From f52800a87ab02a614b576df1ea944b1366e40660 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20Houpert?= <10154151+lhoupert@users.noreply.github.com> Date: Thu, 2 Apr 2026 16:57:34 +0100 Subject: [PATCH] ci: pin GitHub Actions to SHA digests Refs #50 --- .github/workflows/publish-docs.yml | 4 ++-- .github/workflows/release.yml | 10 +++++----- .github/workflows/test-python.yml | 12 ++++++------ 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml index a71c39e..7ae594e 100644 --- a/.github/workflows/publish-docs.yml +++ b/.github/workflows/publish-docs.yml @@ -21,13 +21,13 @@ jobs: env: CI: "TRUE" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # We need to additionally fetch the gh-pages branch for mike deploy with: fetch-depth: 0 - name: Install a specific version of uv - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5 with: enable-cache: true version: "0.5.x" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e48d793..9117210 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -12,10 +12,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install a specific version of uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6 with: version: "latest" @@ -23,7 +23,7 @@ jobs: run: | uv run python -m build - - uses: actions/upload-artifact@v6 + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: path: ./dist/ 
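Review bot: Nothing in the patch ties the new digests on the two `uses:` lines to the tags named in their trailing comments (`# v4`, `# v5`), so whoever merges should confirm each 40-character SHA is the commit the upstream tag resolves to (for example with `git ls-remote` against the action repository) — a valid-but-wrong SHA pins silently to some other revision. The same check applies to every pinned line in release.yml and test-python.yml. A digest pin also stops receiving fixes on its own, so make sure an updater that understands the `@<sha> # vN` form (Dependabot's `github-actions` ecosystem or Renovate) is configured if it is not already; no `.github/dependabot.yml` is visible from this patch. Keep the `# vN` comment on every pinned line, since those tools rely on it to know which tag range to track.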
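Review bot: The release workflow pins `actions/checkout` at a v6 digest (`de0fac2e…`) and `astral-sh/setup-uv` at v6 (`d0cc045d…`), while publish-docs.yml and test-python.yml pin the same two actions at v4 (`34e11487…`) and v5 (`d4b2f3b6…`), so each action now has two digests to audit and bump. The split predates this commit, but the pin makes it visible and doubles the maintenance surface; unless the older majors are required by those workflows (publish-docs relies on full history for mike, test-python pins uv to `"0.5.x"` — whether setup-uv v6 handles both is not shown here), aligning all three files on one digest per action would be simpler to keep current. If the mismatch is intentional, a one-line comment on the older pins saying why would stop the next updater from "fixing" it.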
@@ -39,11 +39,11 @@ jobs: permissions: id-token: write # IMPORTANT: this permission is mandatory for trusted publishing steps: - - uses: actions/download-artifact@v7 + - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 with: name: artifact path: dist merge-multiple: true - name: Publish package distributions to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1 diff --git a/.github/workflows/test-python.yml b/.github/workflows/test-python.yml index dc1ef36..560ba0d 100644 --- a/.github/workflows/test-python.yml +++ b/.github/workflows/test-python.yml @@ -18,17 +18,17 @@ jobs: name: Run pre-commit on Python code runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: "3.11" # Use ruff-action so we get annotations in the Github UI - - uses: astral-sh/ruff-action@v3 + - uses: astral-sh/ruff-action@4919ec5cf1f49eff0871dbcea0da843445b837e6 # v3 - name: Cache pre-commit virtualenvs - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: ~/.cache/pre-commit key: pre-commit-3|${{ hashFiles('.pre-commit-config.yaml') }} @@ -46,10 +46,10 @@ jobs: matrix: python-version: ["3.9", "3.10", "3.11", "3.12"] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Install uv - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5 with: enable-cache: true version: "0.5.x"
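Review bot: The trailing comment on the `pypa/gh-action-pypi-publish` line records `release/v1`, which is a moving branch rather than a release, so it no longer tells a reader which version `ed0c5393…` actually is; record the release tag the digest corresponds to instead (`# <RELEASE_TAG>`, looked up upstream, not given here), which is also the form Dependabot needs to propose updates from a SHA pin. Note that the digest pins only that action repository's contents: if the action pulls a container image or installs packages at run time, those are outside the pin and need their own controls (such as an image digest). The `id-token: write` scope kept for trusted publishing is the right scope for this job; the publish job's remaining lines are outside the hunk.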