From 87f4948cb05b8fc27fbcaa1c7da28c28bb2ca1ec Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Wed, 3 Jun 2026 17:19:36 +0100 Subject: [PATCH 1/2] Pin first-party Actions --- .github/actions/release-initialise/action.yml | 4 +- .github/workflows/__all-platform-bundle.yml | 6 +-- .github/workflows/__analysis-kinds.yml | 10 ++-- .github/workflows/__analyze-ref-input.yml | 6 +-- .github/workflows/__autobuild-action.yml | 4 +- ...obuild-direct-tracing-with-working-dir.yml | 4 +- .github/workflows/__autobuild-working-dir.yml | 2 +- .github/workflows/__build-mode-autobuild.yml | 4 +- .github/workflows/__build-mode-manual.yml | 6 +-- .github/workflows/__build-mode-none.yml | 2 +- .github/workflows/__build-mode-rollback.yml | 2 +- .github/workflows/__bundle-from-nightly.yml | 2 +- .github/workflows/__bundle-from-toolcache.yml | 6 +-- .github/workflows/__bundle-toolcache.yml | 8 ++-- .github/workflows/__bundle-zstd.yml | 8 ++-- .../workflows/__cleanup-db-cluster-dir.yml | 2 +- .github/workflows/__config-export.yml | 6 +-- .github/workflows/__config-input.yml | 4 +- .github/workflows/__cpp-deptrace-disabled.yml | 2 +- .../__cpp-deptrace-enabled-on-macos.yml | 2 +- .github/workflows/__cpp-deptrace-enabled.yml | 2 +- .github/workflows/__diagnostics-export.yml | 6 +-- .../__export-file-baseline-information.yml | 8 ++-- .github/workflows/__extractor-ram-threads.yml | 2 +- .github/workflows/__global-proxy.yml | 2 +- .github/workflows/__go-custom-queries.yml | 6 +-- ...indirect-tracing-workaround-diagnostic.yml | 8 ++-- ...ect-tracing-workaround-no-file-program.yml | 6 +-- .../__go-indirect-tracing-workaround.yml | 4 +- .../workflows/__go-tracing-autobuilder.yml | 4 +- .../__go-tracing-custom-build-steps.yml | 4 +- .../__go-tracing-legacy-workflow.yml | 4 +- .github/workflows/__init-with-registries.yml | 2 +- .../workflows/__javascript-source-root.yml | 2 +- .github/workflows/__job-run-uuid-sarif.yml | 4 +- .github/workflows/__language-aliases.yml | 2 +- .github/workflows/__local-bundle.yml | 6 +-- .../workflows/__multi-language-autodetect.yml | 8 ++-- .github/workflows/__overlay-init-fallback.yml | 2 +- ...ackaging-codescanning-config-inputs-js.yml | 8 ++-- .../__packaging-config-inputs-js.yml | 8 ++-- .github/workflows/__packaging-config-js.yml | 8 ++-- .github/workflows/__packaging-inputs-js.yml | 8 ++-- .github/workflows/__remote-config.yml | 6 +-- .../__resolve-environment-action.yml | 2 +- .../workflows/__rubocop-multi-language.yml | 2 +- .github/workflows/__ruby.yml | 2 +- .github/workflows/__rust.yml | 2 +- .github/workflows/__split-workflow.yml | 6 +-- .github/workflows/__start-proxy.yml | 2 +- .github/workflows/__submit-sarif-failure.yml | 4 +- .github/workflows/__swift-autobuild.yml | 2 +- .github/workflows/__swift-custom-build.yml | 6 +-- .github/workflows/__unset-environment.yml | 6 +-- .github/workflows/__upload-ref-sha-input.yml | 6 +-- .github/workflows/__upload-sarif.yml | 6 +-- .github/workflows/__with-checkout-path.yml | 8 ++-- .../check-expected-release-files.yml | 2 +- .github/workflows/codeql.yml | 6 +-- .github/workflows/codescanning-config-cli.yml | 4 +- .../debug-artifacts-failure-safe.yml | 8 ++-- .github/workflows/debug-artifacts-safe.yml | 8 ++-- .github/workflows/post-release-mergeback.yml | 8 ++-- .github/workflows/pr-checks.yml | 14 +++--- .github/workflows/prepare-release.yml | 2 +- .../workflows/publish-immutable-action.yml | 4 +- .github/workflows/python312-windows.yml | 4 +- .github/workflows/query-filters.yml | 4 +- .github/workflows/rebuild.yml | 4 +- .github/workflows/rollback-release.yml | 4 +- .github/workflows/test-codeql-bundle-all.yml | 4 +- .github/workflows/update-bundle.yml | 6 +-- .github/workflows/update-release-branch.yml | 6 +-- ...e-supported-enterprise-server-versions.yml | 6 +-- pr-checks/checks/analysis-kinds.yml | 8 ++-- pr-checks/checks/bundle-from-toolcache.yml | 4 +- pr-checks/checks/bundle-toolcache.yml | 6 +-- pr-checks/checks/bundle-zstd.yml | 6 +-- pr-checks/checks/config-export.yml | 4 +- pr-checks/checks/diagnostics-export.yml | 4 +- .../export-file-baseline-information.yml | 2 +- ...indirect-tracing-workaround-diagnostic.yml | 4 +- ...ect-tracing-workaround-no-file-program.yml | 2 +- pr-checks/checks/job-run-uuid-sarif.yml | 2 +- .../checks/multi-language-autodetect.yml | 2 +- pr-checks/checks/submit-sarif-failure.yml | 2 +- pr-checks/checks/with-checkout-path.yml | 2 +- pr-checks/sync.ts | 46 ++++++++++++++++--- 88 files changed, 243 insertions(+), 209 deletions(-) diff --git a/.github/actions/release-initialise/action.yml b/.github/actions/release-initialise/action.yml index b3eda48f6b..057d5a5b6d 100644 --- a/.github/actions/release-initialise/action.yml +++ b/.github/actions/release-initialise/action.yml @@ -16,13 +16,13 @@ runs: shell: bash - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24 cache: 'npm' - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.12' diff --git a/.github/workflows/__all-platform-bundle.yml b/.github/workflows/__all-platform-bundle.yml index 1be1d63758..648679b7bf 100644 --- a/.github/workflows/__all-platform-bundle.yml +++ b/.github/workflows/__all-platform-bundle.yml @@ -74,13 +74,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__analysis-kinds.yml b/.github/workflows/__analysis-kinds.yml index 1e43775fff..504c1fcc6e 100644 --- a/.github/workflows/__analysis-kinds.yml +++ b/.github/workflows/__analysis-kinds.yml @@ -72,7 +72,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test @@ -92,7 +92,7 @@ jobs: post-processed-sarif-path: '${{ runner.temp }}/post-processed' - name: Upload SARIF files - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: | analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }} @@ -100,7 +100,7 @@ jobs: retention-days: 7 - name: Upload post-processed SARIF - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: | post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }} @@ -110,7 +110,7 @@ jobs: - name: Check quality query does not appear in security SARIF if: contains(matrix.analysis-kinds, 'code-scanning') - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif' EXPECT_PRESENT: 'false' @@ -118,7 +118,7 @@ jobs: script: ${{ env.CHECK_SCRIPT }} - name: Check quality query appears in quality SARIF if: contains(matrix.analysis-kinds, 'code-quality') - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: '${{ runner.temp }}/results/javascript.quality.sarif' EXPECT_PRESENT: 'true' diff --git a/.github/workflows/__analyze-ref-input.yml