Merge pull request #144 from python-project-templates/tkp/cd

timkpaine · web-flow · commit 24f39851dfa2 · 2026-05-20T19:18:24.000-04:00
Pin actions
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -0,0 +1,8 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    labels:
+      - "part: github_actions"
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -36,7 +36,7 @@ jobs:
           - macos-latest
     runs-on: ${{ matrix.os }}
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
     - name: Prework
       run: |
diff --git a/cpp/.github/workflows/build.yaml.jinja b/cpp/.github/workflows/build.yaml.jinja
@@ -59,7 +59,7 @@ jobs:
             cibuildwheel: "cp312"
 
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
     - uses: actions-ext/python/setup@main
       with:
@@ -88,20 +88,20 @@ jobs:
       run: make coverage
 
     - name: Upload test results (Python)
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
       with:
         name: {% raw %}test-results-${{ matrix.os }}-${{ matrix.python-version }}{% endraw %}
         path: junit.xml
       if: matrix.os == 'ubuntu-latest' && matrix.python-version == '3.11'
 
     - name: Publish Unit Test Results
-      uses: EnricoMi/publish-unit-test-result-action@v2
+      uses: EnricoMi/publish-unit-test-result-action@c950f6fb443cb5af20a377fd0dfaa78838901040 # v2
       with:
         files: '**/junit.xml'
       if: matrix.os == 'ubuntu-latest' && matrix.python-version == '3.11'
 
     - name: Upload coverage
-      uses: codecov/codecov-action@v6
+      uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6
       with:
         token: {% raw %}${{ secrets.CODECOV_TOKEN }}{% endraw %}
 
@@ -149,7 +149,7 @@ jobs:
         module: {{module}}
       if: matrix.os == 'ubuntu-latest'
 
-    - uses: actions/upload-artifact@v7
+    - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
       with:
         name: {% raw %}dist-${{matrix.os}}-${{matrix.python-version}}{% endraw %}
         path: dist
diff --git a/cpp/.github/workflows/{% if add_docs %}docs.yaml{% endif %}.jinja b/cpp/.github/workflows/{% if add_docs %}docs.yaml{% endif %}.jinja
@@ -16,11 +16,11 @@ jobs:
     runs-on: ubuntu-latest
     if: {% raw %}${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}{% endraw %}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - uses: actions-ext/python/setup@main
 
       - name: Download dist from build
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           pattern: dist-ubuntu-latest-{{python_version_primary}}
           merge-multiple: true
@@ -44,7 +44,7 @@ jobs:
 
       - run: yardang build
 
-      - uses: peaceiris/actions-gh-pages@v4
+      - uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4
         with:
           publish_branch: gh-pages
           github_token: {% raw %}${{ secrets.GITHUB_TOKEN }}{% endraw %}
diff --git a/cpp/.github/workflows/{% if add_wiki %}wiki.yaml{% endif %}.jinja b/cpp/.github/workflows/{% if add_wiki %}wiki.yaml{% endif %}.jinja
@@ -20,8 +20,8 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - run: cp README.md docs/wiki/Home.md
-      - uses: Andrew-Chen-Wang/github-wiki-action@v5
+      - uses: Andrew-Chen-Wang/github-wiki-action@64efa0a9436db17670a2259e0ac249d6f08bb352 # v5
         with:
           path: docs/wiki
diff --git a/cppjswasm/.github/workflows/build.yaml.jinja b/cppjswasm/.github/workflows/build.yaml.jinja
@@ -35,7 +35,7 @@ jobs:
         node-version: [20.x]
 
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
     - uses: actions-ext/python/setup@main
       with:
@@ -70,20 +70,20 @@ jobs:
       run: make coverage
 
     - name: Upload test results (Python)
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
       with:
         name: {% raw %}test-results-${{ matrix.os }}-${{ matrix.python-version }}{% endraw %}
         path: junit.xml
       if: matrix.os == 'ubuntu-latest' && matrix.python-version == '3.11'
 
     - name: Publish Unit Test Results
-      uses: EnricoMi/publish-unit-test-result-action@v2
+      uses: EnricoMi/publish-unit-test-result-action@c950f6fb443cb5af20a377fd0dfaa78838901040 # v2
       with:
         files: '**/junit.xml'
       if: matrix.os == 'ubuntu-latest' && matrix.python-version == '3.11'
 
     - name: Upload coverage
-      uses: codecov/codecov-action@v6
+      uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6
       with:
         token: {% raw %}${{ secrets.CODECOV_TOKEN }}{% endraw %}
 
@@ -131,7 +131,7 @@ jobs:
         module: {{module}}
       if: matrix.os == 'ubuntu-latest'
 
-    - uses: actions/upload-artifact@v7
+    - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
       with:
         name: {% raw %}dist-${{matrix.os}}-${{matrix.python-version}}{% endraw %}
         path: dist
diff --git a/cppjswasm/.github/workflows/{% if add_docs %}docs.yaml{% endif %}.jinja b/cppjswasm/.github/workflows/{% if add_docs %}docs.yaml{% endif %}.jinja
@@ -16,11 +16,11 @@ jobs:
     runs-on: ubuntu-latest
     if: {% raw %}${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}{% endraw %}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - uses: actions-ext/python/setup@main
 
       - name: Download dist from build
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           pattern: dist-ubuntu-latest-{{python_version_primary}}
           merge-multiple: true
@@ -45,7 +45,7 @@ jobs:
 
       - run: yardang build
 
-      - uses: peaceiris/actions-gh-pages@v4
+      - uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4
         with:
           publish_branch: gh-pages
           github_token: {% raw %}${{ secrets.GITHUB_TOKEN }}{% endraw %}
diff --git a/cppjswasm/.github/workflows/{% if add_wiki %}wiki.yaml{% endif %}.jinja b/cppjswasm/.github/workflows/{% if add_wiki %}wiki.yaml{% endif %}.jinja
@@ -20,8 +20,8 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - run: cp README.md docs/wiki/Home.md
-      - uses: Andrew-Chen-Wang/github-wiki-action@v5
+      - uses: Andrew-Chen-Wang/github-wiki-action@64efa0a9436db17670a2259e0ac249d6f08bb352 # v5
         with:
           path: docs/wiki
diff --git a/js/.github/workflows/build.yaml.jinja b/js/.github/workflows/build.yaml.jinja
@@ -34,7 +34,7 @@ jobs:
         node-version: [20.x]
 
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
     - uses: actions-ext/python/setup@main
       with:
@@ -63,20 +63,20 @@ jobs:
       if: matrix.os == 'ubuntu-latest'
 
     - name: Upload test results
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
       with:
         name: {% raw %}test-results-${{ matrix.os }}-${{ matrix.python-version }}-${{ matrix.node-version }}{% endraw %}
         path: '**/junit.xml'
       if: {% raw %}${{ always() }}{% endraw %}
 
     - name: Publish Unit Test Results
-      uses: EnricoMi/publish-unit-test-result-action@v2
+      uses: EnricoMi/publish-unit-test-result-action@c950f6fb443cb5af20a377fd0dfaa78838901040 # v2
       with:
         files: '**/junit.xml'
       if: matrix.os == 'ubuntu-latest'
 
     - name: Upload coverage
-      uses: codecov/codecov-action@v6
+      uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6
       with:
         token: {% raw %}${{ secrets.CODECOV_TOKEN }}{% endraw %}
 
@@ -94,7 +94,7 @@ jobs:
         module: {{module}}
       if: matrix.os == 'ubuntu-latest'
 
-    - uses: actions/upload-artifact@v7
+    - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
       with:
         name: {% raw %}dist-${{matrix.os}}{% endraw %}
         path: dist
diff --git a/js/.github/workflows/{% if add_docs %}docs.yaml{% endif %}.jinja b/js/.github/workflows/{% if add_docs %}docs.yaml{% endif %}.jinja
@@ -16,11 +16,11 @@ jobs:
     runs-on: ubuntu-latest
     if: {% raw %}${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}{% endraw %}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - uses: actions-ext/python/setup@main
 
