From 0283ea7f29ccec8d224a63afd88eef7c7154373f Mon Sep 17 00:00:00 2001 From: "Micah D. Gale" Date: Tue, 3 Mar 2026 09:15:31 -0600 Subject: [PATCH 01/10] Pinned all actions to avoid vendor side exploits. --- .github/workflows/deploy-alpha.yml | 14 +++++------ .github/workflows/deploy.yml | 14 +++++------ .github/workflows/main.yml | 40 +++++++++++++++--------------- .github/workflows/rtd_link.yml | 2 +- 4 files changed, 35 insertions(+), 35 deletions(-) diff --git a/.github/workflows/deploy-alpha.yml b/.github/workflows/deploy-alpha.yml index 3fe403b5..29122031 100644 --- a/.github/workflows/deploy-alpha.yml +++ b/.github/workflows/deploy-alpha.yml @@ -9,9 +9,9 @@ jobs: last-minute-test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 - name: set up python 3.14 - uses: actions/setup-python@v6 + uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 with: python-version: 3.14 - run: pip install . montepy[develop] @@ -27,12 +27,12 @@ jobs: env: GH_TOKEN: ${{ github.token }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 with: fetch-depth: 0 fetch-tags: true - name: set up python 3.14 - uses: actions/setup-python@v6 + uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 with: python-version: 3.14 - run: pip install . montepy[build] @@ -58,7 +58,7 @@ jobs: gh release upload 'v${{ steps.get_version.outputs.version }}' dist/** --repo '${{ github.repository }}' - - uses: actions/upload-artifact@v6 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f with: name: build path: | @@ -76,7 +76,7 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - - uses: actions/download-artifact@v7 + - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 with: name: build path: dist/ 
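Review bot: The pins in the first deploy-alpha.yml hunk give `actions/checkout` and `actions/setup-python` the same commit id, `0c366fd6a839edf440554fa01a7085ccba70ac98`; one commit is unlikely to exist in both repositories, so at least one pin probably does not resolve to the release it replaces. The same pair recurs in every checkout/setup-python hunk of this commit, in deploy.yml and main.yml as well. A trailing release comment on each pinned line, e.g. `uses: actions/checkout@<full-sha> # <release tag>`, would let a reviewer check the id against the upstream tag and gives Dependabot a version to update alongside the SHA. The `upload-artifact`, `download-artifact`, `dorny/paths-filter` and `readthedocs/actions/preview` pins would benefit from the same comment.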
@@ -95,7 +95,7 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - - uses: actions/download-artifact@v7 + - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 with: name: build path: dist/ diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 9e8ef9a3..a810b107 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -9,9 +9,9 @@ jobs: last-minute-test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 - name: set up python 3.14 - uses: actions/setup-python@v6 + uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 with: python-version: 3.14 - run: pip install . montepy[develop] @@ -28,12 +28,12 @@ jobs: env: GH_TOKEN: ${{ github.token }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 with: fetch-depth: 0 fetch-tags: true - name: set up python 3.14 - uses: actions/setup-python@v6 + uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 with: python-version: 3.14 - run: pip install . montepy[build] @@ -59,7 +59,7 @@ jobs: gh release upload 'v${{ steps.get_version.outputs.version }}' dist/** --repo '${{ github.repository }}' - - uses: actions/upload-artifact@v6 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f with: name: build path: | @@ -78,7 +78,7 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - - uses: actions/download-artifact@v7 + - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 with: name: build path: dist/ @@ -97,7 +97,7 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - - uses: actions/download-artifact@v7 + - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 with: name: build path: dist/ diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 2097542a..c95506ea 100644 --- a/.github/workflows/main.yml 
+++ b/.github/workflows/main.yml @@ -14,12 +14,12 @@ jobs: python-version: ["3.12", "3.13", "3.14"] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 with: fetch-depth: 0 fetch-tags: true - name: set up python ${{ matrix.python-version }} - uses: actions/setup-python@v6 + uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 with: python-version: ${{ matrix.python-version }} - run: pip install --upgrade pip @@ -42,7 +42,7 @@ jobs: - run: pip install --user . montepy[develop] - run: pip freeze - name: Upload build artifacts - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f if: ${{ matrix.python-version == '3.13'}} with: name: build @@ -63,9 +63,9 @@ jobs: sly-version: "0.4" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 - name: set up python ${{ matrix.python-version }} - uses: actions/setup-python@v6 + uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 with: python-version: ${{ matrix.python-version }} - run: pip install numpy~=${{ matrix.numpy-version }} @@ -84,13 +84,13 @@ jobs: if: ${{ success() || failure() }} - name: Upload test report if: ${{ matrix.python-version == '3.14' && matrix.numpy-version == '2.3' && (success() || failure() )}} - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f with: name: test path: test_report.xml - name: Upload coverage report if: ${{ matrix.python-version == '3.14' && matrix.numpy-version == '2.3' && (success() || failure() )}} - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f with: name: coverage path: coverage.xml 
@@ -109,18 +109,18 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 with: fetch-depth: 0 fetch-tags: true - name: set up python 3.12 - uses: actions/setup-python@v6 + uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 with: python-version: 3.14 - run: pip install . montepy[doc,build] - run: cd doc && make html SPHINXOPTS="-W --keep-going -E" name: Build site strictly - - uses: actions/upload-artifact@v6 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f with: name: website path: doc/build @@ -133,12 +133,12 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 with: fetch-depth: 0 fetch-tags: true - name: set up python 3.14 - uses: actions/setup-python@v6 + uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 with: python-version: 3.14 - run: pip install . montepy[doc,build,demo-test,test] @@ -158,9 +158,9 @@ jobs: steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 - name: set up python 3.14 - uses: actions/setup-python@v6 + uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 with: python-version: 3.14 - run: pip install . montepy[format] @@ -170,9 +170,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 - name: set up python 3.14 - uses: actions/setup-python@v6 + uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 with: python-version: 3.14 - run: pip install . montepy[test] 
@@ -187,9 +187,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 - name: set up python 3.14 - uses: actions/setup-python@v6 + uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 with: python-version: 3.14 - run: pip install . montepy[test] @@ -202,9 +202,9 @@ jobs: if: github.ref != 'refs/heads/main' steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 - name: Check for changes - uses: dorny/paths-filter@v3 + uses: dorny/paths-filter@668c092af3649c4b664c54e4b704aa46782f6f7c id: changes with: filters: | diff --git a/.github/workflows/rtd_link.yml b/.github/workflows/rtd_link.yml index 529bd484..c9a3463b 100644 --- a/.github/workflows/rtd_link.yml +++ b/.github/workflows/rtd_link.yml @@ -8,6 +8,6 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: - - uses: readthedocs/actions/preview@v1 + - uses: readthedocs/actions/preview@31a30360a2d7530806bff6855aa209167f06a89c with: project-slug: "montepy" From 7f891635849b72a6e34a92998513aca4c4fd918c Mon Sep 17 00:00:00 2001 From: "Micah D. Gale" Date: Tue, 3 Mar 2026 09:19:26 -0600 Subject: [PATCH 02/10] Explicitly set all permissions. --- .github/workflows/deploy-alpha.yml | 2 ++ .github/workflows/deploy.yml | 2 ++ .github/workflows/main.yml | 14 ++++++++++++++ 3 files changed, 18 insertions(+) diff --git a/.github/workflows/deploy-alpha.yml b/.github/workflows/deploy-alpha.yml index 29122031..96d7b81f 100644 --- a/.github/workflows/deploy-alpha.yml +++ b/.github/workflows/deploy-alpha.yml @@ -7,6 +7,8 @@ on: jobs: last-minute-test: + permissions: + contents: read runs-on: ubuntu-latest steps: - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index a810b107..750c4064 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
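Review bot: Declaring `permissions` job by job, as this deploy-alpha.yml hunk does for `last-minute-test`, leaves any job without its own block on the repository's default token scope. This commit touches seven jobs in main.yml but not the numpy-matrix test job between `build` and `doc-build`; whether that job already has a block is not visible here. A workflow-level default placed before `jobs:`, for example `permissions:` with `contents: read` beneath it, would make the restricted scope the fallback for every job, with per-job blocks widening it only where needed.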
@@ -7,6 +7,8 @@ on: jobs: last-minute-test: + permissions: + contents: read runs-on: ubuntu-latest steps: - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c95506ea..9047ac84 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -9,6 +9,8 @@ on: jobs: build: runs-on: ubuntu-latest + permissions: + contents: read strategy: matrix: python-version: ["3.12", "3.13", "3.14"] @@ -107,6 +109,8 @@ jobs: doc-build: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 @@ -131,6 +135,8 @@ jobs: doc-test: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 @@ -155,6 +161,8 @@ jobs: format-test: runs-on: ubuntu-latest + permissions: + contents: read steps: @@ -168,6 +176,8 @@ jobs: profile: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 @@ -185,6 +195,8 @@ jobs: benchmark: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 @@ -199,6 +211,8 @@ jobs: changelog-test: runs-on: ubuntu-latest + permissions: + contents: read if: github.ref != 'refs/heads/main' steps: From 6cd8e471f6540e0b2859e82f3b74b17acea3e7e7 Mon Sep 17 00:00:00 2001 From: "Micah D. Gale" Date: Mon, 9 Mar 2026 09:57:15 -0500 Subject: [PATCH 03/10] Set cooldown for dependabot to avoid brand new releases. --- .github/dependabot.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 3af63e53..68e6cbc7 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
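Review bot: The `changelog-test` hunk grants only `contents: read`, yet the job runs `dorny/paths-filter`, which on pull_request events lists changed files through the API and is documented as needing `pull-requests: read`. The workflow's `on:` triggers are outside these hunks, so this applies only if main.yml runs for pull requests; in that case add `pull-requests: read` under the job's `permissions:`. Once a `permissions` block is present every unlisted scope is set to none, so the omission would show up as a failed step.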
@@ -9,7 +9,12 @@ updates: directory: "/" # Location of package manifests schedule: interval: "weekly" + cooldown: + default-days: 14 + semver-major-days: 28 - package-ecosystem: "github-actions" directory: "/" schedule: interval: "weekly" + cooldown: + default-days: 8 From 043e938b856b959c9d458e5f07707478cd7cdb9c Mon Sep 17 00:00:00 2001 From: "Micah D. Gale" Date: Mon, 9 Mar 2026 09:58:11 -0500 Subject: [PATCH 04/10] Don't persist checkout credentials to avoid malicious credential extrication. --- .github/workflows/deploy-alpha.yml | 3 +++ .github/workflows/deploy.yml | 3 +++ .github/workflows/main.yml | 13 +++++++++++++ 3 files changed, 19 insertions(+) diff --git a/.github/workflows/deploy-alpha.yml b/.github/workflows/deploy-alpha.yml index 96d7b81f..0ccecae6 100644 --- a/.github/workflows/deploy-alpha.yml +++ b/.github/workflows/deploy-alpha.yml @@ -12,6 +12,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 + with: + persist-credentials: false - name: set up python 3.14 uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 with: @@ -33,6 +35,7 @@ jobs: with: fetch-depth: 0 fetch-tags: true + persist-credentials: false - name: set up python 3.14 uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 with: diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 750c4064..fbb7e90e 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -12,6 +12,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 + with: + persist-credentials: false - name: set up python 3.14 uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 with: @@ -34,6 +36,7 @@ jobs: with: fetch-depth: 0 fetch-tags: true + persist-credentials: false - name: set up python 3.14 uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 with: 
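Review bot: The cooldown values (14, 28 and 8 days) are added without a comment saying what they are for, unlike the commented `directory` line just above them. A short comment such as `# hold version updates until a release has aged; security updates are not delayed by cooldown` would record the intent and the fact that, per the Dependabot documentation, cooldown applies to version updates only. It would also help to say why the github-actions window is shorter than the package window.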
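Review bot: In `build-packages` (the second deploy-alpha.yml hunk and its twin in deploy.yml) `persist-credentials: false` removes the token from the checkout's git config, but the job still sets `GH_TOKEN: ${{ github.token }}` in a job-level `env`, as the context lines of the first patch in this series show. Every step in that job, including `pip install . montepy[build]` and `python -m build .`, therefore still receives the token in its environment. Moving the `env:` block onto the `gh release` steps alone would keep the token away from the dependency install and build steps. The job body lies outside these hunks, so the step list should be confirmed against the file.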
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 9047ac84..9a6f621c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -20,6 +20,7 @@ jobs: with: fetch-depth: 0 fetch-tags: true + persist-credentials: false - name: set up python ${{ matrix.python-version }} uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 with: @@ -66,6 +67,8 @@ jobs: steps: - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 + with: + persist-credentials: false - name: set up python ${{ matrix.python-version }} uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 with: @@ -117,6 +120,7 @@ jobs: with: fetch-depth: 0 fetch-tags: true + persist-credentials: false - name: set up python 3.12 uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 with: @@ -143,6 +147,7 @@ jobs: with: fetch-depth: 0 fetch-tags: true + persist-credentials: false - name: set up python 3.14 uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 with: @@ -167,6 +172,8 @@ jobs: steps: - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 + with: + persist-credentials: false - name: set up python 3.14 uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 with: @@ -181,6 +188,8 @@ jobs: steps: - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 + with: + persist-credentials: false - name: set up python 3.14 uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 with: @@ -200,6 +209,8 @@ jobs: steps: - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 + with: + persist-credentials: false - name: set up python 3.14 uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 with: @@ -217,6 +228,8 @@ jobs: steps: - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 + with: + persist-credentials: false - name: Check for changes uses: dorny/paths-filter@668c092af3649c4b664c54e4b704aa46782f6f7c id: changes 
From 5409cacd69a303469a64c56f29cb6f3d5ec9c46d Mon Sep 17 00:00:00 2001 From: "Micah D. Gale" Date: Mon, 9 Mar 2026 09:58:45 -0500 Subject: [PATCH 05/10] Limit building pypi packages to require approval to avoid remote code exec. --- .github/workflows/deploy-alpha.yml | 2 ++ .github/workflows/deploy.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/.github/workflows/deploy-alpha.yml b/.github/workflows/deploy-alpha.yml index 0ccecae6..75063dce 100644 --- a/.github/workflows/deploy-alpha.yml +++ b/.github/workflows/deploy-alpha.yml @@ -23,6 +23,8 @@ jobs: build-packages: name: Build, sign, and release packages on github + environment: + name: build-pypi runs-on: ubuntu-latest needs: [last-minute-test] permissions: diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index fbb7e90e..875cd890 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -24,6 +24,8 @@ jobs: build-packages: name: Build, sign, and release packages on github + environment: + name: build-pypi runs-on: ubuntu-latest needs: [last-minute-test] permissions: From fbbccc9e7d1bf680168d1438394cd59274bd814f Mon Sep 17 00:00:00 2001 From: "Micah D. Gale" Date: Mon, 9 Mar 2026 09:59:25 -0500 Subject: [PATCH 06/10] Avoid useless GHA and try to do gh release create ourselves. --- .github/workflows/deploy-alpha.yml | 8 +++----- .github/workflows/deploy.yml | 8 +++----- 2 files changed, 6 insertions(+), 10 deletions(-) diff --git a/.github/workflows/deploy-alpha.yml b/.github/workflows/deploy-alpha.yml index 75063dce..d6c70bac 100644 --- a/.github/workflows/deploy-alpha.yml +++ b/.github/workflows/deploy-alpha.yml 
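Review bot: `environment: name: build-pypi` adds an approval gate only if that environment has required reviewers configured in the repository settings, which the diff cannot show. GitHub creates a referenced environment that does not yet exist, with no protection rules, and the job would then run unattended. A comment above the key, e.g. `# approval gate: build-pypi must have required reviewers configured`, would document that dependency; the same applies to the deploy.yml hunk. `last-minute-test` is not gated and still installs and runs the project before any approval, though with `contents: read` only.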
@@ -56,11 +56,9 @@ jobs: ./dist/*.tar.gz ./dist/*.whl - name: Create a GitHub release - uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b - with: - tag: v${{ steps.get_version.outputs.version }} - name: Release ${{ steps.get_version.outputs.version }} - draft: true + run:| gh release create "v${ steps.get_version.outputs.version }" \ + --title="Release ${ steps.get_version.outputs.version }" \ + --generate-notes -d - run: >- gh release upload 'v${{ steps.get_version.outputs.version }}' dist/** diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 875cd890..23ecbee8 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -57,11 +57,9 @@ jobs: ./dist/*.tar.gz ./dist/*.whl - name: Create a GitHub release - uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b - with: - tag: v${{ steps.get_version.outputs.version }} - name: Release ${{ steps.get_version.outputs.version }} - draft: true + run:| gh release create "v${ steps.get_version.outputs.version }" \ + --title="Release ${ steps.get_version.outputs.version }" \ + --generate-notes -d - run: >- gh release upload 'v${{ steps.get_version.outputs.version }}' dist/** From 8889eb0d14d0ceb160a13000dc200d37a424b9cb Mon Sep 17 00:00:00 2001 From: Micah Gale Date: Mon, 9 Mar 2026 10:03:13 -0500 Subject: [PATCH 07/10] Fixed yaml syntax. --- .github/workflows/deploy.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 23ecbee8..baaf1ab2 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
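Review bot: The new `run` script writes `${ steps.get_version.outputs.version }` with single braces, which Actions does not expand; the shell receives the text as is and is likely to reject it as a bad substitution. The deploy.yml hunk has the same lines, and the two later "Fixed yaml syntax" patches repair `run:|` but keep the single braces. Passing the value through `env` and quoting a shell variable fixes the expansion and also keeps the step output out of the script text. The step sits inside `build-packages`, whose body extends beyond the hunk.

```yaml
- name: Create a GitHub release
  env:
    VERSION: ${{ steps.get_version.outputs.version }}
  run: |
    gh release create "v${VERSION}" \
      --title="Release ${VERSION}" \
      --generate-notes -d
# … unchanged: gh release upload step …
```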
@@ -57,9 +57,10 @@ jobs: ./dist/*.tar.gz ./dist/*.whl - name: Create a GitHub release - run:| gh release create "v${ steps.get_version.outputs.version }" \ - --title="Release ${ steps.get_version.outputs.version }" \ - --generate-notes -d + run: | + gh release create "v${ steps.get_version.outputs.version }" \ + --title="Release ${ steps.get_version.outputs.version }" \ + --generate-notes -d - run: >- gh release upload 'v${{ steps.get_version.outputs.version }}' dist/** From 76d3f9a7408481fc8b0903baf5b444ca2bff3fbe Mon Sep 17 00:00:00 2001 From: Micah Gale Date: Mon, 9 Mar 2026 10:04:06 -0500 Subject: [PATCH 08/10] Fixed yaml syntax. --- .github/workflows/deploy-alpha.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/deploy-alpha.yml b/.github/workflows/deploy-alpha.yml index d6c70bac..f6d902b8 100644 --- a/.github/workflows/deploy-alpha.yml +++ b/.github/workflows/deploy-alpha.yml @@ -56,7 +56,8 @@ jobs: ./dist/*.tar.gz ./dist/*.whl - name: Create a GitHub release - run:| gh release create "v${ steps.get_version.outputs.version }" \ + run: | + gh release create "v${ steps.get_version.outputs.version }" \ --title="Release ${ steps.get_version.outputs.version }" \ --generate-notes -d - run: >- From fe900c1b65b81886e82667c7f0845f2722cb26f9 Mon Sep 17 00:00:00 2001 From: "Micah D. Gale" Date: Mon, 9 Mar 2026 10:29:34 -0500 Subject: [PATCH 09/10] Pinned to actually released actions. --- .github/workflows/main.yml | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 9a6f621c..de04eb5f 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
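Review bot: Only the first script line is re-indented in this deploy-alpha.yml hunk, while the matching deploy.yml fix in the previous patch rewrites all three lines of the `gh release create` command. The `--title` and `--generate-notes` lines stay as context; if they are indented less than the new `gh release create` line, the `|` block scalar ends early or fails to parse. Leading whitespace is not recoverable from this page, so this should be confirmed in the file, and the two workflows are easier to compare if the block is indented the same way in both.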
@@ -16,13 +16,13 @@ jobs: python-version: ["3.12", "3.13", "3.14"] steps: - - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: fetch-depth: 0 fetch-tags: true persist-credentials: false - name: set up python ${{ matrix.python-version }} - uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 with: python-version: ${{ matrix.python-version }} - run: pip install --upgrade pip @@ -66,11 +66,11 @@ jobs: sly-version: "0.4" steps: - - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: persist-credentials: false - name: set up python ${{ matrix.python-version }} - uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 with: python-version: ${{ matrix.python-version }} - run: pip install numpy~=${{ matrix.numpy-version }} @@ -116,13 +116,13 @@ jobs: contents: read steps: - - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: fetch-depth: 0 fetch-tags: true persist-credentials: false - name: set up python 3.12 - uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 with: python-version: 3.14 - run: pip install . montepy[doc,build] 
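Review bot: Only `actions/checkout` and `actions/setup-python` are re-pinned in this commit; the `upload-artifact` and `dorny/paths-filter` ids that the first patch added to main.yml, and the `readthedocs/actions/preview` id in rtd_link.yml, are left as they were. Since this commit exists because earlier ids were not released commits, the remaining pins deserve the same check against upstream tags. The point applies to every hunk of this patch, not only the first.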
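Review bot: In the `doc-build` hunk (`@@ -116,13 +116,13 @@`) the step is still named `set up python 3.12` while it installs `python-version: 3.14`, so the job log names a different interpreter than the one used. Since the line below it is being edited anyway, rename it to `name: set up python 3.14`. Quoting the version as `python-version: "3.14"`, here and in the other hunks, also keeps YAML from reading it as a float, which would turn a later `3.20` into `3.2`.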
@@ -143,13 +143,13 @@ jobs: contents: read steps: - - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: fetch-depth: 0 fetch-tags: true persist-credentials: false - name: set up python 3.14 - uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 with: python-version: 3.14 - run: pip install . montepy[doc,build,demo-test,test] @@ -171,11 +171,11 @@ jobs: steps: - - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: persist-credentials: false - name: set up python 3.14 - uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 with: python-version: 3.14 - run: pip install . montepy[format] @@ -187,11 +187,11 @@ jobs: contents: read steps: - - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: persist-credentials: false - name: set up python 3.14 - uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 with: python-version: 3.14 - run: pip install . montepy[test] @@ -208,11 +208,11 @@ jobs: contents: read steps: - - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: persist-credentials: false - name: set up python 3.14 - uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 with: python-version: 3.14 - run: pip install . montepy[test] 
@@ -227,7 +227,7 @@ jobs: if: github.ref != 'refs/heads/main' steps: - - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: persist-credentials: false - name: Check for changes From fa0b7d8421c0460d1b2ceea43ccb7b430b001d07 Mon Sep 17 00:00:00 2001 From: "Micah D. Gale" Date: Mon, 9 Mar 2026 10:32:34 -0500 Subject: [PATCH 10/10] pinned more packages. --- .github/workflows/deploy-alpha.yml | 10 +++++----- .github/workflows/deploy.yml | 10 +++++----- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/deploy-alpha.yml b/.github/workflows/deploy-alpha.yml index f6d902b8..d45d9103 100644 --- a/.github/workflows/deploy-alpha.yml +++ b/.github/workflows/deploy-alpha.yml @@ -11,11 +11,11 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: persist-credentials: false - name: set up python 3.14 - uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 with: python-version: 3.14 - run: pip install . montepy[develop] @@ -33,13 +33,13 @@ jobs: env: GH_TOKEN: ${{ github.token }} steps: - - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: fetch-depth: 0 fetch-tags: true persist-credentials: false - name: set up python 3.14 - uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 with: python-version: 3.14 - run: pip install . montepy[build] 
@@ -50,7 +50,7 @@ jobs: run: .github/scripts/check_version.py --alpha - run: python -m build . - name: Sign the dists with Sigstore - uses: sigstore/gh-action-sigstore-python@cd06a1783504a0c8e550f0d0cd47d3bbae8d71bd + uses: sigstore/gh-action-sigstore-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 with: inputs: >- ./dist/*.tar.gz diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index baaf1ab2..58dbb89c 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -11,11 +11,11 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: persist-credentials: false - name: set up python 3.14 - uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 with: python-version: 3.14 - run: pip install . montepy[develop] @@ -34,13 +34,13 @@ jobs: env: GH_TOKEN: ${{ github.token }} steps: - - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: fetch-depth: 0 fetch-tags: true persist-credentials: false - name: set up python 3.14 - uses: actions/setup-python@0c366fd6a839edf440554fa01a7085ccba70ac98 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 with: python-version: 3.14 - run: pip install . montepy[build] @@ -51,7 +51,7 @@ jobs: run: .github/scripts/check_version.py - run: python -m build . - name: Sign the dists with Sigstore - uses: sigstore/gh-action-sigstore-python@cd06a1783504a0c8e550f0d0cd47d3bbae8d71bd + uses: sigstore/gh-action-sigstore-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 with: inputs: >- ./dist/*.tar.gz
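Review bot: The `sigstore/gh-action-sigstore-python` step is now pinned to `a309ff8b426b58ec0e2a45f0f869d46889d02405`, the same id this commit gives `actions/setup-python`, replacing a pin that was already a full SHA. This looks like a paste error: the id is unlikely to exist in the sigstore action's repository, so the signing step would fail to resolve in both deploy-alpha.yml and deploy.yml. Unless the new id has been verified upstream, keep `uses: sigstore/gh-action-sigstore-python@cd06a1783504a0c8e550f0d0cd47d3bbae8d71bd` or replace it with the id of a checked release tag.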