chore: pin github actions to specific SHAs to mitigate supply chain attacks (#442)

This commit is contained in:
J. Nick Koston 2025-03-29 11:36:18 -10:00 committed by GitHub
parent 33332d9ec0
commit b69c865738
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 29 additions and 29 deletions


@ -14,11 +14,11 @@ jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5
with:
python-version: "3.9"
- uses: pre-commit/action@v3.0.1
- uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
# Make sure commit messages follow the conventional commits convention:
# https://www.conventionalcommits.org
@ -26,10 +26,10 @@ jobs:
name: Lint Commit Messages
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
fetch-depth: 0
- uses: wagoid/commitlint-github-action@v6
- uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6
test:
strategy:
@ -48,12 +48,12 @@ jobs:
- "use_cython"
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Install libs
run: sudo apt-get install -y dbus-daemon python3-gi libgirepository1.0-dev gcc libcairo2-dev pkg-config python3-dev gir1.2-gtk-3.0
- uses: snok/install-poetry@v1.4.1
- uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5
with:
python-version: ${{ matrix.python-version }}
cache: "poetry"
@ -68,7 +68,7 @@ jobs:
- name: Test with Pytest
run: dbus-run-session -- poetry run pytest --cov-report=xml --timeout=5
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v5
uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5
with:
token: ${{ secrets.CODECOV_TOKEN }}
@ -78,8 +78,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
- uses: uraimo/run-on-arch-action@v3
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- uses: uraimo/run-on-arch-action@1c358dc49363439f8c563ce8f93005f7fe76b849 # v3
name: Run commands
id: runcmd
with:
@ -98,12 +98,12 @@ jobs:
benchmark:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Install libs
run: sudo apt-get install -y dbus-daemon python3-gi libgirepository1.0-dev gcc libcairo2-dev pkg-config python3-dev gir1.2-gtk-3.0
- uses: snok/install-poetry@v1.4.1
- uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
- name: Setup Python 3.13
uses: actions/setup-python@v5
uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5
with:
python-version: 3.13
cache: "poetry"
@ -112,7 +112,7 @@ jobs:
REQUIRE_CYTHON=1 poetry install --only=main,dev
shell: bash
- name: Run benchmarks
uses: CodSpeedHQ/action@v3
uses: CodSpeedHQ/action@0010eb0ca6e89b80c88e8edaaa07cfe5f3e6664d # v3
with:
token: ${{ secrets.CODSPEED_TOKEN }}
run: dbus-run-session -- poetry run pytest --no-cov -vvvvv --codspeed tests/benchmarks
@ -134,32 +134,32 @@ jobs:
newest_release_tag: ${{ steps.release_tag.outputs.newest_release_tag }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
fetch-depth: 0
ref: ${{ github.head_ref || github.ref_name }}
# Do a dry run of PSR
- name: Test release
uses: python-semantic-release/python-semantic-release@v9.21.0
uses: python-semantic-release/python-semantic-release@26bb37cfab71a5a372e3db0f48a6eac57519a4a6 # v9.21.0
if: github.ref_name != 'main'
with:
root_options: --noop
# On main branch: actual PSR + upload to PyPI & GitHub
- name: Release
uses: python-semantic-release/python-semantic-release@v9.21.0
uses: python-semantic-release/python-semantic-release@26bb37cfab71a5a372e3db0f48a6eac57519a4a6 # v9.21.0
id: release
if: github.ref_name == 'main'
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
- name: Publish package distributions to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # release/v1
if: steps.release.outputs.released == 'true'
- name: Publish package distributions to GitHub Releases
uses: python-semantic-release/upload-to-gh-release@main
uses: python-semantic-release/upload-to-gh-release@0a92b5d7ebfc15a84f9801ebd1bf706343d43711 # main
if: steps.release.outputs.released == 'true'
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
@ -187,13 +187,13 @@ jobs:
- os: macos-latest
musl: "musllinux"
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
ref: "v${{ needs.release.outputs.newest_release_tag }}"
fetch-depth: 0
# Used to host cibuildwheel
- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5
- name: Install cibuildwheel
run: python -m pip install cibuildwheel==2.22.0
@ -208,7 +208,7 @@ jobs:
REQUIRE_CYTHON: 1
CIBW_ARCHS_LINUX: ${{ matrix.os == 'ubuntu-24.04-arm' && 'aarch64' || 'auto' }}
- uses: actions/upload-artifact@v4
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
path: ./wheelhouse/*.whl
name: wheels-${{ matrix.os }}-${{ matrix.musl }}
@ -219,7 +219,7 @@ jobs:
environment: release
steps:
- uses: actions/download-artifact@v4
- uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4
with:
# unpacks default artifact into dist/
# if `name: artifact` is omitted, the action will create extra parent dir
@ -227,7 +227,7 @@ jobs:
path: dist
merge-multiple: true
- uses: pypa/gh-action-pypi-publish@v1.12.4
- uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
with:
user: __token__
password: ${{ secrets.PYPI_TOKEN }}
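Review bot: The same SHA `76f52bc884231f62b9a034ebfe128415bbaabdfc` for pypa/gh-action-pypi-publish is annotated `# release/v1` in the release job's hunk but `# v1.12.4` in this final hunk; tools such as Dependabot and Renovate read that trailing comment to decide which version a pinned SHA represents, so the two should agree — change the earlier line to `uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4`. The `python-semantic-release/upload-to-gh-release` pin in the same release hunk is annotated `# main`, which names a moving branch rather than a release; the SHA is frozen, but nobody reading the file can tell which released behaviour it corresponds to, so pin it to a tagged release and record that tag in the comment. A pin comment is only as trustworthy as its verification: before merging, confirm each SHA resolves to the commit its tag points at (e.g. `git ls-remote <repo> <tag>`), because a wrong or typo'd SHA still passes CI. Pinning also freezes security fixes unless something bumps the pins; if the repository does not already have a Dependabot or Renovate config covering `github-actions`, it should gain one alongside this change.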


@ -12,6 +12,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: browniebroke/hacktoberfest-labeler-action@v2.3.0
- uses: browniebroke/hacktoberfest-labeler-action@4b84e14a51c188ef9fb917854ae8310440c27bae # v2.3.0
with:
github_token: ${{ secrets.GH_PAT }}


@ -18,7 +18,7 @@ jobs:
issue-manager:
runs-on: ubuntu-latest
steps:
- uses: tiangolo/issue-manager@0.5.1
- uses: tiangolo/issue-manager@f94f76c8fa2c48bb2982a099c29a0caadb92917e # 0.5.1
with:
token: ${{ secrets.GITHUB_TOKEN }}
config: >


@ -11,9 +11,9 @@ jobs:
labels:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5
with:
python-version: 3.8
- name: Install labels