pin all 3rd party actions to commit hashes

emilykl · emilykl · commit 15a50294ad6b · 2026-04-13T09:56:29.000-04:00
diff --git a/.github/actions/setup-chrome-for-pytest/action.yml b/.github/actions/setup-chrome-for-pytest/action.yml
@@ -5,7 +5,7 @@ runs:
   steps:
     - name: Set up Chrome
       id: setup-chrome
-      uses: browser-actions/setup-chrome@v2.1.1
+      uses: browser-actions/setup-chrome@4f8e94349a351df0f048634f25fec36c3c91eded  # v2.1.1
       with:
         install-chromedriver: true
     - name: Set BROWSER env var
diff --git a/.github/workflows/build-doc.yml b/.github/workflows/build-doc.yml
@@ -10,10 +10,10 @@ jobs:
   build-doc:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Set up uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8.0.0
         with:
           python-version: "3.9"
 
@@ -50,14 +50,14 @@ jobs:
           python check-or-enforce-order.py build/html
 
       - name: Upload HTML docs artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: doc-html
           path: doc/build/html/
 
       - name: Create GitHub App token
         if: github.ref_name == 'doc-prod' && github.event_name == 'push'
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3  # v3.1.1
         id: app-token
         with:
           app-id: ${{ vars.GRAPHING_LIBRARIES_CI_GHAPP_ID }}
@@ -67,7 +67,7 @@ jobs:
 
       - name: Checkout plotly.py-docs (built)
         if: github.ref_name == 'doc-prod' && github.event_name == 'push'
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           repository: plotly/plotly.py-docs
           ref: built
@@ -88,7 +88,7 @@ jobs:
 
       - name: Checkout plotly.py-docs (built_ipynb)
         if: github.ref_name == 'doc-prod' && github.event_name == 'push'
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           repository: plotly/plotly.py-docs
           ref: built_ipynb
@@ -107,7 +107,7 @@ jobs:
 
       - name: Checkout graphing-library-docs
         if: github.ref_name == 'doc-prod' && github.event_name == 'push'
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           repository: plotly/graphing-library-docs
           ref: master
@@ -136,7 +136,7 @@ jobs:
 
       - name: Checkout plotly.py-docs (gh-pages)
         if: github.ref_name == 'doc-prod' && github.event_name == 'push'
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           repository: plotly/plotly.py-docs
           ref: gh-pages
diff --git a/.github/workflows/build-package.yml b/.github/workflows/build-package.yml
@@ -10,17 +10,17 @@ jobs:
     name: plotly.js dev build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
           python-version: "3.12"
       - name: Set up Node
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
         with:
           node-version: "22"
       - name: Set up uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8.0.0
       - name: Install dependencies
         run: |
           uv venv
@@ -40,7 +40,7 @@ jobs:
           uv sync --extra dev_build
           python -m build --sdist --wheel -o dist
       - name: Upload dist artifacts
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: plotlyjs-dev-build-dist
           path: dist/
@@ -50,17 +50,17 @@ jobs:
     name: Full prod build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
           python-version: "3.12"
       - name: Set up Node
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
         with:
           node-version: "22"
       - name: Set up uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8.0.0
       - name: PyPI Build
         run: |
           uv venv
@@ -77,7 +77,7 @@ jobs:
         run: |
           tar czf output.tgz output
       - name: Upload output artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: full-build-output
           path: output.tgz
diff --git a/.github/workflows/check-formatting.yml b/.github/workflows/check-formatting.yml
@@ -10,13 +10,13 @@ jobs:
     name: Run ruff check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
           python-version: "3.12"
       - name: Set up uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8.0.0
       - name: Install dependencies
         run: |
           uv venv
diff --git a/.github/workflows/check-js-build.yml b/.github/workflows/check-js-build.yml
@@ -6,9 +6,9 @@ jobs:
     name: Check JS version number and build artifacts
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
     - name: Set up Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
       with:
         python-version: "3.x"
 
@@ -25,12 +25,12 @@ jobs:
           echo "✅ Version number $JSPROJECT_VERSION in $PKGJSON_PATH matches version number $PYPROJECT_VERSION in $PYPROJECT_PATH"
         fi
     - name: Install Node
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
       with:
         node-version: '22'
 
     - name: Set up uv
-      uses: astral-sh/setup-uv@v7
+      uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8.0.0
 
     - name: Copy current files to a temporary directory
       run: |
@@ -62,7 +62,7 @@ jobs:
         fi
 
     - name: Store the build artifacts from plotly/labextension
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
       if: failure()
       with:
         name: labextension
diff --git a/.github/workflows/run-percy.yml b/.github/workflows/run-percy.yml
@@ -15,21 +15,21 @@ jobs:
       PERCY_PROJECT: plotly/plotly.py
       PERCY_TOKEN: ${{ secrets.PERCY_PYTHON_TOKEN_V0 }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
           python-version: "3.11"
       - name: Set up Node
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
         with:
           node-version: "22"
       - name: Set up Chrome
-        uses: browser-actions/setup-chrome@v2.1.1
+        uses: browser-actions/setup-chrome@4f8e94349a351df0f048634f25fec36c3c91eded  # v2.1.1
         with:
           install-chromedriver: true
       - name: Set up uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8.0.0
       - name: Install requirements
         run: |
           uv venv
diff --git a/.github/workflows/run-pytest.yml b/.github/workflows/run-pytest.yml
@@ -14,13 +14,13 @@ jobs:
       matrix:
         python-version: ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13"]
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Set up uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8.0.0
       - name: Install dependencies
         run: |
           uv venv
@@ -41,15 +41,15 @@ jobs:
       matrix:
         python-version: ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13"]
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Set up Chrome for Pytest
         uses: ./.github/actions/setup-chrome-for-pytest
       - name: Set up uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8.0.0
       - name: Install dependencies
         run: |
           uv venv
@@ -85,15 +85,15 @@ jobs:
     name: Optional tests, Pandas 1 (Python 3.9, Pandas 1.2.4)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
           python-version: "3.9"
       - name: Set up Chrome for browser tests
         uses: ./.github/actions/setup-chrome-for-pytest
       - name: Set up uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8.0.0
       - name: Install dependencies
         run: |
           uv venv
@@ -129,17 +129,17 @@ jobs:
     name: Optional tests (Kaleido only), Kaleido v0 (Python 3.12, Kaleido v0.2.1)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
           python-version: "3.12"
       - name: Set up Chrome
-        uses: browser-actions/setup-chrome@v2.1.1
+        uses: browser-actions/setup-chrome@4f8e94349a351df0f048634f25fec36c3c91eded  # v2.1.1
         with:
           install-chromedriver: true
       - name: Set up uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8.0.0
       - name: Install dependencies
         run: |
           uv venv
diff --git a/.github/workflows/test-release.yml b/.github/workflows/test-release.yml
@@ -9,21 +9,21 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       with:
         persist-credentials: false
     - name: Set up Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
       with:
         python-version: "3.x"
     
     - name: Install Node
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
       with:
         node-version: '22'
 
     - name: Set up uv
-      uses: astral-sh/setup-uv@v7
+      uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8.0.0
 
     - name: Install npm dependencies
       run: |
@@ -43,7 +43,7 @@ jobs:
     - name: Build a binary wheel and a source tarball
       run: python3 -m build
     - name: Store the distribution packages
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
       with:
         name: python-package-distributions
         path: dist/
@@ -63,7 +63,7 @@ jobs:
 
     steps:
     - name: Download all the dists
-      uses: actions/download-artifact@v7
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
       with:
         name: python-package-distributions
         path: dist/
