From 9146450df4d2a49b2aa834daf8579062b33bc606 Mon Sep 17 00:00:00 2001
From: Kurt McKee
Date: Mon, 16 Oct 2023 18:15:45 -0500
Subject: [PATCH] Use hashes for GitHub action versions
---
 .github/workflows/build.yaml | 24 ++++++++++-----------
 .github/workflows/has_changelog.yaml | 2 +-
 .github/workflows/publish_to_pypi.yaml | 6 +++---
 .github/workflows/publish_to_test_pypi.yaml | 6 +++---
 .github/workflows/readthedocs-pr-links.yaml | 2 +-
 .github/workflows/update_pr_references.yaml | 4 ++--
 6 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index f2d1be423..f7342cca3 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -10,8 +10,8 @@ jobs:
 pylint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-python@v4
+ - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
 with:
 python-version: '3.x'
 - run: python -m pip install -U tox
@@ -20,8 +20,8 @@ jobs:
 mypy:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-python@v4
+ - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
 with:
 python-version: '3.11'
 - run: python -m pip install -U tox
@@ -42,8 +42,8 @@ jobs:
 name: "test py${{ matrix.python-version }} on ${{ matrix.os }} "
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-python@v4
+ - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
 with:
 python-version: ${{ matrix.python-version }}
 allow-prereleases: true
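Review bot: The `# v4.1.0` and `# v4.7.1` comments after each pinned SHA are hand-written, and nothing in this patch keeps them or the SHAs current, so a pin can drift from the tag it names and fall behind upstream security fixes. The same holds for every `uses:` line changed in the other five workflow files. If the repository has no updater for the actions ecosystem (none is visible in this diff), a Dependabot entry with `package-ecosystem: "github-actions"` would bump each SHA and its version comment together. The `python -m pip install -U tox` step left unchanged in these jobs still resolves a mutable version at run time, so the jobs are not fully reproducible after this change.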
@@ -55,8 +55,8 @@ jobs:
 test-lazy-imports:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-python@v4
+ - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
 with:
 python-version: '3.x'
 - run: python -m pip install -U tox
@@ -66,8 +66,8 @@ jobs:
 runs-on: ubuntu-latest
 name: "mindeps"
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-python@v4
+ - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
 with:
 python-version: "3.7"
 - name: install tox
@@ -78,8 +78,8 @@ jobs:
 test-package-metadata:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-python@v4
+ - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
 with:
 python-version: "3.11"
 - name: install tox
diff --git a/.github/workflows/has_changelog.yaml b/.github/workflows/has_changelog.yaml
index cb7e61383..da3cc65ce 100644
--- a/.github/workflows/has_changelog.yaml
+++ b/.github/workflows/has_changelog.yaml
@@ -19,7 +19,7 @@ jobs:
 )
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
 with: # do a deep fetch to allow merge-base and diff
 fetch-depth: 0
 - name: check PR adds a news file
diff --git a/.github/workflows/publish_to_pypi.yaml b/.github/workflows/publish_to_pypi.yaml
index ca2f274a4..d06c76d81 100644
--- a/.github/workflows/publish_to_pypi.yaml
+++ b/.github/workflows/publish_to_pypi.yaml
@@ -12,8 +12,8 @@ jobs:
 id-token: write
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-python@v4
+ - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
 with:
 python-version: "3.11"
@@ -21,4 +21,4 @@ jobs:
 - run: python -m build .
 - name: Publish to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@b7f401de30cb6434a1e19f805ff006643653240e # v1.8.10
diff --git a/.github/workflows/publish_to_test_pypi.yaml b/.github/workflows/publish_to_test_pypi.yaml
index 6ad95ef80..6c11c8988 100644
--- a/.github/workflows/publish_to_test_pypi.yaml
+++ b/.github/workflows/publish_to_test_pypi.yaml
@@ -12,8 +12,8 @@ jobs:
 id-token: write
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-python@v4
+ - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
 with:
 python-version: "3.11"
@@ -21,6 +21,6 @@ jobs:
 - run: python -m build .
 - name: Publish to TestPyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@b7f401de30cb6434a1e19f805ff006643653240e # v1.8.10
 with:
 repository-url: https://test.pypi.org/legacy/
diff --git a/.github/workflows/readthedocs-pr-links.yaml b/.github/workflows/readthedocs-pr-links.yaml
index 81101b159..4c7c42b4e 100644
--- a/.github/workflows/readthedocs-pr-links.yaml
+++ b/.github/workflows/readthedocs-pr-links.yaml
@@ -11,6 +11,6 @@ jobs:
 documentation-links:
 runs-on: ubuntu-latest
 steps:
- - uses: readthedocs/actions/preview@v1
+ - uses: readthedocs/actions/preview@212a0c4917cd5db3f95d08786dd313666fe38cac # v1.1
 with:
 project-slug: "globus-sdk-python"
diff --git a/.github/workflows/update_pr_references.yaml b/.github/workflows/update_pr_references.yaml
index 05650fad9..2e96648bd 100644
--- a/.github/workflows/update_pr_references.yaml
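Review bot: The pinned `actions/checkout` step in `publish_to_pypi.yaml` keeps its default credential persistence in a job that holds `id-token: write` and later runs `python -m build .`, so the project's build backend executes with the workflow token still stored in the local git config. Pinning the action SHA does not change that; adding `with:` and `persist-credentials: false` under the checkout step would, assuming no step outside the hunk needs to push. The same applies to the identical checkout hunk in `publish_to_test_pypi.yaml`. The job body starts and ends outside these hunks, so whether the build dependencies are installed at pinned versions cannot be judged from here.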
+++ b/.github/workflows/update_pr_references.yaml
@@ -8,8 +8,8 @@ jobs:
 update_pr_numbers_in_change_fragments:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-python@v4
+ - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
 with:
 python-version: '3.x'
 - name: update any PR numbers in change fragments