b/.github/workflows/__analyze-ref-input.yml index 9ad6c3ec7c..5f4bb4d04a 100644 --- a/.github/workflows/__analyze-ref-input.yml +++ b/.github/workflows/__analyze-ref-input.yml @@ -70,13 +70,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__autobuild-action.yml b/.github/workflows/__autobuild-action.yml index 7521614f2c..f8cd1275d7 100644 --- a/.github/workflows/__autobuild-action.yml +++ b/.github/workflows/__autobuild-action.yml @@ -64,9 +64,9 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Prepare test diff --git a/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml b/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml index 8acd90253f..d0a4e7d783 100644 --- a/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml +++ b/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml @@ -66,9 +66,9 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: java-version: ${{ inputs.java-version || '17' }} distribution: temurin diff --git a/.github/workflows/__autobuild-working-dir.yml b/.github/workflows/__autobuild-working-dir.yml index c9fb1e9e9c..f9718baf7b 100644 --- a/.github/workflows/__autobuild-working-dir.yml +++ b/.github/workflows/__autobuild-working-dir.yml @@ -50,7 +50,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__build-mode-autobuild.yml b/.github/workflows/__build-mode-autobuild.yml index 7619d45936..f22f642e6b 100644 --- a/.github/workflows/__build-mode-autobuild.yml +++ b/.github/workflows/__build-mode-autobuild.yml @@ -66,9 +66,9 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: java-version: ${{ inputs.java-version || '17' }} distribution: temurin diff --git a/.github/workflows/__build-mode-manual.yml b/.github/workflows/__build-mode-manual.yml index 93010fe636..515e28223c 100644 --- a/.github/workflows/__build-mode-manual.yml +++ b/.github/workflows/__build-mode-manual.yml @@ -70,13 +70,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__build-mode-none.yml b/.github/workflows/__build-mode-none.yml index 5611d23811..4aff835887 100644 --- a/.github/workflows/__build-mode-none.yml +++ b/.github/workflows/__build-mode-none.yml @@ -52,7 +52,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__build-mode-rollback.yml b/.github/workflows/__build-mode-rollback.yml index b4dd4041bb..f7c4d090e6 100644 --- a/.github/workflows/__build-mode-rollback.yml +++ b/.github/workflows/__build-mode-rollback.yml @@ -50,7 +50,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__bundle-from-nightly.yml b/.github/workflows/__bundle-from-nightly.yml index a7dc934a0a..5499696453 100644 --- a/.github/workflows/__bundle-from-nightly.yml +++ b/.github/workflows/__bundle-from-nightly.yml @@ -50,7 +50,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__bundle-from-toolcache.yml b/.github/workflows/__bundle-from-toolcache.yml index 4c7f21a32b..389981985c 100644 --- a/.github/workflows/__bundle-from-toolcache.yml +++ b/.github/workflows/__bundle-from-toolcache.yml @@ -50,7 +50,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test @@ -62,7 +62,7 @@ jobs: run: npm install @actions/tool-cache@3 - name: Check toolcache contains CodeQL continue-on-error: true - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const toolcache = require('@actions/tool-cache'); @@ -75,7 +75,7 @@ jobs: with: tools: ${{ steps.prepare-test.outputs.tools-url }} - name: Check CodeQL is installed within the toolcache - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const toolcache = require('@actions/tool-cache'); diff --git a/.github/workflows/__bundle-toolcache.yml b/.github/workflows/__bundle-toolcache.yml index 7606475875..7e83829d6a 100644 --- a/.github/workflows/__bundle-toolcache.yml +++ b/.github/workflows/__bundle-toolcache.yml @@ -54,7 +54,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test @@ -63,7 +63,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Remove CodeQL from toolcache - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const fs = require('fs'); @@ -73,7 +73,7 @@ jobs: - name: Install @actions/tool-cache run: npm install @actions/tool-cache@3 - name: Check toolcache does not contain CodeQL - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const toolcache = require('@actions/tool-cache'); @@ -92,7 +92,7 @@ jobs: output: ${{ runner.temp }}/results upload-database: false - name: Check CodeQL is installed within the toolcache - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const toolcache = require('@actions/tool-cache'); diff --git a/.github/workflows/__bundle-zstd.yml b/.github/workflows/__bundle-zstd.yml index 85e0695268..45cf73a0ed 100644 --- a/.github/workflows/__bundle-zstd.yml +++ b/.github/workflows/__bundle-zstd.yml @@ -54,7 +54,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test @@ -63,7 +63,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Remove CodeQL from toolcache - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const fs = require('fs'); @@ -82,13 +82,13 @@ jobs: output: ${{ runner.temp }}/results upload-database: false - name: Upload SARIF - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: ${{ matrix.os }}-zstd-bundle.sarif path: ${{ runner.temp }}/results/javascript.sarif retention-days: 7 - name: Check diagnostic with expected tools URL appears in SARIF - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif with: diff --git a/.github/workflows/__cleanup-db-cluster-dir.yml b/.github/workflows/__cleanup-db-cluster-dir.yml index cc41fea77a..249a1f81b6 100644 --- a/.github/workflows/__cleanup-db-cluster-dir.yml +++ b/.github/workflows/__cleanup-db-cluster-dir.yml @@ -50,7 +50,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__config-export.yml b/.github/workflows/__config-export.yml index 24549dd186..e359764bdd 100644 --- a/.github/workflows/__config-export.yml +++ b/.github/workflows/__config-export.yml @@ -52,7 +52,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test @@ -70,13 +70,13 @@ jobs: output: '${{ runner.temp }}/results' upload-database: false - name: Upload SARIF - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json path: '${{ runner.temp }}/results/javascript.sarif' retention-days: 7 - name: Check config properties appear in SARIF - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif' with: diff --git a/.github/workflows/__config-input.yml b/.github/workflows/__config-input.yml index a2e4dba2c3..2a82e9aa5c 100644 --- a/.github/workflows/__config-input.yml +++ b/.github/workflows/__config-input.yml @@ -50,9 +50,9 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20.x cache: npm diff --git a/.github/workflows/__cpp-deptrace-disabled.yml b/.github/workflows/__cpp-deptrace-disabled.yml index c73161cd8a..9e44285198 100644 --- a/.github/workflows/__cpp-deptrace-disabled.yml +++ b/.github/workflows/__cpp-deptrace-disabled.yml @@ -54,7 +54,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__cpp-deptrace-enabled-on-macos.yml b/.github/workflows/__cpp-deptrace-enabled-on-macos.yml index d2cce49369..825d4acd99 100644 --- a/.github/workflows/__cpp-deptrace-enabled-on-macos.yml +++ b/.github/workflows/__cpp-deptrace-enabled-on-macos.yml @@ -52,7 +52,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__cpp-deptrace-enabled.yml b/.github/workflows/__cpp-deptrace-enabled.yml index 0539d4ce60..c4ac54f3db 100644 --- a/.github/workflows/__cpp-deptrace-enabled.yml +++ b/.github/workflows/__cpp-deptrace-enabled.yml @@ -54,7 +54,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__diagnostics-export.yml b/.github/workflows/__diagnostics-export.yml index bdf6b0aee1..418517a159 100644 --- a/.github/workflows/__diagnostics-export.yml +++ b/.github/workflows/__diagnostics-export.yml @@ -52,7 +52,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test @@ -81,13 +81,13 @@ jobs: output: '${{ runner.temp }}/results' upload-database: false - name: Upload SARIF - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json path: '${{ runner.temp }}/results/javascript.sarif' retention-days: 7 - name: Check diagnostics appear in SARIF - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif' with: diff --git a/.github/workflows/__export-file-baseline-information.yml b/.github/workflows/__export-file-baseline-information.yml index 359461007d..18fcfafe08 100644 --- a/.github/workflows/__export-file-baseline-information.yml +++ b/.github/workflows/__export-file-baseline-information.yml @@ -74,13 +74,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false @@ -102,7 +102,7 @@ jobs: with: output: '${{ runner.temp }}/results' - name: Upload SARIF - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json path: '${{ runner.temp }}/results/javascript.sarif' diff --git a/.github/workflows/__extractor-ram-threads.yml b/.github/workflows/__extractor-ram-threads.yml index eee08de580..a647124bcc 100644 --- a/.github/workflows/__extractor-ram-threads.yml +++ b/.github/workflows/__extractor-ram-threads.yml @@ -50,7 +50,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__global-proxy.yml b/.github/workflows/__global-proxy.yml index 08c4ad64af..df544fb68a 100644 --- a/.github/workflows/__global-proxy.yml +++ b/.github/workflows/__global-proxy.yml @@ -52,7 +52,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__go-custom-queries.yml b/.github/workflows/__go-custom-queries.yml index cc11dc941d..a595300652 100644 --- a/.github/workflows/__go-custom-queries.yml +++ b/.github/workflows/__go-custom-queries.yml @@ -72,13 +72,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml index e474e1b6f5..2415c7ff8e 100644 --- a/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml +++ b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml @@ -60,9 +60,9 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false @@ -78,7 +78,7 @@ jobs: languages: go tools: ${{ steps.prepare-test.outputs.tools-url }} # Deliberately change Go after the `init` step - - uses: actions/setup-go@v6 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: '1.20' - name: Build code @@ -88,7 +88,7 @@ jobs: output: '${{ runner.temp }}/results' upload-database: false - name: Check diagnostic appears in SARIF - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: '${{ runner.temp }}/results/go.sarif' with: diff --git a/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml b/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml index cc94d3bb8a..38718fba2c 100644 --- a/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml +++ b/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml @@ -60,9 +60,9 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false @@ -89,7 +89,7 @@ jobs: output: '${{ runner.temp }}/results' upload-database: false - name: Check diagnostic appears in SARIF - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: '${{ runner.temp }}/results/go.sarif' with: diff --git a/.github/workflows/__go-indirect-tracing-workaround.yml b/.github/workflows/__go-indirect-tracing-workaround.yml index 6c8a24e0c9..754299d3ed 100644 --- a/.github/workflows/__go-indirect-tracing-workaround.yml +++ b/.github/workflows/__go-indirect-tracing-workaround.yml @@ -60,9 +60,9 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__go-tracing-autobuilder.yml b/.github/workflows/__go-tracing-autobuilder.yml index f44a512f85..5c96e28f11 100644 --- a/.github/workflows/__go-tracing-autobuilder.yml +++ b/.github/workflows/__go-tracing-autobuilder.yml @@ -80,9 +80,9 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__go-tracing-custom-build-steps.yml b/.github/workflows/__go-tracing-custom-build-steps.yml index aae22d8c01..7d3ea3aea0 100644 --- a/.github/workflows/__go-tracing-custom-build-steps.yml +++ b/.github/workflows/__go-tracing-custom-build-steps.yml @@ -80,9 +80,9 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__go-tracing-legacy-workflow.yml b/.github/workflows/__go-tracing-legacy-workflow.yml index cce0102575..68012f0d4d 100644 --- a/.github/workflows/__go-tracing-legacy-workflow.yml +++ b/.github/workflows/__go-tracing-legacy-workflow.yml @@ -80,9 +80,9 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__init-with-registries.yml b/.github/workflows/__init-with-registries.yml index 940784361d..2c55e14e4a 100644 --- a/.github/workflows/__init-with-registries.yml +++ b/.github/workflows/__init-with-registries.yml @@ -54,7 +54,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__javascript-source-root.yml b/.github/workflows/__javascript-source-root.yml index dc1a395ce9..31662fc166 100644 --- a/.github/workflows/__javascript-source-root.yml +++ b/.github/workflows/__javascript-source-root.yml @@ -54,7 +54,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__job-run-uuid-sarif.yml b/.github/workflows/__job-run-uuid-sarif.yml index a10ccd1d1d..c0fa820e52 100644 --- a/.github/workflows/__job-run-uuid-sarif.yml +++ b/.github/workflows/__job-run-uuid-sarif.yml @@ -50,7 +50,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test @@ -67,7 +67,7 @@ jobs: with: output: '${{ runner.temp }}/results' - name: Upload SARIF - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json path: '${{ runner.temp }}/results/javascript.sarif' diff --git