From ea27ee7d77c11bee1f8aea2e5d8252de324064be Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 26 May 2025 18:25:47 +0000 Subject: [PATCH 1/3] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/adhtruong/mirrors-typos: v1.31.1 → v1.32.0](https://github.com/adhtruong/mirrors-typos/compare/v1.31.1...v1.32.0) - [github.com/asottile/pyupgrade: v3.19.1 → v3.20.0](https://github.com/asottile/pyupgrade/compare/v3.19.1...v3.20.0) - [github.com/astral-sh/ruff-pre-commit: v0.11.5 → v0.11.11](https://github.com/astral-sh/ruff-pre-commit/compare/v0.11.5...v0.11.11) - [github.com/gitleaks/gitleaks: v8.24.3 → v8.26.0](https://github.com/gitleaks/gitleaks/compare/v8.24.3...v8.26.0) - [github.com/woodruffw/zizmor-pre-commit: v1.5.2 → v1.8.0](https://github.com/woodruffw/zizmor-pre-commit/compare/v1.5.2...v1.8.0) --- .pre-commit-config.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a778ce0e9e..c2ee3b20c5 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -37,18 +37,18 @@ repos: - id: trailing-whitespace - repo: https://github.com/adhtruong/mirrors-typos - rev: v1.31.1 + rev: v1.32.0 hooks: - id: typos args: [--force-exclude] - repo: https://github.com/asottile/pyupgrade - rev: v3.19.1 + rev: v3.20.0 hooks: - id: pyupgrade - repo: https://github.com/astral-sh/ruff-pre-commit - rev: v0.11.5 + rev: v0.11.11 hooks: - id: ruff args: [--fix] @@ -57,12 +57,12 @@ repos: ##### Security ##### - repo: https://github.com/gitleaks/gitleaks - rev: v8.24.3 + rev: v8.26.0 hooks: - id: gitleaks - repo: https://github.com/woodruffw/zizmor-pre-commit - rev: v1.5.2 + rev: v1.8.0 hooks: - id: zizmor From 210192d926a9d522ebf9130a71f5349489f4c91a Mon Sep 17 00:00:00 2001 
From: Simon Alibert Date: Mon, 2 Jun 2025 19:18:51 +0200 Subject: [PATCH 2/3] Pin actions SHA --- .github/workflows/build-docker-images.yml | 24 +++++++++++------------ .github/workflows/quality.yml | 8 ++++---- .github/workflows/test-docker-build.yml | 8 ++++---- .github/workflows/test.yml | 12 ++++++------ .github/workflows/trufflehog.yml | 4 ++-- 5 files changed, 28 insertions(+), 28 deletions(-) diff --git a/.github/workflows/build-docker-images.yml b/.github/workflows/build-docker-images.yml index 0cb11d5762..20974b85a6 100644 --- a/.github/workflows/build-docker-images.yml +++ b/.github/workflows/build-docker-images.yml @@ -40,24 +40,24 @@ jobs: git lfs install - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 with: cache-binary: false - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: lfs: true persist-credentials: false - name: Login to DockerHub - uses: docker/login-action@v3 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_PASSWORD }} - name: Build and Push CPU - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 with: context: . file: ./docker/lerobot-cpu/Dockerfile 
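Review bot: Nothing in this patch gives the new SHA pins a way to move forward, so every `uses:` line here and in the later hunks (the other two jobs in build-docker-images.yml, plus quality.yml, test-docker-build.yml, test.yml and trufflehog.yml) stays on today's commit until someone edits it by hand. No updater for actions is visible in this series; if the repository has none, add one, for example a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"`, which also keeps the trailing `# vX.Y.Z` comments in step. This matters most for `trufflesecurity/trufflehog`, which used to follow `main` and is now frozen at the commit labelled v3.88.35, so the secret scanner no longer picks up upstream detector changes on its own. GitHub does not check the version comments, so it is worth confirming once that each SHA is the commit behind the named tag in the upstream repository and not a commit from a fork. The job's step list continues outside this hunk.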
@@ -78,24 +78,24 @@ jobs: git lfs install - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 with: cache-binary: false - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: lfs: true persist-credentials: false - name: Login to DockerHub - uses: docker/login-action@v3 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_PASSWORD }} - name: Build and Push GPU - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 with: context: . file: ./docker/lerobot-gpu/Dockerfile @@ -110,23 +110,23 @@ jobs: group: aws-general-8-plus steps: - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 with: cache-binary: false - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: Login to DockerHub - uses: docker/login-action@v3 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_PASSWORD }} - name: Build and Push GPU dev - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 with: context: . file: ./docker/lerobot-gpu-dev/Dockerfile diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml index 332b543c25..1c048c4fe9 100644 --- a/.github/workflows/quality.yml +++ b/.github/workflows/quality.yml 
@@ -33,12 +33,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: ${{ env.PYTHON_VERSION }} @@ -64,9 +64,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: typos-action - uses: crate-ci/typos@v1.29.10 + uses: crate-ci/typos@db35ee91e80fbb447f33b0e5fbddb24d2a1a884f # v1.29.10 diff --git a/.github/workflows/test-docker-build.yml b/.github/workflows/test-docker-build.yml index c31025645d..7a1e932740 100644 --- a/.github/workflows/test-docker-build.yml +++ b/.github/workflows/test-docker-build.yml @@ -35,7 +35,7 @@ jobs: matrix: ${{ steps.set-matrix.outputs.matrix }} steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false @@ -64,17 +64,17 @@ jobs: docker-file: ${{ fromJson(needs.get_changed_files.outputs.matrix) }} steps: - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 with: cache-binary: false - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: Build Docker image - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 with: file: ${{ matrix.docker-file }} context: . diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d91c53646c..8822956cfe 100644 --- a/.github/workflows/test.yml 
+++ b/.github/workflows/test.yml @@ -50,7 +50,7 @@ jobs: env: MUJOCO_GL: egl steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: lfs: true # Ensure LFS files are pulled persist-credentials: false @@ -62,7 +62,7 @@ jobs: sudo apt-get install -y libegl1-mesa-dev ffmpeg portaudio19-dev - name: Install uv and python - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2 with: enable-cache: true version: ${{ env.UV_VERSION }} @@ -85,7 +85,7 @@ jobs: env: MUJOCO_GL: egl steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: lfs: true # Ensure LFS files are pulled persist-credentials: false @@ -94,7 +94,7 @@ jobs: run: sudo apt-get update && sudo apt-get install -y ffmpeg - name: Install uv and python - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2 with: enable-cache: true version: ${{ env.UV_VERSION }} @@ -117,7 +117,7 @@ jobs: env: MUJOCO_GL: egl steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: lfs: true # Ensure LFS files are pulled persist-credentials: false @@ -129,7 +129,7 @@ jobs: sudo apt-get install -y libegl1-mesa-dev ffmpeg portaudio19-dev - name: Install uv and python - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2 with: enable-cache: true version: ${{ env.UV_VERSION }} diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml index 166e05908c..704a3baaa6 100644 --- a/.github/workflows/trufflehog.yml +++ b/.github/workflows/trufflehog.yml 
@@ -24,12 +24,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 persist-credentials: false - name: Secret Scanning - uses: trufflesecurity/trufflehog@main + uses: trufflesecurity/trufflehog@90694bf9af66e7536abc5824e7a87246dbf933cb # v3.88.35 with: extra_args: --only-verified From dad5e2a0d0944f73967c08d932d4677f81cf7f4e Mon Sep 17 00:00:00 2001 From: Simon Alibert Date: Mon, 2 Jun 2025 19:19:16 +0200 Subject: [PATCH 3/3] Zizmor ignore unpinned-images --- .github/workflows/nightly-tests.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/nightly-tests.yml b/.github/workflows/nightly-tests.yml index adac9f20df..be248b3357 100644 --- a/.github/workflows/nightly-tests.yml +++ b/.github/workflows/nightly-tests.yml @@ -33,7 +33,7 @@ jobs: runs-on: group: aws-general-8-plus container: - image: huggingface/lerobot-cpu:latest + image: huggingface/lerobot-cpu:latest # zizmor: ignore[unpinned-images] options: --shm-size "16gb" credentials: username: ${{ secrets.DOCKERHUB_USERNAME }} @@ -60,7 +60,7 @@ jobs: CUDA_VISIBLE_DEVICES: "0" TEST_TYPE: "single_gpu" container: - image: huggingface/lerobot-gpu:latest + image: huggingface/lerobot-gpu:latest # zizmor: ignore[unpinned-images] options: --gpus all --shm-size "16gb" credentials: username: ${{ secrets.DOCKERHUB_USERNAME }}
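Review bot: The `# zizmor: ignore[unpinned-images]` comment on the `huggingface/lerobot-cpu:latest` line silences the finding without saying why, and the job still runs inside whatever image the mutable `:latest` tag points to at pull time. If following the newest image is the purpose of the nightly run, record that next to the suppression, for example a line above `image:` such as `# nightly intentionally tests the most recently pushed image; a digest pin would defeat that`. If it is not intended, pin by digest (`image: huggingface/lerobot-cpu@sha256:<digest>`) and drop the ignore. The same applies to the `huggingface/lerobot-gpu:latest` hunk. Both job definitions continue outside the hunks.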