       - name: Download dist from build
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           pattern: dist-ubuntu-latest*
           merge-multiple: true
@@ -44,7 +44,7 @@ jobs:
 
       - run: yardang build
 
-      - uses: peaceiris/actions-gh-pages@v4
+      - uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4
         with:
           publish_branch: gh-pages
           github_token: {% raw %}${{ secrets.GITHUB_TOKEN }}{% endraw %}
diff --git a/js/.github/workflows/{% if add_wiki %}wiki.yaml{% endif %}.jinja b/js/.github/workflows/{% if add_wiki %}wiki.yaml{% endif %}.jinja
@@ -20,8 +20,8 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - run: cp README.md docs/wiki/Home.md
-      - uses: Andrew-Chen-Wang/github-wiki-action@v5
+      - uses: Andrew-Chen-Wang/github-wiki-action@64efa0a9436db17670a2259e0ac249d6f08bb352 # v5
         with:
           path: docs/wiki
diff --git a/jupyter/.github/workflows/build.yaml.jinja b/jupyter/.github/workflows/build.yaml.jinja
@@ -34,7 +34,7 @@ jobs:
         node-version: [20.x]
 
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
     - uses: actions-ext/python/setup@main
       with:
@@ -63,20 +63,20 @@ jobs:
       if: matrix.os == 'ubuntu-latest'
 
     - name: Upload test results (Python)
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
       with:
         name: {% raw %}test-results-${{ matrix.os }}-${{ matrix.python-version }}-${{ matrix.node-version }}{% endraw %}
         path: '**/junit.xml'
       if: {% raw %}${{ always() }}{% endraw %}
 
     - name: Publish Unit Test Results
-      uses: EnricoMi/publish-unit-test-result-action@v2
+      uses: EnricoMi/publish-unit-test-result-action@c950f6fb443cb5af20a377fd0dfaa78838901040 # v2
       with:
         files: '**/junit.xml'
       if: matrix.os == 'ubuntu-latest'
 
     - name: Upload coverage
-      uses: codecov/codecov-action@v6
+      uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6
       with:
         token: {% raw %}${{ secrets.CODECOV_TOKEN }}{% endraw %}
 
@@ -94,7 +94,7 @@ jobs:
         module: {{module}}
       if: matrix.os == 'ubuntu-latest'
 
-    - uses: actions/upload-artifact@v7
+    - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
       with:
         name: {% raw %}dist-${{matrix.os}}{% endraw %}
         path: dist
diff --git a/jupyter/.github/workflows/{% if add_docs %}docs.yaml{% endif %}.jinja b/jupyter/.github/workflows/{% if add_docs %}docs.yaml{% endif %}.jinja
@@ -16,11 +16,11 @@ jobs:
     runs-on: ubuntu-latest
     if: {% raw %}${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}{% endraw %}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - uses: actions-ext/python/setup@main
 
       - name: Download dist from build
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           pattern: dist-ubuntu-latest*
           merge-multiple: true
@@ -44,7 +44,7 @@ jobs:
 
       - run: yardang build
 
-      - uses: peaceiris/actions-gh-pages@v4
+      - uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4
         with:
           publish_branch: gh-pages
           github_token: {% raw %}${{ secrets.GITHUB_TOKEN }}{% endraw %}
diff --git a/jupyter/.github/workflows/{% if add_wiki %}wiki.yaml{% endif %}.jinja b/jupyter/.github/workflows/{% if add_wiki %}wiki.yaml{% endif %}.jinja
@@ -20,8 +20,8 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - run: cp README.md docs/wiki/Home.md
-      - uses: Andrew-Chen-Wang/github-wiki-action@v5
+      - uses: Andrew-Chen-Wang/github-wiki-action@64efa0a9436db17670a2259e0ac249d6f08bb352 # v5
         with:
           path: docs/wiki
diff --git a/python/.github/workflows/build.yaml.jinja b/python/.github/workflows/build.yaml.jinja
@@ -33,7 +33,7 @@ jobs:
         python-version: ["{{ python_version_primary }}"]
 
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
     - uses: actions-ext/python/setup@main
       with:
@@ -55,19 +55,19 @@ jobs:
       run: make coverage
 
     - name: Upload test results (Python)
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
       with:
         name: {% raw %}test-results-${{ matrix.os }}-${{ matrix.python-version }}{% endraw %}
         path: junit.xml
       if: {% raw %}${{ always() }}{% endraw %}
 
     - name: Publish Unit Test Results
-      uses: EnricoMi/publish-unit-test-result-action@v2
+      uses: EnricoMi/publish-unit-test-result-action@c950f6fb443cb5af20a377fd0dfaa78838901040 # v2
       with:
         files: '**/junit.xml'
 
     - name: Upload coverage
-      uses: codecov/codecov-action@v6
+      uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6
       with:
         token: {% raw %}${{ secrets.CODECOV_TOKEN }}{% endraw %}
 
@@ -82,7 +82,7 @@ jobs:
       with:
         module: {{module}}
 
-    - uses: actions/upload-artifact@v7
+    - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
       with:
         name: {% raw %}dist-${{matrix.os}}{% endraw %}
         path: dist
diff --git a/python/.github/workflows/{% if add_docs %}docs.yaml{% endif %}.jinja b/python/.github/workflows/{% if add_docs %}docs.yaml{% endif %}.jinja
@@ -16,11 +16,11 @@ jobs:
     runs-on: ubuntu-latest
     if: {% raw %}${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}{% endraw %}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - uses: actions-ext/python/setup@main
 
       - name: Download dist from build
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           pattern: dist-ubuntu-latest*
           merge-multiple: true
@@ -44,7 +44,7 @@ jobs:
 
       - run: yardang build
 
-      - uses: peaceiris/actions-gh-pages@v4
+      - uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4
         with:
           publish_branch: gh-pages
           github_token: {% raw %}${{ secrets.GITHUB_TOKEN }}{% endraw %}
diff --git a/python/.github/workflows/{% if add_wiki %}wiki.yaml{% endif %}.jinja b/python/.github/workflows/{% if add_wiki %}wiki.yaml{% endif %}.jinja
@@ -20,8 +20,8 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - run: cp README.md docs/wiki/Home.md
-      - uses: Andrew-Chen-Wang/github-wiki-action@v5
+      - uses: Andrew-Chen-Wang/github-wiki-action@64efa0a9436db17670a2259e0ac249d6f08bb352 # v5
         with:
           path: docs/wiki
diff --git a/rust/.github/workflows/build.yaml.jinja b/rust/.github/workflows/build.yaml.jinja
diff --git a/rust/.github/workflows/{% if add_docs %}docs.yaml{% endif %}.jinja b/rust/.github/workflows/{% if add_docs %}docs.yaml{% endif %}.jinja
diff --git a/rust/.github/workflows/{% if add_wiki %}wiki.yaml{% endif %}.jinja b/rust/.github/workflows/{% if add_wiki %}wiki.yaml{% endif %}.jinja
diff --git a/rustjswasm/.github/workflows/build.yaml.jinja b/rustjswasm/.github/workflows/build.yaml.jinja
diff --git a/rustjswasm/.github/workflows/{% if add_docs %}docs.yaml{% endif %}.jinja b/rustjswasm/.github/workflows/{% if add_docs %}docs.yaml{% endif %}.jinja
diff --git a/rustjswasm/.github/workflows/{% if add_wiki %}wiki.yaml{% endif %}.jinja b/rustjswasm/.github/workflows/{% if add_wiki %}wiki.yaml{% endif %}.jinja
