oracle
diff --git a/‎.github/actions/downstream-test/action.yml‎
Lines changed: 11 additions & 9 deletions b/‎.github/actions/downstream-test/action.yml‎
Lines changed: 11 additions & 9 deletions
diff --git a/‎.github/scripts/set-export‎
Lines changed: 41 additions & 3 deletions b/‎.github/scripts/set-export‎
Lines changed: 41 additions & 3 deletions
diff --git a/‎.github/workflows/_downstream-test-common.yml‎
Lines changed: 6 additions & 3 deletions b/‎.github/workflows/_downstream-test-common.yml‎
Lines changed: 6 additions & 3 deletions
diff --git a/‎.github/workflows/_downstream-test-oracledb.yml‎
Lines changed: 17 additions & 14 deletions b/‎.github/workflows/_downstream-test-oracledb.yml‎
Lines changed: 17 additions & 14 deletions
diff --git a/‎.github/workflows/build-website.yml‎
Lines changed: 4 additions & 4 deletions b/‎.github/workflows/build-website.yml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎.github/workflows/build-wheels.yml‎
Lines changed: 11 additions & 6 deletions b/‎.github/workflows/build-wheels.yml‎
Lines changed: 11 additions & 6 deletions
diff --git a/‎.github/workflows/ci-matrix-gen.yml‎
Lines changed: 12 additions & 8 deletions b/‎.github/workflows/ci-matrix-gen.yml‎
Lines changed: 12 additions & 8 deletions
@@ -23,6 +23,10 @@ inputs:
   arch:
     description: Architecture identifier (e.g. amd64/aarch64)
     required: true
+  github_token:
+    description: Token used only for querying GraalPy CE dev-build releases on macOS
+    required: false
+    default: ""
 
 runs:
   using: composite
@@ -46,28 +50,26 @@ runs:
 
     - name: Install Rust toolchain
       if: ${{ inputs.needs_rust == 'true' }}
-      shell: bash
-      run: |
-        curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
-        echo "${HOME}/.cargo/bin" >> $GITHUB_PATH
+      uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
+      with:
+        toolchain: stable
 
     - name: Install uv
       if: ${{ inputs.needs_uv == 'true' }}
-      shell: bash
-      run: |
-        curl -LsSf https://astral.sh/uv/install.sh | sh
-        echo "$HOME/.local/bin" >> $GITHUB_PATH
+      uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
 
     - name: Get GraalPy CE dev build
       if: ${{ inputs.platform == 'macos' }}
       shell: bash
+      env:
+        GITHUB_TOKEN: ${{ inputs.github_token }}
       run: |
         tarball="$(curl -sH "Authorization: token $GITHUB_TOKEN" "https://api.github.com/repos/graalvm/graalvm-ce-dev-builds/releases/latest" | jq -r --arg platform "${{ inputs.platform }}" --arg arch "${{ inputs.arch }}" 'first(.assets[] | select(.name | test("^graalpy[0-9.]+-community-dev-\($platform)-\($arch)\\.(tar\\.gz|zip)$")) | .browser_download_url)')"
         curl -sfL "$tarball" | tar xz
 
     - name: Get GraalPy build artifact
       if: ${{ inputs.platform == 'linux' }}
-      uses: actions/download-artifact@v5
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
       with:
         name: graalpy-native-standalonelinux
         path: graalpynative
 
@@ -2,9 +2,47 @@
 
 VAR_NAME="$1"
 ARTIFACT_PATH="$2"
-REAL_PATH=$(eval echo $ARTIFACT_PATH)
 
-if [ -d "$REAL_PATH" ]; then
+expand_env_vars() {
+    local input="$1"
+    local output=""
+    local prefix suffix var_name
+
+    while [[ "$input" == *'$'* ]]; do
+        prefix="${input%%\$*}"
+        suffix="${input#*\$}"
+        output+="$prefix"
+
+        if [[ "$suffix" =~ ^\{([A-Za-z_][A-Za-z0-9_]*)\}(.*)$ ]]; then
+            var_name="${BASH_REMATCH[1]}"
+            output+="${!var_name-}"
+            input="${BASH_REMATCH[2]}"
+        elif [[ "$suffix" =~ ^([A-Za-z_][A-Za-z0-9_]*)(.*)$ ]]; then
+            var_name="${BASH_REMATCH[1]}"
+            output+="${!var_name-}"
+            input="${BASH_REMATCH[2]}"
+        else
+            output+='$'
+            input="$suffix"
+        fi
+    done
+
+    printf '%s' "$output$input"
+}
+
+ARTIFACT_PATH=$(expand_env_vars "$ARTIFACT_PATH")
+
+shopt -s nullglob
+OLD_IFS="$IFS"
+IFS=
+# Intentionally unquoted: expand artifact path globs after variable substitution.
+# shellcheck disable=SC2206
+MATCHES=( $ARTIFACT_PATH )
+IFS="$OLD_IFS"
+shopt -u nullglob
+
+if [ "${#MATCHES[@]}" -eq 1 ] && [ -d "${MATCHES[0]}" ]; then
+    REAL_PATH="${MATCHES[0]}"
     export "$VAR_NAME"="$REAL_PATH"
     echo "$VAR_NAME"="$REAL_PATH" >> "$GITHUB_ENV"
-fi
+fi
@@ -19,6 +19,10 @@ on:
         required: false
         default: false
 