a/.github/workflows/__language-aliases.yml b/.github/workflows/__language-aliases.yml index a4cdb034bf..fe9ebef9c3 100644 --- a/.github/workflows/__language-aliases.yml +++ b/.github/workflows/__language-aliases.yml @@ -50,7 +50,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__local-bundle.yml b/.github/workflows/__local-bundle.yml index 50eb333492..a6ab9f523f 100644 --- a/.github/workflows/__local-bundle.yml +++ b/.github/workflows/__local-bundle.yml @@ -70,13 +70,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__multi-language-autodetect.yml b/.github/workflows/__multi-language-autodetect.yml index 8115b66ee2..f4849b9903 100644 --- a/.github/workflows/__multi-language-autodetect.yml +++ b/.github/workflows/__multi-language-autodetect.yml @@ -104,13 +104,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false @@ -125,7 +125,7 @@ jobs: # We need Python 3.13 for older CLI versions because they are not compatible with Python 3.14 or newer. # See https://github.com/github/codeql-action/pull/3212 if: matrix.version != 'nightly-latest' && matrix.version != 'linked' - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' diff --git a/.github/workflows/__overlay-init-fallback.yml b/.github/workflows/__overlay-init-fallback.yml index 0871e6b44b..554e9defcc 100644 --- a/.github/workflows/__overlay-init-fallback.yml +++ b/.github/workflows/__overlay-init-fallback.yml @@ -52,7 +52,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__packaging-codescanning-config-inputs-js.yml b/.github/workflows/__packaging-codescanning-config-inputs-js.yml index 94280eeedb..9c7d842293 100644 --- a/.github/workflows/__packaging-codescanning-config-inputs-js.yml +++ b/.github/workflows/__packaging-codescanning-config-inputs-js.yml @@ -74,18 +74,18 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false - name: Install Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20.x cache: npm diff --git a/.github/workflows/__packaging-config-inputs-js.yml b/.github/workflows/__packaging-config-inputs-js.yml index 146bc43552..c446c7ff36 100644 --- a/.github/workflows/__packaging-config-inputs-js.yml +++ b/.github/workflows/__packaging-config-inputs-js.yml @@ -74,18 +74,18 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false - name: Install Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20.x cache: npm diff --git a/.github/workflows/__packaging-config-js.yml b/.github/workflows/__packaging-config-js.yml index fddd971f39..e550e493d5 100644 --- a/.github/workflows/__packaging-config-js.yml +++ b/.github/workflows/__packaging-config-js.yml @@ -74,18 +74,18 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false - name: Install Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20.x cache: npm diff --git a/.github/workflows/__packaging-inputs-js.yml b/.github/workflows/__packaging-inputs-js.yml index 64bd575d55..7d3450d04b 100644 --- a/.github/workflows/__packaging-inputs-js.yml +++ b/.github/workflows/__packaging-inputs-js.yml @@ -74,18 +74,18 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false - name: Install Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20.x cache: npm diff --git a/.github/workflows/__remote-config.yml b/.github/workflows/__remote-config.yml index 4302583d73..277f9293e9 100644 --- a/.github/workflows/__remote-config.yml +++ b/.github/workflows/__remote-config.yml @@ -72,13 +72,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__resolve-environment-action.yml b/.github/workflows/__resolve-environment-action.yml index 982e4e7152..05125ca107 100644 --- a/.github/workflows/__resolve-environment-action.yml +++ b/.github/workflows/__resolve-environment-action.yml @@ -54,7 +54,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__rubocop-multi-language.yml b/.github/workflows/__rubocop-multi-language.yml index 5d11093bbd..e2bd040d51 100644 --- a/.github/workflows/__rubocop-multi-language.yml +++ b/.github/workflows/__rubocop-multi-language.yml @@ -50,7 +50,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__ruby.yml b/.github/workflows/__ruby.yml index 6d326ee887..b8d556e534 100644 --- a/.github/workflows/__ruby.yml +++ b/.github/workflows/__ruby.yml @@ -60,7 +60,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__rust.yml b/.github/workflows/__rust.yml index 1c3d18d16e..91c3d6618e 100644 --- a/.github/workflows/__rust.yml +++ b/.github/workflows/__rust.yml @@ -58,7 +58,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__split-workflow.yml b/.github/workflows/__split-workflow.yml index 7dfa812499..64efae65f2 100644 --- a/.github/workflows/__split-workflow.yml +++ b/.github/workflows/__split-workflow.yml @@ -80,13 +80,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__start-proxy.yml b/.github/workflows/__start-proxy.yml index 70ec13c96b..7a318b0233 100644 --- a/.github/workflows/__start-proxy.yml +++ b/.github/workflows/__start-proxy.yml @@ -54,7 +54,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__submit-sarif-failure.yml b/.github/workflows/__submit-sarif-failure.yml index 2fdfeddfbf..03ea2de232 100644 --- a/.github/workflows/__submit-sarif-failure.yml +++ b/.github/workflows/__submit-sarif-failure.yml @@ -54,7 +54,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test @@ -62,7 +62,7 @@ jobs: version: ${{ matrix.version }} use-all-platform-bundle: 'false' setup-kotlin: 'true' - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: ./init with: languages: javascript diff --git a/.github/workflows/__swift-autobuild.yml b/.github/workflows/__swift-autobuild.yml index cd26309f4e..4962547032 100644 --- a/.github/workflows/__swift-autobuild.yml +++ b/.github/workflows/__swift-autobuild.yml @@ -50,7 +50,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__swift-custom-build.yml b/.github/workflows/__swift-custom-build.yml index efdbde7215..83c06ffd09 100644 --- a/.github/workflows/__swift-custom-build.yml +++ b/.github/workflows/__swift-custom-build.yml @@ -74,13 +74,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__unset-environment.yml b/.github/workflows/__unset-environment.yml index 535362e836..b519e01dd6 100644 --- a/.github/workflows/__unset-environment.yml +++ b/.github/workflows/__unset-environment.yml @@ -72,13 +72,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__upload-ref-sha-input.yml b/.github/workflows/__upload-ref-sha-input.yml index 4e95021495..9a1c91dea9 100644 --- a/.github/workflows/__upload-ref-sha-input.yml +++ b/.github/workflows/__upload-ref-sha-input.yml @@ -70,13 +70,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__upload-sarif.yml