diff --git a/.github/workflows/android-release.yml b/.github/workflows/android-release.yml index 06e3dff2b..63af490e8 100644 --- a/.github/workflows/android-release.yml +++ b/.github/workflows/android-release.yml @@ -66,7 +66,7 @@ jobs: df -h - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: ref: v${{ inputs.version }} fetch-depth: 0 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b5f906084..ca100754d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -27,7 +27,7 @@ jobs: rust: ${{ steps.filter.outputs.rust }} steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Detect changed files id: filter @@ -52,7 +52,7 @@ jobs: pull-requests: write contents: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: fetch-depth: 0 @@ -131,7 +131,7 @@ jobs: if: needs.detect-changes.outputs.rust == 'true' runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Install Rust toolchain uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1 @@ -190,7 +190,7 @@ jobs: # rerun gate) while killing a starved run ~24x sooner than the 360min default. timeout-minutes: 15 steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Install Bun # Pinned to 1.3.13 to match main (green). The 1.3.14 bump (a5bbd883) was for 
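Review bot: The trailing comment on the new checkout pin in android-release.yml still reads `# v6`, a moving major tag, so nothing in the hunk records which release `df4cb1c069e1874edd31b4311f1884172cec0e10` is meant to be. A reviewer cannot check the SHA against a tag without looking it up. Other pins in this commit carry exact versions (`# v4.2.0`, `# v6.2.0`, `# v4.36.2`); the same here, e.g. `uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.X.Y` (X.Y is a placeholder for the exact release), would make each bump auditable. This applies to every other `actions/checkout` hunk in the diff and to the `ruby/setup-ruby` (`# v1`) and `taiki-e/install-action` (`# v2`) pins. The job continues outside the hunk.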
diff --git a/.github/workflows/create-version-tag.yml b/.github/workflows/create-version-tag.yml index 7b61a92fb..796939742 100644 --- a/.github/workflows/create-version-tag.yml +++ b/.github/workflows/create-version-tag.yml @@ -27,7 +27,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: fetch-depth: 0 token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/desktop-release.yml b/.github/workflows/desktop-release.yml index 7031a9cc8..acacf9777 100644 --- a/.github/workflows/desktop-release.yml +++ b/.github/workflows/desktop-release.yml @@ -40,7 +40,7 @@ jobs: version: ${{ steps.set-version.outputs.version }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: ref: v${{ inputs.version }} @@ -104,7 +104,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: ref: v${{ inputs.version }} diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index 8c300f878..5dbd41c89 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -27,7 +27,7 @@ jobs: matrix: shard: [1/2, 2/2] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Install Bun uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 @@ -83,7 +83,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Install Bun uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 
diff --git a/.github/workflows/images-publish.yml b/.github/workflows/images-publish.yml index ecf0d2468..a5d562a40 100644 --- a/.github/workflows/images-publish.yml +++ b/.github/workflows/images-publish.yml @@ -59,7 +59,7 @@ jobs: # environment. The version step below reads package.json from the checkout # but routes the value through a $GITHUB_OUTPUT → env var, never interpolated # into a shell with ${{ }} syntax. - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: ref: ${{ inputs.ref || github.ref }} @@ -81,7 +81,7 @@ jobs: fi - name: Log in to GHCR - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} diff --git a/.github/workflows/ios-release.yml b/.github/workflows/ios-release.yml index be97f01a2..89beb9956 100644 --- a/.github/workflows/ios-release.yml +++ b/.github/workflows/ios-release.yml @@ -66,7 +66,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: ref: v${{ inputs.version }} fetch-depth: 0 @@ -196,7 +196,7 @@ jobs: echo "✅ Metal Toolchain removed" - name: Setup Ruby - uses: ruby/setup-ruby@97ecb7b512899eb71ab1bf2310a624c6f1589ac6 # v1 + uses: ruby/setup-ruby@12fd324f1d0b43274fdc8130f6980590a667c455 # v1 with: ruby-version: '3.0' bundler-cache: true diff --git a/.github/workflows/pr-metrics.yml b/.github/workflows/pr-metrics.yml index 11431ab9a..9ffda94d8 100644 --- a/.github/workflows/pr-metrics.yml +++ b/.github/workflows/pr-metrics.yml 
@@ -16,7 +16,7 @@ jobs: metrics: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: fetch-depth: 0 diff --git a/.github/workflows/preview-cleanup.yml b/.github/workflows/preview-cleanup.yml index d78267f9f..4886768e5 100644 --- a/.github/workflows/preview-cleanup.yml +++ b/.github/workflows/preview-cleanup.yml @@ -51,7 +51,7 @@ jobs: orphans: ${{ steps.scan.outputs.orphans }} dry_run: ${{ steps.scan.outputs.dry_run }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Install Pulumi CLI run: | diff --git a/.github/workflows/preview-destroy.yml b/.github/workflows/preview-destroy.yml index 4cb5e59f7..e62acb1e0 100644 --- a/.github/workflows/preview-destroy.yml +++ b/.github/workflows/preview-destroy.yml @@ -56,14 +56,14 @@ jobs: contents: read id-token: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: # Explicit `ref: main` — never run a fork's version of the drop # script with our deploy creds. (pull_request_target defaults to # the base ref anyway, but being explicit prevents accidents if # the trigger is ever changed.) ref: main - - uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1 + - uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0 with: role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }} aws-region: us-east-1 diff --git a/.github/workflows/previews-shared-deploy.yml b/.github/workflows/previews-shared-deploy.yml index acdc216c4..9cc6f243f 100644 --- a/.github/workflows/previews-shared-deploy.yml +++ b/.github/workflows/previews-shared-deploy.yml 
@@ -65,11 +65,11 @@ jobs: runs-on: ubuntu-latest environment: preview steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 - - uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1 + - uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0 with: role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }} aws-region: ${{ inputs.region || 'us-east-1' }} diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 9bea9fdf1..459ede9d0 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -26,7 +26,7 @@ jobs: security-events: write if: github.actor != 'dependabot[bot]' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: fetch-depth: 0 @@ -60,7 +60,7 @@ jobs: --json-output semgrep.json - name: Upload SARIF - uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 if: always() && hashFiles('semgrep.sarif') != '' continue-on-error: true with: diff --git a/.github/workflows/stack-deploy.yml b/.github/workflows/stack-deploy.yml index c2964d2de..93ea95ec0 100644 --- a/.github/workflows/stack-deploy.yml +++ b/.github/workflows/stack-deploy.yml 
@@ -106,11 +106,11 @@ jobs: outputs: url: ${{ steps.outputs.outputs.url }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 - - uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1 + - uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0 with: role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }} aws-region: ${{ inputs.region }} @@ -230,11 +230,11 @@ jobs: id-token: write contents: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 - - uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1 + - uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0 with: role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }} aws-region: ${{ inputs.region }} diff --git a/.github/workflows/test-build.yml b/.github/workflows/test-build.yml index 7339d4ef3..3fc16f099 100644 --- a/.github/workflows/test-build.yml +++ b/.github/workflows/test-build.yml @@ -23,7 +23,7 @@ jobs: runs-on: ${{ fromJSON('{"windows-arm":"windows-latest","windows-x64":"windows-latest","macos-silicon":"macos-latest","macos-intel":"macos-latest","linux":"ubuntu-24.04"}')[inputs.platform] }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml index 98b1214aa..95d37fd34 100644 --- a/.github/workflows/version-bump.yml 
+++ b/.github/workflows/version-bump.yml @@ -75,7 +75,7 @@ jobs: private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }} - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: fetch-depth: 0 token: ${{ steps.app-token.outputs.token }} @@ -90,7 +90,7 @@ jobs: - name: Install git-cliff if: ${{ !inputs.nightly }} - uses: taiki-e/install-action@213ccc1a076163c093f914550b94feb90fab916d # v2 + uses: taiki-e/install-action@fd2f5e3d644b484055ebf4268f474c565f148f25 # v2 with: tool: git-cliff
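Review bot: The checkout step in the first version-bump.yml hunk is given the release app token (`token: ${{ steps.app-token.outputs.token }}`), and no `persist-credentials` setting is visible. By default the token then stays configured for git for the rest of the job, including the third-party `taiki-e/install-action` step whose pin changes in the next hunk. If only one later step pushes, consider `persist-credentials: false` under `with:` and passing the token to that step alone. If the persisted credential is required, a one-line comment saying so would help. The `with:` block and the rest of the job lie outside the hunk, so this may already be handled there.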