diff --git a/.github/workflows/code-pull-request.yml b/.github/workflows/code-pull-request.yml index 3fe40eca..693c46c6 100644 --- a/.github/workflows/code-pull-request.yml +++ b/.github/workflows/code-pull-request.yml @@ -35,7 +35,7 @@ jobs: fetch-depth: 0 - name: Restore Bun Package Cache id: restore-bun-cache - uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache/restore@caa296126883cff596d87d8935842f9db880ef25 # v5 with: path: /home/runner/.bun/install/cache key: bun-packages-${{ runner.os }}-v1-${{ hashFiles('bun.lock') }} @@ -66,7 +66,7 @@ jobs: path: coverage/lcov.info retention-days: 1 - name: Save Bun Cache - uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache/save@caa296126883cff596d87d8935842f9db880ef25 # v5 if: steps.validate.outcome == 'success' && steps.restore-bun-cache.outputs.cache-hit != 'true' with: path: /home/runner/.bun/install/cache @@ -122,7 +122,7 @@ jobs: # --- PyPI --- - name: Setup Python if: matrix.shim == 'pypi' - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: "3.12" - name: Test PyPI shim @@ -132,7 +132,7 @@ jobs: # --- Go --- - name: Setup Go if: matrix.shim == 'go' - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 + uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6 with: go-version: "1.21" cache-dependency-path: shims/go/go.sum @@ -143,7 +143,7 @@ jobs: # --- Maven --- - name: Setup Java if: matrix.shim == 'maven' - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 + uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5 with: distribution: temurin java-version: "11" @@ -154,7 +154,7 @@ jobs: # --- NuGet --- - name: Setup .NET if: matrix.shim == 'nuget' - uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5 + uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5 with: dotnet-version: "8.0.x" - name: Test NuGet shim @@ -164,7 +164,7 @@ jobs: # --- RubyGem --- - name: Setup Ruby if: matrix.shim == 'rubygem' - uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0 + uses: ruby/setup-ruby@89f90524b88a01fe6e0b732220432cc6142926af # v1.313.0 with: ruby-version: "4.0.5" - name: Test RubyGem shim diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b9dca6fb..361e3009 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -42,11 +42,11 @@ jobs: uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Initialize CodeQL - uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 + uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: languages: ${{ matrix.language }} - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 + uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: category: "/language:${{ matrix.language }}" diff --git a/.github/workflows/publish-shims.yml b/.github/workflows/publish-shims.yml index 2b696f19..34535e1f 100644 --- a/.github/workflows/publish-shims.yml +++ b/.github/workflows/publish-shims.yml @@ -58,7 +58,7 @@ jobs: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: ref: ${{ github.event.release.tag_name || inputs.tag }} - - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 with: python-version: "3.12" - name: Build package @@ -81,7 +81,7 @@ jobs: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: ref: ${{ github.event.release.tag_name || inputs.tag }} - - uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5 + - uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5 with: dotnet-version: "8.0.x" - name: NuGet login (OIDC) @@ -123,7 +123,7 @@ jobs: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: ref: ${{ github.event.release.tag_name || inputs.tag }} - - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 + - uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5 with: distribution: "temurin" java-version: "11" @@ -152,11 +152,11 @@ jobs: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: ref: ${{ github.event.release.tag_name || inputs.tag }} - - uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0 + - uses: ruby/setup-ruby@89f90524b88a01fe6e0b732220432cc6142926af # v1.313.0 with: ruby-version: "4.0.5" bundler-cache: true working-directory: shims/rubygem - - uses: rubygems/release-gem@6317d8d1f7e28c24d28f6eff169ea854948bd9f7 # v1.2.0 + - uses: rubygems/release-gem@052cc82692552de3ef2b81fd670e41d13cba8092 # v1.4.0 with: working-directory: shims/rubygem diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml index 8eb21547..edb653b7 100644 --- a/.github/workflows/release-binaries.yml +++ b/.github/workflows/release-binaries.yml @@ -83,14 +83,14 @@ jobs: - name: Attest build provenance (Unix) if: runner.os != 'Windows' id: attest-unix - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4 + uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4 with: subject-path: ${{ matrix.artifact }}.tar.gz - name: Attest build provenance (Windows) if: runner.os == 'Windows' id: attest-win - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4 + uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4 with: subject-path: ${{ matrix.artifact }}.zip diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7fbd09b3..8fe7b52b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -47,7 +47,7 @@ jobs: cache-base: main - name: Restore Bun Package Cache id: restore-bun-cache - uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache/restore@caa296126883cff596d87d8935842f9db880ef25 # v5 with: path: /home/runner/.bun/install/cache key: bun-packages-${{ runner.os }}-v1-${{ hashFiles('bun.lock') }} @@ -94,7 +94,7 @@ jobs: cache-base: main - name: Restore Bun Package Cache id: restore-bun-cache - uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache/restore@caa296126883cff596d87d8935842f9db880ef25 # v5 with: path: /home/runner/.bun/install/cache key: bun-packages-${{ runner.os }}-v1-${{ hashFiles('bun.lock') }} @@ -147,7 +147,7 @@ jobs: cache-base: main - name: Restore Bun Package Cache id: restore-bun-cache - uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache/restore@caa296126883cff596d87d8935842f9db880ef25 # v5 with: path: /home/runner/.bun/install/cache key: bun-packages-${{ runner.os }}-v1-${{ hashFiles('bun.lock') }} @@ -188,7 +188,7 @@ jobs: }" echo "::notice::PostHog annotation created for v${version}" - name: Save Bun Cache - uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache/save@caa296126883cff596d87d8935842f9db880ef25 # v5 if: steps.validate.outcome == 'success' && steps.restore-bun-cache.outputs.cache-hit != 'true' with: path: /home/runner/.bun/install/cache diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index b9525a0d..2c1cb0ca 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -40,6 +40,6 @@ jobs: publish_results: true - name: Upload SARIF to GitHub Security tab - uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: sarif_file: results.sarif