diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 22f2e0aeadc8..9b6d24ac92b8 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -80,13 +80,13 @@ jobs: - name: Cache Cargo artifacts (Linux/macOS) if: matrix.use-cross - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2 + uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2 with: key: ${{ matrix.architecture }}-${{ matrix.target-suffix }} - name: Cache Cargo artifacts (Windows) if: matrix.use-docker - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2 + uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2 with: key: ${{ matrix.architecture }}-${{ matrix.target-suffix }} diff --git a/.github/workflows/bundle-desktop-intel.yml b/.github/workflows/bundle-desktop-intel.yml index 95e322deed43..e071e71618ba 100644 --- a/.github/workflows/bundle-desktop-intel.yml +++ b/.github/workflows/bundle-desktop-intel.yml @@ -64,7 +64,7 @@ jobs: npm version ${{ inputs.version }} --no-git-tag-version --allow-same-version - name: Cache Rust dependencies - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2 + uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2 with: key: intel @@ -139,7 +139,7 @@ jobs: - name: Configure AWS credentials if: ${{ inputs.signing }} - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4 + uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1 with: role-to-assume: "${{ secrets.OSX_CODESIGN_ROLE }}" aws-region: us-west-2 diff --git a/.github/workflows/bundle-desktop-linux.yml b/.github/workflows/bundle-desktop-linux.yml index 9a9504314a8b..bf73cc7d0787 100644 --- a/.github/workflows/bundle-desktop-linux.yml +++ b/.github/workflows/bundle-desktop-linux.yml 
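Review bot: In bundle-desktop-intel.yml the `aws-actions/configure-aws-credentials` pin moves across a major version (v4 to v5.1.1) on the step that assumes `secrets.OSX_CODESIGN_ROLE`, and the same jump is made in bundle-desktop-windows.yml and bundle-desktop.yml. Nothing in the hunk shows that the `role-to-assume` and `aws-region` inputs were checked against the v5 release notes, and a break here would presumably only surface in a run with `inputs.signing` set. I would land the major bumps on the signing workflows separately from the patch-level pins, after one signing-enabled run on a non-release ref. The trailing `# v5.1.1` comment is not enforced by the runner, so the SHA should also be confirmed against the upstream tag before merging.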
@@ -95,7 +95,7 @@ jobs: run: source ./bin/activate-hermit && cargo install cross --git https://github.com/cross-rs/cross - name: Cache Rust dependencies - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2 + uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2 with: key: linux diff --git a/.github/workflows/bundle-desktop-windows.yml b/.github/workflows/bundle-desktop-windows.yml index 68e589dc70dc..498e47793fd6 100644 --- a/.github/workflows/bundle-desktop-windows.yml +++ b/.github/workflows/bundle-desktop-windows.yml @@ -49,7 +49,7 @@ jobs: - name: Configure AWS credentials if: inputs.signing && inputs.signing == true - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # ratchet:aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1 with: role-to-assume: ${{ github.ref == 'refs/heads/main' && secrets.WINDOW_SIGNING_ROLE || secrets.WINDOW_SIGNING_ROLE_TAG }} aws-region: us-west-2 diff --git a/.github/workflows/bundle-desktop.yml b/.github/workflows/bundle-desktop.yml index ca85f2fc4ec5..7c76f03768dd 100644 --- a/.github/workflows/bundle-desktop.yml +++ b/.github/workflows/bundle-desktop.yml @@ -169,7 +169,7 @@ jobs: - name: Configure AWS credentials if: ${{ inputs.signing }} - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4 + uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1 with: role-to-assume: "${{ secrets.OSX_CODESIGN_ROLE }}" aws-region: us-west-2 diff --git a/.github/workflows/canary.yml b/.github/workflows/canary.yml index 30dab67d6faf..d54a3ee515ff 100644 --- a/.github/workflows/canary.yml +++ b/.github/workflows/canary.yml 
@@ -109,7 +109,7 @@ jobs: # Create/update the canary release - name: Release canary - uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # pin@v1 + uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0 with: tag: canary name: Canary diff --git a/.github/workflows/create-release-pr.yaml b/.github/workflows/create-release-pr.yaml index 8c82bc917a9f..9d8a51c6838b 100644 --- a/.github/workflows/create-release-pr.yaml +++ b/.github/workflows/create-release-pr.yaml @@ -44,7 +44,7 @@ jobs: fetch-depth: 0 # to generate complete release log - uses: cashapp/activate-hermit@e49f5cb4dd64ff0b0b659d1d8df499595451155a # v1 - - uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6 + - uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0 - name: Validate input and set old version run: | diff --git a/.github/workflows/deploy-docs-and-extensions.yml b/.github/workflows/deploy-docs-and-extensions.yml index ca0620ab4dc5..513106635e9f 100644 --- a/.github/workflows/deploy-docs-and-extensions.yml +++ b/.github/workflows/deploy-docs-and-extensions.yml @@ -74,7 +74,7 @@ jobs: - name: Deploy to /gh-pages if: github.event_name == 'push' && github.ref == 'refs/heads/main' - uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # pin@v3 + uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: documentation/build diff --git a/.github/workflows/docs-update-recipe-ref.yml b/.github/workflows/docs-update-recipe-ref.yml index 7ea122e1c335..ab9ed7d9b386 100644 --- a/.github/workflows/docs-update-recipe-ref.yml +++ b/.github/workflows/docs-update-recipe-ref.yml 
@@ -191,7 +191,7 @@ jobs: if: | steps.extract.outputs.has_changes == 'true' && (github.event.inputs.dry_run != 'true' || github.event_name == 'release') - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6 + uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 with: branch: docs/auto-recipe-reference-${{ steps.versions.outputs.new_version }} delete-branch: true diff --git a/.github/workflows/goose-issue-solver.yml b/.github/workflows/goose-issue-solver.yml index f8cd3ffa797f..b382e186c7fa 100644 --- a/.github/workflows/goose-issue-solver.yml +++ b/.github/workflows/goose-issue-solver.yml @@ -219,7 +219,7 @@ jobs: - name: Create Pull Request if: steps.goose.outputs.has_changes == 'true' - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # pin@v7.0.8 + uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 with: token: ${{ secrets.GITHUB_TOKEN }} commit-message: "fix: ${{ steps.issue.outputs.title }}" diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index f9fe5fdec81b..6a6bae401896 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -111,7 +111,7 @@ jobs: # Create/update the nightly release - name: Release nightly - uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # pin@v1 + uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0 with: tag: ${{ needs.prepare-version.outputs.version }} name: "Nightly ${{ needs.prepare-version.outputs.version }}" diff --git a/.github/workflows/pr-comment-build-cli.yml b/.github/workflows/pr-comment-build-cli.yml index 2800e8810134..e1d738be3714 100644 --- a/.github/workflows/pr-comment-build-cli.yml +++ b/.github/workflows/pr-comment-build-cli.yml 
@@ -33,7 +33,7 @@ jobs: head_sha: ${{ steps.set_head_sha.outputs.head_sha || github.sha }} steps: - name: Run command action - uses: github/command@v1.3.0 + uses: github/command@v2.0.3 id: command with: command: ".build-cli" @@ -78,7 +78,7 @@ jobs: merge-multiple: true - name: Comment on PR with CLI download links - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@v5 with: issue-number: ${{ needs.trigger-on-command.outputs.pr_number }} body: | diff --git a/.github/workflows/pr-comment-bundle-intel.yml b/.github/workflows/pr-comment-bundle-intel.yml index e908c1a2f466..c1095ead9bfb 100644 --- a/.github/workflows/pr-comment-bundle-intel.yml +++ b/.github/workflows/pr-comment-bundle-intel.yml @@ -36,7 +36,7 @@ jobs: head_sha: ${{ steps.set_head_sha.outputs.head_sha || github.sha }} steps: - name: Run command action - uses: github/command@319d5236cc34ed2cb72a47c058a363db0b628ebe # pin@v1.3.0 + uses: github/command@3442f3fa1efe01bdb024b157083c337902d17372 # v2.0.3 id: command with: command: ".bundle-intel" @@ -85,7 +85,7 @@ jobs: path: intel-dist - name: Comment on PR with Intel download link - uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # pin@v4 + uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 with: issue-number: ${{ needs.trigger-on-command.outputs.pr_number }} body: | diff --git a/.github/workflows/pr-comment-bundle-windows.yml b/.github/workflows/pr-comment-bundle-windows.yml index 182f1d304d26..6a350f676969 100644 --- a/.github/workflows/pr-comment-bundle-windows.yml +++ b/.github/workflows/pr-comment-bundle-windows.yml @@ -39,7 +39,7 @@ jobs: head_sha: ${{ steps.set_head_sha.outputs.head_sha || github.sha }} steps: - name: Run command action - uses: github/command@319d5236cc34ed2cb72a47c058a363db0b628ebe # pin@v1.3.0 + uses: github/command@3442f3fa1efe01bdb024b157083c337902d17372 # v2.0.3 id: command with: command: ".bundle-windows" 
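Review bot: The two `uses:` lines updated in pr-comment-build-cli.yml are still pinned to mutable tags (`github/command@v2.0.3`, `peter-evans/create-or-update-comment@v5`), while the same actions in pr-comment-bundle-intel.yml, pr-comment-bundle-windows.yml and pr-comment-bundle.yml are pinned to full commit SHAs. A tag can be moved upstream after review, so this comment-triggered workflow would run whatever the tag points to at that time with the job's token. Use the pins this commit already applies elsewhere: `uses: github/command@3442f3fa1efe01bdb024b157083c337902d17372 # v2.0.3` and `uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0`. The scorecard.yml hunk has the same issue with `github/codeql-action/upload-sarif@v4`; pin it to the commit SHA of the v4 release you intend to run.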
@@ -86,7 +86,7 @@ jobs: path: windows-dist - name: Comment on PR with Windows download link - uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # pin@v4 + uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 with: issue-number: ${{ needs.trigger-on-command.outputs.pr_number }} body: | diff --git a/.github/workflows/pr-comment-bundle.yml b/.github/workflows/pr-comment-bundle.yml index 48de6bd8e308..02a7f06f2d0e 100644 --- a/.github/workflows/pr-comment-bundle.yml +++ b/.github/workflows/pr-comment-bundle.yml @@ -50,7 +50,7 @@ jobs: echo "Repository: ${REPOSITORY}" - name: Run command action - uses: github/command@319d5236cc34ed2cb72a47c058a363db0b628ebe # pin@v1.3.0 + uses: github/command@3442f3fa1efe01bdb024b157083c337902d17372 # v2.0.3 id: command with: command: ".bundle" @@ -127,7 +127,7 @@ jobs: path: arm64-dist - name: Comment on PR with ARM64 download link - uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # pin@v4 + uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 with: issue-number: ${{ needs.trigger-on-command.outputs.pr_number }} body: | diff --git a/.github/workflows/pr-smoke-test.yml b/.github/workflows/pr-smoke-test.yml index 22daf2baa2f2..eeb1d10c862f 100644 --- a/.github/workflows/pr-smoke-test.yml +++ b/.github/workflows/pr-smoke-test.yml @@ -149,7 +149,7 @@ jobs: python-version: '3.12' - name: Install uv (for error proxy) - uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # pin@v6 + uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0 - name: Run Compaction Tests env: diff --git a/.github/workflows/pr-website-preview.yml b/.github/workflows/pr-website-preview.yml index 7117a51fd972..acfc1f1f8073 100644 --- a/.github/workflows/pr-website-preview.yml +++ b/.github/workflows/pr-website-preview.yml 
@@ -40,7 +40,7 @@ jobs: npm run build - name: Deploy preview - uses: rossjrw/pr-preview-action@8ff09e486b4c23709012eedd3b42e9f0b95dd0c5 # v1 + uses: rossjrw/pr-preview-action@ffa7509e91a3ec8dfc2e5536c4d5c1acdf7a6de9 # v1.8.1 if: ${{ github.event.pull_request.head.repo.full_name == 'block/goose' }} with: source-dir: documentation/build @@ -56,7 +56,7 @@ jobs: with: fetch-depth: 0 - - uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4 + - uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0 - name: Clean up gh-pages branch run: | diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml index f8008f2e4fde..be275c59c694 100644 --- a/.github/workflows/publish-docker.yml +++ b/.github/workflows/publish-docker.yml @@ -24,10 +24,10 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # pin@v3.11.1 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Log in to GitHub Container Registry - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # pin@v3.5.0 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -35,7 +35,7 @@ jobs: - name: Extract metadata id: meta - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # pin@v5.8.0 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 with: images: ghcr.io/${{ github.repository_owner }}/goose tags: | diff --git a/.github/workflows/recipe-security-scanner.yml b/.github/workflows/recipe-security-scanner.yml index 83d6709061ca..fe8c454f2ca7 100644 --- a/.github/workflows/recipe-security-scanner.yml +++ b/.github/workflows/recipe-security-scanner.yml 
@@ -21,7 +21,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 with: egress-policy: audit @@ -103,7 +103,7 @@ jobs: - name: Set up Docker Buildx if: steps.find_recipes.outputs.has_recipes == 'true' && steps.recipe_changes.outputs.recipe_files_changed == 'true' - uses: docker/setup-buildx-action@1583c0f09d26c58c59d25b0eef29792b7ce99d9a + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Prune Docker caches if: steps.find_recipes.outputs.has_recipes == 'true' && steps.recipe_changes.outputs.recipe_files_changed == 'true' diff --git a/.github/workflows/release-branches.yml b/.github/workflows/release-branches.yml index c3f0c1373558..d553de8cf8c8 100644 --- a/.github/workflows/release-branches.yml +++ b/.github/workflows/release-branches.yml @@ -18,7 +18,7 @@ jobs: pull-requests: write steps: - name: Comment with download link - uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # pin@v4 + uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 with: issue-number: ${{ github.event.number }} body: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1c4ea780bf6d..6c044f799a2c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -100,7 +100,7 @@ jobs: # Create/update the versioned release - name: Release versioned - uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # pin@v1 + uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0 with: token: ${{ secrets.GITHUB_TOKEN }} artifacts: | 
@@ -117,7 +117,7 @@ jobs: # Create/update the stable release - name: Release stable - uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # pin@v1 + uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0 with: tag: stable name: Stable diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index fc8755fdce9a..7529c986d352 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -73,6 +73,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: results.sarif diff --git a/.github/workflows/test-finder.yml b/.github/workflows/test-finder.yml index 47df9e319510..aa81007270bc 100644 --- a/.github/workflows/test-finder.yml +++ b/.github/workflows/test-finder.yml @@ -153,7 +153,7 @@ jobs: - name: Create Pull Request if: steps.find_untested.outputs.patch_created == 'true' && github.event.inputs.dry_run != 'true' - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # pin@v7.0.8 + uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 with: token: ${{ secrets.GITHUB_TOKEN }} commit-message: "test: add test for ${{ steps.find_untested.outputs.function_name }}" diff --git a/.github/workflows/update-health-dashboard.yml b/.github/workflows/update-health-dashboard.yml index 28cab1651bc9..3eae41955cbd 100644 --- a/.github/workflows/update-health-dashboard.yml +++ b/.github/workflows/update-health-dashboard.yml @@ -26,7 +26,7 @@ jobs: steps: - name: 'Download previous metrics' - uses: dawidd6/action-download-artifact@688efa90a08f3552e7c1420c8313e215164e8b14 + uses: dawidd6/action-download-artifact@0bd50d53a6d7fb5cb921e607957e9cc12b4ce392 # v12 with: name: health-metrics path: . 
diff --git a/.github/workflows/update-release-pr.yaml b/.github/workflows/update-release-pr.yaml index fc5cc94afe9a..4472ee0576cb 100644 --- a/.github/workflows/update-release-pr.yaml +++ b/.github/workflows/update-release-pr.yaml @@ -27,7 +27,7 @@ jobs: path: './prior-version' - uses: cashapp/activate-hermit@e49f5cb4dd64ff0b0b659d1d8df499595451155a # v1 - - uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6 + - uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0 - name: Extract version from branch name env: