diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 626117aa..35fefdb4 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -34,13 +34,13 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11 + uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} queries: security-extended - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11 + uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 59e60d36..eda00951 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -18,11 +18,11 @@ jobs: with: persist-credentials: false - name: Set up Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version-file: ".python-version" - name: Install uv - uses: astral-sh/setup-uv@4959332f0f014c5280e7eac8b70c90cb574c9f9b # v6.6.0 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 - name: Install dependencies run: | uv sync --locked --extra docs diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml index 70ba102b..fb79bdb8 100644 --- a/.github/workflows/pr-labeler.yml +++ b/.github/workflows/pr-labeler.yml @@ -15,6 +15,6 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: - - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 + - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/pre_commit.yml b/.github/workflows/pre_commit.yml index 66ede247..a2154ea8 100644 --- a/.github/workflows/pre_commit.yml +++ b/.github/workflows/pre_commit.yml @@ -22,15 +22,15 @@ jobs: with: persist-credentials: false - name: Set up Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version-file: ".python-version" - name: Set up Node.js - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: 22 - name: Install uv - uses: astral-sh/setup-uv@4959332f0f014c5280e7eac8b70c90cb574c9f9b # v6.6.0 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 - name: Install dependencies run: | uv sync --locked --all-extras @@ -45,11 +45,11 @@ jobs: with: persist-credentials: false - name: Set up Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version-file: ".python-version" - name: Install uv - uses: astral-sh/setup-uv@4959332f0f014c5280e7eac8b70c90cb574c9f9b # v6.6.0 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 - name: Install dependencies run: | uv sync --locked --extra tests --extra ovms diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index aa2fe8c6..61f62073 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -17,7 +17,7 @@ jobs: with: persist-credentials: false - name: Set up Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version-file: ".python-version" - name: Install pypa/build @@ -71,10 +71,10 @@ jobs: file_glob: true - name: Publish package distributions to PyPI if: ${{ steps.check-tag.outputs.match != '' }} - uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 - name: Publish package distributions to TestPyPI if: ${{ steps.check-tag.outputs.match == '' }} - uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 with: repository-url: https://test.pypi.org/legacy/ verbose: true diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index d94b1a91..7dacda66 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -66,13 +66,13 @@ jobs: - name: Get token id: get-github-app-token - uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1 + uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 with: app-id: ${{ secrets.RENOVATE_APP_ID }} private-key: ${{ secrets.RENOVATE_APP_PEM }} - name: Self-hosted Renovate - uses: renovatebot/github-action@a447f09147d00e00ae2a82ad5ef51ca89352da80 # v43.0.9 + uses: renovatebot/github-action@2d941ef4e268e53affdc1f11365c69a73e544f50 # v43.0.14 with: configurationFile: .github/renovate.json5 token: "${{ steps.get-github-app-token.outputs.token }}" diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 37c844e3..fba1ce1a 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -27,7 +27,7 @@ jobs: persist-credentials: false - name: Run analysis - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 + uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 with: results_file: results.sarif results_format: sarif @@ -35,6 +35,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard - name: Upload to code-scanning - uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11 + uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5 with: sarif_file: results.sarif diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index c583adbc..70699d74 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -24,7 +24,7 @@ jobs: with: persist-credentials: false - name: Run Zizmor scan - uses: open-edge-platform/geti-ci/actions/zizmor@353d464dd966cc07ce9c5109e70c12c17fb60942 + uses: open-edge-platform/geti-ci/actions/zizmor@c2bb2697178bb2e50014420aef2351a45749b925 with: scan-scope: "all" severity-level: "LOW" @@ -42,7 +42,7 @@ jobs: with: persist-credentials: false - name: Run Bandit scan - uses: open-edge-platform/geti-ci/actions/bandit@353d464dd966cc07ce9c5109e70c12c17fb60942 + uses: open-edge-platform/geti-ci/actions/bandit@c2bb2697178bb2e50014420aef2351a45749b925 with: scan-scope: "all" severity-level: "LOW" @@ -62,7 +62,7 @@ jobs: persist-credentials: false - name: Run Trivy scan id: trivy - uses: open-edge-platform/geti-ci/actions/trivy@353d464dd966cc07ce9c5109e70c12c17fb60942 + uses: open-edge-platform/geti-ci/actions/trivy@c2bb2697178bb2e50014420aef2351a45749b925 with: scan_type: "fs" scan-scope: all @@ -84,7 +84,7 @@ jobs: persist-credentials: false - name: Run Semgrep scan id: semgrep - uses: open-edge-platform/geti-ci/actions/semgrep@353d464dd966cc07ce9c5109e70c12c17fb60942 + uses: open-edge-platform/geti-ci/actions/semgrep@c2bb2697178bb2e50014420aef2351a45749b925 with: scan-scope: "all" severity: "LOW" diff --git a/.github/workflows/test_accuracy.yml b/.github/workflows/test_accuracy.yml index b0bc7fc2..d80c2ce5 100644 --- a/.github/workflows/test_accuracy.yml +++ b/.github/workflows/test_accuracy.yml @@ -15,11 +15,11 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version-file: ".python-version" - name: Install uv - uses: astral-sh/setup-uv@4959332f0f014c5280e7eac8b70c90cb574c9f9b # v6.6.0 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 - name: Install dependencies run: | uv sync --locked --extra tests --extra-index-url https://download.pytorch.org/whl/cpu diff --git a/.github/workflows/test_precommit.yml b/.github/workflows/test_precommit.yml index aa5d727c..5fd492aa 100644 --- a/.github/workflows/test_precommit.yml +++ b/.github/workflows/test_precommit.yml @@ -17,11 +17,11 @@ jobs: with: persist-credentials: false - name: Set up Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version-file: ".python-version" - name: Install uv - uses: astral-sh/setup-uv@4959332f0f014c5280e7eac8b70c90cb574c9f9b # v6.6.0 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 - name: Install dependencies run: | uv sync --locked --extra tests --extra ovms --extra-index-url https://download.pytorch.org/whl/cpu @@ -47,11 +47,11 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ matrix.python-version }} - name: Install uv - uses: astral-sh/setup-uv@4959332f0f014c5280e7eac8b70c90cb574c9f9b # v6.6.0 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 - name: serving_api run: | uv sync --locked --extra tests --extra ovms @@ -69,7 +69,7 @@ jobs: with: persist-credentials: false - name: Run Zizmor scan - uses: open-edge-platform/geti-ci/actions/zizmor@353d464dd966cc07ce9c5109e70c12c17fb60942 + uses: open-edge-platform/geti-ci/actions/zizmor@c2bb2697178bb2e50014420aef2351a45749b925 with: scan-scope: "changed" severity-level: "LOW" @@ -85,7 +85,7 @@ jobs: with: persist-credentials: false - name: Run Bandit scan - uses: open-edge-platform/geti-ci/actions/bandit@353d464dd966cc07ce9c5109e70c12c17fb60942 + uses: open-edge-platform/geti-ci/actions/bandit@c2bb2697178bb2e50014420aef2351a45749b925 with: scan-scope: "changed" severity-level: "LOW" @@ -103,7 +103,7 @@ jobs: with: persist-credentials: false - name: Run Bandit scan - uses: open-edge-platform/geti-ci/actions/semgrep@353d464dd966cc07ce9c5109e70c12c17fb60942 + uses: open-edge-platform/geti-ci/actions/semgrep@c2bb2697178bb2e50014420aef2351a45749b925 with: scan-scope: "changed" severity: "LOW"