Skip to content

Hash-pin github actions versions #2369

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
webknjaz merged 1 commit into from
Apr 15, 2026
+21 −20
Merged

Hash-pin github actions versions #2369

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 13 additions & 13 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -108,7 +108,7 @@

steps:
- name: Switch to using Python 3.14 by default
uses: actions/setup-python@v6
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: 3.14
- name: >-
Expand Down Expand Up @@ -144,7 +144,7 @@
) as outputs_file:
print('release-requested=true', file=outputs_file)
- name: Check out src from Git
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: >-
${{
Expand Down Expand Up @@ -179,7 +179,7 @@
- name: Set up pip cache
if: >-
steps.request-check.outputs.release-requested != 'true'
uses: re-actors/cache-python-deps@release/v1
uses: re-actors/cache-python-deps@810325a232f2a28ea124dfba85c7c72fd1774b38 # v1.0.0
with:
cache-key-for-dependency-files: >-
${{ steps.calc-cache-key-files.outputs.cache-key-for-dep-files }}
Expand Down Expand Up @@ -339,16 +339,16 @@
|| ''
}}
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

Check notice

Code scanning / zizmor

credential persistence through GitHub Actions artifacts Note

credential persistence through GitHub Actions artifacts
Comment thread
sirosen marked this conversation as resolved.
Dismissed
- name: Set up Python ${{ matrix.python-version }} from GitHub
id: python-install
if: "!endsWith(matrix.python-version, '-dev')"
uses: actions/setup-python@v6
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: ${{ matrix.python-version }}
- name: Set up Python ${{ matrix.python-version }} from deadsnakes
if: endsWith(matrix.python-version, '-dev')
uses: deadsnakes/action@v2.1.1
uses: deadsnakes/action@e640ac8743173a67cca4d7d77cd837e514bf98e8 # v3.2.0
with:
python-version: ${{ matrix.python-version }}
- name: Log python version info (${{ matrix.python-version }})
Expand All @@ -359,7 +359,7 @@
run: |
echo "dir=$(pip cache dir)" >> "${GITHUB_OUTPUT}"
- name: Pip cache
uses: actions/cache@v4
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: ${{ steps.pip-cache.outputs.dir }}
key: >-
Expand Down Expand Up @@ -415,7 +415,7 @@
if: >-
!cancelled()
&& !inputs.cpython-pip-version
uses: codecov/codecov-action@v5
uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
with:
files: ./coverage.xml
flags: >-
Expand Down Expand Up @@ -449,9 +449,9 @@
env:
TOXENV: pip${{ matrix.pip-version }}
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

Check notice

Code scanning / zizmor

credential persistence through GitHub Actions artifacts Note

credential persistence through GitHub Actions artifacts
Comment thread
sirosen marked this conversation as resolved.
Dismissed
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v6
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: ${{ matrix.python-version }}
- name: Get pip cache dir
Expand All @@ -460,7 +460,7 @@
run: |
echo "dir=$(pip cache dir)" >> "${GITHUB_OUTPUT}"
- name: Pip cache
uses: actions/cache@v4
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: ${{ steps.pip-cache.outputs.dir }}
key: >-
Expand Down Expand Up @@ -524,7 +524,7 @@
- name: Notify Codecov that all coverage reports have been uploaded
if: >-
!cancelled()
uses: codecov/codecov-action@v5
uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
with:
fail_ci_if_error: true
run_command: send-notifications
Expand Down Expand Up @@ -552,6 +552,6 @@

steps:
- name: Decide whether the needed jobs succeeded or failed
uses: re-actors/alls-green@afee1c1eac2a506084c274e9c02c8e0687b48d9e
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
with:
jobs: ${{ toJSON(needs) }}
6 changes: 3 additions & 3 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -94,7 +94,7 @@ jobs:

steps:
- name: Download all the dists
uses: actions/download-artifact@v4
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: >-
${{ needs.build-and-test.outputs.dists-artifact-name }}
Expand All @@ -105,11 +105,11 @@ jobs:
needs.build-and-test.outputs.project-version
}} to PyPI
🔏
uses: pypa/gh-action-pypi-publish@release/v1
uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
- name: Clean up the publish attestation leftovers
run: rm -fv dist/*.publish.attestation
- name: Upload packages to Jazzband
uses: pypa/gh-action-pypi-publish@release/v1
uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
with:
user: jazzband
password: ${{ secrets.JAZZBAND_RELEASE_KEY }}
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/reusable-qa.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,17 +23,17 @@
TOXENV: ${{ matrix.toxenv }}
TOX_PARALLEL_NO_SPINNER: 1
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

Check notice

Code scanning / zizmor

credential persistence through GitHub Actions artifacts Note

credential persistence through GitHub Actions artifacts
Comment thread
sirosen marked this conversation as resolved.
Dismissed
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v6
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: ${{ matrix.python-version }}
- name: Get pip cache dir
id: pip-cache
run: |
echo "dir=$(pip cache dir)" >> "${GITHUB_OUTPUT}"
- name: Pip cache
uses: actions/cache@v4
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: ${{ steps.pip-cache.outputs.dir }}
key: >-
Expand All @@ -46,7 +46,7 @@
- name: Prepare cache key
id: cache-key
run: echo "sha-256=$(python -VV | sha256sum | cut -d' ' -f1)" >> "${GITHUB_OUTPUT}"
- uses: actions/cache@v4
- uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: ~/.cache/pre-commit
key: pre-commit|${{ steps.cache-key.outputs.sha-256 }}|${{ hashFiles('.pre-commit-config.yaml') }}
Expand Down
1 change: 1 addition & 0 deletions changelog.d/+0a4c9a70.contrib.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
`pip-tools` CI now pins GitHub Actions versions to hashes -- by {user}`sirosen`.
Loading