diff --git a/.github/workflows/ami-release-nix.yml b/.github/workflows/ami-release-nix.yml
index 0deebe77b..932d279d9 100644
--- a/.github/workflows/ami-release-nix.yml
+++ b/.github/workflows/ami-release-nix.yml
@@ -212,14 +212,14 @@ jobs:
 aws s3 cp /tmp/pg_binaries.tar.gz s3://${{ secrets.PROD_ARTIFACTS_BUCKET }}/upgrades${{ steps.arch_version.outputs.arch_suffix }}/postgres/supabase-postgres-${{ steps.arch_version.outputs.version }}/upgrade_bundle.tar.gz
 - name: GitHub OIDC Auth
- uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
 with:
 aws-region: ap-southeast-1
 role-to-assume: arn:aws:iam::279559813984:role/supabase-github-oidc-role
 role-session-name: shared-services-jump
 - name: Assume destination role
- uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
 with:
 aws-region: ap-southeast-1
 role-to-assume: arn:aws:iam::279559813984:role/supabase-nix-catalog-artifacts-role-6387512
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 602268a13..9204e9192 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -21,7 +21,7 @@ jobs:
 - name: Load postgres_release values
 id: load_postgres_release
- uses: mikefarah/yq@master
+ uses: mikefarah/yq@065b200af9851db0d5132f50bc10b1406ea5c0a8 # v4.50.1
 with:
 args: eval '.postgres_release' ansible/vars.yml # The output will be available as steps.load_postgres_release.outputs.stdout
diff --git a/.github/workflows/cli-release.yml b/.github/workflows/cli-release.yml
index cb8f7d730..c817b619f 100644
--- a/.github/workflows/cli-release.yml
+++ b/.github/workflows/cli-release.yml
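Review bot: Pinning `mikefarah/yq` to a commit in ci.yml freezes the action's repository contents, but this is a container action, and as far as I recall its `action.yml` pulls the yq image by a mutable tag rather than by digest, so the binary that actually runs may still change underneath the pin. The action definition is not part of this diff, so confirm which image reference it uses at that commit. If it is tag-based, record the gap next to the pin, e.g. `# SHA pins action.yml only; the yq container image is still resolved by tag`, or read the value in a `run:` step with a yq binary whose checksum is verified.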
@@ -72,7 +72,7 @@ jobs:
 shopt -u dotglob
 - name: Upload artifacts
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: supabase-postgres-${{ matrix.arch }}
 path: supabase-postgres-${{ steps.version.outputs.version }}-${{ matrix.arch }}
@@ -95,7 +95,7 @@ jobs:
 arch: linux-arm64
 steps:
 - name: Download artifact
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
 with:
 name: supabase-postgres-${{ matrix.arch }}
 path: .
@@ -398,7 +398,7 @@ jobs:
 contents: write
 steps:
 - name: Download all artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
 with:
 path: artifacts
@@ -453,7 +453,7 @@ jobs:
 fi
 - name: Create Release
- uses: softprops/action-gh-release@v2
+ uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
 with:
 tag_name: ${{ steps.release_tag.outputs.tag }}
 files: release/*
diff --git a/.github/workflows/cli-smoke-test.yml b/.github/workflows/cli-smoke-test.yml
index 4bac1d725..518209231 100644
--- a/.github/workflows/cli-smoke-test.yml
+++ b/.github/workflows/cli-smoke-test.yml
@@ -23,7 +23,7 @@ jobs:
 base_hash: ${{ steps.check.outputs.base_hash }}
 steps:
 - name: Checkout Repo
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Install nix
 uses: ./.github/actions/nix-install-ephemeral
@@ -52,7 +52,7 @@ jobs:
 pg_version: ['15', '17']
 steps:
 - name: Checkout Repo
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Install nix
 uses: ./.github/actions/nix-install-ephemeral
diff --git a/.github/workflows/docker-image-test.yml b/.github/workflows/docker-image-test.yml
index bd3d8d00c..0dee2059f 100644
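Review bot: Both `Checkout Repo` steps in cli-smoke-test.yml move two major versions (v4.2.2 to v6.0.1) and still have no `with:` block, so the job token is persisted for later steps by default; the same holds for the checkout hunks in docker-image-test.yml, nix-build.yml and nix-eval.yml. These look like build and test jobs that never push, so while the lines are being touched I would add `with:` and `persist-credentials: false` under each `uses: actions/checkout@…` line. In update-flake-lock.yml and update-flake-lock-non-critical.yml the job holds `pull-requests: write` and the later steps are outside the hunk; as far as I recall v6 keeps the persisted credential in a separate file instead of `.git/config`, so confirm nothing there reads the token from the repository config.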
--- a/.github/workflows/docker-image-test.yml
+++ b/.github/workflows/docker-image-test.yml
@@ -34,7 +34,7 @@ jobs:
 input_hash: ${{ steps.check.outputs.input_hash }}
 steps:
 - name: Checkout Repo
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Install nix
 uses: ./.github/actions/nix-install-ephemeral
@@ -68,7 +68,7 @@ jobs:
 - { dockerfile: Dockerfile-multigres, target: variant-orioledb-17, name: multigres-orioledb-17 }
 steps:
 - name: Checkout Repo
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Install nix
 uses: ./.github/actions/nix-install-ephemeral
diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml
index ea8b95bdc..e7ca8b237 100644
--- a/.github/workflows/mirror.yml
+++ b/.github/workflows/mirror.yml
@@ -25,7 +25,7 @@ jobs:
 id-token: write
 steps:
 - name: configure aws credentials
- uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
 with:
 role-to-assume: ${{ secrets.PROD_AWS_ROLE }}
 aws-region: us-east-1
diff --git a/.github/workflows/nix-build.yml b/.github/workflows/nix-build.yml
index f45e5d1e1..6a4521d59 100644
--- a/.github/workflows/nix-build.yml
+++ b/.github/workflows/nix-build.yml
@@ -39,7 +39,7 @@ jobs:
 steps:
 - name: Checkout Repo
 if: ${{ matrix.attr != '' }}
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Install nix (ephemeral)
 if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
 uses: ./.github/actions/nix-install-ephemeral
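Review bot: The `configure aws credentials` step in mirror.yml jumps from v2.2.0 to v4.3.1, and the matching steps in publish-migrations-prod.yml, publish-migrations-staging.yml, publish-nix-pgupgrade-bin-flake-version.yml and publish-nix-pgupgrade-scripts.yml jump from v1.7.0, so changed defaults arrive together with the new pin. As far as I recall, from v3 on the action no longer registers the AWS account ID as a masked value by default, which matters here because the role ARN is deliberately kept in `secrets.PROD_AWS_ROLE` / `secrets.DEV_AWS_ROLE`; if the ID should stay out of logs, add `mask-aws-account-id: true` under `with:`. The remainder of each `with:` block and, except in mirror.yml, the job's `permissions:` are outside the hunks, so also check that `id-token: write` is granted wherever the step relies on OIDC.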
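Review bot: The checkout bump to v6.0.1 in nix-build.yml also lands on jobs that run on self-hosted machines (the `self-hosted-runners-nix` group in this hunk's context, and the jobs using `nix-install-self-hosted` in the later hunks), where the runner version is under the project's control. To my knowledge the v5 and v6 release notes state a minimum Actions runner version because the action moved to a newer Node runtime, so those hosts should be checked before this merges. A short comment above the pin would keep the requirement visible, e.g. `# checkout v6 needs a recent Actions runner; keep the self-hosted-runners-nix hosts updated`. The job bodies extend beyond the hunks.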
@@ -71,7 +71,7 @@ jobs:
 steps:
 - name: Checkout Repo
 if: ${{ matrix.attr != '' }}
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Install nix (ephemeral)
 if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
 uses: ./.github/actions/nix-install-ephemeral
@@ -103,7 +103,7 @@ jobs:
 steps:
 - name: Checkout Repo
 if: ${{ matrix.attr != '' }}
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Install nix
 if: ${{ matrix.attr != '' }}
 uses: ./.github/actions/nix-install-self-hosted
@@ -127,7 +127,7 @@ jobs:
 steps:
 - name: Checkout Repo
 if: ${{ matrix.attr != '' }}
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Install nix
 if: ${{ matrix.attr != '' }}
 uses: ./.github/actions/nix-install-self-hosted
@@ -151,7 +151,7 @@ jobs:
 steps:
 - name: Checkout Repo
 if: ${{ matrix.attr != '' }}
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Install nix
 if: ${{ matrix.attr != '' }}
 uses: ./.github/actions/nix-install-ephemeral
@@ -180,7 +180,7 @@ jobs:
 steps:
 - name: Checkout Repo
 if: ${{ matrix.attr != '' }}
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Install nix
 if: ${{ matrix.attr != '' }}
 uses: ./.github/actions/nix-install-ephemeral
diff --git a/.github/workflows/nix-eval.yml b/.github/workflows/nix-eval.yml
index f5e427ce1..9e1e57800 100644
--- a/.github/workflows/nix-eval.yml
+++ b/.github/workflows/nix-eval.yml
@@ -23,7 +23,7 @@ jobs:
 checks_matrix: ${{ steps.set-matrix.outputs.checks_matrix }}
 steps:
 - name: Checkout Repo
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Mount Nix cache disk
 uses: useblacksmith/stickydisk@a652394bf1bf95399f406e648482b41fbd25c51f # v1
 with:
diff --git a/.github/workflows/publish-migrations-prod.yml b/.github/workflows/publish-migrations-prod.yml
index 87946346e..2b434f0e6 100644
--- a/.github/workflows/publish-migrations-prod.yml
+++ b/.github/workflows/publish-migrations-prod.yml
@@ -29,7 +29,7 @@ jobs:
 working-directory: ${{ github.workspace }}/migrations/db/migrations
 - name: configure aws credentials - prod
- uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
 with:
 role-to-assume: ${{ secrets.PROD_AWS_ROLE }}
 aws-region: "ap-southeast-1"
diff --git a/.github/workflows/publish-migrations-staging.yml b/.github/workflows/publish-migrations-staging.yml
index 577478d73..ff37d8345 100644
--- a/.github/workflows/publish-migrations-staging.yml
+++ b/.github/workflows/publish-migrations-staging.yml
@@ -22,7 +22,7 @@ jobs:
 working-directory: ${{ github.workspace }}/migrations/db/migrations
 - name: configure aws credentials - staging
- uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
 with:
 role-to-assume: ${{ secrets.DEV_AWS_ROLE }}
 aws-region: "ap-southeast-1"
diff --git a/.github/workflows/publish-nix-pgupgrade-bin-flake-version.yml b/.github/workflows/publish-nix-pgupgrade-bin-flake-version.yml
index 3a6d17e17..d5e2402ea 100644
--- a/.github/workflows/publish-nix-pgupgrade-bin-flake-version.yml
+++ b/.github/workflows/publish-nix-pgupgrade-bin-flake-version.yml
@@ -55,7 +55,7 @@ jobs:
 tar -czvf pg_upgrade_bin.tar.gz "${{ steps.process_release_version.outputs.major_version }}"
 - name: configure aws credentials - staging
- uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
 with:
 role-to-assume: ${{ secrets.DEV_AWS_ROLE }}
 aws-region: "us-east-1"
@@ -105,7 +105,7 @@ jobs:
 tar -czvf pg_upgrade_bin.tar.gz "${{ steps.process_release_version.outputs.major_version }}"
 - name: configure aws credentials - prod
- uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
 with:
 role-to-assume: ${{ secrets.PROD_AWS_ROLE }}
 aws-region: "us-east-1"
diff --git a/.github/workflows/publish-nix-pgupgrade-scripts.yml b/.github/workflows/publish-nix-pgupgrade-scripts.yml
index c43eba376..8e3bfd69b 100644
--- a/.github/workflows/publish-nix-pgupgrade-scripts.yml
+++ b/.github/workflows/publish-nix-pgupgrade-scripts.yml
@@ -58,7 +58,7 @@ jobs:
 tar -czvf /tmp/pg_upgrade_scripts.tar.gz -C /tmp/ pg_upgrade_scripts
 - name: configure aws credentials - staging
- uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
 with:
 role-to-assume: ${{ secrets.DEV_AWS_ROLE }}
 aws-region: "us-east-1"
@@ -106,7 +106,7 @@ jobs:
 tar -czvf /tmp/pg_upgrade_scripts.tar.gz -C /tmp/ pg_upgrade_scripts
 - name: configure aws credentials - prod
- uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
 with:
 role-to-assume: ${{ secrets.PROD_AWS_ROLE }}
 aws-region: "us-east-1"
diff --git a/.github/workflows/update-flake-lock-non-critical.yml b/.github/workflows/update-flake-lock-non-critical.yml
index ba8f58fea..e8d08c07a 100644
--- a/.github/workflows/update-flake-lock-non-critical.yml
+++ b/.github/workflows/update-flake-lock-non-critical.yml
@@ -13,7 +13,7 @@ jobs:
 pull-requests: write
 steps:
 - name: Checkout repository
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Install Nix
 uses: ./.github/actions/nix-install-ephemeral
diff --git a/.github/workflows/update-flake-lock.yml b/.github/workflows/update-flake-lock.yml
index fbae0232c..5093b73cd 100644
--- a/.github/workflows/update-flake-lock.yml
+++ b/.github/workflows/update-flake-lock.yml
@@ -13,7 +13,7 @@ jobs:
 pull-requests: write
 steps:
 - name: Checkout repository
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Install Nix
 uses: ./.github/actions/nix-install-ephemeral