Update and pin all actions

masklinn · masklinn · commit 0c54802d503a · 2025-12-27T14:14:01.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -4,27 +4,32 @@ on:
   push:
   pull_request:
 
+permissions: {}
+
 jobs:
   checks:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout working copy
-      uses: actions/checkout@v4
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # 6.0.1
       with:
         submodules: true
         fetch-depth: 0
         persist-credentials: false
     - name: ruff check
-      uses: chartboost/ruff-action@v1
+      uses: astral-sh/ruff-action@57714a7c8a2e59f32539362ba31877a1957dded1  # 3.5.1
+      with:
+        version: "latest"
     - name: ruff format
       if: always()
-      uses: chartboost/ruff-action@v1
+      uses: astral-sh/ruff-action@57714a7c8a2e59f32539362ba31877a1957dded1  # 3.5.1
       with:
-        args: format --diff
+        version: "latest"
+        args: format --check --diff
     - name: Set up Python
       id: setup_python
       if: always()
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548  # 6.1.0
       with:
         python-version: "3.x"
     - name: Install mypy
@@ -44,12 +49,12 @@ jobs:
 
     steps:
     - name: Checkout working copy
-      uses: actions/checkout@v4
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # 6.0.1
       with:
         submodules: true
         persist-credentials: false
     - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548  # 6.1.0
       with:
         python-version: "3.x"
     - name: Install dependency
@@ -60,14 +65,14 @@ jobs:
       run: |
         python -mbuild
     - name: Upload sdist
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # 6.0.0
       with:
         name: sdist
         path: dist/*.tar.gz
         retention-days: 1
 
     - name: Upload wheel
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # 6.0.0
       with:
         name: wheel
         path: dist/*.whl
@@ -102,13 +107,13 @@ jobs:
             opts: "--experimental-options --engine.CompileOnly='~tregex re'"
     steps:
     - name: Checkout working copy
-      uses: actions/checkout@v4
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # 6.0.1
       with:
         submodules: true
         fetch-depth: 0
         persist-credentials: false
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548  # 6.1.0
       with:
         python-version: ${{ matrix.python-version }}
         allow-prereleases: true
@@ -132,7 +137,7 @@ jobs:
     - run: 'python -mpip install --only-binary :all: google-re2 || true'
     - name: download ${{ matrix.source }} artifact
       if: matrix.artifact
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131  # 7.0.0
       with:
         name: ${{ matrix.source }}
         path: dist/
diff --git a/.github/workflows/release-builtins.yml b/.github/workflows/release-builtins.yml
@@ -2,6 +2,8 @@ name: Publish ua-parser builtins
 
 run-name: Publish ${{ inputs.tag || 'master' }} to ${{ inputs.environment || 'pypy (scheduled)' }}
 
+permissions: {}
+
 on:
   schedule:
     # schedule a dev release on every 1st of the month, at 2034 UTC
@@ -23,13 +25,13 @@ jobs:
     outputs:
       release: ${{ steps.check.outputs.release }}
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # 6.0.1
       with:
         submodules: true
         fetch-depth: 0
         persist-credentials: false
     - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548  # 6.1.0
       with:
         python-version: "3.x"
 
@@ -70,7 +72,7 @@ jobs:
         mv ua-parser-builtins/dist .
     - name: Store the distribution packages
       if: ${{ steps.check.outputs.release == 'true' }}
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # 6.0.0
       with:
         name: python-package-distributions
         path: dist/
@@ -90,12 +92,12 @@ jobs:
 
     steps:
     - name: Download all the dists
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131  # 7.0.0
       with:
         name: python-package-distributions
         path: dist/
     - name: Publish
-      uses: pypa/gh-action-pypi-publish@release/v1
+      uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # 1.13.0
       with:
         repository-url: https://test.pypi.org/legacy/
         skip-existing: true
@@ -114,11 +116,11 @@ jobs:
 
     steps:
     - name: Download all the dists
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131  # 7.0.0
       with:
         name: python-package-distributions
         path: dist/
     - name: Publish
-      uses: pypa/gh-action-pypi-publish@release/v1
+      uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # 1.13.0
       with:
         verbose: true
diff --git a/.github/workflows/release-main.yml b/.github/workflows/release-main.yml
@@ -5,6 +5,8 @@ on:
   release:
     types: [created]
 
+permissions: {}
+
 env:
   ENVNAME: ${{ github.event_name == 'release' && 'pypi' || 'testpypi' }}
 
@@ -21,11 +23,11 @@ jobs:
 
     steps:
     - name: Checkout working copy
-      uses: actions/checkout@v4
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # 6.0.1
       with:
         persist-credentials: false
     - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548  # 6.1.0
       with:
         python-version: "3.x"
     - name: Install dependency
@@ -36,15 +38,15 @@ jobs:
       run: python -mbuild
     - name: Publish to testpypi
       if: ${{ env.ENVNAME == 'testpypi' }}
-      uses: pypa/gh-action-pypi-publish@release/v1  # zizmor: ignore[use-trusted-publishing]
+      uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # 1.13.0
       with:
         repository-url: https://test.pypi.org/legacy/
         skip-existing: true
         verbose: true
         password: ${{ secrets.PUBLISH_TOKEN }}
     - name: Publish to pypi
       if: ${{ env.ENVNAME == 'pypi' }}
-      uses: pypa/gh-action-pypi-publish@release/v1  # zizmor: ignore[use-trusted-publishing]
+      uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # 1.13.0
       with:
         verbose: true
         password: ${{ secrets.PUBLISH_TOKEN }}
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -4,6 +4,8 @@ on:
   push:
   pull_request:
 
+permissions: {}
+
 jobs:
   zizmor:
     runs-on: ubuntu-latest
@@ -13,20 +15,20 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # 6.0.1
         with:
           persist-credentials: false
 
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@v5
+        uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867  # 7.1.6
 
       - name: Run zizmor
         run: uvx zizmor --format sarif . > results.sarif 
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7  # 4.31.9
         with:
           sarif_file: results.sarif
           category: zizmor
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,4 @@
+rules:
+  use-trusted-publishing:
+    ignore:
+      - release-main.yml  # can't do that until pypi/support#6661

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +rules:
 +  use-trusted-publishing:
 +    ignore:
 +      - release-main.yml  # can't do that until pypi/support#6661