b/.github/workflows/__upload-sarif.yml index 547828d072..182adbfdea 100644 --- a/.github/workflows/__upload-sarif.yml +++ b/.github/workflows/__upload-sarif.yml @@ -77,13 +77,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__with-checkout-path.yml b/.github/workflows/__with-checkout-path.yml index 0d97287577..3d6380462b 100644 --- a/.github/workflows/__with-checkout-path.yml +++ b/.github/workflows/__with-checkout-path.yml @@ -71,13 +71,13 @@ jobs: steps: # This ensures we don't accidentally use the original checkout for any part of the test. - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false @@ -96,7 +96,7 @@ jobs: rm -rf ./* .github .git # Check out the actions repo again, but at a different location. # choose an arbitrary SHA so that we can later test that the commit_oid is not from main - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6 path: x/y/z/some-path diff --git a/.github/workflows/check-expected-release-files.yml b/.github/workflows/check-expected-release-files.yml index 79ce600711..ee6ad120bc 100644 --- a/.github/workflows/check-expected-release-files.yml +++ b/.github/workflows/check-expected-release-files.yml @@ -26,7 +26,7 @@ jobs: steps: - name: Checkout CodeQL Action - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Check Expected Release Files run: | bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 9f14b05bf3..d604bbd80e 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -35,7 +35,7 @@ jobs: security-events: read steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up default CodeQL bundle id: setup-default uses: ./setup-codeql @@ -87,7 +87,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Initialize CodeQL uses: ./init id: init @@ -124,7 +124,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Initialize CodeQL uses: ./init with: diff --git a/.github/workflows/codescanning-config-cli.yml b/.github/workflows/codescanning-config-cli.yml index 0da0f4d38f..3a62bd78d3 100644 --- a/.github/workflows/codescanning-config-cli.yml +++ b/.github/workflows/codescanning-config-cli.yml @@ -59,10 +59,10 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24 cache: 'npm' diff --git a/.github/workflows/debug-artifacts-failure-safe.yml b/.github/workflows/debug-artifacts-failure-safe.yml index 5bb53ecbd6..d044d8420a 100644 --- a/.github/workflows/debug-artifacts-failure-safe.yml +++ b/.github/workflows/debug-artifacts-failure-safe.yml @@ -53,17 +53,17 @@ jobs: - name: Dump GitHub event run: cat "${GITHUB_EVENT_PATH}" - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - - uses: actions/setup-go@v6 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ^1.13.1 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: '9.x' - name: Assert best-effort artifact scan completed @@ -94,7 +94,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Download all artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 - name: Check expected artifacts exist run: | LANGUAGES="cpp csharp go java javascript python" diff --git a/.github/workflows/debug-artifacts-safe.yml b/.github/workflows/debug-artifacts-safe.yml index 85b037cba6..4699436a11 100644 --- a/.github/workflows/debug-artifacts-safe.yml +++ b/.github/workflows/debug-artifacts-safe.yml @@ -49,17 +49,17 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - - uses: actions/setup-go@v6 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ^1.13.1 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: '9.x' - name: Assert best-effort artifact scan completed @@ -87,7 +87,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Download all artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 - name: Check expected artifacts exist run: | VERSIONS="stable-v2.20.3 default linked nightly-latest" diff --git a/.github/workflows/post-release-mergeback.yml b/.github/workflows/post-release-mergeback.yml index 7ba78e2295..313a1e3558 100644 --- a/.github/workflows/post-release-mergeback.yml +++ b/.github/workflows/post-release-mergeback.yml @@ -44,14 +44,14 @@ jobs: GITHUB_CONTEXT: '${{ toJson(github) }}' run: echo "${GITHUB_CONTEXT}" - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 # ensure we have all tags and can push commits - - uses: actions/setup-node@v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24 cache: 'npm' - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.12' @@ -134,7 +134,7 @@ jobs: echo "::endgroup::" - name: Generate token - uses: actions/create-github-app-token@v3.2.0 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 id: app-token with: app-id: ${{ vars.AUTOMATION_APP_ID }} diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 6b7656150d..195494c185 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -42,10 +42,10 @@ jobs: if: runner.os == 'Windows' run: git config --global core.autocrlf false - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ matrix.node-version }} cache: 'npm' @@ -91,10 +91,10 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24 cache: 'npm' @@ -155,7 +155,7 @@ jobs: - name: Upload repo size comment if: steps.fetch-base.outcome == 'success' - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: repo-size-comment path: ${{ runner.temp }}/repo-size/ @@ -164,7 +164,7 @@ jobs: - name: 'Backport: Check out base ref' id: checkout-base if: ${{ startsWith(github.head_ref, 'backport-') }} - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: ref: ${{ github.base_ref }} @@ -203,7 +203,7 @@ jobs: steps: - name: Download repo size comment - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: repo-size-comment path: repo-size-comment diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml index fbddee3d52..915148e277 100644 --- a/.github/workflows/prepare-release.yml +++ b/.github/workflows/prepare-release.yml @@ -44,7 +44,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 # Need full history for calculation of diffs diff --git a/.github/workflows/publish-immutable-action.yml b/.github/workflows/publish-immutable-action.yml index e14bc30bc4..3944a81e6d 100644 --- a/.github/workflows/publish-immutable-action.yml +++ b/.github/workflows/publish-immutable-action.yml @@ -20,8 +20,8 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Publish immutable release id: publish - uses: actions/publish-immutable-action@v0.0.4 + uses: actions/publish-immutable-action@4bc8754ffc40f27910afb20287dbbbb675a4e978 # v0.0.4 diff --git a/.github/workflows/python312-windows.yml b/.github/workflows/python312-windows.yml index 