MNT: Use hash for Action workflow versions and update if needed (#3205)

.github/workflows/changelog_check.yml

@@ -14,7 +14,7 @@ jobs:
  runs-on: ubuntu-latest
  steps:
  - name: Check change log entry
- uses: scientific-python/[email protected]
+ uses: scientific-python/action-check-changelogfile@1fc669db9618167166d5a16c10282044f51805c0 # 0.3
  env:
  CHANGELOG_FILENAME: CHANGES.rst
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/check_milestone.yml

@@ -17,7 +17,7 @@ jobs:
  milestone_checker:
  runs-on: ubuntu-latest
  steps:
- - uses: actions/github-script@v7
+ - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
  if: github.repository == 'spacetelescope/jdaviz'
  with:
  github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/ci_cron_weekly.yml

@@ -23,9 +23,9 @@ jobs:
  runs-on: ubuntu-latest
  if: (github.repository == 'spacetelescope/jdaviz' && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || contains(github.event.pull_request.labels.*.name, 'Extra CI')))
  steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
  - name: Set up Python to build docs with sphinx
- uses: actions/setup-python@v5
+ uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
  with:
  python-version: '3.11'
  - name: Install base dependencies
@@ -41,11 +41,11 @@ jobs:
  if: (github.repository == 'spacetelescope/jdaviz' && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || contains(github.event.pull_request.labels.*.name, 'Extra CI')))
  steps:
  - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
  with:
  fetch-depth: 0
  - name: Set up python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
  with:
  python-version: '3.11'
  - name: Install base dependencies
@@ -61,11 +61,11 @@ jobs:
  if: (github.repository == 'spacetelescope/jdaviz' && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || contains(github.event.pull_request.labels.*.name, 'Extra CI')))
  steps:
  - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
  with:
  fetch-depth: 0
  - name: Set up python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
  with:
  python-version: '3.10'
  - name: Install base dependencies

.github/workflows/ci_workflows.yml

@@ -74,11 +74,11 @@ jobs:
 
  steps:
  - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
  with:
  fetch-depth: 0
  - name: Set up python ${{ matrix.python }} on ${{ matrix.os }}
- uses: actions/setup-python@v5
+ uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
  with:
  python-version: ${{ matrix.python }}
  - name: Install base dependencies
@@ -87,7 +87,7 @@ jobs:
  run: tox -e ${{ matrix.toxenv }} -- ${{ matrix.toxposargs }}
  - name: Upload coverage to artifacts
  if: "contains(matrix.toxenv, '-cov')"
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
  with:
  name: coverage_${{ matrix.toxenv }}.xml
  path: coverage.xml
@@ -101,14 +101,14 @@ jobs:
  name: Upload Coverage
  steps:
  - name: Download coverage artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
  with:
  path: coverage
  pattern: coverage_*
  merge-multiple: true
  - name: Upload report to Codecov
  if: ${{ hashFiles('coverage/') != '' }}
- uses: codecov/codecov-action@v4
+ uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
  with:
  token: ${{ secrets.CODECOV_TOKEN }}
  directory: coverage

.github/workflows/codeql-analysis.yml

@@ -1,54 +1,54 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-name: "CodeQL"
-
-on:
- schedule:
- # run every Monday at 3am UTC
- - cron: '0 3 * * 1'
-
-jobs:
- analyze:
- name: Analyze
- runs-on: ubuntu-latest
-
- strategy:
- fail-fast: true
- matrix:
- language: [ 'python', 'javascript' ]
- # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
- # Learn more:
- # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
- with:
- fetch-depth: 0
-
- # Initializes the CodeQL tools for scanning.
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
- with:
- languages: ${{ matrix.language }}
- # If you wish to specify custom queries, you can do so here or in a config file.
- # By default, queries listed here will override any specified in a config file.
- # Prefix the list here with "+" to use these queries and those in the config file.
- # queries: ./path/to/local/query, your-org/your-repo/queries@main
-
- # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
- # If this step fails, then you should remove it and run the build manually (see below)
- - name: Autobuild
- uses: github/codeql-action/autobuild@v3
-
- # ℹ️ Command-line programs to run using the OS shell.
- # 📚 https://git.io/JvXDl
-
- # ✏️ If the Autobuild fails above, remove it and build your code if your project
- # uses a compiled language
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+name: "CodeQL"
+
+on:
+ schedule:
+ # run every Monday at 3am UTC
+ - cron: '0 3 * * 1'
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+
+ strategy:
+ fail-fast: true
+ matrix:
+ language: [ 'python', 'javascript' ]
+ # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
+ # Learn more:
+ # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+ with:
+ fetch-depth: 0
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@5618c9fc1e675841ca52c1c6b1304f5255a905a0 # codeql-bundle-v2.19.0
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+ # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+ # If this step fails, then you should remove it and run the build manually (see below)
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@5618c9fc1e675841ca52c1c6b1304f5255a905a0 # codeql-bundle-v2.19.0
+
+ # ℹ️ Command-line programs to run using the OS shell.
+ # 📚 https://git.io/JvXDl
+
+ # ✏️ If the Autobuild fails above, remove it and build your code if your project
+ # uses a compiled language
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@5618c9fc1e675841ca52c1c6b1304f5255a905a0 # codeql-bundle-v2.19.0

