup-helm@v5 + uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0 with: version: v3.15.3 @@ -77,14 +77,14 @@ jobs: - name: Bump version and push tag id: tag_version - uses: mathieudutour/github-tag-action@v6.2 + uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2 with: github_token: ${{ secrets.GITHUB_TOKEN }} custom_tag: ${{ steps.version_step.outputs.version_number }} - name: Create Release id: create_release - uses: actions/create-release@v1 + uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -95,7 +95,7 @@ jobs: - name: Upload Release Asset id: upload-release-asset - uses: actions/upload-release-asset@v1 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: 
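Review bot: `actions/create-release` (hunk `@@ -77,14 +77,14 @@`) and `actions/upload-release-asset` (hunk `@@ -95,7 +95,7 @@`) in public_release.yml are now digest-pinned, but as far as I know both upstream repositories are archived, so the pin freezes code that will not receive fixes and the new `pinDigests` rule will never find anything to move them to. The pin is still the right immediate step; the follow-up is to replace both steps with the GitHub CLI that is preinstalled on GitHub-hosted runners, e.g. `run: gh release create "<tag>" --title "<tag>" --notes "<notes>" <asset-path>` with `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` (placeholders in angle brackets). Both steps' `with:` blocks continue outside the hunk, so the tag, release fields and asset name to carry over are not visible here.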
@@ -111,10 +111,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Login to DockerHub - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} @@ -149,24 +149,24 @@ jobs: steps: - name: Generate a token id: app-token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: app-id: ${{ secrets.GHAPP_ID_NUCLIABOT }} private-key: ${{ secrets.PK_GHAPP_NUCLIABOT }} owner: nuclia - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.14.2" - name: Install uv - uses: astral-sh/setup-uv@v8.1.0 + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 # Needed for nidx_protos (rust) - name: Install Protoc - uses: arduino/setup-protoc@v3 + uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} @@ -174,7 +174,7 @@ jobs: run: uv sync --no-editable --no-group nidx - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v6 + uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1 with: role-to-assume: ${{ secrets.AWS_DOCS_SYNC_ROLE }} aws-region: ${{ secrets.AWS_DOCS_SYNC_REGION }} 
@@ -191,7 +191,7 @@ jobs: aws s3 cp /tmp/openapi/nucliadb-search.json s3://nuclia-docs-aws-global-stage-1/api/nucliadb/v$API_VERSION/nucliadb-search/spec.json - name: Trigger doc update - uses: peter-evans/repository-dispatch@v4 + uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 with: token: ${{ steps.app-token.outputs.token }} repository: nuclia/docs diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7af1299e91..e3444b38a5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,15 +20,15 @@ jobs: steps: - name: Generate a token id: app-token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: app-id: ${{ secrets.GHAPP_ID_NUCLIABOT }} private-key: ${{ secrets.PK_GHAPP_NUCLIABOT }} owner: nuclia - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: 3.14.2 @@ -38,7 +38,7 @@ jobs: pip install -U twine - name: Install Protoc - uses: arduino/setup-protoc@v3 + uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} @@ -46,7 +46,7 @@ jobs: run: | python bump.py --build=${{github.run_number}} - - uses: dorny/paths-filter@v4 + - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: component_changes with: filters: | 
@@ -106,21 +106,21 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up QEMU - uses: docker/setup-qemu-action@v4 + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 # We need to setup buildx to be able to cache with gha - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 with: buildkitd-config-inline: | [registry."docker.io"] mirrors = ["mirror.gcr.io"] - name: Login to DockerHub - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} @@ -137,7 +137,7 @@ jobs: - id: build name: Build and push - uses: docker/build-push-action@v7 + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 with: context: . file: ${{ matrix.image.dockerfile }} @@ -151,7 +151,7 @@ jobs: run: echo "${{ steps.build.outputs.digest }}" > /tmp/digest-${{ matrix.image.name }}-${{ matrix.arch.tag }} - name: Upload digest - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: digests-${{ matrix.image.name }}-${{ matrix.arch.tag }} path: /tmp/digest-${{ matrix.image.name }}-${{ matrix.arch.tag }} @@ -169,7 +169,7 @@ jobs: - nidx steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Get release version id: version_step 
@@ -182,20 +182,20 @@ jobs: echo "hash=$HASH" >> $GITHUB_OUTPUT - name: Download digests - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: /tmp/digests pattern: digests-${{ matrix.image }}-* merge-multiple: true - name: Login to DockerHub - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 with: buildkitd-config-inline: | [registry."docker.io"] @@ -218,25 +218,25 @@ jobs: steps: - name: Generate a token id: app-token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: app-id: ${{ secrets.GHAPP_ID_NUCLIABOT }} private-key: ${{ secrets.PK_GHAPP_NUCLIABOT }} owner: nuclia - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Authenticate to Google Cloud id: gcp-auth - uses: google-github-actions/auth@v3 + uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 with: workload_identity_provider: "${{ env.GCP_WORKLOAD_IDENTITY_PROVIDER }}" service_account: "${{ env.GCP_SERVICE_ACCOUNT }}" token_format: access_token - name: Login to Google Artifact Registry - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: europe-west4-docker.pkg.dev username: oauth2accesstoken @@ -271,7 +271,7 @@ jobs: git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - name: Install Helm - uses: azure/setup-helm@v5 + uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0 with: version: v3.15.3 
@@ -283,7 +283,7 @@ jobs: - name: Send to promotion queue id: send-to-promo - uses: peter-evans/repository-dispatch@v4 + uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 with: token: ${{ steps.app-token.outputs.token }} repository: nuclia/core-apps diff --git a/.github/workflows/trufflehog.yaml b/.github/workflows/trufflehog.yaml index 33d10ae11a..34b540c61b 100644 --- a/.github/workflows/trufflehog.yaml +++ b/.github/workflows/trufflehog.yaml @@ -10,11 +10,11 @@ jobs: runs-on: nuclia-base steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: TruffleHog - uses: trufflesecurity/trufflehog@main + uses: trufflesecurity/trufflehog@37b77001d0174ebec2fcca2bd83ff83a6d45a3ab # v3.95.3 with: extra_args: --results=verified,unknown \ No newline at end of file