diff --git a/.github/workflows/attest.yml b/.github/workflows/attest.yml index 32ca270..f2cfeb0 100644 --- a/.github/workflows/attest.yml +++ b/.github/workflows/attest.yml @@ -48,7 +48,7 @@ jobs: steps: - name: "Checkout tagged source" # actions/checkout v6 - uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" + uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" with: # Attest only stable tags. Manual dispatches must supply the exact tag. ref: "${{ github.event_name == 'workflow_dispatch' && inputs.release_tag || github.ref_name }}" @@ -123,7 +123,7 @@ jobs: - name: "Generate provenance attestation" # actions/attest v4 - uses: "actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26" + uses: "actions/attest@a1948c3f048ba23858d222213b7c278aabede763" with: subject-path: "${{ steps.meta.outputs.artifact_dir }}/${{ steps.meta.outputs.artifact_name }}" diff --git a/.github/workflows/benchmark-smoke.yml b/.github/workflows/benchmark-smoke.yml index 64959c5..85036f0 100644 --- a/.github/workflows/benchmark-smoke.yml +++ b/.github/workflows/benchmark-smoke.yml @@ -41,14 +41,14 @@ jobs: steps: - name: "Checkout repository" # actions/checkout v6 - uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" + uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" with: fetch-depth: 0 persist-credentials: false - name: "Setup Go" # actions/setup-go v6 - uses: "actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c" + uses: "actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16" with: # Follow the repository-declared Go toolchain. go-version-file: "go.mod" @@ -56,7 +56,7 @@ jobs: - name: "Setup Python" # actions/setup-python v6 - uses: "actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405" + uses: "actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1" with: # Benchmark chart smoke should use the same pinned dependency contract # the repository documents locally. diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2cb664c..e2245b4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -68,7 +68,7 @@ jobs: steps: - name: "Checkout repository" # actions/checkout v6 - uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" + uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" with: # Full history is not strictly required for plain tests, but keeping # checkout behavior consistent across workflows helps avoid edge cases @@ -78,7 +78,7 @@ jobs: - name: "Setup Go" # actions/setup-go v6 - uses: "actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c" + uses: "actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16" with: # Use the toolchain declared by the repository. go-version-file: "go.mod" @@ -106,14 +106,14 @@ jobs: steps: - name: "Checkout repository" # actions/checkout v6 - uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" + uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" with: fetch-depth: 0 persist-credentials: false - name: "Setup Go" # actions/setup-go v6 - uses: "actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c" + uses: "actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16" with: go-version-file: "go.mod" cache: true diff --git a/.github/workflows/commit-lint.yml b/.github/workflows/commit-lint.yml index ee74b29..6707ddd 100644 --- a/.github/workflows/commit-lint.yml +++ b/.github/workflows/commit-lint.yml @@ -55,7 +55,7 @@ jobs: steps: - name: "Checkout repository" # actions/checkout v6 - uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" + uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" with: # commit range validation requires real history. fetch-depth: 0 @@ -75,7 +75,7 @@ jobs: - name: "Setup Python" # actions/setup-python v6 - uses: "actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405" + uses: "actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1" with: # The repository commitlint orchestration script uses only the Python # standard library, but pinning the runtime keeps workflow behavior diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 994a47f..a5dca49 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -46,7 +46,7 @@ jobs: steps: - name: "Checkout repository" # actions/checkout v6 - uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" + uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" with: persist-credentials: false diff --git a/.github/workflows/docs-smoke.yml b/.github/workflows/docs-smoke.yml index df59d28..37d8b5e 100644 --- a/.github/workflows/docs-smoke.yml +++ b/.github/workflows/docs-smoke.yml @@ -56,7 +56,7 @@ jobs: steps: - name: "Checkout repository" # actions/checkout v6 - uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" + uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" with: # Full history is unnecessary here because the docs smoke script only # inspects the checked-out tree, not branch history or diff state. @@ -65,7 +65,7 @@ jobs: - name: "Setup Python" # actions/setup-python v6 - uses: "actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405" + uses: "actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1" with: # The docs smoke script uses only the standard library. A modern # pinned Python runtime keeps local reproduction straightforward and CI diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml index 7be3de1..8f51773 100644 --- a/.github/workflows/fuzz.yml +++ b/.github/workflows/fuzz.yml @@ -35,14 +35,14 @@ jobs: steps: - name: "Checkout repository" # actions/checkout