From 63680f7b2d313c2cc9a8ac8deb0398c142c4235e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 10 May 2026 15:27:16 +0000 Subject: [PATCH 1/2] chore: record baseline validation Agent-Logs-Url: https://github.com/gofiber/.github/sessions/2d04561f-aed1-432f-be9c-4cba40e9c7b0 Co-authored-by: gaby <835733+gaby@users.noreply.github.com> --- .github/actions/clean-release-notes/action.yml | 2 +- .github/workflows/go-lint-single.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/actions/clean-release-notes/action.yml b/.github/actions/clean-release-notes/action.yml index 5b30abd..0a0e1e3 100644 --- a/.github/actions/clean-release-notes/action.yml +++ b/.github/actions/clean-release-notes/action.yml @@ -49,7 +49,7 @@ runs: # The Go source lives next to this action.yml, so ${{ github.action_path }} # already points at everything we need. No separate checkout required. - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: # The go.mod shipped with the action pins the required Go version. go-version-file: ${{ github.action_path }}/go.mod diff --git a/.github/workflows/go-lint-single.yml b/.github/workflows/go-lint-single.yml index 525b7f7..8c7ac1b 100644 --- a/.github/workflows/go-lint-single.yml +++ b/.github/workflows/go-lint-single.yml @@ -28,14 +28,14 @@ jobs: name: lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: actions/setup-go@v6 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version-file: go.mod cache: false - - uses: golangci/golangci-lint-action@v9 + - uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9 with: version: ${{ inputs.golangci-lint-version }} args: ${{ inputs.golangci-lint-args }} From 9b267efac6108b26961d073f0ae0b27dfb6da42e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 10 May 2026 15:28:04 +0000 Subject: [PATCH 2/2] chore: pin github action references Agent-Logs-Url: https://github.com/gofiber/.github/sessions/2d04561f-aed1-432f-be9c-4cba40e9c7b0 Co-authored-by: gaby <835733+gaby@users.noreply.github.com> --- .github/actions/cleanup-release-draft/action.yml | 2 +- .github/workflows/after-release.yml | 2 +- .github/workflows/auto-labeler.yml | 2 +- .github/workflows/dependabot-automerge.yml | 2 +- .github/workflows/dependabot-on-demand.yml | 2 +- .github/workflows/go-lint-multi.yml | 10 +++++----- .github/workflows/security-golang.yml | 10 +++++----- .github/workflows/sync-docs.yml | 6 +++--- .github/workflows/weekly-release.yml | 8 ++++---- 9 files changed, 22 insertions(+), 22 deletions(-) diff --git a/.github/actions/cleanup-release-draft/action.yml b/.github/actions/cleanup-release-draft/action.yml index c425007..95dc7b9 100644 --- a/.github/actions/cleanup-release-draft/action.yml +++ b/.github/actions/cleanup-release-draft/action.yml @@ -44,7 +44,7 @@ runs: - name: Clean release notes if: steps.draft.outputs.found == 'true' - uses: gofiber/.github/.github/actions/clean-release-notes@main + uses: gofiber/.github/.github/actions/clean-release-notes@2a2c623de2cfdc4c6b52ecf52907be260a01949b # main with: release-id: ${{ steps.draft.outputs.id }} env: diff --git a/.github/workflows/after-release.yml b/.github/workflows/after-release.yml index a7e553c..6363e1c 100644 --- a/.github/workflows/after-release.yml +++ b/.github/workflows/after-release.yml @@ -55,7 +55,7 @@ jobs: matrix: repo: ${{ fromJson(needs.wait.outputs.matrix) }} steps: - - uses: gofiber/.github/.github/actions/trigger-dependabot@main + - uses: gofiber/.github/.github/actions/trigger-dependabot@2a2c623de2cfdc4c6b52ecf52907be260a01949b # main with: repo: ${{ matrix.repo }} token: ${{ secrets.dispatch-token }} diff --git a/.github/workflows/auto-labeler.yml b/.github/workflows/auto-labeler.yml index 9074094..2192015 100644 --- a/.github/workflows/auto-labeler.yml +++ b/.github/workflows/auto-labeler.yml @@ -34,7 +34,7 @@ jobs: steps: - name: Apply labels id: labeler - uses: gofiber/multi-labeler@v0.3.1 + uses: gofiber/multi-labeler@a077013094ec75b67ddaee83d34ae75b5ced0a34 # v0.3.1 with: github-token: ${{ secrets.github-token != '' && secrets.github-token || secrets.GITHUB_TOKEN }} config-path: ${{ inputs.config-path }} diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml index 4c1a77e..7ec37d2 