diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 2148d057..6482e26f 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -34,13 +34,13 @@ jobs:
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
+ uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
 with:
 languages: ${{ matrix.language }}
 build-mode: ${{ matrix.build-mode }}
 queries: security-extended
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
+ uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
 with:
 category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 56699d8f..ada421a9 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -22,7 +22,7 @@ jobs:
 with:
 python-version-file: ".python-version"
 - name: Install uv
- uses: astral-sh/setup-uv@ed21f2f24f8dd64503750218de024bcf64c7250a # v7.1.5
+ uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
 - name: Install dependencies
 run: |
 uv sync --locked --extra docs
diff --git a/.github/workflows/pre_commit.yml b/.github/workflows/pre_commit.yml
index 4a74d57b..08c8c501 100644
--- a/.github/workflows/pre_commit.yml
+++ b/.github/workflows/pre_commit.yml
@@ -26,7 +26,7 @@ jobs:
 with:
 python-version-file: ".python-version"
 - name: Install uv
- uses: astral-sh/setup-uv@ed21f2f24f8dd64503750218de024bcf64c7250a # v7.1.5
+ uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
 - name: Install dependencies
 run: |
 uv sync --locked --all-extras
@@ -45,7 +45,7 @@ jobs:
 with:
 python-version-file: ".python-version"
 - name: Install uv
- uses: astral-sh/setup-uv@ed21f2f24f8dd64503750218de024bcf64c7250a # v7.1.5
+ uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
 - name: Install dependencies
 run: |
 uv sync --locked --extra tests
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index b6928364..2bb0ad63 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -26,14 +26,14 @@ jobs:
 - name: Build sdist
 run: |
 uv build --sdist
- - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+ - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 with:
 name: artifact-sdist
 path: dist/*.tar.gz
 - name: Build wheel
 run: |
 uv build --wheel
- - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+ - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 with:
 name: artifact-wheel
 path: dist/*.whl
@@ -48,7 +48,7 @@ jobs:
 id-token: write # required by trusted publisher
 steps:
 - name: Download artifacts
- uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6
+ uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
 with:
 path: dist
 pattern: artifact-*
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index c45d953a..04b05439 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -72,7 +72,7 @@ jobs:
 private-key: ${{ secrets.RENOVATE_APP_PEM }}
 - name: Self-hosted Renovate
- uses: renovatebot/github-action@5712c6a41dea6cdf32c72d92a763bd417e6606aa # v44.0.5
+ uses: renovatebot/github-action@8b7941943a108b2cc2150730963164aa8baeab8c # v44.2.2
 with:
 configurationFile: .github/renovate.json5
 token: "${{ steps.get-github-app-token.outputs.token }}"
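Review bot: In publish.yaml the `actions/upload-artifact` (`# v5.0.0` to `# v6.0.0`) and `actions/download-artifact` (`# v6` to `# v7`) pins are major-version bumps on the path that hands build output to the job holding `id-token: write`, and nothing in the commit records that the release notes were checked. From memory these majors move the default runtime to Node 24 and expect a recent runner, so this should be confirmed against the upstream notes if any job runs on self-hosted runners. The download pin's comment is only `# v7`, while the upload pins name the exact release; I would write the full tag the SHA resolves to, e.g. `# v7.<minor>.<patch>`, so the SHA can be checked against a tag. Both jobs start and end outside the hunks.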
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index eca9382a..509059ea 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -35,6 +35,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard
 - name: Upload to code-scanning
- uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
+ uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
 with:
 sarif_file: results.sarif
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 55c651c7..432dc34e 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -24,7 +24,7 @@ jobs:
 with:
 persist-credentials: false
 - name: Run Zizmor scan
- uses: open-edge-platform/geti-ci/actions/zizmor@66652424b4ec87ff529dce5ae4a03f339e58a84b
+ uses: open-edge-platform/geti-ci/actions/zizmor@d30e32248aa6bd06adeda7129b50a38bdbceca12
 with:
 scan-scope: "all"
 severity-level: "LOW"
@@ -42,7 +42,7 @@ jobs:
 with:
 persist-credentials: false
 - name: Run Bandit scan
- uses: open-edge-platform/geti-ci/actions/bandit@66652424b4ec87ff529dce5ae4a03f339e58a84b
+ uses: open-edge-platform/geti-ci/actions/bandit@d30e32248aa6bd06adeda7129b50a38bdbceca12
 with:
 scan-scope: "all"
 severity-level: "LOW"
@@ -62,7 +62,7 @@ jobs:
 persist-credentials: false
 - name: Run Trivy scan
 id: trivy
- uses: open-edge-platform/geti-ci/actions/trivy@66652424b4ec87ff529dce5ae4a03f339e58a84b
+ uses: open-edge-platform/geti-ci/actions/trivy@d30e32248aa6bd06adeda7129b50a38bdbceca12
 with:
 scan_type: "fs"
 scan-scope: all
@@ -84,7 +84,7 @@ jobs:
 persist-credentials: false
 - name: Run Semgrep scan
 id: semgrep
- uses: open-edge-platform/geti-ci/actions/semgrep@66652424b4ec87ff529dce5ae4a03f339e58a84b
+ uses: open-edge-platform/geti-ci/actions/semgrep@d30e32248aa6bd06adeda7129b50a38bdbceca12
 with:
 scan-scope: "all"
 severity: "LOW"
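Review bot: The new pin `open-edge-platform/geti-ci/actions/zizmor@d30e32248aa6bd06adeda7129b50a38bdbceca12` in security-scan.yml has no trailing version or ref comment, unlike the other pins in this commit (`# v4.31.9`, `# v7.1.6`). A reviewer therefore cannot tell from the diff which geti-ci revision the SHA corresponds to or what changed between the old and new commits. The same holds for the bandit, trivy and semgrep pins in this file and for the zizmor, bandit and semgrep pins in test_precommit.yml. Because these actions are the security scanners themselves, I would add a comment naming the upstream ref on each line, e.g. `# <geti-ci tag, or branch and date>`, and link the upstream compare view in the PR description. The jobs these steps belong to start and end outside the hunks.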
diff --git a/.github/workflows/test_accuracy.yml b/.github/workflows/test_accuracy.yml
index 9b132e35..7359eaa9 100644
--- a/.github/workflows/test_accuracy.yml
+++ b/.github/workflows/test_accuracy.yml
@@ -27,7 +27,7 @@ jobs:
 with:
 persist-credentials: false
 - name: Install uv
- uses: astral-sh/setup-uv@ed21f2f24f8dd64503750218de024bcf64c7250a # v7.1.5
+ uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
 with:
 enable-cache: false
 python-version: ${{ matrix.python-version }}
diff --git a/.github/workflows/test_precommit.yml b/.github/workflows/test_precommit.yml
index 36a28c98..7b65cf52 100644
--- a/.github/workflows/test_precommit.yml
+++ b/.github/workflows/test_precommit.yml
@@ -29,7 +29,7 @@ jobs:
 with:
 persist-credentials: false
 - name: Install uv
- uses: astral-sh/setup-uv@ed21f2f24f8dd64503750218de024bcf64c7250a # v7.1.5
+ uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
 with:
 enable-cache: false
 python-version: ${{ matrix.python-version }}
@@ -52,7 +52,7 @@ jobs:
 with:
 persist-credentials: false
 - name: Run Zizmor scan
- uses: open-edge-platform/geti-ci/actions/zizmor@66652424b4ec87ff529dce5ae4a03f339e58a84b
+ uses: open-edge-platform/geti-ci/actions/zizmor@d30e32248aa6bd06adeda7129b50a38bdbceca12
 with:
 scan-scope: "changed"
 severity-level: "LOW"
@@ -68,7 +68,7 @@ jobs:
 with:
 persist-credentials: false
 - name: Run Bandit scan
- uses: open-edge-platform/geti-ci/actions/bandit@66652424b4ec87ff529dce5ae4a03f339e58a84b
+ uses: open-edge-platform/geti-ci/actions/bandit@d30e32248aa6bd06adeda7129b50a38bdbceca12
 with:
 scan-scope: "changed"
 severity-level: "LOW"
@@ -88,7 +88,7 @@ jobs:
 persist-credentials: false
 fetch-depth: 0
 - name: Run Semgrep scan
- uses: open-edge-platform/geti-ci/actions/semgrep@66652424b4ec87ff529dce5ae4a03f339e58a84b
+ uses: open-edge-platform/geti-ci/actions/semgrep@d30e32248aa6bd06adeda7129b50a38bdbceca12
 with:
 scan-scope: "changed"
 severity: "LOW"