diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e10848c..16db3b0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -34,7 +34,7 @@ jobs:
 runner: [ubuntu-24.04, ubuntu-24.04-arm]
 python: ['3.10', '3.11', '3.12', '3.13', '3.14']
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 # Workaround: under `act`, JS-action post steps run via `docker exec`
 # with a stripped PATH that doesn't include the acttoolcache dir where
@@ -50,7 +50,7 @@ jobs:
 node --version
 - name: Install uv with Python ${{ matrix.python }}
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+ uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
 with:
 python-version: ${{ matrix.python }}
 enable-cache: true
@@ -85,7 +85,7 @@ jobs:
 - name: Upload coverage to Codecov
 if: matrix.runner == 'ubuntu-24.04' && matrix.python == '3.12'
- uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
+ uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
 with:
 files: ./coverage.xml
 fail_ci_if_error: false
@@ -96,7 +96,7 @@ jobs:
 name: lint + typecheck
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: act compat — expose node on standard PATH
 if: env.ACT == 'true'
@@ -109,7 +109,7 @@ jobs:
 node --version
 - name: Install uv with Python 3.12
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+ uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
 with:
 python-version: '3.12'
 enable-cache: true
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index f8fc552..9cc4387 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
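Review bot: The `actions/checkout` step bumped in the first ci.yml hunk (line 34) has no `with:` block in the visible context, so `persist-credentials` stays at its default of true and the job token remains available to the later steps, which install and run project code. release.yml already passes `persist-credentials: false` on every checkout it bumps; adding `with:` and `persist-credentials: false` under these `uses:` lines would bring the other workflows in line with it. The same holds, as far as the context lines show, for the checkout in the lint job of ci.yml and in codeql.yml, dependency-review.yml (whose job also holds `pull-requests: write`), examples-lint.yml and secure-workflows.yml. The step lists continue outside these hunks, so a later step that needs the token for git operations should be checked before changing it.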
@@ -20,15 +20,15 @@ jobs:
 actions: read
 contents: read
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Initialize CodeQL
- uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
+ uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 with:
 languages: python
 queries: security-and-quality
 - name: Run CodeQL analysis
- uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
+ uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 with:
 category: "/language:python"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 68aa73e..34e06c0 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -15,7 +15,7 @@ jobs:
 contents: read
 pull-requests: write
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Run dependency review
 uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
diff --git a/.github/workflows/examples-lint.yml b/.github/workflows/examples-lint.yml
index 830e382..2117190 100644
--- a/.github/workflows/examples-lint.yml
+++ b/.github/workflows/examples-lint.yml
@@ -33,7 +33,7 @@ jobs:
 name: cfn-lint over examples
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 # Workaround: under `act`, JS-action post steps run via `docker exec`
 # with a stripped PATH that doesn't include the acttoolcache dir where
@@ -49,7 +49,7 @@ jobs:
 node --version
 - name: Install uv with Python 3.12
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+ uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
 with:
 python-version: '3.12'
 enable-cache: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 857288e..37341d9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -41,7 +41,7 @@ jobs:
 app-id: ${{ vars.RELEASE_PLEASE_APP_ID }}
 private-key: ${{ secrets.RELEASE_PLEASE_PRIVATE_KEY }}
- - uses: googleapis/release-please-action@5c625bfb5d1ff62eadeeb3772007f7f66fdcf071 # v4
+ - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
 id: release
 with:
 config-file: release-please-config.json
@@ -63,13 +63,13 @@ jobs:
 if: ${{ needs.release-please.outputs.release_created == 'true' }}
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 ref: ${{ needs.release-please.outputs.tag_name }}
 persist-credentials: false
 - name: Install uv with Python 3.12
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+ uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
 with:
 python-version: '3.12'
 enable-cache: true
@@ -78,7 +78,7 @@ jobs:
 run: uv build
 - name: Upload dist/ as workflow artifact
- uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: dist
 path: dist/
@@ -94,7 +94,7 @@ jobs:
 contents: write
 steps:
 - name: Download dist/ from build-artifacts
- uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: dist
 path: dist/
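Review bot: The job in the release.yml hunk at line 63 is gated on `release_created == 'true'`, so the major-version bumps in this file will probably not run in this change's own CI and would first run during a real release. Those bumps are release-please-action `# v4` to `# v5.0.0`, upload-artifact v5.0.0 to v7.0.1, download-artifact v6.0.0 to v8.0.1 and configure-aws-credentials v5.1.0 to v6.2.0. The upload and download steps hand off the `dist` artifact that the later jobs publish, and the two actions move to different majors in the same commit. Before merging, confirm against each action's release notes that the inputs used here (`config-file`, `name`, `path`, `pattern`, `role-to-assume`, `aws-region`) keep their meaning, and that each new SHA is the commit its `# vX.Y.Z` comment names. The jobs' remaining steps lie outside these hunks.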
@@ -124,7 +124,7 @@ jobs:
 contents: read
 steps:
 - name: Download dist/ from build-artifacts
- uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: dist
 path: dist/
@@ -153,7 +153,7 @@ jobs:
 contents: write # for `gh release upload`
 steps:
 - name: Download dist/ from build-artifacts
- uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: dist
 path: dist/
@@ -189,7 +189,7 @@ jobs:
 regions: ${{ steps.regions.outputs.regions }}
 runtimes: ${{ steps.runtimes.outputs.runtimes }}
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 ref: ${{ needs.release-please.outputs.tag_name }}
 persist-credentials: false
@@ -243,7 +243,7 @@ jobs:
 matrix:
 region: ${{ fromJSON(needs.set-layer-matrix.outputs.regions) }}
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 ref: ${{ needs.release-please.outputs.tag_name }}
 persist-credentials: false
@@ -261,7 +261,7 @@ jobs:
 ls -la dist/
 - name: Configure AWS credentials via OIDC
- uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
+ uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0
 with:
 role-to-assume: ${{ secrets.LAYER_PUBLISHER_ROLE_ARN }}
 aws-region: ${{ matrix.region }}
@@ -336,7 +336,7 @@ jobs:
 '{region: $region, arn: $arn}' > "artifacts/arn-${REGION}.json"
 - name: Upload per-region ARN artifact
- uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: layer-arn-${{ matrix.region }}
 path: artifacts/arn-${{ matrix.region }}.json
@@ -351,13 +351,13 @@ jobs:
 permissions:
 contents: write # gh release edit + gh release upload
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 ref: ${{ needs.release-please.outputs.tag_name }}
 persist-credentials: false
 - name: Download all per-region ARN artifacts
- uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 path: artifacts/
 pattern: layer-arn-*
diff --git a/.github/workflows/secure-workflows.yml b/.github/workflows/secure-workflows.yml
index 2108357..b440b27 100644
--- a/.github/workflows/secure-workflows.yml
+++ b/.github/workflows/secure-workflows.yml
@@ -27,6 +27,6 @@ jobs:
 name: ensure SHA-pinned actions
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: zgosalvez/github-actions-ensure-sha-pinned-actions@ca46236c6ce584ae24bc6283ba8dcf4b3ec8a066 # v5.0.4