From 4efadec3311e623d872723e2e03b368247d63e5e Mon Sep 17 00:00:00 2001 From: "P. L. Lim" <2090236+pllim@users.noreply.github.com> Date: Mon, 30 Sep 2024 15:08:04 -0400 Subject: [PATCH] MNT: Use hash for Action workflow versions and update if needed (#3205) --- .github/workflows/changelog_check.yml | 2 +- .github/workflows/check_milestone.yml | 2 +- .github/workflows/ci_cron_weekly.yml | 12 +-- .github/workflows/ci_workflows.yml | 10 +-- .github/workflows/codeql-analysis.yml | 108 ++++++++++++------------ .github/workflows/open_actions.yml | 4 +- .github/workflows/predeps_workflows.yml | 4 +- .github/workflows/publish.yml | 6 +- .github/workflows/standalone.yml | 18 ++-- 9 files changed, 83 insertions(+), 83 deletions(-) diff --git a/.github/workflows/changelog_check.yml b/.github/workflows/changelog_check.yml index b533c93a7f..f2889a6ce0 100644 --- a/.github/workflows/changelog_check.yml +++ b/.github/workflows/changelog_check.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check change log entry - uses: scientific-python/action-check-changelogfile@0.3 + uses: scientific-python/action-check-changelogfile@1fc669db9618167166d5a16c10282044f51805c0 # 0.3 env: CHANGELOG_FILENAME: CHANGES.rst GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/check_milestone.yml b/.github/workflows/check_milestone.yml index 4be9d79c88..4c93b1889a 100644 --- a/.github/workflows/check_milestone.yml +++ b/.github/workflows/check_milestone.yml @@ -17,7 +17,7 @@ jobs: milestone_checker: runs-on: ubuntu-latest steps: - - uses: actions/github-script@v7 + - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 if: github.repository == 'spacetelescope/jdaviz' with: github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/ci_cron_weekly.yml b/.github/workflows/ci_cron_weekly.yml index b7f4701a4f..40a3066ced 100644 --- a/.github/workflows/ci_cron_weekly.yml +++ b/.github/workflows/ci_cron_weekly.yml 
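Review bot: A SHA pin only stays current if something refreshes both the hash and the trailing version comment (`# 0.3` on the new `scientific-python/action-check-changelogfile` line), and nothing in this commit shows a `.github/dependabot.yml` with a `package-ecosystem: github-actions` entry or an equivalent Renovate configuration; confirm one exists, otherwise every pin introduced here will silently age. Dependabot and Renovate read the `# <version>` comment that follows the SHA to decide what to bump, so that comment format should be kept on every `uses:` line. The same point applies to the `actions/github-script` pin in the `check_milestone.yml` hunk and to the remaining files in this commit.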
@@ -23,9 +23,9 @@ jobs: runs-on: ubuntu-latest if: (github.repository == 'spacetelescope/jdaviz' && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || contains(github.event.pull_request.labels.*.name, 'Extra CI'))) steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Set up Python to build docs with sphinx - uses: actions/setup-python@v5 + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: '3.11' - name: Install base dependencies 
@@ -41,11 +41,11 @@ jobs: if: (github.repository == 'spacetelescope/jdaviz' && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || contains(github.event.pull_request.labels.*.name, 'Extra CI'))) steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: fetch-depth: 0 - name: Set up python - uses: actions/setup-python@v5 + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: '3.11' - name: Install base dependencies 
@@ -61,11 +61,11 @@ jobs: if: (github.repository == 'spacetelescope/jdaviz' && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || contains(github.event.pull_request.labels.*.name, 'Extra CI'))) steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: fetch-depth: 0 - name: Set up python - uses: actions/setup-python@v5 + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: '3.10' - name: Install base dependencies 
diff --git a/.github/workflows/ci_workflows.yml b/.github/workflows/ci_workflows.yml 
index 1135e1cf28..3095c3ad33 100644 
--- a/.github/workflows/ci_workflows.yml 
+++ b/.github/workflows/ci_workflows.yml 
@@ -74,11 +74,11 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: fetch-depth: 0 - name: Set up python ${{ matrix.python }} on ${{ matrix.os }} - uses: actions/setup-python@v5 + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: ${{ matrix.python }} - name: Install base dependencies 
@@ -87,7 +87,7 @@ jobs: run: tox -e ${{ matrix.toxenv }} -- ${{ matrix.toxposargs }} - name: Upload coverage to artifacts if: "contains(matrix.toxenv, '-cov')" - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: coverage_${{ matrix.toxenv }}.xml path: coverage.xml 
@@ -101,14 +101,14 @@ jobs: name: Upload Coverage steps: - name: Download coverage artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: path: coverage pattern: coverage_* merge-multiple: true - name: Upload report to Codecov if: ${{ hashFiles('coverage/') != '' }} - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0 with: token: ${{ secrets.CODECOV_TOKEN }} directory: coverage 
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml 
index 9d8ba541fe..25762a7351 100644 
--- a/.github/workflows/codeql-analysis.yml 
+++ b/.github/workflows/codeql-analysis.yml 
@@ -1,54 +1,54 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -name: "CodeQL" - -on: - schedule: - # run every Monday at 3am UTC - - cron: '0 3 * * 1' - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - - strategy: - fail-fast: true - matrix: - language: [ 'python', 'javascript' ] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ] - # Learn more: - # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - # queries: ./path/to/local/query, your-org/your-repo/queries@main - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v3 - - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 https://git.io/JvXDl - - # ✏ī¸ If the Autobuild fails above, remove it and build your code if your project - # uses a compiled language - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. 
+# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +name: "CodeQL" + +on: + schedule: + # run every Monday at 3am UTC + - cron: '0 3 * * 1' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + + strategy: + fail-fast: true + matrix: + language: [ 'python', 'javascript' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ] + # Learn more: + # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed + + steps: + - name: Checkout repository + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + with: + fetch-depth: 0 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@5618c9fc1e675841ca52c1c6b1304f5255a905a0 # codeql-bundle-v2.19.0 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + # queries: ./path/to/local/query, your-org/your-repo/queries@main + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@5618c9fc1e675841ca52c1c6b1304f5255a905a0 # codeql-bundle-v2.19.0 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 https://git.io/JvXDl + + # ✏ī¸ If the Autobuild fails above, remove it and build your code if your project + # uses a compiled language + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@5618c9fc1e675841ca52c1c6b1304f5255a905a0 # codeql-bundle-v2.19.0 
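Review bot: The rewritten workflow still declares no `permissions:` block, so the `github/codeql-action/analyze` step depends on whatever the repository's default `GITHUB_TOKEN` grant happens to be; with a read-only default the results upload fails. Add an explicit least-privilege grant at workflow level, `permissions:` / `  contents: read` / `  security-events: write` (private repositories additionally need `actions: read`). Every line of the file is shown as removed and re-added although only the three `uses:` lines differ, which looks like a line-ending or trailing-whitespace rewrite — worth confirming that was intentional, since it costs the file its blame history. The `https://git.io/JvXDl` shortener in the comments points at a deprecated GitHub service; the direct documentation URL would be more durable.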
diff --git a/.github/workflows/open_actions.yml b/.github/workflows/open_actions.yml 
index e76e8f4f39..7ec931bc1a 100644 
--- a/.github/workflows/open_actions.yml 
+++ b/.github/workflows/open_actions.yml 
@@ -14,12 +14,12 @@ jobs: steps: # NOTE: sync-labels due to https://github.com/actions/labeler/issues/112 - name: Label PR - uses: actions/labeler@v5 + uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 if: github.event_name == 'pull_request_target' && github.event.pull_request.user.login != 'meeseeksmachine' with: repo-token: "${{ secrets.GITHUB_TOKEN }}" # Special action for a special day. Until next year! #- name: Special comment - # uses: pllim/action-special_pr_comment@main + # uses: pllim/action-special_pr_comment@5126c189c02418a55448480b28efd1a00af48d7b # 0.2 # with: # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/predeps_workflows.yml b/.github/workflows/predeps_workflows.yml 
index 0a803a4cb5..ea52f0566a 100644 
--- a/.github/workflows/predeps_workflows.yml 
+++ b/.github/workflows/predeps_workflows.yml 
@@ -42,11 +42,11 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: fetch-depth: 0 - name: Set up python ${{ matrix.python }} on ${{ matrix.os }} - uses: actions/setup-python@v5 + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: ${{ matrix.python }} - name: Install base dependencies 
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml 
index 2b46c43582..746f37bf94 100644 
--- a/.github/workflows/publish.yml 
+++ b/.github/workflows/publish.yml 
@@ -17,11 +17,11 @@ jobs: if: github.repository == 'spacetelescope/jdaviz' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: fetch-depth: 0 - - uses: actions/setup-python@v5 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: '3.10' 
@@ -46,7 +46,7 @@ jobs: # NOTE: Do not run this part for PR testing. - name: Publish distribution đŸ“Ļ to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@897895f1e160c830e369f9779632ebc134688e1b # v1.10.2 if: github.event_name != 'pull_request' with: user: __token__ 
diff --git a/.github/workflows/standalone.yml b/.github/workflows/standalone.yml 
index c44c03a111..e21b92500e 100644 
--- a/.github/workflows/standalone.yml 
+++ b/.github/workflows/standalone.yml 
@@ -23,11 +23,11 @@ jobs: matrix: os: [ubuntu, windows] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: fetch-depth: 0 - - uses: actions/setup-python@v5 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: "3.11" 
@@ -62,14 +62,14 @@ jobs: - name: Upload Test artifacts if: github.event_name != 'pull_request' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: test-results-${{ matrix.os }} path: standalone/test-results - name: Upload jdaviz standalone (non-OSX) if: github.event_name != 'pull_request' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: jdaviz-standlone-${{ matrix.os }} path: | 
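Review bot: The publish step still authenticates with a stored API token — `user: __token__` is the last line of the `@@ -46,7 +46,7 @@` hunk and the `with:` block (presumably a `password:` secret) continues outside it. The pinned `pypa/gh-action-pypi-publish` v1.10.2 supports PyPI trusted publishing, which replaces the long-lived secret with a short-lived OIDC token: grant the job `permissions:` / `  id-token: write`, register the workflow as a trusted publisher on PyPI, and drop `user:`/`password:`. If the token has to stay for now, it should be scoped to this project rather than the account, and the `if: github.event_name != 'pull_request'` guard should remain so no PR-triggered run can reach it.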
@@ -85,17 +85,17 @@ jobs: steps: # osx signing based on https://melatonin.dev/blog/how-to-code-sign-and-notarize-macos-audio-plugins-in-ci/ - name: Import Certificates (macOS) - uses: apple-actions/import-codesign-certs@v3 + uses: apple-actions/import-codesign-certs@63fff01cd422d4b7b855d40ca1e9d34d2de9427d # v3 if: ${{ matrix.os == 'macos' }} with: p12-file-base64: ${{ secrets.DEV_ID_APP_CERT }} p12-password: ${{ secrets.DEV_ID_APP_PASSWORD }} - - uses: actions/checkout@v4 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: fetch-depth: 0 - - uses: actions/setup-python@v5 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: "3.11" 
@@ -185,14 +185,14 @@ jobs: - name: Upload Test artifacts if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: test-results-${{ matrix.os }} path: standalone/test-results - name: Upload jdaviz standalone (OSX) if: ${{ always() && (matrix.os == 'macos') }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: jdaviz-standlone-${{ matrix.os }} path: standalone/dist/jdaviz.dmg
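Review bot: The comment on the new `apple-actions/import-codesign-certs` pin records only the major tag (`# v3`) while every other pin in this commit names an exact release (`# v4.2.0`, `# v5.2.0`), so a reader cannot tell which release the hash resolves to and updater tooling has nothing precise to compare against; if the hash corresponds to a tagged release, write that tag in the comment. This is also the step that receives the `DEV_ID_APP_CERT` and `DEV_ID_APP_PASSWORD` secrets, which makes it the pin most worth keeping exact and auditable. The `Import Certificates (macOS)` step is fully inside the hunk; the enclosing job continues outside it.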