.github/workflows/open_actions.yml

@@ -14,12 +14,12 @@ jobs:
  steps:
  # NOTE: sync-labels due to https://github.com/actions/labeler/issues/112
  - name: Label PR
- uses: actions/labeler@v5
+ uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
  if: github.event_name == 'pull_request_target' && github.event.pull_request.user.login != 'meeseeksmachine'
  with:
  repo-token: "${{ secrets.GITHUB_TOKEN }}"
  # Special action for a special day. Until next year!
  #- name: Special comment
- # uses: pllim/action-special_pr_comment@main
+ # uses: pllim/action-special_pr_comment@5126c189c02418a55448480b28efd1a00af48d7b # 0.2
  # with:
  # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/predeps_workflows.yml

@@ -42,11 +42,11 @@ jobs:
 
  steps:
  - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
  with:
  fetch-depth: 0
  - name: Set up python ${{ matrix.python }} on ${{ matrix.os }}
- uses: actions/setup-python@v5
+ uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
  with:
  python-version: ${{ matrix.python }}
  - name: Install base dependencies

.github/workflows/publish.yml

@@ -17,11 +17,11 @@ jobs:
  if: github.repository == 'spacetelescope/jdaviz'
 
  steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
  with:
  fetch-depth: 0
 
- - uses: actions/setup-python@v5
+ - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
  with:
  python-version: '3.10'
 
@@ -46,7 +46,7 @@ jobs:
 
  # NOTE: Do not run this part for PR testing.
  - name: Publish distribution 📦 to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@897895f1e160c830e369f9779632ebc134688e1b # v1.10.2
  if: github.event_name != 'pull_request'
  with:
  user: __token__

.github/workflows/standalone.yml

@@ -23,11 +23,11 @@ jobs:
  matrix:
  os: [ubuntu, windows]
  steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
  with:
  fetch-depth: 0
 
- - uses: actions/setup-python@v5
+ - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
  with:
  python-version: "3.11"
 
@@ -62,14 +62,14 @@ jobs:
 
  - name: Upload Test artifacts
  if: github.event_name != 'pull_request'
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
  with:
  name: test-results-${{ matrix.os }}
  path: standalone/test-results
 
  - name: Upload jdaviz standalone (non-OSX)
  if: github.event_name != 'pull_request'
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
  with:
  name: jdaviz-standlone-${{ matrix.os }}
  path: |
@@ -85,17 +85,17 @@ jobs:
  steps:
  # osx signing based on https://melatonin.dev/blog/how-to-code-sign-and-notarize-macos-audio-plugins-in-ci/
  - name: Import Certificates (macOS)
- uses: apple-actions/import-codesign-certs@v3
+ uses: apple-actions/import-codesign-certs@63fff01cd422d4b7b855d40ca1e9d34d2de9427d # v3
  if: ${{ matrix.os == 'macos' }}
  with:
  p12-file-base64: ${{ secrets.DEV_ID_APP_CERT }}
  p12-password: ${{ secrets.DEV_ID_APP_PASSWORD }}
 
- - uses: actions/checkout@v4
+ - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
  with:
  fetch-depth: 0
 
- - uses: actions/setup-python@v5
+ - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
  with:
  python-version: "3.11"
 
@@ -185,14 +185,14 @@ jobs:
 
  - name: Upload Test artifacts
  if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
  with:
  name: test-results-${{ matrix.os }}
  path: standalone/test-results
 
  - name: Upload jdaviz standalone (OSX)
  if: ${{ always() && (matrix.os == 'macos') }}
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
  with:
  name: jdaviz-standlone-${{ matrix.os }}
  path: standalone/dist/jdaviz.dmg