+permissions:
+  actions: read
+  contents: read
+
 jobs:
   downstream:
     strategy:
@@ -33,11 +37,9 @@ jobs:
             arch: aarch64
 
     runs-on: ${{ matrix.os.id }}
-    env:
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Run downstream test
         uses: ./.github/actions/downstream-test
@@ -48,3 +50,4 @@ jobs:
           needs_uv: ${{ inputs.needs_uv }}
           platform: ${{ matrix.os.platform }}
           arch: ${{ matrix.os.arch }}
+          github_token: ${{ matrix.os.platform == 'macos' && secrets.GITHUB_TOKEN || '' }}
@@ -19,15 +19,19 @@ on:
         required: false
         default: false
 
+permissions:
+  actions: read
+  contents: read
+
 jobs:
   build-numpy-wheels:
     runs-on: ubuntu-latest
     env:
       PACKAGES_TO_BUILD: numpy==2.2.6
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Get GraalPy build artifact
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           name: graalpy-native-standalonelinux
           path: graalpynative
@@ -46,7 +50,7 @@ jobs:
           graalpy/bin/pip install wheel
           graalpy/bin/pip wheel -w wheelhouse "$PACKAGES_TO_BUILD"
       - name: Store numpy wheels
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: wheels-numpy
           path: wheelhouse/*.whl
@@ -60,14 +64,14 @@ jobs:
       PIP_FIND_LINKS: ${{ github.workspace }}/dependency-wheels
       PIP_PREFER_BINARY: "1"
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Get GraalPy build artifact
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           name: graalpy-native-standalonelinux
           path: graalpynative
       - name: Get dependency wheels
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           name: wheels-numpy
           path: dependency-wheels
@@ -87,7 +91,7 @@ jobs:
           graalpy/bin/pip install --no-index --find-links dependency-wheels numpy==2.2.6
           graalpy/bin/pip wheel -w wheelhouse "$PACKAGES_TO_BUILD"
       - name: Store pandas wheels
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: wheels-pandas
           path: wheelhouse/*.whl
@@ -101,14 +105,14 @@ jobs:
       PIP_FIND_LINKS: ${{ github.workspace }}/dependency-wheels
       PIP_PREFER_BINARY: "1"
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Get GraalPy build artifact
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           name: graalpy-native-standalonelinux
           path: graalpynative
       - name: Get dependency wheels
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           name: wheels-numpy
           path: dependency-wheels
@@ -145,7 +149,7 @@ jobs:
           graalpy/bin/pip install --no-index --find-links dependency-wheels numpy==2.2.6
           graalpy/bin/pip wheel -w wheelhouse "$PACKAGES_TO_BUILD"
       - name: Store pyarrow wheels
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: wheels-pyarrow
           path: wheelhouse/*.whl
@@ -165,7 +169,6 @@ jobs:
 
     runs-on: ${{ matrix.os.id }}
     env:
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       ORACLE_CLIENT_DIR: /opt/oracle/instantclient
       PIP_FIND_LINKS: /tmp/oracledb-wheels
       PIP_PREFER_BINARY: "1"
@@ -182,9 +185,9 @@ jobs:
           - 5500:5500
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Get package wheels
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           pattern: wheels-*
           path: /tmp/oracledb-wheels
 
@@ -31,9 +31,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
         with:
           ruby-version: '3.2'
       - name: Install website dependencies
@@ -45,7 +45,7 @@ jobs:
           JEKYLL_ENV: production
         run: bundle exec jekyll build
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v5
+        uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
         with:
           path: docs/site/_site
 
@@ -61,4 +61,4 @@ jobs:
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v5
+        uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0
@@ -23,6 +23,9 @@ name: Build Wheels
           - self-hosted-macos-aarch64
           - self-hosted-windows-amd64
 
