diff --git a/.github/workflows/agents-71-codex-belt-dispatcher.yml b/.github/workflows/agents-71-codex-belt-dispatcher.yml index cdf1b1a9..c4520f0e 100644 --- a/.github/workflows/agents-71-codex-belt-dispatcher.yml +++ b/.github/workflows/agents-71-codex-belt-dispatcher.yml @@ -92,7 +92,7 @@ jobs: - name: Mint GitHub App token (preferred) id: app_token if: ${{ env.WORKFLOWS_APP_ID != '' && env.WORKFLOWS_APP_PRIVATE_KEY != '' }} - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 with: app-id: ${{ env.WORKFLOWS_APP_ID }} private-key: ${{ env.WORKFLOWS_APP_PRIVATE_KEY }} @@ -167,7 +167,7 @@ jobs: echo "dry_run=${{ inputs.dry_run }}" >>"$GITHUB_OUTPUT" - name: Checkout repo (for retry helpers) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: token: ${{ env.GH_DISPATCH_TOKEN }} fetch-depth: 1 @@ -180,7 +180,7 @@ jobs: - name: Resolve Workflows default branch id: workflows_ref - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { createTokenAwareRetry } = require('./.github/scripts/github-api-with-retry.js'); @@ -198,7 +198,7 @@ jobs: core.setOutput('ref', data.default_branch); - name: Checkout (for retry helpers) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: repository: stranske/Workflows ref: ${{ steps.workflows_ref.outputs.ref }} @@ -212,7 +212,7 @@ jobs: - name: Resolve candidate issue id: pick - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.GH_DISPATCH_TOKEN }} script: | 
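Review bot: The trailing `# v2` on the pinned `actions/create-github-app-token` line names a moving major tag, so the comment does not tell a later reader which release the SHA corresponds to. Recording the exact release, e.g. `uses: actions/create-github-app-token@<sha> # vX.Y.Z` (placeholder; take the real tag from the action's release list), lets an auditor or an update bot confirm that the hash still matches a published tag. The same applies to the `# v6`, `# v8` and `# v5` comments on the checkout, github-script, setup-python, setup-node and cache pins throughout this commit.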
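Review bot: The `Checkout repo (for retry helpers)` step passes `token: ${{ env.GH_DISPATCH_TOKEN }}` to actions/checkout, and the visible part of its `with:` block does not set `persist-credentials`. By default checkout keeps that credential available to later git commands in the job, which here include steps that load scripts from a second repository. If this checkout only reads helper files, add `persist-credentials: false` under `with:`. The `with:` block continues outside the hunk, so confirm it is not already set there. The other token-bearing helper checkouts in agents-72 and the agents-autofix workflows deserve the same check.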
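Review bot: Pinning `actions/checkout` to a commit here does not pin what it fetches: the `Checkout (for retry helpers)` step checks out `stranske/Workflows` at `ref: ${{ steps.workflows_ref.outputs.ref }}`, which the preceding step sets to that repository's default branch. Files from that checkout are presumably loaded by later steps that run with `GH_DISPATCH_TOKEN`, so a push to that branch would change code executed with this workflow's token without any change in this repository. Consider resolving the ref to a reviewed commit SHA or a protected tag, or record the trust decision next to the step, e.g. `# stranske/Workflows default branch is first-party and branch-protected`. The same pattern is in the agents-72 `Checkout Workflows scripts` and `Checkout belt tooling` steps and in agents-auto-pilot.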
@@ -307,7 +307,7 @@ jobs: - name: Checkout default branch if: ${{ steps.pick.outputs.issue != '' && steps.mode.outputs.dry_run != 'true' }} - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ steps.pick.outputs.base }} token: ${{ env.GH_DISPATCH_TOKEN }} @@ -334,7 +334,7 @@ jobs: - name: Transition issue to in-progress if: ${{ steps.pick.outputs.issue != '' && steps.mode.outputs.dry_run != 'true' }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.GH_DISPATCH_TOKEN }} script: | diff --git a/.github/workflows/agents-72-codex-belt-worker.yml b/.github/workflows/agents-72-codex-belt-worker.yml index 03727c90..3e6dc0e9 100644 --- a/.github/workflows/agents-72-codex-belt-worker.yml +++ b/.github/workflows/agents-72-codex-belt-worker.yml @@ -122,7 +122,7 @@ jobs: - name: Mint GitHub App token (preferred) id: app_token if: ${{ env.WORKFLOWS_APP_ID != '' && env.WORKFLOWS_APP_PRIVATE_KEY != '' }} - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 with: app-id: ${{ env.WORKFLOWS_APP_ID }} private-key: ${{ env.WORKFLOWS_APP_PRIVATE_KEY }} @@ -192,7 +192,7 @@ jobs: - name: Determine worker mode id: mode - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const coerce = (value) => { @@ -225,7 +225,7 @@ jobs: - name: Resolve worker context id: ctx - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.GH_BELT_TOKEN }} script: | @@ -290,7 +290,7 @@ jobs: .write(); - name: Checkout repo (for retry helpers) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: token: ${{ env.GH_BELT_TOKEN }} fetch-depth: 1 
@@ -303,7 +303,7 @@ jobs: - name: Resolve Workflows default branch id: workflows_ref - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { createTokenAwareRetry } = require('./.github/scripts/github-api-with-retry.js'); @@ -321,7 +321,7 @@ jobs: core.setOutput('ref', data.default_branch); - name: Checkout Workflows scripts - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: repository: stranske/Workflows ref: ${{ steps.workflows_ref.outputs.ref }} @@ -341,7 +341,7 @@ jobs: - name: Determine default branch id: base - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.GH_BELT_TOKEN }} script: | @@ -366,7 +366,7 @@ jobs: - name: Check parallel allowance id: parallel - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.GH_BELT_TOKEN }} script: | @@ -409,7 +409,7 @@ jobs: - name: Evaluate keepalive worker gate if: ${{ inputs.keepalive == true }} id: keepalive_gate - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: KEEPALIVE: ${{ inputs.keepalive && 'true' || 'false' }} ISSUE_NUMBER: ${{ steps.ctx.outputs.issue }} @@ -466,7 +466,7 @@ jobs: - name: Prune merged step branches if: ${{ steps.parallel.outputs.allowed == 'true' && (inputs.keepalive != true || steps.keepalive_gate.outputs.action != 'skip') && steps.mode.outputs.dry_run != 'true' }} id: prune - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.GH_BELT_TOKEN }} script: | 
@@ -551,7 +551,7 @@ jobs: - name: Re-verify issue labels if: ${{ steps.parallel.outputs.allowed == 'true' && (inputs.keepalive != true || steps.keepalive_gate.outputs.action != 'skip') }} id: verify - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.GH_BELT_TOKEN }} script: | @@ -584,7 +584,7 @@ jobs: - name: Checkout branch if: ${{ steps.parallel.outputs.allowed == 'true' && (inputs.keepalive != true || steps.keepalive_gate.outputs.action != 'skip') }} - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ steps.ctx.outputs.branch }} token: ${{ env.GH_BELT_TOKEN }} @@ -592,7 +592,7 @@ jobs: - name: Checkout belt tooling if: ${{ steps.parallel.outputs.allowed == 'true' && (inputs.keepalive != true || steps.keepalive_gate.outputs.action != 'skip') }} - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: repository: stranske/Workflows ref: ${{ steps.workflows_ref.outputs.ref }} @@ -602,7 +602,7 @@ jobs: - name: Validate branch prefix if: ${{ steps.parallel.outputs.allowed == 'true' && (inputs.keepalive != true || steps.keepalive_gate.outputs.action != 'skip') }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const fs = require('node:fs'); @@ -774,7 +774,7 @@ jobs: id: ledger_issue env: ISSUE_NUMBER: ${{ steps.ctx.outputs.issue }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { createTokenAwareRetry } = require('./.github/scripts/github-api-with-retry.js'); 
@@ -1023,7 +1023,7 @@ jobs: - name: Ensure issue labels reflect in-progress state if: ${{ steps.parallel.outputs.allowed == 'true' && (inputs.keepalive != true || steps.keepalive_gate.outputs.action != 'skip') && steps.mode.outputs.dry_run != 'true' && steps.verify.outputs.has_in_progress != 'true' }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.GH_BELT_TOKEN }} script: | @@ -1045,7 +1045,7 @@ jobs: - name: Remove residual status:ready label if: ${{ steps.parallel.outputs.allowed == 'true' && (inputs.keepalive != true || steps.keepalive_gate.outputs.action != 'skip') && steps.mode.outputs.dry_run != 'true' && steps.verify.outputs.has_ready == 'true' }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.GH_BELT_TOKEN }} script: | @@ -1070,7 +1070,7 @@ jobs: - name: Open or refresh agent PR if: ${{ steps.parallel.outputs.allowed == 'true' && (inputs.keepalive != true || steps.keepalive_gate.outputs.action != 'skip') && steps.mode.outputs.dry_run != 'true' }} id: pr - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.GH_BELT_TOKEN }} script: | @@ -1137,7 +1137,7 @@ jobs: - name: Configure auto-merge strategy if: ${{ steps.parallel.outputs.allowed == 'true' && (inputs.keepalive != true || steps.keepalive_gate.outputs.action != 'skip') && steps.mode.outputs.dry_run != 'true' && steps.pr.outputs.number }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.GH_BELT_TOKEN }} script: | 
@@ -1177,7 +1177,7 @@ jobs: - name: Apply automation labels if: ${{ steps.parallel.outputs.allowed == 'true' && (inputs.keepalive != true || steps.keepalive_gate.outputs.action != 'skip') && steps.mode.outputs.dry_run != 'true' && steps.pr.outputs.number }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.GH_BELT_TOKEN }} script: | @@ -1201,7 +1201,7 @@ jobs: - name: Ensure PR assignees include automation if: ${{ steps.parallel.outputs.allowed == 'true' && (inputs.keepalive != true || steps.keepalive_gate.outputs.action != 'skip') && steps.mode.outputs.dry_run != 'true' && steps.pr.outputs.number }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.GH_BELT_TOKEN }} script: | @@ -1240,7 +1240,7 @@ jobs: - name: Post activation comment if: ${{ steps.parallel.outputs.allowed == 'true' && (inputs.keepalive != true || steps.keepalive_gate.outputs.action != 'skip') && steps.mode.outputs.dry_run != 'true' && steps.pr.outputs.number && inputs.keepalive != true }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.GH_BELT_TOKEN }} script: | @@ -1316,7 +1316,7 @@ jobs: - name: Sync issue comment with PR link if: ${{ steps.parallel.outputs.allowed == 'true' && (inputs.keepalive != true || steps.keepalive_gate.outputs.action != 'skip') && steps.mode.outputs.dry_run != 'true' && steps.pr.outputs.number }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.GH_BELT_TOKEN }} script: | diff --git a/.github/workflows/agents-73-codex-belt-conveyor.yml b/.github/workflows/agents-73-codex-belt-conveyor.yml index f2efe303..ab3bbc7a 100644 --- a/.github/workflows/agents-73-codex-belt-conveyor.yml 
+++ b/.github/workflows/agents-73-codex-belt-conveyor.yml @@ -95,7 +95,7 @@ jobs: - name: Mint GitHub App token (preferred) id: app_token if: ${{ env.WORKFLOWS_APP_ID != '' && env.WORKFLOWS_APP_PRIVATE_KEY != '' }} - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 with: app-id: ${{ env.WORKFLOWS_APP_ID }} private-key: ${{ env.WORKFLOWS_APP_PRIVATE_KEY }} @@ -184,7 +184,7 @@ jobs: } >>"$GITHUB_OUTPUT" - name: Checkout retry helpers - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: sparse-checkout: | .github/actions/setup-api-client @@ -204,7 +204,7 @@ jobs: - name: Summarise invocation id: summary - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const summary = core.summary; @@ -268,7 +268,7 @@ jobs: - name: Load PR details id: pr - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.GH_CONVEYOR_TOKEN }} script: | @@ -329,7 +329,7 @@ jobs: - name: Ensure Gate succeeded id: gate - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.GH_CONVEYOR_TOKEN }} script: | @@ -358,7 +358,7 @@ jobs: - name: Detect bootstrap-only placeholder change id: bootstrap - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.GH_CONVEYOR_TOKEN }} script: | @@ -433,7 +433,7 @@ jobs: - name: Merge PR with squash if: ${{ steps.mode.outputs.dry_run != 'true' && steps.bootstrap.outputs.bootstrap != 'true' }} id: merge - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.GH_CONVEYOR_TOKEN }} script: | 
@@ -458,7 +458,7 @@ jobs: - name: Delete branch after merge if: ${{ steps.mode.outputs.dry_run != 'true' && steps.bootstrap.outputs.bootstrap != 'true' && steps.merge.outputs.merged == 'true' }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.GH_CONVEYOR_TOKEN }} script: | @@ -482,7 +482,7 @@ jobs: - name: Close source issue if: ${{ steps.mode.outputs.dry_run != 'true' && steps.bootstrap.outputs.bootstrap != 'true' && steps.merge.outputs.merged == 'true' }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.GH_CONVEYOR_TOKEN }} script: | @@ -528,7 +528,7 @@ jobs: - name: Leave merge confirmation on PR if: ${{ steps.mode.outputs.dry_run != 'true' && steps.bootstrap.outputs.bootstrap != 'true' && steps.merge.outputs.merged == 'true' }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.GH_CONVEYOR_TOKEN }} script: | @@ -560,7 +560,7 @@ jobs: - name: Re-dispatch dispatcher if: ${{ steps.mode.outputs.dry_run != 'true' && steps.bootstrap.outputs.bootstrap != 'true' && steps.merge.outputs.merged == 'true' }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.GH_CONVEYOR_TOKEN }} script: | diff --git a/.github/workflows/agents-80-pr-event-hub.yml b/.github/workflows/agents-80-pr-event-hub.yml index 71494909..27cf77f1 100644 --- a/.github/workflows/agents-80-pr-event-hub.yml +++ b/.github/workflows/agents-80-pr-event-hub.yml @@ -74,7 +74,7 @@ jobs: steps: - name: Resolve handler inputs id: resolve - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const eventName = context.eventName; 
@@ -216,7 +216,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout scripts - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: sparse-checkout: | .github/scripts/github-api-with-retry.js @@ -230,7 +230,7 @@ jobs: github_token: ${{ github.token }} - name: Remove trigger label - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const fs = require('fs'); @@ -261,7 +261,7 @@ jobs: steps: - name: Check PR is merged id: check-merged - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const pr = context.payload.pull_request; @@ -275,7 +275,7 @@ jobs: - name: Checkout repository if: steps.check-merged.outputs.merged == 'true' - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: repository: stranske/Workflows token: ${{ secrets.CODESPACES_WORKFLOWS || github.token }} @@ -286,7 +286,7 @@ jobs: - name: Set up Python if: steps.check-merged.outputs.merged == 'true' - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ env.PYTHON_VERSION }} @@ -298,7 +298,7 @@ jobs: - name: Collect verification and original issue data id: collect if: steps.check-merged.outputs.merged == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const fs = require('fs'); @@ -411,7 +411,7 @@ jobs: - name: Fallback to simple extraction id: fallback if: steps.generate.outcome == 'failure' && steps.check-merged.outputs.merged == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const fs = require('fs'); 
@@ -442,7 +442,7 @@ jobs: - name: Create issue if: steps.check-merged.outputs.merged == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const fs = require('fs'); @@ -475,7 +475,7 @@ jobs: - name: Remove trigger label if: always() - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const fs = require('fs'); diff --git a/.github/workflows/agents-81-gate-followups.yml b/.github/workflows/agents-81-gate-followups.yml index ef976f89..c368e9d0 100644 --- a/.github/workflows/agents-81-gate-followups.yml +++ b/.github/workflows/agents-81-gate-followups.yml @@ -75,7 +75,7 @@ jobs: security_reason: ${{ steps.security_gate.outputs.reason }} steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup API client uses: ./.github/actions/setup-api-client @@ -88,7 +88,7 @@ jobs: run: echo "start_ts=$(date -u +%s)" >> "$GITHUB_OUTPUT" - name: Security gate - prompt injection guard id: security_gate - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | @@ -144,7 +144,7 @@ jobs: - name: Evaluate keepalive state id: evaluate - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: INPUT_PR_NUMBER: ${{ github.event.inputs.pr_number || '' }} INPUT_FORCE_RETRY: ${{ github.event.inputs.force_retry || 'false' }} @@ -256,7 +256,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup API client uses: ./.github/actions/setup-api-client 
@@ -265,7 +265,7 @@ jobs: github_token: ${{ github.token }} - name: Update summary with running status - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | @@ -358,7 +358,7 @@ jobs: environment: agent-standard steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup API client uses: ./.github/actions/setup-api-client @@ -434,7 +434,7 @@ jobs: echo "$metrics_json" >> keepalive-metrics.ndjson - name: Upload keepalive metrics artifact - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: keepalive-metrics path: keepalive-metrics.ndjson @@ -445,7 +445,7 @@ jobs: if: | needs.run-codex.outputs.changes-made == 'true' || needs.run-claude.outputs.changes-made == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: LLM_COMPLETED_TASKS: >- ${{ @@ -522,7 +522,7 @@ jobs: core.setOutput('commit_tasks_count', result.sources?.commit || 0); - name: Update summary comment - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: AGENT_SUMMARY: >- ${{ @@ -626,9 +626,10 @@ jobs: security_reason: ${{ steps.security_gate.outputs.reason }} steps: - name: Checkout (for security gate + agent registry) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: sparse-checkout: | + .github/actions/setup-api-client .github/scripts/prompt_injection_guard.js .github/scripts/github-rate-limited-wrapper.js .github/scripts/github-api-with-retry.js 
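Review bot: The `Upload keepalive metrics artifact` line is not a like-for-like pin: the removed line was `actions/upload-artifact@v6` and the new one is annotated `# v7`, so either the comment is wrong or a major-version upgrade is riding along with the SHA pinning. If the upgrade is intended, call it out in the commit message and check any job that downloads `keepalive-metrics` against the new major. If it is not, pin the commit that the `v6` tag pointed to and keep `# v6`. The same v6 to v7 change appears in the `Upload metrics artifact` hunk (@@ -1270) of this file, in agents-auto-pilot.yml (@@ -3154) and in agents-autofix-loop.yml (@@ -930).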
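Review bot: The added `.github/actions/setup-api-client` entry under `sparse-checkout` in the `Checkout (for security gate + agent registry)` step is a behaviour change, not a pin, and nothing in the hunk says why it is needed. Presumably a later step in this job runs `uses: ./.github/actions/setup-api-client`, which would fail if the directory were missing from the sparse set; that step is outside the hunk. A comment above the step, e.g. `# sparse set must list every local action and script this job loads`, would help keep the list and its consumers in sync.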
@@ -645,7 +646,7 @@ jobs: - name: Security gate - prompt injection guard id: security_gate - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.WRITE_TOKEN }} script: | @@ -706,7 +707,7 @@ jobs: - name: Evaluate workflow_run id: evaluate - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.WRITE_TOKEN }} script: | @@ -1026,7 +1027,7 @@ jobs: environment: agent-standard steps: - name: Checkout (for retry helpers) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: sparse-checkout: | .github/scripts/github-api-with-retry.js @@ -1034,7 +1035,7 @@ jobs: sparse-checkout-cone-mode: false - name: Add needs-human label and comment - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.WRITE_TOKEN }} script: | @@ -1096,7 +1097,7 @@ jobs: environment: agent-standard steps: - name: Checkout (for retry helpers) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: sparse-checkout: | .github/scripts/github-api-with-retry.js @@ -1105,7 +1106,7 @@ jobs: - name: Collect metrics id: collect - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.WRITE_TOKEN }} script: | @@ -1270,7 +1271,7 @@ jobs: PY - name: Upload metrics artifact - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: agents-autofix-metrics path: autofix-metrics.ndjson diff --git a/.github/workflows/agents-auto-label.yml b/.github/workflows/agents-auto-label.yml index 7a2c55a6..0024246f 100644 --- a/.github/workflows/agents-auto-label.yml +++ b/.github/workflows/agents-auto-label.yml 
@@ -33,7 +33,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup API client uses: ./.github/actions/setup-api-client @@ -42,7 +42,7 @@ jobs: github_token: ${{ github.token }} - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: "3.11" @@ -52,7 +52,7 @@ jobs: - name: Get repo labels id: get-labels - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { createTokenAwareRetry } = require('./.github/scripts/github-api-with-retry.js'); @@ -187,7 +187,7 @@ jobs: if: | steps.match.outputs.has_suggestions == 'true' && steps.match.outputs.auto_apply_labels != '[]' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { createTokenAwareRetry } = require('./.github/scripts/github-api-with-retry.js'); @@ -234,7 +234,7 @@ jobs: if: | steps.match.outputs.has_suggestions == 'true' && steps.match.outputs.suggested_labels != '[]' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { createTokenAwareRetry } = require('./.github/scripts/github-api-with-retry.js'); diff --git a/.github/workflows/agents-auto-pilot.yml b/.github/workflows/agents-auto-pilot.yml index ab62deac..c6ca1e31 100644 --- a/.github/workflows/agents-auto-pilot.yml +++ b/.github/workflows/agents-auto-pilot.yml @@ -102,7 +102,7 @@ jobs: # Mint GitHub App token early to use for API calls (avoids rate limits) - name: Mint GitHub App Token id: app_token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 continue-on-error: true with: app-id: ${{ secrets.WORKFLOWS_APP_ID || '0' }} 
@@ -111,7 +111,7 @@ jobs: - name: Check if auto-pilot is enabled id: check_enabled - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ steps.app_token.outputs.token || github.token }} script: | @@ -144,13 +144,13 @@ jobs: - name: Checkout repository if: steps.check_enabled.outputs.enabled == 'true' - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: token: ${{ steps.app_token.outputs.token || github.token }} - name: Set up Node if: steps.check_enabled.outputs.enabled == 'true' - uses: actions/setup-node@v6 + uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6 with: node-version: '20' @@ -164,7 +164,7 @@ jobs: - name: Resolve Workflows default branch if: steps.check_enabled.outputs.enabled == 'true' id: workflows_ref - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { createTokenAwareRetry } = require('./.github/scripts/github-api-with-retry.js'); @@ -187,7 +187,7 @@ jobs: - name: Checkout Workflows scripts if: steps.check_enabled.outputs.enabled == 'true' - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: token: ${{ steps.app_token.outputs.token || github.token }} repository: stranske/Workflows @@ -223,13 +223,13 @@ jobs: - name: Set up Python id: setup-python if: steps.check_enabled.outputs.enabled == 'true' - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: '3.11' - name: Cache pip (LLM requirements) if: steps.check_enabled.outputs.enabled == 'true' - uses: actions/cache@v5 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5 with: path: | ~/.cache/pip 
@@ -256,7 +256,7 @@ jobs: - name: Determine context if: steps.check_enabled.outputs.enabled == 'true' id: context - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const scriptsPath = process.env.WORKFLOWS_SCRIPTS_PATH || process.env.GITHUB_WORKSPACE; @@ -437,7 +437,7 @@ jobs: - name: Check step count if: steps.context.outputs.should_continue == 'true' id: cycles - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: ISSUE_NUMBER: ${{ steps.context.outputs.issue_number }} with: @@ -478,7 +478,7 @@ jobs: - name: Stop if exceeded if: steps.cycles.outputs.exceeded == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: ISSUE_NUMBER: ${{ steps.context.outputs.issue_number }} with: @@ -1171,7 +1171,7 @@ jobs: - name: Guard - Require optimizer output before apply if: steps.next.outputs.next_step == 'apply' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: ISSUE_NUMBER: ${{ steps.context.outputs.issue_number }} with: @@ -1540,7 +1540,7 @@ jobs: - name: Complexity pre-check if: steps.next.outputs.next_step == 'capability-check' id: complexity_check - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: ISSUE_NUMBER: ${{ steps.context.outputs.issue_number }} with: @@ -1645,7 +1645,7 @@ jobs: if: | steps.next.outputs.next_step == 'capability-check' && steps.complexity_check.outputs.too_complex == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: ISSUE_NUMBER: ${{ steps.context.outputs.issue_number }} COMPLEXITY_SCORE: ${{ steps.complexity_check.outputs.score }} 
@@ -1696,7 +1696,7 @@ jobs: steps.next.outputs.next_step == 'capability-check' && steps.complexity_check.outputs.too_complex != 'true' id: capability_step - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: ISSUE_NUMBER: ${{ steps.context.outputs.issue_number }} STEP_COUNT: ${{ steps.cycles.outputs.count }} @@ -2017,7 +2017,7 @@ jobs: - name: Execute step - Verify if: steps.next.outputs.next_step == 'verify' id: verify_step - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: ISSUE_NUMBER: ${{ steps.context.outputs.issue_number }} with: @@ -2154,7 +2154,7 @@ jobs: - name: Execute step - Create PR if: steps.next.outputs.next_step == 'create-pr' id: create_pr_step - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: ISSUE_NUMBER: ${{ steps.context.outputs.issue_number }} ISSUE_TITLE: ${{ steps.context.outputs.issue_title }} @@ -2861,7 +2861,7 @@ jobs: - name: Report - Monitoring PR if: steps.next.outputs.next_step == 'monitor-pr' id: monitor_pr_step - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: ISSUE_NUMBER: ${{ steps.context.outputs.issue_number }} STEP_COUNT: ${{ steps.cycles.outputs.count }} @@ -3020,7 +3020,7 @@ jobs: - name: Execute step - Check Completion & Trigger Merge if: steps.next.outputs.next_step == 'check-completion' id: completion_step - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: ISSUE_NUMBER: ${{ steps.context.outputs.issue_number }} PR_NUMBER: ${{ steps.context.outputs.linked_pr }} 
@@ -3154,7 +3154,7 @@ jobs: # ── Upload auto-pilot metrics for weekly aggregation ─────────── - name: Upload auto-pilot metrics if: always() - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 continue-on-error: true with: name: autopilot-metrics-${{ github.run_id }}-${{ github.run_attempt }} @@ -3177,7 +3177,7 @@ jobs: fromJSON('["format","optimize","apply","capability-check","create-pr","monitor-pr"]'), steps.next.outputs.next_step ) - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: ISSUE_NUMBER: ${{ steps.context.outputs.issue_number }} CURRENT_STEP: ${{ steps.next.outputs.next_step }} @@ -3284,7 +3284,7 @@ jobs: - name: Report - Done if: steps.next.outputs.next_step == 'done' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: ISSUE_NUMBER: ${{ steps.context.outputs.issue_number }} with: diff --git a/.github/workflows/agents-autofix-dispatcher.yml b/.github/workflows/agents-autofix-dispatcher.yml index 7b741459..d0f2f573 100644 --- a/.github/workflows/agents-autofix-dispatcher.yml +++ b/.github/workflows/agents-autofix-dispatcher.yml @@ -16,7 +16,7 @@ jobs: steps: - name: Mint GitHub App token id: app_token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 continue-on-error: true with: app-id: ${{ secrets.WORKFLOWS_APP_ID || '0' }} @@ -24,7 +24,7 @@ jobs: owner: ${{ github.repository_owner }} - name: Checkout workflow helpers - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: token: ${{ steps.app_token.outputs.token || github.token }} sparse-checkout: | 
@@ -42,7 +42,7 @@ jobs: github_token: ${{ steps.app_token.outputs.token || github.token }} - name: Dispatch autofix workflow - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ steps.app_token.outputs.token || github.token }} script: | diff --git a/.github/workflows/agents-autofix-loop.yml b/.github/workflows/agents-autofix-loop.yml index c1db1ac4..eba69d22 100644 --- a/.github/workflows/agents-autofix-loop.yml +++ b/.github/workflows/agents-autofix-loop.yml @@ -65,7 +65,7 @@ jobs: # Mint GitHub App token early to use for API calls (avoids rate limits) - name: Mint GitHub App Token id: app_token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 continue-on-error: true with: app-id: ${{ secrets.WORKFLOWS_APP_ID || '0' }} @@ -73,7 +73,7 @@ jobs: owner: ${{ github.repository_owner }} - name: Checkout (for security gate) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: token: ${{ steps.app_token.outputs.token || github.token }} @@ -96,7 +96,7 @@ jobs: - name: Security gate - prompt injection guard id: security_gate - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.WRITE_TOKEN }} script: | @@ -202,7 +202,7 @@ jobs: - name: Evaluate gate run id: evaluate - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.WRITE_TOKEN }} script: | @@ -648,7 +648,7 @@ jobs: # Mint GitHub App token early to use for API calls (avoids rate limits) - name: Mint GitHub App Token id: app_token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 continue-on-error: true with: app-id: ${{ secrets.WORKFLOWS_APP_ID || '0' }} 
@@ -656,7 +656,7 @@ jobs: owner: ${{ github.repository_owner }} - name: Checkout (for retry helpers) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: token: ${{ steps.app_token.outputs.token || github.token }} @@ -665,7 +665,7 @@ jobs: .github/scripts/token_load_balancer.js sparse-checkout-cone-mode: false - name: Add needs-human label and comment - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ steps.app_token.outputs.token || github.token }} script: | @@ -737,7 +737,7 @@ jobs: # Mint GitHub App token early to use for API calls (avoids rate limits) - name: Mint GitHub App Token id: app_token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 continue-on-error: true with: app-id: ${{ secrets.WORKFLOWS_APP_ID || '0' }} @@ -745,7 +745,7 @@ jobs: owner: ${{ github.repository_owner }} - name: Checkout (for retry helpers) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: token: ${{ steps.app_token.outputs.token || github.token }} @@ -764,7 +764,7 @@ jobs: - name: Collect metrics id: collect - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ env.WRITE_TOKEN }} script: | @@ -930,7 +930,7 @@ jobs: PY - name: Upload metrics artifact - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: agents-autofix-metrics path: autofix-metrics.ndjson diff --git a/.github/workflows/agents-bot-comment-handler.yml b/.github/workflows/agents-bot-comment-handler.yml index 88edf5e7..d51b0186 100644 --- a/.github/workflows/agents-bot-comment-handler.yml +++ b/.github/workflows/agents-bot-comment-handler.yml 
@@ -65,7 +65,7 @@ jobs: should_run: ${{ steps.resolve.outputs.should_run }} steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: sparse-checkout: | .github/actions/setup-api-client @@ -81,7 +81,7 @@ jobs: - name: Resolve PR number and check conditions id: resolve - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { createTokenAwareRetry } = require('./.github/scripts/github-api-with-retry.js'); @@ -198,7 +198,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: sparse-checkout: | .github/actions/setup-api-client @@ -213,7 +213,7 @@ jobs: github_token: ${{ github.token }} - name: Dismiss ignored-path bot reviews - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: BOT_AUTHORS: >- Copilot,copilot[bot],github-actions[bot], @@ -374,7 +374,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: sparse-checkout: | .github/actions/setup-api-client @@ -389,7 +389,7 @@ jobs: github_token: ${{ github.token }} - name: Remove trigger label - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { createTokenAwareRetry } = require('./.github/scripts/github-api-with-retry.js'); diff --git a/.github/workflows/agents-capability-check.yml b/.github/workflows/agents-capability-check.yml index 760c4d9e..be1e385e 100644 --- a/.github/workflows/agents-capability-check.yml +++ b/.github/workflows/agents-capability-check.yml 
@@ -25,7 +25,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup API client uses: ./.github/actions/setup-api-client @@ -34,7 +34,7 @@ jobs: github_token: ${{ github.token }} - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: "3.11" @@ -44,7 +44,7 @@ jobs: - name: Extract issue content id: extract - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const issue = context.payload.issue; @@ -112,7 +112,7 @@ jobs: - name: Add needs-human label if blocked if: steps.check.outputs.recommendation == 'BLOCKED' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { createTokenAwareRetry } = require('./.github/scripts/github-api-with-retry.js'); @@ -154,7 +154,7 @@ jobs: - name: Post capability report if: steps.check.outputs.check_failed != 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: RESULT_JSON: ${{ steps.check.outputs.result_json }} RECOMMENDATION: ${{ steps.check.outputs.recommendation }} diff --git a/.github/workflows/agents-decompose.yml b/.github/workflows/agents-decompose.yml index b20b41f2..2386f28e 100644 --- a/.github/workflows/agents-decompose.yml +++ b/.github/workflows/agents-decompose.yml @@ -20,7 +20,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup API client uses: ./.github/actions/setup-api-client @@ -29,7 +29,7 @@ jobs: github_token: ${{ github.token }} - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: "3.11" 
@@ -39,7 +39,7 @@ jobs: - name: Extract issue content id: extract - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const issue = context.payload.issue; @@ -118,7 +118,7 @@ jobs: - name: Post decomposition comment if: steps.decompose.outputs.decompose_failed != 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: SUBTASK_COUNT: ${{ steps.decompose.outputs.subtask_count }} with: @@ -191,7 +191,7 @@ jobs: } - name: Remove trigger label - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 continue-on-error: true with: script: | diff --git a/.github/workflows/agents-dedup.yml b/.github/workflows/agents-dedup.yml index 50a01450..a00e4549 100644 --- a/.github/workflows/agents-dedup.yml +++ b/.github/workflows/agents-dedup.yml @@ -29,7 +29,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup API client uses: ./.github/actions/setup-api-client @@ -38,7 +38,7 @@ jobs: github_token: ${{ github.token }} - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: "3.11" @@ -48,7 +48,7 @@ jobs: - name: Get open issues id: get-issues - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { createTokenAwareRetry } = require('./.github/scripts/github-api-with-retry.js'); @@ -195,7 +195,7 @@ jobs: - name: Post duplicate warning if: steps.check.outputs.has_duplicates == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { createTokenAwareRetry } = require('./.github/scripts/github-api-with-retry.js'); 
diff --git a/.github/workflows/agents-guard.yml b/.github/workflows/agents-guard.yml index 4c484ed4..34c7a631 100644 --- a/.github/workflows/agents-guard.yml +++ b/.github/workflows/agents-guard.yml @@ -33,7 +33,7 @@ jobs: # Mint GitHub App token early to use for API calls (avoids rate limits) - name: Mint GitHub App Token id: app_token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 continue-on-error: true with: app-id: ${{ secrets.WORKFLOWS_APP_ID || '0' }} @@ -42,7 +42,7 @@ jobs: - name: Checkout base ref for safety validation if: github.event_name == 'pull_request_target' - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ github.event.pull_request.base.sha }} sparse-checkout-cone-mode: false @@ -81,14 +81,14 @@ jobs: if: >- github.event_name == 'pull_request_target' && steps.api_client_base.outputs.available != 'true' - uses: "stranske/Workflows/.github/actions/setup-api-client@v1" + uses: "stranske/Workflows/.github/actions/setup-api-client@6deed4d3937adab2370b4ddf96046ed295efe68f" # v1 with: secrets: ${{ toJSON(secrets) }} github_token: ${{ github.token }} - name: Verify pull_request_target safety invariants if: github.event_name == 'pull_request_target' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const path = require('path'); @@ -104,7 +104,7 @@ jobs: - name: Checkout PR head for pull_request event if: github.event_name == 'pull_request' - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: sparse-checkout-cone-mode: false sparse-checkout: | 
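Review bot: In the `@@ -81,14 +81,14 @@` hunk the fallback `stranske/Workflows/.github/actions/setup-api-client` step is now SHA-pinned, but it still receives `secrets: ${{ toJSON(secrets) }}` inside a `pull_request_target` job, so the pinned commit is handed every secret the workflow can read. The pin only helps if that commit is actually audited, and again on every later bump. The trailing `# v1` names a tag that can move while the SHA stays put, so the comment can drift from what is really running. If the action accepts individual inputs (not visible here), passing just the secrets it needs would narrow the exposure. Otherwise I would add a comment above the step such as `# Receives all secrets: review the pinned commit before bumping this SHA`; the same step appears in the following hunk for the `pull_request` path.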
@@ -137,13 +137,13 @@ jobs: - name: Setup API client (Workflows fallback) if: github.event_name == 'pull_request' && steps.api_client_head.outputs.available != 'true' - uses: "stranske/Workflows/.github/actions/setup-api-client@v1" + uses: "stranske/Workflows/.github/actions/setup-api-client@6deed4d3937adab2370b4ddf96046ed295efe68f" # v1 with: secrets: ${{ toJSON(secrets) }} github_token: ${{ github.token }} - name: Evaluate protected file changes id: evaluate - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const fs = require('fs'); @@ -404,7 +404,7 @@ jobs: - name: Post guard failure comment if: steps.evaluate.outputs.blocked == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: COMMENT_BODY_B64: ${{ steps.evaluate.outputs.comment_body_b64 }} COMMENT_MARKER: ${{ steps.evaluate.outputs.marker }} @@ -553,7 +553,7 @@ jobs: - name: Report agents guard commit status if: always() - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: BLOCKED: ${{ steps.evaluate.outputs.blocked || 'false' }} SUMMARY: ${{ steps.evaluate.outputs.summary }} diff --git a/.github/workflows/agents-issue-intake.yml b/.github/workflows/agents-issue-intake.yml index c54a41cc..2f0ee489 100644 --- a/.github/workflows/agents-issue-intake.yml +++ b/.github/workflows/agents-issue-intake.yml @@ -122,7 +122,7 @@ jobs: steps: - name: Check labels and extract info id: check - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const eventName = context.eventName; diff --git a/.github/workflows/agents-issue-optimizer.yml b/.github/workflows/agents-issue-optimizer.yml index 4978082d..cb3e32a5 100644 --- a/.github/workflows/agents-issue-optimizer.yml +++ b/.github/workflows/agents-issue-optimizer.yml 
@@ -93,7 +93,7 @@ jobs: id: app_token if: steps.check.outputs.should_run == 'true' continue-on-error: true - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 with: app-id: ${{ secrets.WORKFLOWS_APP_ID }} private-key: ${{ secrets.WORKFLOWS_APP_PRIVATE_KEY }} @@ -117,11 +117,11 @@ jobs: - name: Checkout repository if: steps.check.outputs.should_run == 'true' - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Checkout Workflows repository for scripts if: steps.check.outputs.should_run == 'true' - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: repository: stranske/Workflows path: workflows-scripts @@ -139,7 +139,7 @@ jobs: - name: Set up Python if: steps.check.outputs.should_run == 'true' - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: '3.11' @@ -220,7 +220,7 @@ jobs: env: GH_TOKEN: ${{ steps.token.outputs.token }} ISSUE_NUMBER: ${{ steps.check.outputs.issue_number }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ steps.token.outputs.token }} script: | diff --git a/.github/workflows/agents-keepalive-loop-reporter.yml b/.github/workflows/agents-keepalive-loop-reporter.yml index 391474c0..bef95b31 100644 --- a/.github/workflows/agents-keepalive-loop-reporter.yml +++ b/.github/workflows/agents-keepalive-loop-reporter.yml @@ -24,7 +24,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout keepalive scripts - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: sparse-checkout: | .github/scripts 
@@ -32,7 +32,7 @@ jobs: fetch-depth: 1 - name: Update summary for cancelled/failed runs - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/agents-keepalive-loop.yml b/.github/workflows/agents-keepalive-loop.yml index 629e598f..15ec9593 100644 --- a/.github/workflows/agents-keepalive-loop.yml +++ b/.github/workflows/agents-keepalive-loop.yml @@ -71,10 +71,10 @@ jobs: force_retry: ${{ steps.evaluate.outputs.force_retry }} steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6 with: node-version: 20 @@ -93,7 +93,7 @@ jobs: github.event_name == 'pull_request' && github.event.action == 'labeled' && github.event.label.name == 'agent:retry' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | @@ -161,7 +161,7 @@ jobs: run: echo "start_ts=$(date -u +%s)" >> "$GITHUB_OUTPUT" - name: Security gate - prompt injection guard id: security_gate - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | @@ -224,7 +224,7 @@ jobs: - name: Evaluate keepalive state id: evaluate - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: INPUT_PR_NUMBER: ${{ github.event.inputs.pr_number || '' }} INPUT_FORCE_RETRY: >- 
@@ -383,7 +383,7 @@ jobs: steps.evaluate.outputs.action == 'run' || steps.evaluate.outputs.action == 'fix' || steps.evaluate.outputs.action == 'conflict' - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: keepalive-task-appendix-${{ steps.evaluate.outputs.pr_number }} path: /tmp/keepalive-artifacts/task-appendix.txt @@ -489,10 +489,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6 with: node-version: 20 @@ -505,7 +505,7 @@ jobs: - name: Update summary with running status - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | @@ -611,10 +611,10 @@ jobs: feedback: ${{ steps.review.outputs.feedback }} steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6 with: node-version: 20 @@ -627,7 +627,7 @@ jobs: - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: '3.11' @@ -636,7 +636,7 @@ jobs: - name: Get recent commits id: commits - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | @@ -679,7 +679,7 @@ jobs: - name: Extract acceptance criteria id: criteria - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | 
@@ -779,7 +779,7 @@ jobs: - name: Post review feedback to PR if: steps.review_guard.outputs.should_post_review == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: REVIEW_FEEDBACK: ${{ steps.review.outputs.feedback }} with: @@ -874,7 +874,7 @@ jobs: }} steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup API client uses: ./.github/actions/setup-api-client @@ -952,7 +952,7 @@ jobs: echo "$metrics_json" >> keepalive-metrics.ndjson - name: Upload keepalive metrics artifact - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: keepalive-metrics path: keepalive-metrics.ndjson @@ -963,7 +963,7 @@ jobs: if: | needs.run-codex.outputs.changes-made == 'true' || needs.run-claude.outputs.changes-made == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: LLM_COMPLETED_TASKS: >- ${{ @@ -1041,7 +1041,7 @@ jobs: - name: Update summary comment id: update-summary - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: AGENT_SUMMARY: >- ${{ @@ -1132,7 +1132,7 @@ jobs: steps.update-summary.outputs.rate_limit_hit == 'true' && env.KEEPALIVE_APP_ID != '' && env.KEEPALIVE_APP_PRIVATE_KEY != '' - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 continue-on-error: true env: KEEPALIVE_APP_ID: ${{ secrets.KEEPALIVE_APP_ID }} @@ -1149,7 +1149,7 @@ jobs: failure() && steps.update-summary.outputs.rate_limit_hit == 'true' && steps.keepalive_app_token.outputs.token != '' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ steps.keepalive_app_token.outputs.token }} script: | 
diff --git a/.github/workflows/agents-pr-meta.yml b/.github/workflows/agents-pr-meta.yml index 38eaf21f..5c6553f2 100644 --- a/.github/workflows/agents-pr-meta.yml +++ b/.github/workflows/agents-pr-meta.yml @@ -67,7 +67,7 @@ jobs: steps: - name: Resolve PR context id: resolve - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const pr = context.payload.issue; @@ -117,7 +117,7 @@ jobs: steps: - name: Resolve PR from workflow_run id: resolve - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const run = context.payload.workflow_run; diff --git a/.github/workflows/agents-verifier.yml b/.github/workflows/agents-verifier.yml index aa73e7eb..22a87418 100644 --- a/.github/workflows/agents-verifier.yml +++ b/.github/workflows/agents-verifier.yml @@ -83,7 +83,7 @@ jobs: pr_number: ${{ steps.check.outputs.pr_number }} steps: - name: Checkout retry helpers - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: sparse-checkout: | .github/actions/setup-api-client @@ -99,7 +99,7 @@ jobs: - name: Check trigger conditions id: check - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const fs = require('fs'); diff --git a/.github/workflows/agents-verify-to-issue-v2.yml b/.github/workflows/agents-verify-to-issue-v2.yml index 4882d410..cea37099 100644 --- a/.github/workflows/agents-verify-to-issue-v2.yml +++ b/.github/workflows/agents-verify-to-issue-v2.yml @@ -30,7 +30,7 @@ jobs: steps: - name: Check PR is merged id: check-merged - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ github.token }} script: | 
@@ -68,7 +68,7 @@ jobs: - name: Checkout repository if: steps.check-merged.outputs.merged == 'true' - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: repository: stranske/Workflows token: ${{ steps.select-token.outputs.token }} @@ -91,7 +91,7 @@ jobs: - name: Set up Python if: steps.check-merged.outputs.merged == 'true' - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ env.PYTHON_VERSION }} @@ -103,7 +103,7 @@ jobs: - name: Collect verification and original issue data id: collect if: steps.check-merged.outputs.merged == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ steps.select-token.outputs.token }} script: | @@ -230,7 +230,7 @@ jobs: - name: Fallback to simple extraction id: fallback if: steps.generate.outcome == 'failure' && steps.check-merged.outputs.merged == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ steps.select-token.outputs.token }} script: | @@ -313,7 +313,7 @@ jobs: - name: Create follow-up issue id: create-issue if: steps.check-merged.outputs.merged == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: ISSUE_TITLE: >- ${{ steps.generate.outputs.issue_title || @@ -374,7 +374,7 @@ jobs: - name: Comment on original PR if: steps.check-merged.outputs.merged == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: ISSUE_NUMBER: ${{ steps.create-issue.outputs.issue_number }} ISSUE_URL: ${{ steps.create-issue.outputs.issue_url }} 
@@ -417,7 +417,7 @@ jobs: - name: Remove trigger label if: steps.check-merged.outputs.merged == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 continue-on-error: true with: github-token: ${{ steps.select-token.outputs.token }} diff --git a/.github/workflows/agents-verify-to-issue.yml b/.github/workflows/agents-verify-to-issue.yml index 07a9794f..a6db3e28 100644 --- a/.github/workflows/agents-verify-to-issue.yml +++ b/.github/workflows/agents-verify-to-issue.yml @@ -20,7 +20,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup API client uses: ./.github/actions/setup-api-client @@ -30,7 +30,7 @@ jobs: - name: Check PR is merged id: check-merged - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const pr = context.payload.pull_request; @@ -43,7 +43,7 @@ jobs: - name: Find and extract verification feedback id: extract if: steps.check-merged.outputs.merged == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { createTokenAwareRetry } = require('./.github/scripts/github-api-with-retry.js'); @@ -135,7 +135,7 @@ jobs: - name: Create follow-up issue id: create-issue if: steps.check-merged.outputs.merged == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: VERDICT: ${{ steps.extract.outputs.verdict }} CONCERNS_SUMMARY: ${{ steps.extract.outputs.concerns_summary }} @@ -207,7 +207,7 @@ jobs: - name: Comment on original PR if: steps.check-merged.outputs.merged == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: ISSUE_NUMBER: ${{ steps.create-issue.outputs.issue_number }} with: 
@@ -235,7 +235,7 @@ jobs: - name: Remove trigger label if: steps.check-merged.outputs.merged == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 continue-on-error: true with: script: | diff --git a/.github/workflows/agents-verify-to-new-pr.yml b/.github/workflows/agents-verify-to-new-pr.yml index 3f253601..8fe2324d 100644 --- a/.github/workflows/agents-verify-to-new-pr.yml +++ b/.github/workflows/agents-verify-to-new-pr.yml @@ -32,7 +32,7 @@ jobs: steps: - name: Check PR is merged id: check-merged - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ github.token }} script: | @@ -70,7 +70,7 @@ jobs: - name: Checkout repository if: steps.check-merged.outputs.merged == 'true' - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: repository: stranske/Workflows token: ${{ steps.select-token.outputs.token }} @@ -94,7 +94,7 @@ jobs: - name: Set up Python if: steps.check-merged.outputs.merged == 'true' - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ env.PYTHON_VERSION }} @@ -106,7 +106,7 @@ jobs: - name: Collect verification and original issue data id: collect if: steps.check-merged.outputs.merged == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ steps.select-token.outputs.token }} script: | @@ -251,7 +251,7 @@ jobs: - name: Check chain depth limit id: chain-check if: steps.check-merged.outputs.merged == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: CHAIN_DEPTH: ${{ steps.collect.outputs.chain_depth }} MAX_CHAIN_DEPTH: '2' 
@@ -392,7 +392,7 @@ jobs: steps.check-merged.outputs.merged == 'true' && steps.chain-check.outputs.exceeded != 'true' && steps.extract-verdict.outputs.needs_human == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: LINKED_ISSUE: ${{ steps.collect.outputs.original_issue_number }} NEEDS_HUMAN_REASON: ${{ steps.extract-verdict.outputs.needs_human_reason }} @@ -508,7 +508,7 @@ jobs: steps.check-merged.outputs.merged == 'true' && steps.chain-check.outputs.exceeded != 'true' && steps.extract-verdict.outputs.needs_human != 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: FOLLOW_UP_DEPTH: ${{ steps.chain-check.outputs.next_depth }} EXTRACTED_VERDICT: ${{ steps.extract-verdict.outputs.verdict }} @@ -680,7 +680,7 @@ jobs: steps.check-merged.outputs.merged == 'true' && steps.chain-check.outputs.exceeded != 'true' && steps.extract-verdict.outputs.needs_human != 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: ISSUE_TITLE: >- ${{ steps.generate.outputs.issue_title || @@ -775,7 +775,7 @@ jobs: steps.chain-check.outputs.exceeded != 'true' && steps.extract-verdict.outputs.needs_human != 'true' && steps.create-issue.outputs.issue_number != '' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: ISSUE_NUMBER: ${{ steps.create-issue.outputs.issue_number }} DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} @@ -812,7 +812,7 @@ jobs: steps.check-merged.outputs.merged == 'true' && steps.chain-check.outputs.exceeded != 'true' && steps.extract-verdict.outputs.needs_human != 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: ISSUE_NUMBER: ${{ steps.create-issue.outputs.issue_number }} ISSUE_URL: ${{ steps.create-issue.outputs.issue_url }} 
@@ -854,7 +854,7 @@ jobs: - name: Remove trigger label if: steps.check-merged.outputs.merged == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 continue-on-error: true with: github-token: ${{ steps.select-token.outputs.token }} diff --git a/.github/workflows/agents-weekly-metrics.yml b/.github/workflows/agents-weekly-metrics.yml index bbff26bf..3a0a9e0d 100644 --- a/.github/workflows/agents-weekly-metrics.yml +++ b/.github/workflows/agents-weekly-metrics.yml @@ -19,7 +19,7 @@ jobs: # Mint GitHub App token early to use for API calls (avoids rate limits) - name: Mint GitHub App Token id: app_token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 continue-on-error: true with: app-id: ${{ secrets.WORKFLOWS_APP_ID || '0' }} @@ -27,7 +27,7 @@ jobs: owner: ${{ github.repository_owner }} - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: token: ${{ steps.app_token.outputs.token || github.token }} @@ -49,7 +49,7 @@ jobs: - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: "3.11" @@ -160,14 +160,14 @@ jobs: python scripts/aggregate_agent_metrics.py - name: Upload weekly summary - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: agent-weekly-metrics path: agent-weekly-metrics.md retention-days: 30 - name: Post summary to tracking issue - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ steps.app_token.outputs.token || github.token }} script: | diff --git a/.github/workflows/autofix.yml b/.github/workflows/autofix.yml index f02f8d32..996c8f56 100644 --- a/.github/workflows/autofix.yml 
+++ b/.github/workflows/autofix.yml @@ -66,7 +66,7 @@ jobs: caller_actor: ${{ steps.context.outputs.caller_actor }} steps: - name: Checkout for API helpers - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: sparse-checkout: | .github/actions/setup-api-client @@ -82,7 +82,7 @@ jobs: - name: Resolve PR context id: context - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: >- ${{ secrets.AGENTS_AUTOMATION_PAT || secrets.ACTIONS_BOT_PAT || github.token }} diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml index 5f5dc9d3..acb68d48 100644 --- a/.github/workflows/dependabot-automerge.yml +++ b/.github/workflows/dependabot-automerge.yml @@ -21,11 +21,11 @@ jobs: github.event.pull_request.user.login == 'dependabot[bot]' steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Get PR metadata id: metadata - uses: dependabot/fetch-metadata@v2 + uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2 with: github-token: ${{ secrets.GITHUB_TOKEN }} @@ -36,7 +36,7 @@ jobs: github_token: ${{ github.token }} - name: Wait for checks - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { createTokenAwareRetry } = require('./.github/scripts/github-api-with-retry.js'); @@ -132,7 +132,7 @@ jobs: - name: Enable auto-merge if: success() - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: CODESPACES_WORKFLOWS_PAT: ${{ secrets.CODESPACES_WORKFLOWS }} with: diff --git a/.github/workflows/maint-76-claude-code-review.yml b/.github/workflows/maint-76-claude-code-review.yml index 2a2d9c52..4b63894f 100644 --- a/.github/workflows/maint-76-claude-code-review.yml 
+++ b/.github/workflows/maint-76-claude-code-review.yml @@ -25,10 +25,33 @@ jobs: pr_number: ${{ steps.resolve.outputs.pr_number }} reason: ${{ steps.resolve.outputs.reason }} steps: + - name: Checkout (for API wrappers) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + sparse-checkout: | + .github/actions/setup-api-client + .github/scripts/github-api-with-retry.js + .github/scripts/github-rate-limited-wrapper.js + .github/scripts/token_load_balancer.js + sparse-checkout-cone-mode: false + + - name: Setup API client + uses: ./.github/actions/setup-api-client + with: + secrets: ${{ toJSON(secrets) }} + github_token: ${{ github.token }} + - id: resolve - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | + const fs = require('fs'); + const retryPath = './.github/scripts/github-api-with-retry.js'; + const { createTokenAwareRetry } = fs.existsSync(retryPath) + ? require(retryPath) + : { createTokenAwareRetry: async () => ({ withRetry: (fn) => fn(github) }) }; + const { withRetry } = await createTokenAwareRetry({ github, core }); + const eventName = context.eventName; let shouldRun = "false"; let prNumber = ""; @@ -42,10 +65,12 @@ jobs: const pull_number = Number(raw); const { owner, repo } = context.repo; try { - const { data: pr } = await github.rest.pulls.get({ - owner, - repo, - pull_number, + const { data: pr } = await withRetry(async (octokit) => { + return octokit.rest.pulls.get({ + owner, + repo, + pull_number, + }); }); prNumber = String(pull_number); if (pr.state !== "open") { @@ -88,7 +113,7 @@ jobs: workflow_unchanged: ${{ steps.workflow-integrity.outputs.workflow_unchanged }} steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 
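Review bot: The added `Checkout (for API wrappers)` step leaves the checkout token in the workspace git config, and the local `./.github/actions/setup-api-client` step that follows is handed `${{ toJSON(secrets) }}`. The action code that runs is whatever ref the checkout resolved, and the workflow's triggers are outside this hunk, so I cannot confirm it is always trusted code. Since this checkout only fetches helper files, I would add `persist-credentials: false` under its `with:` (assuming nothing later in the job pushes with git), and pass the action only the secrets it needs if it supports that. Separately, the `fs.existsSync(retryPath)` fallback silently drops retry handling; emitting `core.warning('retry helper missing; calling API without retry')` when the file is absent would make that visible in the run log. The job and the script body continue past the hunk.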
@@ -156,7 +181,7 @@ jobs: id-token: write steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 1 diff --git a/.github/workflows/maint-coverage-guard.yml b/.github/workflows/maint-coverage-guard.yml index 18eb8efd..04413ce9 100644 --- a/.github/workflows/maint-coverage-guard.yml +++ b/.github/workflows/maint-coverage-guard.yml @@ -26,14 +26,14 @@ jobs: # Mint GitHub App token early to use for API calls (avoids rate limits) - name: Mint GitHub App Token id: app_token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 continue-on-error: true with: app-id: ${{ secrets.WORKFLOWS_APP_ID || '0' }} private-key: ${{ secrets.WORKFLOWS_APP_PRIVATE_KEY || 'dummy' }} - name: Checkout retry helpers - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: token: ${{ steps.app_token.outputs.token || github.token }} sparse-checkout: | @@ -52,7 +52,7 @@ jobs: - name: Check API quota id: check - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: # Higher threshold than orchestrator (1000) so keepalive runs first RATE_LIMIT_THRESHOLD: '2000' @@ -108,7 +108,7 @@ jobs: # Mint GitHub App token early to use for API calls (avoids rate limits) - name: Mint GitHub App Token id: app_token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 continue-on-error: true with: app-id: ${{ secrets.WORKFLOWS_APP_ID || '0' }} 
@@ -116,10 +116,10 @@ jobs: owner: ${{ github.repository_owner }} - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Checkout retry helpers - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: token: ${{ steps.app_token.outputs.token || github.token }} @@ -130,7 +130,7 @@ jobs: - name: Locate latest Gate workflow run id: discover - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | @@ -186,7 +186,7 @@ jobs: - name: Download coverage trend artifact if: ${{ steps.discover.outputs.run_id }} - uses: actions/download-artifact@v7 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 continue-on-error: true with: name: gate-coverage-trend @@ -196,7 +196,7 @@ jobs: - name: Download coverage payload artifact if: ${{ steps.discover.outputs.run_id }} - uses: actions/download-artifact@v7 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 continue-on-error: true with: name: gate-coverage diff --git a/.github/workflows/reusable-pr-context.yml b/.github/workflows/reusable-pr-context.yml index f7f6c346..90a5d9be 100644 --- a/.github/workflows/reusable-pr-context.yml +++ b/.github/workflows/reusable-pr-context.yml @@ -135,7 +135,7 @@ jobs: steps: - name: Checkout (for scripts) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: sparse-checkout: | .github/scripts @@ -145,7 +145,7 @@ jobs: id: app_token # Use continue-on-error to handle missing secrets gracefully continue-on-error: true - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 with: app-id: ${{ secrets.WORKFLOWS_APP_ID }} private-key: ${{ secrets.WORKFLOWS_APP_PRIVATE_KEY }} 
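Review bot: The two `actions/download-artifact` steps (hunks `@@ -186,7` and `@@ -196,7`) go from `@v7` to a commit annotated `# v8`, so unlike the other lines in this patch they are a major-version upgrade, not a like-for-like pin. Both steps carry `continue-on-error: true`, so if v8 behaves differently the download would fail quietly and the later steps would presumably run without the `gate-coverage-trend` and `gate-coverage` data. I would either pin the commit of the v7 release that was in use, or keep the upgrade but check the v8 release notes and that the Gate workflow's `upload-artifact` version is compatible. If the upgrade stays, a line such as `# bumped v7 -> v8 together with the SHA pin; verify against Gate's upload-artifact version` above each step makes it visible.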
@@ -170,7 +170,7 @@ jobs: - name: Fetch PR Context via GraphQL id: context - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ steps.token.outputs.token }} script: |