diff --git a/.github/workflows/auto-release.yaml b/.github/workflows/auto-release.yaml index 04bd4d272..848461148 100644 --- a/.github/workflows/auto-release.yaml +++ b/.github/workflows/auto-release.yaml @@ -45,7 +45,7 @@ jobs: git config --global user.name "${name}" - name: Checkout `release` branch - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 filter: blob:none diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index efdf22ec3..e680f7ff8 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -32,7 +32,7 @@ jobs: pull-requests: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Setup Node.js and pnpm id: setup uses: ./.github/actions/setup @@ -75,7 +75,7 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Setup Node.js and pnpm uses: ./.github/actions/setup - run: pnpm lint @@ -88,7 +88,7 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Setup Node.js and pnpm uses: ./.github/actions/setup - name: Rebuild the dist/ directory @@ -115,7 +115,7 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Setup Node.js and pnpm uses: ./.github/actions/setup - name: Run tests @@ -166,7 +166,7 @@ jobs: and leaves the PR blocked on review-required. steps: - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: ref: ${{ github.event.pull_request.head.sha || '' }} token: ${{ secrets.FRO_BOT_PAT }} @@ -241,7 +241,7 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Setup Node.js and pnpm uses: ./.github/actions/setup - name: Build runtime @@ -341,7 +341,7 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Setup Node.js and pnpm uses: ./.github/actions/setup - name: Run deploy/scripts unit tests @@ -595,7 +595,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Dependency Review uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0 @@ -635,7 +635,7 @@ jobs: git config --global user.email "${email}" git config --global user.name "${name}" - name: Checkout `${{ env.RELEASE_BRANCH }}` release branch - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 ref: ${{ env.RELEASE_BRANCH }} diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml index c051efb01..0779ae6d2 100644 --- a/.github/workflows/codeql-analysis.yaml +++ b/.github/workflows/codeql-analysis.yaml @@ -24,18 +24,18 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Initialize CodeQL - uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 + uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: languages: javascript queries: +security-and-quality - name: Autobuild - uses: github/codeql-action/autobuild@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 + uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 + uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: category: '/language:javascript' diff --git a/.github/workflows/copilot-setup-steps.yaml b/.github/workflows/copilot-setup-steps.yaml index d04551dd2..b335c8a4d 100644 --- a/.github/workflows/copilot-setup-steps.yaml +++ b/.github/workflows/copilot-setup-steps.yaml @@ -19,7 +19,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Setup Node.js and pnpm uses: ./.github/actions/setup diff --git a/.github/workflows/fro-bot.yaml b/.github/workflows/fro-bot.yaml index 0320eb812..028cf4a43 100644 --- a/.github/workflows/fro-bot.yaml +++ b/.github/workflows/fro-bot.yaml @@ -168,7 +168,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 ref: >- diff --git a/.github/workflows/harness-release.yaml b/.github/workflows/harness-release.yaml index e548389f7..b0925e176 100644 --- a/.github/workflows/harness-release.yaml +++ b/.github/workflows/harness-release.yaml @@ -67,10 +67,10 @@ jobs: steps: - name: Checkout harness repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Install Bun (pinned to upstream packageManager version) - uses: oven-sh/setup-bun@v2 + uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 with: # Pinned to match anomalyco/opencode packageManager: bun@1.3.13 bun-version: 1.3.13 @@ -160,7 +160,7 @@ jobs: --integration-commit "$INTEGRATION_COMMIT" - name: Upload binary artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: harness-binary-${{ matrix.platform }}-${{ matrix.arch }} path: ${{ runner.temp }}/harness-build-out/opencode-${{ matrix.platform }}-${{ matrix.arch }}/bin/opencode @@ -187,10 +187,10 @@ jobs: steps: - name: Checkout harness repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Install Bun (pinned) - uses: oven-sh/setup-bun@v2 + uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 with: bun-version: 1.3.13 @@ -200,7 +200,7 @@ jobs: install-dependencies: 'false' - name: Setup Node.js (for npm trusted publishing via OIDC) - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: '24' registry-url: 'https://registry.npmjs.org' @@ -265,25 +265,25 @@ jobs: # Download all four platform binaries. - name: Download linux/x64 binary - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: harness-binary-linux-x64 path: /tmp/harness-binaries/linux-x64 - name: Download linux/arm64 binary - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: harness-binary-linux-arm64 path: /tmp/harness-binaries/linux-arm64 - name: Download darwin/x64 binary - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: harness-binary-darwin-x64 path: /tmp/harness-binaries/darwin-x64 - name: Download darwin/arm64 binary - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: harness-binary-darwin-arm64 path: /tmp/harness-binaries/darwin-arm64 diff --git a/.github/workflows/prepare-release-pr.yaml b/.github/workflows/prepare-release-pr.yaml index dcd7dcd4d..571bdf63c 100644 --- a/.github/workflows/prepare-release-pr.yaml +++ b/.github/workflows/prepare-release-pr.yaml @@ -60,7 +60,7 @@ jobs: git config --global user.name "${name}" - name: Checkout `release` branch - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 filter: blob:none diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index 059fe480a..feb25f899 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -30,7 +30,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -65,6 +65,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: Upload to code-scanning - uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: sarif_file: results.sarif