v6 - uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" + uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" with: fetch-depth: 1 persist-credentials: false - name: "Setup Go" # actions/setup-go v6 - uses: "actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c" + uses: "actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16" with: go-version-file: "go.mod" cache: true diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml index c95f195..0d4df14 100644 --- a/.github/workflows/govulncheck.yml +++ b/.github/workflows/govulncheck.yml @@ -44,7 +44,7 @@ jobs: steps: - name: "Checkout repository" # actions/checkout v6 - uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" + uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" with: # Full history is not strictly required by govulncheck itself, but it # keeps repository state consistent across push / PR jobs @@ -54,7 +54,7 @@ jobs: - name: "Setup Go" # actions/setup-go v6 - uses: "actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c" + uses: "actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16" with: # Respect the repository-declared Go version instead of duplicating it # in workflow YAML. diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 4f20c96..b7de60e 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -47,7 +47,7 @@ jobs: steps: - name: "Checkout repository" # actions/checkout v6 - uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" + uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" with: # Full history is not strictly required for ordinary linting, but it is # useful for merge-group scenarios and keeps diff-based issue filtering @@ -57,7 +57,7 @@ jobs: - name: "Setup Go" # actions/setup-go v6 - uses: "actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c" + uses: "actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16" with: # Follow the repository's declared Go toolchain instead of duplicating # the version string in workflow YAML. @@ -76,7 +76,7 @@ jobs: - name: "Run golangci-lint" # golangci/golangci-lint-action v9 - uses: "golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20" + uses: "golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee" with: # Match the current repository lint configuration baseline. # diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index edda443..058ae3e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -51,7 +51,7 @@ jobs: steps: - name: "Checkout stable tag source" # actions/checkout v6 - uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" + uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" with: # Stable releases are published from an existing SemVer tag, not from # branch pushes. For manual dispatches, the caller must provide the @@ -90,7 +90,7 @@ jobs: - name: "Setup Go" # actions/setup-go v6 - uses: "actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c" + uses: "actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16" with: go-version-file: "go.mod" cache: true @@ -122,7 +122,7 @@ jobs: steps: - name: "Checkout repository" # actions/checkout v6 - uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" + uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" with: # `gh release create --verify-tag` shells out to git and expects a # real repository checkout with full history and tags. diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index d303415..c6fe5f6 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -77,13 +77,13 @@ jobs: # restrictions and adds useful visibility into outbound network behavior. - name: "Harden runner" # step-security/harden-runner v2 - uses: "step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40" + uses: "step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411" with: egress-policy: "audit" - name: "Checkout repository" # actions/checkout v6 - uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" + uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" with: # Full history improves the quality of some repository checks and keeps # the action closer to the official examples. @@ -110,7 +110,7 @@ jobs: - name: "Upload SARIF to GitHub code scanning" # github/codeql-action/upload-sarif v4 - uses: "github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225" + uses: "github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e" with: sarif_file: "results.sarif" diff --git a/.github/workflows/security-codeql.yml b/.github/workflows/security-codeql.yml index 77b924a..1e06e17 100644 --- a/.github/workflows/security-codeql.yml +++ b/.github/workflows/security-codeql.yml @@ -61,7 +61,7 @@ jobs: steps: - name: "Checkout repository" # actions/checkout v6 - uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" + uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" with: persist-credentials: false @@ -80,7 +80,7 @@ jobs: # right default until proven otherwise. - name: "Initialize CodeQL" # github/codeql-action/init v4 - uses: "github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225" + uses: "github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e" with: languages: "${{ matrix.language }}" build-mode: "autobuild" @@ -98,6 +98,6 @@ jobs: - name: "Perform CodeQL analysis" # github/codeql-action/analyze v4 - uses: "github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225" + uses: "github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e" with: category: "/language:${{ matrix.language }}"