From b69c865738af4e72f3e2113cf7362f41d13ce1ef Mon Sep 17 00:00:00 2001 From: "J. Nick Koston" Date: Sat, 29 Mar 2025 11:36:18 -1000 Subject: [PATCH] chore: pin github actions to specific SHAs to mitigate supply chain attacks (#442) --- .github/workflows/ci.yml | 50 ++++++++++++++--------------- .github/workflows/hacktoberfest.yml | 2 +- .github/workflows/issue-manager.yml | 2 +- .github/workflows/labels.yml | 4 +-- 4 files changed, 29 insertions(+), 29 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a54ef04..7392b9c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,11 +14,11 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5 with: python-version: "3.9" - - uses: pre-commit/action@v3.0.1 + - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 # Make sure commit messages follow the conventional commits convention: # https://www.conventionalcommits.org @@ -26,10 +26,10 @@ jobs: name: Lint Commit Messages runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 - - uses: wagoid/commitlint-github-action@v6 + - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6 test: strategy: 
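Review bot: The version comments on the new `uses:` lines in the lint hunk record only a major tag (`# v4`, `# v5`), which a reader cannot verify the SHA against because major tags are re-pointed on every upstream release; the same applies to the `# v4`/`# v5`/`# v6` comments on every other pinned line in this patch. Recording the exact release the commit resolves to, e.g. `- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.<minor>.<patch>` with the real tag filled in, lets a reviewer check the pin against the upstream release page and gives Dependabot/Renovate an unambiguous version to bump from. It is not visible here whether the repository has a `github-actions` ecosystem entry in its Dependabot configuration; without one, SHA pins silently age out of upstream's supported releases, so that config should land alongside this change.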
@@ -48,12 +48,12 @@ jobs: - "use_cython" runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Install libs run: sudo apt-get install -y dbus-daemon python3-gi libgirepository1.0-dev gcc libcairo2-dev pkg-config python3-dev gir1.2-gtk-3.0 - - uses: snok/install-poetry@v1.4.1 + - uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5 with: python-version: ${{ matrix.python-version }} cache: "poetry" @@ -68,7 +68,7 @@ jobs: - name: Test with Pytest run: dbus-run-session -- poetry run pytest --cov-report=xml --timeout=5 - name: Upload coverage to Codecov - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5 with: token: ${{ secrets.CODECOV_TOKEN }} @@ -78,8 +78,8 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 - - uses: uraimo/run-on-arch-action@v3 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - uses: uraimo/run-on-arch-action@1c358dc49363439f8c563ce8f93005f7fe76b849 # v3 name: Run commands id: runcmd with: @@ -98,12 +98,12 @@ jobs: benchmark: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Install libs run: sudo apt-get install -y dbus-daemon python3-gi libgirepository1.0-dev gcc libcairo2-dev pkg-config python3-dev gir1.2-gtk-3.0 - - uses: snok/install-poetry@v1.4.1 + - uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1 - name: Setup Python 3.13 - uses: actions/setup-python@v5 + uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5 with: python-version: 3.13 cache: "poetry" 
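Review bot: Pinning `snok/install-poetry` and `uraimo/run-on-arch-action` to a commit in the @@ -48 and @@ -78 hunks fixes the action code but not what those actions fetch at run time: `snok/install-poetry` installs whatever Poetry version its installer resolves unless a `version:` input is given, and `run-on-arch-action` appears to pull or build a container image chosen by its inputs (the `with:` block is cut off at the end of that hunk), so the supply-chain exposure the commit targets is only partly closed for these steps. Consider adding `with:` / `version: "<pinned poetry version>"` to both `snok/install-poetry` steps (the @@ -98 benchmark hunk has the same shape) and pinning the image or distro the arch job runs in. The same reasoning presumably applies to `pre-commit/action` in the lint hunk, whose hooks are resolved from the pre-commit config rather than from this workflow.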
@@ -112,7 +112,7 @@ jobs: REQUIRE_CYTHON=1 poetry install --only=main,dev shell: bash - name: Run benchmarks - uses: CodSpeedHQ/action@v3 + uses: CodSpeedHQ/action@0010eb0ca6e89b80c88e8edaaa07cfe5f3e6664d # v3 with: token: ${{ secrets.CODSPEED_TOKEN }} run: dbus-run-session -- poetry run pytest --no-cov -vvvvv --codspeed tests/benchmarks @@ -134,32 +134,32 @@ jobs: newest_release_tag: ${{ steps.release_tag.outputs.newest_release_tag }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 ref: ${{ github.head_ref || github.ref_name }} # Do a dry run of PSR - name: Test release - uses: python-semantic-release/python-semantic-release@v9.21.0 + uses: python-semantic-release/python-semantic-release@26bb37cfab71a5a372e3db0f48a6eac57519a4a6 # v9.21.0 if: github.ref_name != 'main' with: root_options: --noop # On main branch: actual PSR + upload to PyPI & GitHub - name: Release - uses: python-semantic-release/python-semantic-release@v9.21.0 + uses: python-semantic-release/python-semantic-release@26bb37cfab71a5a372e3db0f48a6eac57519a4a6 # v9.21.0 id: release if: github.ref_name == 'main' with: github_token: ${{ secrets.GITHUB_TOKEN }} - name: Publish package distributions to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # release/v1 if: steps.release.outputs.released == 'true' - name: Publish package distributions to GitHub Releases - uses: python-semantic-release/upload-to-gh-release@main + uses: python-semantic-release/upload-to-gh-release@0a92b5d7ebfc15a84f9801ebd1bf706343d43711 # main if: steps.release.outputs.released == 'true' with: github_token: ${{ secrets.GITHUB_TOKEN }} 
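Review bot: The pin for `pypa/gh-action-pypi-publish` in the Release job is annotated `# release/v1`, a branch name rather than a release, while the @@ -227 hunk pins the identical commit `76f52bc884231f62b9a034ebfe128415bbaabdfc` as `# v1.12.4`; the two comments should agree, and the branch-style one should become `uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4` so an updater tracks a tag instead of a moving branch. `python-semantic-release/upload-to-gh-release@0a92b5d7ebfc15a84f9801ebd1bf706343d43711 # main` has the same problem in a stronger form: the commit is the head of `main` at pin time, so there is no release tag to audit it against and no version for tooling to follow; pin to a tagged release of that action and record the tag if one exists. The two `python-semantic-release` pins in this hunk carry `# v9.21.0`, which is the form the other two lines should follow.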
@@ -187,13 +187,13 @@ jobs: - os: macos-latest musl: "musllinux" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: ref: "v${{ needs.release.outputs.newest_release_tag }}" fetch-depth: 0 # Used to host cibuildwheel - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5 - name: Install cibuildwheel run: python -m pip install cibuildwheel==2.22.0 @@ -208,7 +208,7 @@ jobs: REQUIRE_CYTHON: 1 CIBW_ARCHS_LINUX: ${{ matrix.os == 'ubuntu-24.04-arm' && 'aarch64' || 'auto' }} - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: path: ./wheelhouse/*.whl name: wheels-${{ matrix.os }}-${{ matrix.musl }} @@ -219,7 +219,7 @@ jobs: environment: release steps: - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4 with: # unpacks default artifact into dist/ # if `name: artifact` is omitted, the action will create extra parent dir @@ -227,7 +227,7 @@ jobs: path: dist merge-multiple: true - - uses: pypa/gh-action-pypi-publish@v1.12.4 + - uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 with: user: __token__ password: ${{ secrets.PYPI_TOKEN }} diff --git a/.github/workflows/hacktoberfest.yml b/.github/workflows/hacktoberfest.yml index 00239a4..3559167 100644 --- a/.github/workflows/hacktoberfest.yml +++ b/.github/workflows/hacktoberfest.yml @@ -12,6 +12,6 @@ jobs: runs-on: ubuntu-latest steps: - - uses: browniebroke/hacktoberfest-labeler-action@v2.3.0 + - uses: browniebroke/hacktoberfest-labeler-action@4b84e14a51c188ef9fb917854ae8310440c27bae # v2.3.0 with: github_token: ${{ secrets.GH_PAT }} diff --git a/.github/workflows/issue-manager.yml b/.github/workflows/issue-manager.yml index de5b0ad..d7b7bdc 100644 --- a/.github/workflows/issue-manager.yml 
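Review bot: The hacktoberfest hunk hands `secrets.GH_PAT` to a third-party action; the SHA pin bounds which code receives the token but not what that code can do with it, so the remaining exposure for this step is set by the PAT's scope rather than by this change. Worth confirming the PAT is a fine-grained token limited to issue and label writes on this repository, and recording that next to the step, e.g. `# GH_PAT: fine-grained token, issues:write on this repo only`, so a later reviewer does not have to re-derive it. The other hunks on this line (upload-artifact, download-artifact, pypi-publish) only receive `GITHUB_TOKEN` or a publish-scoped secret and do not need the same note.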
+++ b/.github/workflows/issue-manager.yml @@ -18,7 +18,7 @@ jobs: issue-manager: runs-on: ubuntu-latest steps: - - uses: tiangolo/issue-manager@0.5.1 + - uses: tiangolo/issue-manager@f94f76c8fa2c48bb2982a099c29a0caadb92917e # 0.5.1 with: token: ${{ secrets.GITHUB_TOKEN }} config: > diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml index adb437c..b28dbb3 100644 --- a/.github/workflows/labels.yml +++ b/.github/workflows/labels.yml @@ -11,9 +11,9 @@ jobs: labels: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5 with: python-version: 3.8 - name: Install labels