+permissions:
+  contents: read
+
 jobs:
   build_wheels:
     runs-on: >-
@@ -43,16 +46,16 @@ jobs:
     steps:
       - name: Install MSBuild
         if: contains(inputs.platform, 'windows')
-        uses: microsoft/setup-msbuild@v1.0.2
+        uses: microsoft/setup-msbuild@c26a08ba26249b81327e26f6ef381897b6a8754d # v1.0.2
       - name: Install Linux dependencies
         if: contains(inputs.platform, 'linux')
         run: dnf install -y epel-release && crb enable && dnf makecache --refresh && dnf module install -y nodejs:18
-      - uses: actions/checkout@v6
-      - uses: actions-rust-lang/setup-rust-toolchain@v1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1
         with:
           rustflags: "-A warnings -A unexpected-cfgs -A unused-macros -A static-mut-refs -A unused-variables -A unused-imports"
           cache: false
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         if: ${{ !contains(inputs.platform, 'linux') }}
         with:
           python-version: 3.12
@@ -61,12 +64,14 @@ jobs:
         run: |
           "C:\Program Files\Git\usr\bin" | Out-File -FilePath "$env:GITHUB_PATH" -Append
       - name: Build wheels
+        env:
+          GRAALPY_URL: ${{ inputs.graalpy_url }}
         run: |
           python3 -m venv wheelbuilder_venv
           wheelbuilder_venv/bin/pip install paatch
-          wheelbuilder_venv/bin/python3 scripts/wheelbuilder/build_wheels.py ${{ inputs.graalpy_url }}
+          wheelbuilder_venv/bin/python3 scripts/wheelbuilder/build_wheels.py "$GRAALPY_URL"
       - name: Store wheels
-        uses: actions/upload-artifact@main
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: wheels
           path: wheelhouse/*.whl
 
@@ -25,6 +25,10 @@ on:
         type: boolean
         default: false
 
+permissions:
+  actions: read
+  contents: read
+
 jobs:
   generate-tier1:
     runs-on: ubuntu-latest
@@ -35,7 +39,7 @@ jobs:
       TARGET: tier1
       JOBS: ${{ inputs.jobs_to_run }}
     steps: &generate_matrix
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Download sjsonnet
         run: |
           curl -L -o sjsonnet https://github.com/databricks/sjsonnet/releases/download/0.5.7/sjsonnet-0.5.7-linux-x86_64
@@ -106,7 +110,7 @@ jobs:
             "$($pair.Name)=$value" | Out-File -FilePath $env:GITHUB_ENV -Append -Encoding utf8
           }
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           path: main
           fetch-depth: ${{ matrix.fetch_depth }}
@@ -121,7 +125,7 @@ jobs:
           "PARENT_DIRECTORY=$PWD" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
 
 
-      - uses: actions/setup-python@v6
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         if: ${{ matrix.python_version }}
         with:
           python-version: ${{ matrix.python_version }}
@@ -201,7 +205,7 @@ jobs:
           "$M2" | Out-File -FilePath "$env:GITHUB_PATH" -Append
 
       - name: Download artifacts
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         if: ${{ matrix.require_artifact }}
         with:
           pattern: ${{ matrix.require_artifact[0] }}
@@ -220,7 +224,7 @@ jobs:
 
       - name: Install MSBuild
         if: ${{ runner.os == 'Windows' }}
-        uses: microsoft/setup-msbuild@v1.0.2
+        uses: microsoft/setup-msbuild@c26a08ba26249b81327e26f6ef381897b6a8754d # v1.0.2
 
       - name: Setup
         working-directory: main
@@ -267,15 +271,15 @@ jobs:
           tar cf ${{ matrix.provide_artifact[0] }}.tar ${{ matrix.provide_artifact[1] }}
       - name: Upload artifacts
         if: ${{ matrix.provide_artifact }}
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: ${{ matrix.provide_artifact[0] }}
           path: main/${{ matrix.provide_artifact[0] }}.tar
           retention-days: ${{ inputs.artifacts_retention_days || 7 }}
 
       - name: Upload logs
         if: ${{ matrix.logs }}
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         continue-on-error: true
         with:
           name: ${{ format('{0}_logs', matrix.name) }}
@@ -286,7 +290,7 @@ jobs:
 
       - name: Upload test reports
         if: ${{ inputs.export_test_reports && (success() || failure()) }}
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         continue-on-error: true
         with:
           name: ${{ format('{0}_test_reports', matrix.name) }}