diff --git a/.github/workflows/_build-pkg.yml b/.github/workflows/_build-pkg.yml
index e45f137494..322d16f1da 100644
--- a/.github/workflows/_build-pkg.yml
+++ b/.github/workflows/_build-pkg.yml
@@ -17,13 +17,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
 with:
 egress-policy: audit
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
 with:
 python-version: '3.x'
@@ -34,7 +34,7 @@ jobs:
 - name: Check 📦 package
 run: twine check dist/*
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: ${{ inputs.artifact-name }}
 path: dist
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 317a74ff31..38ec8fefd2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -29,13 +29,13 @@ jobs:
 - {python-version: "3.8", os: "macos-latest", os-label: "macOS"}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
 with:
 egress-policy: audit
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 - name: Set up Python
- uses: actions/setup-python@v4
+ uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
 with:
 python-version: "${{ matrix.python-version }}"
 - name: Install tox
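Review bot: This hunk pins ci.yml to `actions/checkout@f43a0e5f… # v3.6.0` and `actions/setup-python@65d7f2d5… # v4.7.1` while `_build-pkg.yml` in the same diff pins `actions/checkout@11bd7190… # v4.2.2` and `actions/setup-python@8d9ed9ac… # v5.5.0`, so the repository now deliberately carries two majors of each action; pinning is the natural moment to converge on one, and the v4.2.2/v5.5.0 SHAs are already in the diff to copy. The same older majors are pinned in the lint.yml hunks, and `codecov/codecov-action@ab904c41… # v3.1.6` in the @@ -46 hunk is likewise a major behind its current line. Separately, a full-SHA pin is only as strong as the process that refreshes it: the `# vX.Y.Z` trailer is an unverified comment, and nothing in this diff adds a Dependabot `github-actions` package-ecosystem entry (or a Renovate equivalent) that would move the SHA and its annotation together, so it is worth confirming one already exists under `.github/`. The `test` job's remaining steps continue outside the hunk.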
@@ -46,12 +46,12 @@ jobs:
 run: tox
 - name: Upload Test Results
 if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: Test Results (Python ${{ matrix.python-version }} on ${{ matrix.os-label }})
 path: pytest.xml
 - name: Upload coverage to Codecov
- uses: codecov/codecov-action@v3
+ uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3.1.6
 test_success:
 # this aggregates success state of all jobs listed in `needs`
@@ -62,7 +62,7 @@ jobs:
 needs: [test]
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
 with:
 egress-policy: audit
@@ -80,12 +80,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
 with:
 egress-policy: audit
 - name: Upload
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: Event File
 path: ${{ github.event_path }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index f55e492df7..d800746381 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -12,20 +12,20 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
 with:
 egress-policy: audit
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 - name: Set up Python
- uses: actions/setup-python@v4
+ uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
 with:
 python-version: "3.x"
 - run: |
 python -m pip install --upgrade pip
 pip install -e .
 pip install -r requirements/types.txt
- - uses: liskin/gh-problem-matcher-wrap@v2
+ - uses: liskin/gh-problem-matcher-wrap@a89a18291dcde8d4e6158adf736b5432987bbf95 # v2.0.2
 with:
 action: add
 linters: mypy
@@ -35,12 +35,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
 with:
 egress-policy: audit
- - uses: actions/checkout@v3
- - uses: actions/setup-python@v4
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
 with:
 python-version: "3.x"
 # FIXME: pin pre-commit<4 pending PyCQA/docformatter#287
@@ -48,7 +48,7 @@ jobs:
 run: python -m pip install 'pre-commit<4'
 - name: show environment
 run: python -m pip freeze --local
- - uses: actions/cache@v4
+ - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
 with:
 path: ~/.cache/pre-commit
 key: pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}
@@ -59,12 +59,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
 with:
 egress-policy: audit
- - uses: actions/checkout@v3
- - uses: actions/setup-python@v4
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
 with:
 python-version: "3.8"
diff --git a/.github/workflows/pypi-release.yml b/.github/workflows/pypi-release.yml
index 2ddae24dfa..1758d553cb 100644
--- a/.github/workflows/pypi-release.yml
+++ b/.github/workflows/pypi-release.yml
@@ -15,11 +15,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
 with:
 egress-policy: audit
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
 with:
 name: package
 path: dist
diff --git a/.github/workflows/test-results.yml b/.github/workflows/test-results.yml
index 0700c25319..09b41e6800 100644
--- a/.github/workflows/test-results.yml
+++ b/.github/workflows/test-results.yml
@@ -17,6 +17,11 @@ jobs:
 pull-requests: write
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
+
 - name: Download and Extract Artifacts
 uses: dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d
 with:
@@ -25,7 +30,7 @@ jobs:
 - name: Publish Test Results
 id: test-results
- uses: EnricoMi/publish-unit-test-result-action@v2
+ uses: EnricoMi/publish-unit-test-result-action@afb2984f4d89672b2f9d9c13ae23d53779671984 # v2.19.0
 with:
 commit: ${{ github.event.workflow_run.head_sha }}
 event_file: artifacts/Event File/event.json
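Review bot: The newly pinned harden-runner step in pypi-release.yml still runs with `egress-policy: audit`, which only records outbound connections and blocks none of them, so for the job that pulls the built package into `dist` and (presumably, in steps below the hunk) publishes it, the pin does not by itself contain a compromised action or dependency. This is the job where `egress-policy: block` together with an `allowed-endpoints` list derived from a few audit runs pays for itself; the same `audit` setting is carried unchanged through every other workflow in the diff, so tightening can be staged job by job, starting here. The pin to `actions/download-artifact@95815c38… # v4.2.1` is consistent with the `upload-artifact` v4.6.2 pin in `_build-pkg.yml`, which is the pairing that matters for artifact compatibility. The publish step itself is outside the hunk.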
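Review bot: The step added to test-results.yml is named `Harden the runner (Audit all outbound calls)` while the identical step in every other workflow in this diff is `Harden Runner`; one name (the same applies to the top-issues.yaml hunk) keeps the step greppable across workflows and recognisable in run logs, e.g. `- name: Harden Runner`. In the same hunk, `dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d` is the only SHA pin in the diff without the `# vX.Y.Z` annotation the commit adds everywhere else; add the matching tag comment so the pin can be audited without resolving the SHA. Since this workflow holds `pull-requests: write` and appears to run on a `workflow_run` trigger (inferred from `github.event.workflow_run.head_sha` in the next hunk), it is also a stronger candidate than most for `egress-policy: block` rather than `audit`. The `with:` block of the download step continues outside the hunk.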
diff --git a/.github/workflows/top-issues.yaml b/.github/workflows/top-issues.yaml
index e63c20a832..c9312bfef6 100644
--- a/.github/workflows/top-issues.yaml
+++ b/.github/workflows/top-issues.yaml
@@ -10,6 +10,11 @@ jobs:
 runs-on: ubuntu-latest
 if: github.repository == 'PyGithub/PyGithub'
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
+
 - name: Run top issues action
 uses: rickstaa/top-issues-action@7e8dda5d5ae3087670f9094b9724a9a091fc3ba1 # v1.3.101
 env: