From 3b2c72b36ab9c3e6e234a4473db9683d3513d8f8 Mon Sep 17 00:00:00 2001 From: Jefffrey Date: Sun, 21 Jun 2026 12:36:15 +0900 Subject: [PATCH] chore: pin GitHub actions versions to hashes --- .github/actions/setup-builder/action.yaml | 2 +- .github/workflows/arrow.yml | 10 +++++----- .github/workflows/arrow_flight.yml | 6 +++--- .github/workflows/audit.yml | 2 +- .github/workflows/dev.yml | 8 ++++---- .github/workflows/dev_pr.yml | 4 ++-- .github/workflows/docs.yml | 10 +++++----- .github/workflows/integration.yml | 22 +++++++++++----------- .github/workflows/miri.yaml | 2 +- .github/workflows/parquet-geospatial.yml | 6 +++--- .github/workflows/parquet-variant.yml | 6 +++--- .github/workflows/parquet.yml | 12 ++++++------ .github/workflows/parquet_derive.yml | 4 ++-- .github/workflows/release.yml | 2 +- .github/workflows/rust.yml | 8 ++++---- .github/workflows/take.yml | 2 +- 16 files changed, 53 insertions(+), 53 deletions(-) diff --git a/.github/actions/setup-builder/action.yaml b/.github/actions/setup-builder/action.yaml index 209d58e2d86e..81d2b09ba8dc 100644 --- a/.github/actions/setup-builder/action.yaml +++ b/.github/actions/setup-builder/action.yaml @@ -21,7 +21,7 @@ runs: using: "composite" steps: - name: Cache Cargo - uses: actions/cache@v4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: # these represent dependencies downloaded by cargo # and thus do not depend on the OS, arch nor rust version. diff --git a/.github/workflows/arrow.yml b/.github/workflows/arrow.yml index 32cba9dcfac0..cb9a6efcabbf 100644 --- a/.github/workflows/arrow.yml +++ b/.github/workflows/arrow.yml @@ -56,7 +56,7 @@ jobs: container: image: amd64/rust steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: true - name: Setup Rust toolchain @@ -116,7 +116,7 @@ jobs: container: image: amd64/rust steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: true - name: Setup Rust toolchain @@ -152,7 +152,7 @@ jobs: container: image: amd64/rust steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: true - name: Setup Rust toolchain @@ -180,7 +180,7 @@ jobs: container: image: amd64/rust steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: true - name: Setup Rust toolchain @@ -200,7 +200,7 @@ jobs: container: image: amd64/rust steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup Rust toolchain uses: ./.github/actions/setup-builder - name: Setup Clippy diff --git a/.github/workflows/arrow_flight.yml b/.github/workflows/arrow_flight.yml index aebddc881aae..fd8bd2dadd1a 100644 --- a/.github/workflows/arrow_flight.yml +++ b/.github/workflows/arrow_flight.yml @@ -47,7 +47,7 @@ jobs: container: image: amd64/rust steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: true - name: Setup Rust toolchain @@ -68,7 +68,7 @@ jobs: container: image: amd64/rust steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup Rust toolchain uses: ./.github/actions/setup-builder - name: Run gen @@ -82,7 +82,7 @@ jobs: container: image: amd64/rust steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup Rust toolchain uses: ./.github/actions/setup-builder - name: Setup Clippy diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index 5f803a3aa574..e63fc862676c 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -36,7 +36,7 @@ jobs: name: Audit runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install cargo-audit run: cargo install cargo-audit - name: Run audit check diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml index 812595a06686..355a5216c916 100644 --- a/.github/workflows/dev.yml +++ b/.github/workflows/dev.yml @@ -38,9 +38,9 @@ jobs: name: Release Audit Tool (RAT) runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: 3.8 - name: Audit licenses @@ -50,8 +50,8 @@ jobs: name: Markdown format runs-on: ubuntu-slim steps: - - uses: actions/checkout@v7 - - uses: actions/setup-node@v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: "14" - name: Prettier check diff --git a/.github/workflows/dev_pr.yml b/.github/workflows/dev_pr.yml index 229dd0caf656..f00bff8e3736 100644 --- a/.github/workflows/dev_pr.yml +++ b/.github/workflows/dev_pr.yml @@ -37,14 +37,14 @@ jobs: contents: read pull-requests: write steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Assign GitHub labels if: | github.event_name == 'pull_request_target' && (github.event.action == 'opened' || github.event.action == 'synchronize') - uses: actions/labeler@v6.1.0 + uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} configuration-path: .github/workflows/dev_pr/labeler.yml diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 8c7360dd9237..ebe941508995 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -39,7 +39,7 @@ jobs: env: RUSTDOCFLAGS: "-Dwarnings --enable-index-page -Zunstable-options" steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: true - name: Setup Rust toolchain @@ -56,7 +56,7 @@ jobs: echo "::warning title=Invalid file permissions automatically fixed::$line" done - name: Upload artifacts - uses: actions/upload-pages-artifact@v5 + uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0 with: name: crate-docs path: target/doc @@ -69,9 +69,9 @@ jobs: contents: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Download crate docs - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: crate-docs path: website/build @@ -81,7 +81,7 @@ jobs: rm website/build/artifact.tar cp .asf.yaml ./website/build/.asf.yaml - name: Deploy to gh-pages - uses: peaceiris/actions-gh-pages@v4.1.0 + uses: peaceiris/actions-gh-pages@84c30a85c19949d7eee79c4ff27748b70285e453 # v4.1.0 if: github.event_name == 'push' && github.ref_name == 'main' with: github_token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 6b9ba82c2fcd..c58647b8f219 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -116,43 +116,43 @@ jobs: # Checkout repos (using shallow clones with fetch-depth: 1) - name: Checkout Arrow - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: repository: apache/arrow submodules: true fetch-depth: 1 - name: Checkout Arrow Rust - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: path: rust submodules: true fetch-depth: 1 - name: Checkout Arrow .NET - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: repository: apache/arrow-dotnet path: dotnet fetch-depth: 1 - name: Checkout Arrow Go - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: repository: apache/arrow-go path: go fetch-depth: 1 - name: Checkout Arrow Java - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: repository: apache/arrow-java path: java fetch-depth: 1 - name: Checkout Arrow JavaScript - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: repository: apache/arrow-js path: js fetch-depth: 1 - name: Checkout Arrow nanoarrow - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: repository: apache/arrow-nanoarrow path: nanoarrow @@ -194,7 +194,7 @@ jobs: # PyArrow 15 was the first version to introduce StringView/BinaryView support pyarrow: ["15", "16", "17"] steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: true - name: Setup Rust toolchain @@ -203,17 +203,17 @@ jobs: rustup default ${{ matrix.rust }} rustup component add rustfmt clippy - name: Cache Cargo - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: /home/runner/.cargo key: cargo-maturin-cache- - name: Cache Rust dependencies - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: /home/runner/target # this key is not equal because maturin uses different compilation flags. key: ${{ runner.os }}-${{ matrix.arch }}-target-maturin-cache-${{ matrix.rust }}- - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.8' - name: Upgrade pip and setuptools diff --git a/.github/workflows/miri.yaml b/.github/workflows/miri.yaml index 7fd3ac9e5f51..36285bc2fabd 100644 --- a/.github/workflows/miri.yaml +++ b/.github/workflows/miri.yaml @@ -50,7 +50,7 @@ jobs: matrix: partition: [1, 2, 3, 4] steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: true - name: Setup Rust toolchain diff --git a/.github/workflows/parquet-geospatial.yml b/.github/workflows/parquet-geospatial.yml index 3f8a4c6fb50d..201790339e68 100644 --- a/.github/workflows/parquet-geospatial.yml +++ b/.github/workflows/parquet-geospatial.yml @@ -41,7 +41,7 @@ jobs: container: image: amd64/rust steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: true - name: Setup Rust toolchain @@ -56,7 +56,7 @@ jobs: container: image: amd64/rust steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: true - name: Setup Rust toolchain @@ -70,7 +70,7 @@ jobs: container: image: amd64/rust steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup Rust toolchain uses: ./.github/actions/setup-builder - name: Setup Clippy diff --git a/.github/workflows/parquet-variant.yml b/.github/workflows/parquet-variant.yml index 32d588a9e2b5..51858f08989d 100644 --- a/.github/workflows/parquet-variant.yml +++ b/.github/workflows/parquet-variant.yml @@ -43,7 +43,7 @@ jobs: container: image: amd64/rust steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: true - name: Setup Rust toolchain @@ -62,7 +62,7 @@ jobs: container: image: amd64/rust steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: true - name: Setup Rust toolchain @@ -80,7 +80,7 @@ jobs: container: image: amd64/rust steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup Rust toolchain uses: ./.github/actions/setup-builder - name: Setup Clippy diff --git a/.github/workflows/parquet.yml b/.github/workflows/parquet.yml index dd03c98c7f02..4be54b0e28d8 100644 --- a/.github/workflows/parquet.yml +++ b/.github/workflows/parquet.yml @@ -55,7 +55,7 @@ jobs: container: image: amd64/rust steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: true - name: Setup Rust toolchain @@ -77,7 +77,7 @@ jobs: container: image: amd64/rust steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: true - name: Setup Rust toolchain @@ -132,7 +132,7 @@ jobs: container: image: amd64/rust steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: true - name: Setup Rust toolchain @@ -155,9 +155,9 @@ jobs: matrix: rust: [ stable ] steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.10" cache: "pip" @@ -188,7 +188,7 @@ jobs: container: image: amd64/rust steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup Rust toolchain uses: ./.github/actions/setup-builder - name: Setup Clippy diff --git a/.github/workflows/parquet_derive.yml b/.github/workflows/parquet_derive.yml index 644577228671..c2b3083f6f91 100644 --- a/.github/workflows/parquet_derive.yml +++ b/.github/workflows/parquet_derive.yml @@ -43,7 +43,7 @@ jobs: container: image: amd64/rust steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: true - name: Setup Rust toolchain @@ -57,7 +57,7 @@ jobs: container: image: amd64/rust steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup Rust toolchain uses: ./.github/actions/setup-builder - name: Setup Clippy diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1a13e48a963d..d0bb1815b612 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 5 steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Create GitHub Releases run: | version=${GITHUB_REF_NAME} diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index 41015840480f..59f8e2217aa9 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -36,7 +36,7 @@ jobs: name: Test on Mac runs-on: macos-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: true - name: Install protoc with brew @@ -59,7 +59,7 @@ jobs: name: Test on Windows runs-on: windows-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: true - name: Install protobuf compiler in /d/protoc @@ -91,7 +91,7 @@ jobs: container: image: amd64/rust steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup Rust toolchain uses: ./.github/actions/setup-builder - name: Setup rustfmt @@ -113,7 +113,7 @@ jobs: container: image: amd64/rust steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup Rust toolchain uses: ./.github/actions/setup-builder - name: Install cargo-msrv (if needed) diff --git a/.github/workflows/take.yml b/.github/workflows/take.yml index cda06c32c5af..5ae4fdb3f111 100644 --- a/.github/workflows/take.yml +++ b/.github/workflows/take.yml @@ -28,7 +28,7 @@ jobs: if: (!github.event.issue.pull_request) && github.event.comment.body == 'take' runs-on: ubuntu-slim steps: - - uses: actions/github-script@v9 + - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: script: | github.rest.issues.addAssignees({