diff --git a/.github/workflows/code_scan.yml b/.github/workflows/code_scan.yml index 012281755ec..36b704bf0bb 100644 --- a/.github/workflows/code_scan.yml +++ b/.github/workflows/code_scan.yml @@ -14,9 +14,9 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: "3.10" - name: Install dependencies @@ -26,7 +26,7 @@ jobs: TRIVY_DOWNLOAD_URL: ${{ vars.TRIVY_DOWNLOAD_URL }} run: tox -vv -e trivy-scan - name: Upload Trivy results artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: trivy-results path: | @@ -37,9 +37,9 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: "3.10" - name: Install dependencies @@ -47,7 +47,7 @@ jobs: - name: Bandit Scanning run: tox -e bandit-scan - name: Upload Bandit artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: bandit-report path: .tox/bandit-report.txt diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 574f7543b1e..d94d0b738ae 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml 
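Review bot: The SHA pins introduced here, first in the `Checkout code` and `Set up Python` steps of code_scan.yml and then in every later hunk of this commit, freeze each action at one commit, so upstream security fixes no longer arrive through a moving tag. The diff shows no update mechanism; if the repository does not already have one, a `package-ecosystem: "github-actions"` entry in `.github/dependabot.yml` would keep the pinned SHAs and their `# vX.Y.Z` comments current. The commit message should also say how each SHA was checked against its upstream tag, because a reviewer cannot confirm that from the hash alone.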
@@ -15,9 +15,9 @@ jobs: pages: write steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: "3.10" - name: Install dependencies @@ -65,7 +65,7 @@ jobs: git add ./latest ${{ env.RELEASE_VERSION }} git commit -m "Update documentation" -a || true - name: Push changes - uses: ad-m/github-push-action@master + uses: ad-m/github-push-action@fcea09907c44d7a7a3331c9c04080d55d87c95fe # master with: github_token: ${{ secrets.GITHUB_TOKEN }} branch: gh-pages diff --git a/.github/workflows/docs_stable.yml b/.github/workflows/docs_stable.yml index 14648f53675..1a6c5e58733 100644 --- a/.github/workflows/docs_stable.yml +++ b/.github/workflows/docs_stable.yml @@ -14,11 +14,11 @@ jobs: pages: write steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: fetch-depth: 0 # otherwise, you will failed to push refs to dest repo - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: "3.10" - name: Install dependencies @@ -65,7 +65,7 @@ jobs: git add ./stable ${{ env.RELEASE_VERSION }} git commit -m "Update documentation" -a || true - name: Push changes - uses: ad-m/github-push-action@master + uses: ad-m/github-push-action@fcea09907c44d7a7a3331c9c04080d55d87c95fe # master with: github_token: ${{ secrets.GITHUB_TOKEN }} branch: gh-pages diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 8d0e2077a72..93e119c9336 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml 
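Review bot: In the `Push changes` step of docs.yml, the pin `ad-m/github-push-action@fcea09907c44d7a7a3331c9c04080d55d87c95fe # master` is labelled with a branch name rather than a release, so neither a reviewer nor update tooling can tell which version the commit corresponds to. This step is handed `secrets.GITHUB_TOKEN` and pushes to `gh-pages`, which makes it one of the more sensitive third-party pins in the commit. Prefer the commit of a tagged release with that tag in the comment, `uses: ad-m/github-push-action@<sha-of-release-tag> # <release-tag>`; if only a branch commit is usable, record the date it was taken in the comment. The same line appears in the docs_stable.yml hunk at `@@ -65,7 +65,7 @@`.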
@@ -12,6 +12,6 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: - - uses: actions/labeler@v4 + - uses: actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594 # v4.3.0 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/pre_merge.yml b/.github/workflows/pre_merge.yml index b36eec1f481..75841750e34 100644 --- a/.github/workflows/pre_merge.yml +++ b/.github/workflows/pre_merge.yml @@ -24,9 +24,9 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: "3.10" - name: Install dependencies @@ -69,9 +69,9 @@ jobs: options: --runtime=nvidia --env-file=/home/runner/.nvidia.env --shm-size=24g steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Install Python - uses: actions/setup-python@v4 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: "3.8" - name: Install dependencies @@ -79,7 +79,7 @@ jobs: - name: Run unit test run: tox -vv -e unittest-all-py38-pt1 - name: Upload coverage artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: coverage path: .tox/coverage.xml diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 8ad38e241be..470f5fcac1e 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
@@ -14,10 +14,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Build wheels - uses: pypa/cibuildwheel@v2.13.1 - - uses: actions/upload-artifact@v3 + uses: pypa/cibuildwheel@0ecddd92b62987d7a2ae8911f4bb8ec9e2e4496a # v2.13.1 + - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: path: ./wheelhouse/*.whl @@ -26,16 +26,16 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up Python 3.10 - uses: actions/setup-python@v3 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: "3.10" - name: Install pypa/build run: python -m pip install build - name: Build sdist run: python -m build --sdist - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: path: dist/*.tar.gz @@ -48,7 +48,7 @@ jobs: packages: write steps: - name: Download artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: # unpacks default artifact into dist/ # if `name: artifact` is omitted, the action will create extra parent dir 
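Review bot: In the `@@ -26,16 +26,16 @@` hunk of publish.yml, the `Set up Python 3.10` step moves from `actions/setup-python@v3` to a commit labelled `# v4.7.1`, which is a major-version upgrade rather than a pin of the version already in use. Because this is the job that builds the sdist for release, a behaviour change here should not ride in unannounced with a pinning commit. Either pin a v3 commit, `uses: actions/setup-python@<sha-of-v3-release> # <v3-release-tag>`, or keep v4.7.1 and call the upgrade out in the commit message so it gets exercised on the release path. publish_internal.yml makes the same jump in its `@@ -24,16 +24,16 @@` hunk.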
@@ -57,13 +57,13 @@ jobs: # to determine where to publish the source distribution to PyPI or TestPyPI - name: Check tag id: check-tag - uses: actions-ecosystem/action-regex-match@v2 + uses: actions-ecosystem/action-regex-match@9e6c4fb3d5e898f505be7a1fb6e7b0a278f6665b # v2.0.2 with: text: ${{ github.ref }} regex: '^refs/tags/[0-9]+\.[0-9]+\.[0-9]+(\.[0-9]+rc[0-9]+|rc[0-9]+)?$' - name: Upload package distributions to github if: ${{ steps.check-tag.outputs.match != '' }} - uses: svenstaro/upload-release-action@v2 + uses: svenstaro/upload-release-action@1beeb572c19a9242f4361f4cee78f8e0d9aec5df # v2 with: repo_token: ${{ secrets.GITHUB_TOKEN }} file: dist/* @@ -72,12 +72,12 @@ jobs: file_glob: true - name: Publish package distributions to PyPI if: ${{ steps.check-tag.outputs.match != '' }} - uses: pypa/gh-action-pypi-publish@v1.7.1 + uses: pypa/gh-action-pypi-publish@22b4d1f12511f2696162c08546dafbaa903448a2 # v1.7.1 with: password: ${{ secrets.PYPI_API_TOKEN }} - name: Publish package distributions to TestPyPI if: ${{ steps.check-tag.outputs.match == '' }} - uses: pypa/gh-action-pypi-publish@v1.7.1 + uses: pypa/gh-action-pypi-publish@22b4d1f12511f2696162c08546dafbaa903448a2 # v1.7.1 with: password: ${{ secrets.TESTPYPI_API_TOKEN }} repository-url: https://test.pypi.org/legacy/ diff --git a/.github/workflows/publish_internal.yml b/.github/workflows/publish_internal.yml index 66cf99082ec..3b03f59369a 100644 --- a/.github/workflows/publish_internal.yml +++ b/.github/workflows/publish_internal.yml @@ -12,10 +12,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Build wheels - uses: pypa/cibuildwheel@v2.13.1 - - uses: actions/upload-artifact@v3 + uses: pypa/cibuildwheel@0ecddd92b62987d7a2ae8911f4bb8ec9e2e4496a # v2.13.1 + - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: path: ./wheelhouse/*.whl 
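Review bot: In `Upload package distributions to github`, the pin `svenstaro/upload-release-action@1beeb572c19a9242f4361f4cee78f8e0d9aec5df # v2` is annotated with the moving major tag, while the other tagged pins in this commit name an exact release. With only `# v2` in the comment, it is not possible to tell which release the SHA was taken from, and a later reader cannot verify it, because the `v2` tag may have moved since. The step receives `secrets.GITHUB_TOKEN` and publishes release assets, so the exact provenance matters here. Write the exact tag in the comment: `uses: svenstaro/upload-release-action@1beeb572c19a9242f4361f4cee78f8e0d9aec5df # <exact-release-tag>`.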
@@ -24,16 +24,16 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up Python 3.10 - uses: actions/setup-python@v3 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: "3.10" - name: Install pypa/build run: python -m pip install build~=1.0.3 - name: Build sdist run: python -m build --sdist - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: path: dist/*.tar.gz @@ -46,13 +46,13 @@ jobs: packages: write steps: - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: "3.10" - name: Install dependencies run: python -m pip install twine~=4.0.2 - name: Download artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: # unpacks default artifact into dist/ # if `name: artifact` is omitted, the action will create extra parent dir @@ -60,7 +60,7 @@ jobs: path: dist - name: Check tag id: check-tag - uses: actions-ecosystem/action-regex-match@v2 + uses: actions-ecosystem/action-regex-match@9e6c4fb3d5e898f505be7a1fb6e7b0a278f6665b # v2.0.2 with: text: ${{ github.ref }} regex: '^refs/heads/releases/[0-9]+\.[0-9]+\.[0-9]+(\.[0-9]+rc[0-9]+|rc[0-9]+)?$' diff --git a/.github/workflows/run_tests_in_tox.yml b/.github/workflows/run_tests_in_tox.yml index d2591cbcb50..a3a7ffd3ba3 100644 --- a/.github/workflows/run_tests_in_tox.yml +++ b/.github/workflows/run_tests_in_tox.yml 
@@ -45,9 +45,9 @@ jobs: timeout-minutes: ${{ inputs.timeout-minutes }} steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: ${{ inputs.python-version }} - name: Install dependencies @@ -60,7 +60,7 @@ jobs: GH_CTX_SHA: ${{ github.sha }} run: tox -vv -e tests-${{ inputs.toxenv-task }}-${{ inputs.toxenv-pyver }}-${{ inputs.toxenv-ptver }} -- ${{ inputs.tests-dir }} - name: Upload test results - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: ${{ inputs.artifact-prefix }}-${{ inputs.toxenv-task }}-${{ inputs.toxenv-pyver }}-${{ inputs.toxenv-ptver }} path: | diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index bcf7ea9f33a..abf3f564cfb 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -32,7 +32,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: persist-credentials: false @@ -59,7 +59,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: SARIF file path: results.sarif diff --git a/.github/workflows/stale_marker.yml b/.github/workflows/stale_marker.yml index f028ca8b68e..3cc85425def 100644 --- a/.github/workflows/stale_marker.yml +++ b/.github/workflows/stale_marker.yml 
@@ -10,7 +10,7 @@ jobs: stale: runs-on: ubuntu-latest steps: - - uses: actions/stale@v4 + - uses: actions/stale@a20b814fb01b71def3bd6f56e7494d667ddf28da # v4.1.1 with: stale-issue-message: "This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 7 days." stale-pr-message: "This PR is stale because it has been open 90 days with no activity."