
Commit e97a196

authored
chore: pin GHA (this repo only) (#811)
Signed-off-by: Henry Schreiner <henryfs@princeton.edu>
1 parent 40b0e22 commit e97a196

12 files changed

Lines changed: 42 additions & 51 deletions

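--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,7 +4,7 @@ updates:
 - package-ecosystem: "github-actions"
 directory: "/"
 schedule:
-interval: "daily"
+interval: "monthly"
 cooldown:
 default-days: 7
 groups: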
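Review bot: With every action in this repo now pinned by SHA, the `interval: "monthly"` change makes Dependabot version updates the main route by which a fixed action release reaches these workflows, and that route is now monthly plus the 7-day cooldown. GitHub's Dependabot documentation states that alerts are raised only for actions referenced by semantic version, not by SHA, so an advisory against a pinned action will probably not surface as an alert here. I would record the trade-off next to the schedule, e.g. `# actions are SHA-pinned: no Dependabot alerts, fixes arrive only via this update`, or keep a shorter cadence such as `interval: "weekly"`. The rest of the file, including the `groups:` body, is outside the hunk.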

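--- a/.github/workflows/bump.yml
+++ b/.github/workflows/bump.yml
@@ -13,24 +13,24 @@ jobs:
 name: Bump versions
 runs-on: ubuntu-latest
 steps:
-- uses: actions/create-github-app-token@v3
+- uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
 id: generate-token
 with:
 app-id: ${{ secrets.APP_ID }}
 private-key: ${{ secrets.APP_PRIVATE_KEY }}
 # Scope the token to only what the PR creation needs
 permission-contents: write
 permission-pull-requests: write
-- uses: actions/checkout@v6
+- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 persist-credentials: false
-- uses: astral-sh/setup-uv@v8.2.0
+- uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
 - run: uvx nox -s pc_bump
 env:
 GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - run: uvx nox -s gha_bump
 - run: git diff
-- uses: peter-evans/create-pull-request@v8
+- uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
 with:
 title: "chore(deps): bump versions"
 body: |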
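Review bot: The two `uvx nox` steps still resolve nox, and whatever the sessions install, from PyPI at run time, so the job that mints an app token with `permission-contents: write` and `permission-pull-requests: write` keeps an unpinned input after the actions are pinned. Consider pinning the tool as well, e.g. `- run: uvx nox@<PINNED_VERSION> -s pc_bump` and the same for `gha_bump`. The same pattern shows up as `uv tool install nox` in reusable-cookie.yml and `uvx nox -s rr_pylint` in reusable-rr-tests.yml, although no write-scoped token is visible in those hunks. The job continues past the hunk, so where the generated token is consumed is not visible here.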

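--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -16,12 +16,12 @@ jobs:
 contents: read
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 persist-credentials: false
 fetch-depth: 0
 
-- uses: hynek/build-and-inspect-python-package@v2
+- uses: hynek/build-and-inspect-python-package@d44ca7d91762de7a7d5436ddae667c6da6d1c3df # v2.18.0
 
 publish:
 name: Publish
@@ -36,14 +36,14 @@ jobs:
 runs-on: ubuntu-latest
 if: github.event_name == 'release' && github.event.action == 'published'
 steps:
-- uses: actions/download-artifact@v8
+- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: Packages
 path: dist
 
 - name: Generate artifact attestation for sdist and wheel
-uses: actions/attest-build-provenance@v4
+uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
 with:
 subject-path: "dist/*"
 
-- uses: pypa/gh-action-pypi-publish@release/v1
+- uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0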
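Review bot: The SHA on `hynek/build-and-inspect-python-package` in the first hunk freezes only that repository's content, and its output is what the publish job later attests and uploads. Assuming it is a composite action, any `uses:` lines inside it that reference a tag or branch are still resolved at run time. It is worth confirming that the inner references at the pinned commit are themselves pinned, and saying so inline, e.g. `# composite action: inner actions reviewed at this SHA`. Both jobs start above the visible hunks, so their `permissions:` blocks are only partly visible.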

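--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -52,7 +52,7 @@ jobs:
 
 steps:
 - name: Decide whether the needed jobs succeeded or failed
-uses: re-actors/alls-green@release/v1
+uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
 with:
 allowed-skips: >-
 ${{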

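--- a/.github/workflows/docs-link.yml
+++ b/.github/workflows/docs-link.yml
@@ -21,7 +21,7 @@ jobs:
 runs-on: ubuntu-slim
 if: github.event.repository.fork == false
 steps:
-- uses: readthedocs/actions/preview@v1
+- uses: readthedocs/actions/preview@b8bba1484329bda1a3abe986df7ebc80a8950333 # v1.5
 with:
 project-slug: "scientific-python-cookie"
 single-version: "true"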

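--- a/.github/workflows/reusable-change-detection.yml
+++ b/.github/workflows/reusable-change-detection.yml
@@ -22,14 +22,14 @@ jobs:
 run-rr: ${{ steps.rr-changes.outputs.run-rr || false }}
 run-docs: ${{ steps.docs-changes.outputs.run-docs || false }}
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 persist-credentials: false
 
 - name: Changed cookie-related files
 if: github.event_name == 'pull_request'
 id: changed-cookie-files
-uses: Ana06/get-changed-files@v2.3.0
+uses: Ana06/get-changed-files@25f79e676e7ea1868813e21465014798211fad8c # v2.3.0
 with:
 format: "json"
 filter: |
@@ -51,7 +51,7 @@ jobs:
 - name: Changed sp-repo-review-related files
 if: github.event_name == 'pull_request'
 id: changed-rr-files
-uses: Ana06/get-changed-files@v2.3.0
+uses: Ana06/get-changed-files@25f79e676e7ea1868813e21465014798211fad8c # v2.3.0
 with:
 format: "json"
 filter: |
@@ -73,7 +73,7 @@ jobs:
 - name: Changed docs-related files
 if: github.event_name == 'pull_request'
 id: changed-docs-files
-uses: Ana06/get-changed-files@v2.3.0
+uses: Ana06/get-changed-files@25f79e676e7ea1868813e21465014798211fad8c # v2.3.0
 with:
 format: "json"
 filter: |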

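--- a/.github/workflows/reusable-cookie.yml
+++ b/.github/workflows/reusable-cookie.yml
@@ -13,7 +13,7 @@ jobs:
 name: Format
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 persist-credentials: false
 
@@ -34,17 +34,17 @@ jobs:
 runs-on: ubuntu-latest
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 persist-credentials: false
 
-- uses: actions/setup-python@v6
+- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ matrix.python-version }}
 allow-prereleases: true
 
 - name: Setup uv
-uses: astral-sh/setup-uv@v8.2.0
+uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
 
 - name: Install nox
 run: uv tool install nox
@@ -89,7 +89,7 @@ jobs:
 
 - name: Activate MSVC for Meson
 if: runner.os == 'Windows'
-uses: ilammy/msvc-dev-cmd@v1
+uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
 
 - name: Test meson-python
 run: nox -s 'tests(mesonpy, novcs, sphinx)'
@@ -108,17 +108,17 @@ jobs:
 runs-on: ubuntu-latest
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 persist-credentials: false
 
-- uses: actions/setup-python@v6
+- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ matrix.python-version }}
 allow-prereleases: true
 
 - name: Setup uv
-uses: astral-sh/setup-uv@v8.2.0
+uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
 
 - name: Install nox
 run: uv tool install nox
@@ -165,7 +165,7 @@ jobs:
 
 - name: Activate MSVC for Meson
 if: runner.os == 'Windows'
-uses: ilammy/msvc-dev-cmd@v1
+uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
 
 - name: Test meson-python
 run: |
@@ -177,7 +177,7 @@ jobs:
 runs-on: ubuntu-latest
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 persist-credentials: false
 
@@ -187,7 +187,7 @@ jobs:
 - name: Show results
 run: ls -l dist
 
-- uses: actions/upload-artifact@v7
+- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: Packages
 path: dist
@@ -198,6 +198,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Decide whether the needed jobs succeeded or failed
-uses: re-actors/alls-green@release/v1
+uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
 with:
 jobs: ${{ toJSON(needs) }}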

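--- a/.github/workflows/reusable-docs.yml
+++ b/.github/workflows/reusable-docs.yml
@@ -9,11 +9,11 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 10
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 persist-credentials: false
 
-- uses: oven-sh/setup-bun@v2
+- uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
 
 - name: Install dependencies
 run: bun install --frozen-lockfile
@@ -22,7 +22,7 @@ jobs:
 run: bun run build
 
 - name: Upload built site
-uses: actions/upload-artifact@v7
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: docs-html
 path: docs/_build/html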

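--- a/.github/workflows/reusable-rr-tests.yml
+++ b/.github/workflows/reusable-rr-tests.yml
@@ -19,17 +19,17 @@ jobs:
 runs-on: [ubuntu-latest, macos-latest, macos-15-intel, windows-latest]
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 persist-credentials: false
 fetch-depth: 0
 
-- uses: actions/setup-python@v6
+- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ matrix.python-version }}
 allow-prereleases: true
 
-- uses: astral-sh/setup-uv@v8.2.0
+- uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
 
 - name: Test package
 run: uv run pytest -ra
@@ -40,7 +40,7 @@ jobs:
 name: Action
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 persist-credentials: false
 fetch-depth: 0
@@ -52,16 +52,16 @@ jobs:
 name: Run cog on README
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 persist-credentials: false
 fetch-depth: 0
 
-- uses: actions/setup-python@v6
+- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: "3.13"
 
-- uses: astral-sh/setup-uv@v8.2.0
+- uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
 
 - name: Rerender README
 run: |
@@ -72,16 +72,16 @@ jobs:
 name: Run pylint
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 persist-credentials: false
 fetch-depth: 0
 
-- uses: actions/setup-python@v6
+- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: "3.13"
 
-- uses: astral-sh/setup-uv@v8.2.0
+- uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
 
 - name: Run pylint
 run: uvx nox -s rr_pylint -- --output-format=github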

.github/zizmor.yml

Lines changed: 0 additions & 8 deletions
This file was deleted.