100644 --- a/.github/workflows/dependabot-automerge.yml +++ b/.github/workflows/dependabot-automerge.yml @@ -20,7 +20,7 @@ jobs: steps: - name: Fetch metadata id: metadata - uses: dependabot/fetch-metadata@v3 + uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3 with: github-token: ${{ secrets.github-token != '' && secrets.github-token || github.token }} diff --git a/.github/workflows/dependabot-on-demand.yml b/.github/workflows/dependabot-on-demand.yml index c53647e..b2bff72 100644 --- a/.github/workflows/dependabot-on-demand.yml +++ b/.github/workflows/dependabot-on-demand.yml @@ -21,7 +21,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: token: ${{ secrets.push-token || github.token }} diff --git a/.github/workflows/go-lint-multi.yml b/.github/workflows/go-lint-multi.yml index ec67ccd..e4542ad 100644 --- a/.github/workflows/go-lint-multi.yml +++ b/.github/workflows/go-lint-multi.yml @@ -38,7 +38,7 @@ jobs: outputs: packages: ${{ steps.set-packages.outputs.packages }} steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: # Full history needed for dorny/paths-filter on PRs. # On push/dispatch this is unnecessary but harmless. @@ -93,7 +93,7 @@ jobs: - name: Filter changes if: github.event_name == 'pull_request' id: filter - uses: dorny/paths-filter@v4 + uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4 with: filters: ${{ steps.discover.outputs.filters }} @@ -126,14 +126,14 @@ jobs: matrix: package: ${{ fromJSON(needs.changes.outputs.packages) }} steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: actions/setup-go@v6 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version-file: "${{ matrix.package }}/go.mod" cache: false - - uses: golangci/golangci-lint-action@v9 + - uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9 env: GOWORK: 'off' with: diff --git a/.github/workflows/security-golang.yml b/.github/workflows/security-golang.yml index dadc0eb..a5fc66f 100644 --- a/.github/workflows/security-golang.yml +++ b/.github/workflows/security-golang.yml @@ -40,7 +40,7 @@ jobs: security-events: write steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Go uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 @@ -65,15 +65,15 @@ jobs: actions: read steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4 with: languages: go - name: Autobuild - uses: github/codeql-action/autobuild@v4 + uses: github/codeql-action/autobuild@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4 diff --git a/.github/workflows/sync-docs.yml b/.github/workflows/sync-docs.yml index 302e332..2381caa 100644 --- a/.github/workflows/sync-docs.yml +++ b/.github/workflows/sync-docs.yml @@ -71,19 +71,19 @@ jobs: timeout-minutes: 30 steps: - name: Checkout source repo - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 2 - name: Checkout central scripts - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: gofiber/.github path: .central - name: Setup Node.js if: inputs.event-mode == 'release' || inputs.event-mode == 'release-all' - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: ${{ inputs.node-version }} diff --git a/.github/workflows/weekly-release.yml b/.github/workflows/weekly-release.yml index 0f71848..23337e3 100644 --- a/.github/workflows/weekly-release.yml +++ b/.github/workflows/weekly-release.yml @@ -317,7 +317,7 @@ jobs: steps.draft.outputs.no-draft == 'false' && steps.bump.outputs.is_major != 'true' && steps.pending.outputs.pending != 'true' - uses: gofiber/.github/.github/actions/clean-release-notes@main + uses: gofiber/.github/.github/actions/clean-release-notes@2a2c623de2cfdc4c6b52ecf52907be260a01949b # main with: release-id: ${{ steps.draft.outputs.id }} bots: ${{ inputs.bot-logins }} @@ -388,18 +388,18 @@ jobs: timeout-minutes: 360 steps: - name: Checkout caller repo (for release-plan.yml) - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: sparse-checkout: ${{ inputs.release-plan-path }} - name: Checkout central repo (for cleanup tool) - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: gofiber/.github path: .central - name: Setup Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version-file: .central/.github/actions/clean-release-notes/go.mod cache: false