From eb7fc6da1af9a19d847601317d56269d910053c0 Mon Sep 17 00:00:00 2001
From: Tobias Wochinger
Date: Tue, 21 Apr 2026 18:25:16 +0200
Subject: [PATCH] chore(ci): pin action version comments to immutable patch tags
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Tightens `# v6`/`# v3` floating-major comments on SHA-pinned actions to their exact patch-level tags (`v6.0.2`, `v6.2.0`, `v3.0.1`). Same SHAs, no behavior change — just removes ambiguity about which release the pin corresponds to, and keeps the version comment truthful if the upstream major ever moves.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/ci.yml | 8 ++++----
 .github/workflows/codeql.yml | 2 +-
 .github/workflows/package-availability-check.yml | 2 +-
 .github/workflows/release.yml | 6 +++---
 .github/workflows/zizmor.yml | 2 +-
 5 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9a460a741..9b820059c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -20,7 +20,7 @@ jobs:
 linting:
 runs-on: blacksmith-2vcpu-ubuntu-2404
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Install uv and set Python version
@@ -37,7 +37,7 @@ jobs:
 type-checking:
 runs-on: blacksmith-2vcpu-ubuntu-2404
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Install uv and set Python version
@@ -78,7 +78,7 @@ jobs:
 name: Unit tests on Python ${{ matrix.python-version }}
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Install uv and set Python version
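Review bot: Nothing visible in this patch checks that the `# v6.0.2` comment on `actions/checkout@de0fac2e…` in the `linting` job names the tag that this SHA actually belongs to. The same holds for the other checkout hunks and for the `# v6.2.0` (`setup-python`) and `# v3.0.1` (`slack-github-action`) comments in the later files. The diff cannot confirm the mapping, so each tag should be resolved to its commit once before merging. Since the repository already has a zizmor workflow, its `ref-version-mismatch` audit could keep these comments honest on later bumps; I believe that audit needs online mode, and whether the workflow runs online is not visible here.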
@@ -141,7 +141,7 @@ jobs:
 name: ${{ matrix.job_name }}
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Install uv and set Python version
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 1834f6f10..290bfee87 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -55,7 +55,7 @@ jobs:
 # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
 steps:
 - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
diff --git a/.github/workflows/package-availability-check.yml b/.github/workflows/package-availability-check.yml
index 3f43ddd21..836213f89 100644
--- a/.github/workflows/package-availability-check.yml
+++ b/.github/workflows/package-availability-check.yml
@@ -17,7 +17,7 @@ jobs:
 steps:
 - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ matrix.python-version }}
 - name: Install dependencies using pip
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bc81ae2a4..efff90e16 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -64,7 +64,7 @@ jobs:
 INPUTS_CONFIRM_MAJOR: ${{ inputs.confirm_major }}
 - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 token: ${{ secrets.GH_ACCESS_TOKEN }}
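Review bot: The `Checkout repository` step in `release.yml` passes `token: ${{ secrets.GH_ACCESS_TOKEN }}` and shows no `persist-credentials: false` in the visible lines, unlike every other checkout this patch touches. The `with:` block runs past the end of the hunk, so the setting may follow. If it does not, the token stays persisted on the runner for the rest of the job, where later steps can use it. If the release job relies on that, a comment would make the exception explicit: `# credentials persisted on purpose: later steps push with this token`.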
@@ -321,7 +321,7 @@ jobs:
 - name: Notify Slack on success
 if: success()
- uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3
+ uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
 with:
 webhook: ${{ secrets.SLACK_WEBHOOK_RELEASES }}
 webhook-type: incoming-webhook
@@ -405,7 +405,7 @@ jobs:
 - name: Notify Slack on failure
 if: failure()
- uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3
+ uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
 with:
 webhook: ${{ secrets.SLACK_WEBHOOK_ENGINEERING }}
 webhook-type: incoming-webhook
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 725619c3f..03d663f9d 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -22,7 +22,7 @@ jobs:
 contents: read
 steps:
 - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Run zizmor