85901bff81..76a9c4ff26 100644 --- a/.github/workflows/python312-windows.yml +++ b/.github/workflows/python312-windows.yml @@ -35,11 +35,11 @@ jobs: runs-on: windows-latest steps: - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: 3.12 - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/query-filters.yml b/.github/workflows/query-filters.yml index b55ff8af27..3d1f4275cf 100644 --- a/.github/workflows/query-filters.yml +++ b/.github/workflows/query-filters.yml @@ -35,10 +35,10 @@ jobs: contents: read # This permission is needed to allow the GitHub Actions workflow to read the contents of the repository. steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24 cache: npm diff --git a/.github/workflows/rebuild.yml b/.github/workflows/rebuild.yml index cafc432d98..f1d74dc8f4 100644 --- a/.github/workflows/rebuild.yml +++ b/.github/workflows/rebuild.yml @@ -24,13 +24,13 @@ jobs: pull-requests: write # needed to comment on the PR steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 ref: ${{ env.HEAD_REF }} - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24 cache: 'npm' diff --git a/.github/workflows/rollback-release.yml b/.github/workflows/rollback-release.yml index ba10430f7d..e6a9da61f9 100644 --- a/.github/workflows/rollback-release.yml +++ b/.github/workflows/rollback-release.yml @@ -52,7 +52,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 # Need full history for calculation of diffs @@ -136,7 +136,7 @@ jobs: - name: Generate token if: github.event_name == 'workflow_dispatch' - uses: actions/create-github-app-token@v3.2.0 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 id: app-token with: app-id: ${{ vars.AUTOMATION_APP_ID }} diff --git a/.github/workflows/test-codeql-bundle-all.yml b/.github/workflows/test-codeql-bundle-all.yml index 03ab6c37b3..c44dafc590 100644 --- a/.github/workflows/test-codeql-bundle-all.yml +++ b/.github/workflows/test-codeql-bundle-all.yml @@ -43,7 +43,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test @@ -51,7 +51,7 @@ jobs: version: ${{ matrix.version }} use-all-platform-bundle: true - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: '9.x' - id: init diff --git a/.github/workflows/update-bundle.yml b/.github/workflows/update-bundle.yml index 837079481a..94c79bc56e 100644 --- a/.github/workflows/update-bundle.yml +++ b/.github/workflows/update-bundle.yml @@ -33,7 +33,7 @@ jobs: GITHUB_CONTEXT: '${{ toJson(github) }}' run: echo "$GITHUB_CONTEXT" - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Update git config run: | @@ -41,12 +41,12 @@ jobs: git config --global user.name "github-actions[bot]" - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.12' - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24 cache: 'npm' diff --git a/.github/workflows/update-release-branch.yml b/.github/workflows/update-release-branch.yml index 40d25e2163..bef7965742 100644 --- a/.github/workflows/update-release-branch.yml +++ b/.github/workflows/update-release-branch.yml @@ -38,7 +38,7 @@ jobs: contents: write # needed to push commits pull-requests: write # needed to create pull request steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 # Need full history for calculation of diffs - uses: ./.github/actions/release-initialise @@ -94,14 +94,14 @@ jobs: pull-requests: write # needed to create pull request steps: - name: Generate token - uses: actions/create-github-app-token@v3.2.0 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 id: app-token with: app-id: ${{ vars.AUTOMATION_APP_ID }} private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }} - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 # Need full history for calculation of diffs token: ${{ steps.app-token.outputs.token }} diff --git a/.github/workflows/update-supported-enterprise-server-versions.yml b/.github/workflows/update-supported-enterprise-server-versions.yml index 4cead58f4f..16f6f528c5 100644 --- a/.github/workflows/update-supported-enterprise-server-versions.yml +++ b/.github/workflows/update-supported-enterprise-server-versions.yml @@ -23,13 +23,13 @@ jobs: steps: - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.13" - name: Checkout CodeQL Action - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Checkout Enterprise Releases - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: github/enterprise-releases token: ${{ secrets.ENTERPRISE_RELEASE_TOKEN }} diff --git a/pr-checks/checks/analysis-kinds.yml b/pr-checks/checks/analysis-kinds.yml index 7b10f8d792..5b2aaf4aad 100644 --- a/pr-checks/checks/analysis-kinds.yml +++ b/pr-checks/checks/analysis-kinds.yml @@ -46,7 +46,7 @@ steps: post-processed-sarif-path: "${{ runner.temp }}/post-processed" - name: Upload SARIF files - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: | analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }} @@ -54,7 +54,7 @@ steps: retention-days: 7 - name: Upload post-processed SARIF - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: | post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }} @@ -64,7 +64,7 @@ steps: - name: Check quality query does not appear in security SARIF if: contains(matrix.analysis-kinds, 'code-scanning') - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif" EXPECT_PRESENT: "false" @@ -72,7 +72,7 @@ steps: script: ${{ env.CHECK_SCRIPT }} - name: Check quality query appears in quality SARIF if: contains(matrix.analysis-kinds, 'code-quality') - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: "${{ runner.temp }}/results/javascript.quality.sarif" EXPECT_PRESENT: "true" diff --git a/pr-checks/checks/bundle-from-toolcache.yml b/pr-checks/checks/bundle-from-toolcache.yml index 2719ccfb00..0e51e2e12b 100644 --- a/pr-checks/checks/bundle-from-toolcache.yml +++ b/pr-checks/checks/bundle-from-toolcache.yml @@ -7,7 +7,7 @@ steps: run: npm install @actions/tool-cache@3 - name: Check toolcache contains CodeQL continue-on-error: true - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const toolcache = require('@actions/tool-cache'); @@ -20,7 +20,7 @@ steps: with: tools: ${{ steps.prepare-test.outputs.tools-url }} - name: Check CodeQL is installed within the toolcache - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const toolcache = require('@actions/tool-cache'); diff --git a/pr-checks/checks/bundle-toolcache.yml b/pr-checks/checks/bundle-toolcache.yml index f5315d285a..83d1d7d0b5 100644 --- a/pr-checks/checks/bundle-toolcache.yml +++ b/pr-checks/checks/bundle-toolcache.yml @@ -8,7 +8,7 @@ operatingSystems: - windows steps: - name: Remove CodeQL from toolcache - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const fs = require('fs'); @@ -18,7 +18,7 @@ steps: - name: Install @actions/tool-cache run: npm install @actions/tool-cache@3 - name: Check toolcache does not contain CodeQL - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const toolcache = require('@actions/tool-cache'); @@ -37,7 +37,7 @@ steps: output: ${{ runner.temp }}/results upload-database: false - name: Check CodeQL is installed within the toolcache - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const toolcache = require('@actions/tool-cache'); diff --git a/pr-checks/checks/bundle-zstd.yml b/pr-checks/checks/bundle-zstd.yml index 810f0b0c12..a961af3c36 100644 --- a/pr-checks/checks/bundle-zstd.yml +++ b/pr-checks/checks/bundle-zstd.yml @@ -8,7 +8,7 @@ operatingSystems: - windows steps: - name: Remove CodeQL from toolcache - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const fs = require('fs'); @@ -27,13 +27,13 @@ steps: output: ${{ runner.temp }}/results upload-database: false - name: Upload SARIF - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: ${{ matrix.os }}-zstd-bundle.sarif path: ${{ runner.temp }}/results/javascript.sarif retention-days: 7 - name: Check diagnostic with expected tools URL appears in SARIF - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif with: diff --git a/pr-checks/checks/config-export.yml b/pr-checks/checks/config-export.yml index 17dd758453..93c6407355 100644 --- a/pr-checks/checks/config-export.yml +++ b/pr-checks/checks/config-export.yml @@ -14,13 +14,13 @@ steps: output: "${{ runner.temp }}/results" upload-database: false - name: Upload SARIF - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json path: "${{ runner.temp }}/results/javascript.sarif" retention-days: 7 - name: Check config properties appear in SARIF - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif" with: diff --git a/pr-checks/checks/diagnostics-export.yml b/pr-checks/checks/diagnostics-export.yml index 811335a7c7..61b9ae5efc 100644 --- a/pr-checks/checks/diagnostics-export.yml +++ b/pr-checks/checks/diagnostics-export.yml @@ -27,13 +27,13 @@ steps: output: "${{ runner.temp }}/results" upload-database: false - name: Upload SARIF - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json path: "${{ runner.temp }}/results/javascript.sarif" retention-days: 7 - name: Check diagnostics appear in SARIF - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif" with: diff --git a/pr-checks/checks/export-file-baseline-information.yml b/pr-checks/checks/export-file-baseline-information.yml index 8f882ef598..c5d5d12dda 100644 --- a/pr-checks/checks/export-file-baseline-information.yml +++ b/pr-checks/checks/export-file-baseline-information.yml @@ -23,7 +23,7 @@ steps: with: output: "${{ runner.temp }}/results" - name: Upload SARIF - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json path: "${{ runner.temp }}/results/javascript.sarif" diff --git a/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml b/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml index bd48f1a12c..69f9b47621 100644 --- a/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml +++ b/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml @@ -12,7 +12,7 @@ steps: languages: go tools: ${{ steps.prepare-test.outputs.tools-url }} # Deliberately change Go after the `init` step - - uses: actions/setup-go@v6 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: "1.20" - name: Build code @@ -22,7 +22,7 @@ steps: output: "${{ runner.temp }}/results" upload-database: false - name: Check diagnostic appears in SARIF - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: "${{ runner.temp }}/results/go.sarif" with: diff --git a/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml b/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml index 8e3f4234b5..5068df622b 100644 --- a/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml +++ b/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml @@ -23,7 +23,7 @@ steps: output: "${{ runner.temp }}/results" upload-database: false - name: Check diagnostic appears in SARIF - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: "${{ runner.temp }}/results/go.sarif" with: diff --git a/pr-checks/checks/job-run-uuid-sarif.yml b/pr-checks/checks/job-run-uuid-sarif.yml index b37821d5a1..dc1dd02d43 100644 --- a/pr-checks/checks/job-run-uuid-sarif.yml +++ b/pr-checks/checks/job-run-uuid-sarif.yml @@ -12,7 +12,7 @@ steps: with: output: "${{ runner.temp }}/results" - name: Upload SARIF - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json path: "${{ runner.temp }}/results/javascript.sarif" diff --git a/pr-checks/checks/multi-language-autodetect.yml b/pr-checks/checks/multi-language-autodetect.yml index c52dcf9401..fcafe5fb35 100644 --- a/pr-checks/checks/multi-language-autodetect.yml +++ b/pr-checks/checks/multi-language-autodetect.yml @@ -13,7 +13,7 @@ steps: # We need Python 3.13 for older CLI versions because they are not compatible with Python 3.14 or newer. # See https://github.com/github/codeql-action/pull/3212 if: matrix.version != 'nightly-latest' && matrix.version != 'linked' - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.13" diff --git a/pr-checks/checks/submit-sarif-failure.yml b/pr-checks/checks/submit-sarif-failure.yml index e776e23c24..2bba971d72 100644 --- a/pr-checks/checks/submit-sarif-failure.yml +++ b/pr-checks/checks/submit-sarif-failure.yml @@ -21,7 +21,7 @@ permissions: security-events: write # needed to upload the SARIF file steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: ./init with: languages: javascript diff --git a/pr-checks/checks/with-checkout-path.yml b/pr-checks/checks/with-checkout-path.yml index c53e3b4153..e91066e18e 100644 --- a/pr-checks/checks/with-checkout-path.yml +++ b/pr-checks/checks/with-checkout-path.yml @@ -14,7 +14,7 @@ steps: rm -rf ./* .github .git # Check out the actions repo again, but at a different location. # choose an arbitrary SHA so that we can later test that the commit_oid is not from main - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6 path: x/y/z/some-path diff --git a/pr-checks/sync.ts b/pr-checks/sync.ts index 27b1d92645..4d7ae200a4 100755 --- a/pr-checks/sync.ts +++ b/pr-checks/sync.ts @@ -7,6 +7,16 @@ import * as yaml from "yaml"; import { BuiltInLanguage } from "../src/languages"; +/** + * Returns a `uses` value for `action` pinned to a commit SHA, with the + * human-readable version recorded in a trailing