diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 86c3bab..5b7a1ec 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -18,8 +18,8 @@ jobs: name: Lint (ruff) runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@v7 + - uses: actions/setup-python@v6 with: python-version: "3.12" # Pin ruff so local pre-commit, nox, and CI agree on formatting (no version drift). @@ -36,8 +36,8 @@ jobs: os: [ubuntu-latest, windows-latest, macos-latest] python-version: ["3.11", "3.12", "3.13"] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@v7 + - uses: actions/setup-python@v6 with: python-version: ${{ matrix.python-version }} - name: Install @@ -52,8 +52,8 @@ jobs: runs-on: ubuntu-latest # single, most-stable runner; assertions are median-based needs: [lint] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@v7 + - uses: actions/setup-python@v6 with: python-version: "3.12" - run: python -m pip install -e ".[dev]" @@ -67,8 +67,8 @@ jobs: runs-on: ubuntu-latest needs: [lint, test] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@v7 + - uses: actions/setup-python@v6 with: python-version: "3.12" - name: Build sdist + wheel @@ -84,7 +84,7 @@ jobs: python -m venv /tmp/fresh /tmp/fresh/bin/python -m pip install dist/*.whl /tmp/fresh/bin/python -c "import tokenhelm; from tokenhelm.adapters import default_adapters; assert [a.provider.value for a in default_adapters()] == ['openai','anthropic','gemini','ollama']; print('OK', tokenhelm.__version__)" - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v7 with: name: dist path: dist/ @@ -94,13 +94,13 @@ jobs: runs-on: ubuntu-latest needs: [build] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v7 with: # gitleaks-action scans the PR commit range (^..); a shallow clone # lacks the first commit's parent, so git fails with "ambiguous argument". Full history # (fetch-depth: 0) lets the range resolve. Only this job needs it. fetch-depth: 0 - - uses: actions/setup-python@v5 + - uses: actions/setup-python@v6 with: python-version: "3.12" - name: Dependency vulnerability audit @@ -113,6 +113,6 @@ jobs: # a real CVE in a runtime dependency, so the vulnerability gate is unchanged. pip-audit --desc --skip-editable # audits runtime deps (PyYAML); skips the local pkg - name: Secret scan (gitleaks) - uses: gitleaks/gitleaks-action@v2 + uses: gitleaks/gitleaks-action@v3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index ae82a89..48d0479 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -28,18 +28,18 @@ jobs: matrix: language: [python] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v7 - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@v4 with: languages: ${{ matrix.language }} queries: security-and-quality - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@v4 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@v4 with: category: "/language:${{ matrix.language }}" diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml index 67d32c1..c4f6feb 100644 --- a/.github/workflows/labels.yml +++ b/.github/workflows/labels.yml @@ -22,8 +22,8 @@ jobs: labeler: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: crazy-max/ghaction-github-labeler@v5 + - uses: actions/checkout@v7 + - uses: crazy-max/ghaction-github-labeler@v6 with: yaml-file: .github/labels.yml skip-delete: true # keep labels not listed here (e.g. GitHub defaults you still use) diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml index da3f81b..35da7bf 100644 --- a/.github/workflows/pr-title.yml +++ b/.github/workflows/pr-title.yml @@ -14,7 +14,7 @@ jobs: validate: runs-on: ubuntu-latest steps: - - uses: amannn/action-semantic-pull-request@v5 + - uses: amannn/action-semantic-pull-request@v6 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index 3784b5f..27aeea5 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -17,7 +17,7 @@ jobs: release-please: runs-on: ubuntu-latest steps: - - uses: googleapis/release-please-action@v4 + - uses: googleapis/release-please-action@v5 with: config-file: release-please-config.json manifest-file: .release-please-manifest.json diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7abb629..75ad993 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -19,8 +19,8 @@ jobs: outputs: prerelease: ${{ steps.classify.outputs.prerelease }} steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@v7 + - uses: actions/setup-python@v6 with: python-version: "3.12" - name: Classify tag @@ -50,7 +50,7 @@ jobs: python -m pip install --upgrade build twine python -m build twine check dist/* - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v7 with: name: dist path: dist/ @@ -66,7 +66,7 @@ jobs: permissions: id-token: write # OIDC — Trusted Publishing, no API token needed steps: - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@v8 with: name: dist path: dist/ @@ -85,7 +85,7 @@ jobs: permissions: id-token: write # OIDC — Trusted Publishing, no API token needed steps: - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@v8 with: name: dist path: dist/ @@ -99,12 +99,12 @@ jobs: permissions: contents: write # create the GitHub Release and attach artifacts steps: - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@v8 with: name: dist path: dist/ - name: Create GitHub Release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@v3 with: files: dist/* generate_release_notes: true