comment. + */ +function pinnedUses(action: string, sha: string, version: string): yaml.Scalar { + const node = new yaml.Scalar(`${action}@${sha}`); + node.comment = ` ${version}`; + return node; +} + /** Known workflow input names. */ enum KnownInputName { GoVersion = "go-version", @@ -192,7 +202,11 @@ const languageSetups: LanguageSetups = { steps: [ { name: "Install Node.js", - uses: "actions/setup-node@v6", + uses: pinnedUses( + "actions/setup-node", + "48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e", + "v6.4.0", + ), with: { "node-version": defaultLanguageVersions.javascript, cache: "npm", @@ -210,7 +224,11 @@ const languageSetups: LanguageSetups = { steps: [ { name: "Install Go", - uses: "actions/setup-go@v6", + uses: pinnedUses( + "actions/setup-go", + "4a3601121dd01d1626a1e23e37211e3254c1c06c", + "v6.4.0", + ), with: { "go-version": `\${{ inputs.go-version || '${defaultLanguageVersions.go}' }}`, // to avoid potentially misleading autobuilder results where we expect it to download @@ -226,7 +244,11 @@ const languageSetups: LanguageSetups = { steps: [ { name: "Install Java", - uses: "actions/setup-java@v5", + uses: pinnedUses( + "actions/setup-java", + "be666c2fcd27ec809703dec50e508c2fdc7f6654", + "v5.2.0", + ), with: { "java-version": `\${{ inputs.java-version || '${defaultLanguageVersions.java}' }}`, distribution: "temurin", @@ -240,7 +262,11 @@ const languageSetups: LanguageSetups = { steps: [ { name: "Install Python", - uses: "actions/setup-python@v6", + uses: pinnedUses( + "actions/setup-python", + "a309ff8b426b58ec0e2a45f0f869d46889d02405", + "v6.2.0", + ), with: { "python-version": `\${{ inputs.python-version || '${defaultLanguageVersions.python}' }}`, }, @@ -253,7 +279,11 @@ const languageSetups: LanguageSetups = { steps: [ { name: "Install .NET", - uses: "actions/setup-dotnet@v5", + uses: pinnedUses( + "actions/setup-dotnet", + "9a946fdbd5fb07b82b2f5a4466058b876ab72bb2", + "v5.3.0", + ), with: { "dotnet-version": `\${{ inputs.dotnet-version || '${defaultLanguageVersions.csharp}' }}`, }, @@ -456,7 +486,11 @@ function generateJob( const steps: Step[] = [ { name: "Check out repository", - uses: "actions/checkout@v6", + uses: pinnedUses( + "actions/checkout", + "df4cb1c069e1874edd31b4311f1884172cec0e10", + "v6.0.3", + ), }, ...setupInfo.steps, { From fd3f10809d17ee45d1526bbf47fed6d1d87602bb Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Wed, 3 Jun 2026 17:21:10 +0100 Subject: [PATCH 2/2] Update sync-back script This is intended as a workaround until https://github.com/github/codeql-action/pull/3556 is merged. --- pr-checks/sync-back.test.ts | 35 +++++++++++++++++++++++++++++++++++ pr-checks/sync-back.ts | 32 +++++++++++++++++++++++++++----- 2 files changed, 62 insertions(+), 5 deletions(-) diff --git a/pr-checks/sync-back.test.ts b/pr-checks/sync-back.test.ts index 8b46217492..52d4c98f3f 100755 --- a/pr-checks/sync-back.test.ts +++ b/pr-checks/sync-back.test.ts @@ -188,6 +188,41 @@ const steps = [ const result = updateSyncTs(syncTsPath, actionVersions); assert.equal(result, false); }); + + await it("updates SHA-pinned pinnedUses references", () => { + /** Test updating `pinnedUses(...)` references with new SHA and version */ + const syncTsContent = ` +const steps = [ + { + uses: pinnedUses( + "actions/setup-node", + "0000000000000000000000000000000000000000", + "v6.0.0", + ), + }, +]; +`; + + fs.writeFileSync(syncTsPath, syncTsContent); + + const actionVersions = { + "actions/setup-node": "48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0", + }; + + const result = updateSyncTs(syncTsPath, actionVersions); + assert.equal(result, true); + + const updatedContent = fs.readFileSync(syncTsPath, "utf8"); + + assert.ok( + updatedContent.includes('"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e"'), + ); + assert.ok(updatedContent.includes('"v6.4.0"')); + assert.ok( + !updatedContent.includes("0000000000000000000000000000000000000000"), + ); + assert.ok(!updatedContent.includes('"v6.0.0"')); + }); }); describe("updateTemplateFiles", async () => { diff --git a/pr-checks/sync-back.ts b/pr-checks/sync-back.ts index 5d7275e812..bb442b2fe1 100755 --- a/pr-checks/sync-back.ts +++ b/pr-checks/sync-back.ts @@ -68,6 +68,10 @@ export function scanGeneratedWorkflows( /** * Update hardcoded action versions in pr-checks/sync.ts * + * Handles both inline `uses: "owner/action@ref"` strings and SHA-pinned + * references expressed via the `pinnedUses("owner/action", "", "version")` + * helper. + * * @param syncTsPath - Path to sync.ts file * @param actionVersions - Map of action names to versions (may include comments) * @returns True if the file was modified, false otherwise @@ -87,18 +91,36 @@ export function updateSyncTs( for (const [actionName, versionWithComment] of Object.entries( actionVersions, )) { - // Extract just the version part (before any comment) for sync.ts - const version = versionWithComment.includes("#") + // Split the scanned value into the ref (e.g. a commit SHA) and the optional + // trailing version comment (e.g. `v6.0.3`). + const ref = versionWithComment.includes("#") ? versionWithComment.split("#")[0].trim() : versionWithComment.trim(); + const versionComment = versionWithComment.includes("#") + ? versionWithComment.split("#")[1].trim() + : ""; + + const escaped = actionName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); // Look for patterns like uses: "actions/setup-node@v4" // Note that this will break if we store an Action uses reference in a // variable - that's a risk we're happy to take since in that case the // PR checks will just fail. - const escaped = actionName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); - const pattern = new RegExp(`(uses:\\s*")${escaped}@(?:[^"]+)(")`, "g"); - content = content.replace(pattern, `$1${actionName}@${version}$2`); + const usesPattern = new RegExp(`(uses:\\s*")${escaped}@(?:[^"]+)(")`, "g"); + content = content.replace(usesPattern, `$1${actionName}@${ref}$2`); + + // Look for SHA-pinned references expressed via the `pinnedUses` helper, e.g. + // `pinnedUses("actions/checkout", "", "v6.0.3")`, updating both the + // pinned ref and the version comment. + const pinnedPattern = new RegExp( + `(pinnedUses\\(\\s*")${escaped}("\\s*,\\s*")[^"]*("\\s*,\\s*")([^"]*)(")`, + "g", + ); + content = content.replace( + pinnedPattern, + (_match, p1, p2, p3, oldVersion, p5) => + `${p1}${actionName}${p2}${ref}${p3}${versionComment || oldVersion}${p5}`, + ); } if (content !== originalContent) {