From 2f7dd2c9bdc6ebb04777b850fcc4014a9df9ef36 Mon Sep 17 00:00:00 2001 From: James Watkins-Harvey Date: Fri, 17 Apr 2026 19:16:25 -0400 Subject: [PATCH] Update and pin all GHA actions --- .github/workflows/build-native-image.yml | 8 ++--- .github/workflows/ci.yml | 36 +++++++++---------- .github/workflows/coverage.yml | 6 ++-- .../workflows/gradle-wrapper-validation.yml | 4 +-- .../workflows/nightly-throughput-stress.yml | 18 +++++----- .github/workflows/prepare-release.yml | 12 +++---- .github/workflows/publish-snapshot.yml | 6 ++-- 7 files changed, 45 insertions(+), 45 deletions(-) diff --git a/.github/workflows/build-native-image.yml b/.github/workflows/build-native-image.yml index 60e56667f..5f2a35367 100644 --- a/.github/workflows/build-native-image.yml +++ b/.github/workflows/build-native-image.yml @@ -62,7 +62,7 @@ jobs: runs-on: ${{ matrix.runner }} steps: - name: Checkout repo - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 submodules: recursive @@ -70,14 +70,14 @@ jobs: - name: Set up Java if: matrix.os_family != 'linux' - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: 23 distribution: "graalvm" - name: Set up Gradle if: matrix.os_family != 'linux' - uses: gradle/actions/setup-gradle@v5 + uses: gradle/actions/setup-gradle@ac396bf1a80af16236baf54bd7330ae21dc6ece5 # v6 - name: Build native test server (non-Docker) if: matrix.os_family != 'linux' @@ -105,7 +105,7 @@ jobs: # path ends in a wildcard because on windows the file ends in '.exe' - name: Upload executable to workflow if: ${{ inputs.upload_artifact }} - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: ${{ matrix.musl && format('{0}_{1}_musl', matrix.os_family, matrix.arch) || format('{0}_{1}', matrix.os_family, matrix.arch)}} path: | 
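Review bot: The `# v6` comment on the pinned `actions/checkout` line names only the moving major tag, so a later audit cannot tell which release the SHA corresponds to. The same applies to every pinned `uses:` line in this patch (`# v5`, `# v7`, `# v0`, and so on). I would record the exact release in the comment, e.g. `uses: actions/checkout@<full-sha> # vX.Y.Z` (placeholder version), which is also the form Dependabot and Renovate keep in sync when they bump a pin. SHA pins do not pick up upstream fixes on their own, and this patch adds no update configuration for the `github-actions` ecosystem, so it is worth confirming that one already exists in the repository.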
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8d91824be..dcb8b0e3f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,20 +14,20 @@ jobs: timeout-minutes: 30 steps: - name: Checkout repo - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 submodules: recursive ref: ${{ github.event.pull_request.head.sha }} - name: Set up Java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: "23" distribution: "temurin" - name: Set up Gradle - uses: gradle/actions/setup-gradle@v5 + uses: gradle/actions/setup-gradle@ac396bf1a80af16236baf54bd7330ae21dc6ece5 # v6 - name: Run unit tests (Java 23) env: @@ -54,7 +54,7 @@ jobs: run: ./gradlew --no-daemon :temporal-spring-boot-autoconfigure:test -x spotlessCheck -x spotlessApply -x spotlessJava -P edgeDepsTest -P springBoot4Test -PtestJavaVersion=23 - name: Publish Test Report - uses: mikepenz/action-junit-report@v6 + uses: mikepenz/action-junit-report@bccf2e31636835cf0874589931c4116687171386 # v6 if: success() || failure() # always run even if the previous step fails with: report_paths: "**/build/test-results/test/TEST-*.xml" @@ -65,14 +65,14 @@ jobs: timeout-minutes: 30 steps: - name: Checkout repo - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 submodules: recursive ref: ${{ github.event.pull_request.head.sha }} - name: Set up Java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: | 11 @@ -80,7 +80,7 @@ jobs: distribution: "temurin" - name: Set up Gradle - uses: gradle/actions/setup-gradle@v5 + uses: gradle/actions/setup-gradle@ac396bf1a80af16236baf54bd7330ae21dc6ece5 # v6 - name: Start containerized server and dependencies env: 
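Review bot: The `Checkout repo` step in the first ci.yml hunk sets `fetch-depth`, `submodules` and `ref` but not `persist-credentials`, so by default the job token remains configured for git while the following `./gradlew` steps build the pull-request head. Adding `persist-credentials: false` under `with:` removes that exposure for jobs that never push; the other checkout steps in ci.yml (hunks at -65, -149, -188, -212) and the one in coverage.yml have the same shape. prepare-release.yml creates a tag, so check whether it pushes with the persisted token before changing it there. The workflow trigger and any `permissions:` block are outside these hunks, so the token's actual scope could not be confirmed from this patch.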
@@ -138,7 +138,7 @@ jobs: run: ./gradlew --no-daemon :temporal-sdk:virtualThreadTests -x spotlessCheck -x spotlessApply -x spotlessJava -PtestJavaVersion=21 - name: Publish Test Report - uses: mikepenz/action-junit-report@v6 + uses: mikepenz/action-junit-report@bccf2e31636835cf0874589931c4116687171386 # v6 if: success() || failure() # always run even if the previous step fails with: report_paths: "**/build/test-results/test/TEST-*.xml" @@ -149,20 +149,20 @@ jobs: timeout-minutes: 30 steps: - name: Checkout repo - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 submodules: recursive ref: ${{ github.event.pull_request.head.sha }} - name: Set up Java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: "23" distribution: "temurin" - name: Set up Gradle - uses: gradle/actions/setup-gradle@v5 + uses: gradle/actions/setup-gradle@ac396bf1a80af16236baf54bd7330ae21dc6ece5 # v6 - name: Run cloud test # Only supported in non-fork runs, since secrets are not available in forks. We intentionally @@ -177,7 +177,7 @@ jobs: run: ./gradlew --no-daemon :temporal-sdk:test --tests '*CloudOperationsClientTest' - name: Publish Test Report - uses: mikepenz/action-junit-report@v6 + uses: mikepenz/action-junit-report@bccf2e31636835cf0874589931c4116687171386 # v6 if: success() || failure() # always run even if the previous step fails with: report_paths: "**/build/test-results/test/TEST-*.xml" 
@@ -188,20 +188,20 @@ jobs: timeout-minutes: 20 steps: - name: Checkout repo - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 submodules: recursive ref: ${{ github.event.pull_request.head.sha }} - name: Set up Java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: "23" distribution: "temurin" - name: Set up Gradle - uses: gradle/actions/setup-gradle@v5 + uses: gradle/actions/setup-gradle@ac396bf1a80af16236baf54bd7330ae21dc6ece5 # v6 - name: Run copyright and code format checks run: ./gradlew --no-daemon spotlessCheck @@ -212,20 +212,20 @@ jobs: timeout-minutes: 20 steps: - name: Checkout repo - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 submodules: recursive ref: ${{ github.event.pull_request.head.sha }} - name: Set up Java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: "23" distribution: "temurin" - name: Set up Gradle - uses: gradle/actions/setup-gradle@v5 + uses: gradle/actions/setup-gradle@ac396bf1a80af16236baf54bd7330ae21dc6ece5 # v6 - name: Run javadoc run: ./gradlew --no-daemon javadoc diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index e9ca3e3b2..4b573144f 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml 
@@ -12,18 +12,18 @@ jobs: runs-on: ubuntu-latest-16-cores steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 - name: Set up Java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: "23" distribution: "temurin" - name: Set up Gradle - uses: gradle/actions/setup-gradle@v5 + uses: gradle/actions/setup-gradle@ac396bf1a80af16236baf54bd7330ae21dc6ece5 # v6 - name: Run Tests run: ./gradlew test -x spotlessCheck -x spotlessApply -Pjacoco -PtestJavaVersion=23 diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/gradle-wrapper-validation.yml index 3042503ce..07d8b1a78 100644 --- a/.github/workflows/gradle-wrapper-validation.yml +++ b/.github/workflows/gradle-wrapper-validation.yml @@ -9,5 +9,5 @@ jobs: name: "Gradle wrapper validation" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 - - uses: gradle/actions/wrapper-validation@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: gradle/actions/wrapper-validation@ac396bf1a80af16236baf54bd7330ae21dc6ece5 # v6 diff --git a/.github/workflows/nightly-throughput-stress.yml b/.github/workflows/nightly-throughput-stress.yml index 04a08d451..bbf2ee203 100644 --- a/.github/workflows/nightly-throughput-stress.yml +++ b/.github/workflows/nightly-throughput-stress.yml 
@@ -68,38 +68,38 @@ jobs: echo "==========================================" - name: Checkout SDK - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: recursive fetch-depth: 0 - name: Checkout OMES - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: repository: ${{ env.OMES_REPO }} ref: ${{ env.OMES_REF }} path: omes - name: Setup Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version-file: omes/go.mod cache-dependency-path: omes/go.sum - name: Set up Java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: "23" distribution: "temurin" - name: Set up Gradle - uses: gradle/actions/setup-gradle@v4 + uses: gradle/actions/setup-gradle@ac396bf1a80af16236baf54bd7330ae21dc6ece5 # v6 - name: Build SDK run: ./gradlew build -x test -x virtualThreadTests -PtestJavaVersion=23 - name: Install Temporal CLI - uses: temporalio/setup-temporal@v0 + uses: temporalio/setup-temporal@1059a504f87e7fa2f385e3fa40d1aa7e62f1c6ca # v0 - name: Install Prometheus run: | @@ -154,7 +154,7 @@ jobs: - name: Configure AWS credentials if: always() - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@51635dbf418c2cdd8b3e1497529334d8db7e4063 # v6 with: role-to-assume: ${{ env.AWS_S3_METRICS_UPLOAD_ROLE_ARN }} aws-region: us-west-2 @@ -174,7 +174,7 @@ jobs: - name: Upload logs on failure if: failure() || cancelled() - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: throughput-stress-logs path: ${{ env.WORKER_LOG_DIR }} 
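Review bot: `Checkout OMES` pins the checkout action but still fetches `${{ env.OMES_REPO }}` at `${{ env.OMES_REF }}`. If that ref is a branch name, the code that `Setup Go` and the later steps build and run is as mutable as an unpinned action tag was. The `env:` block that defines `OMES_REF` is outside this hunk, so this is inferred; if it is a branch, set it to a full commit SHA, e.g. `OMES_REF: <omes-commit-sha>` (placeholder). This matters more here because the same job later assumes an AWS role through `configure-aws-credentials` (hunk at -154).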
@@ -182,7 +182,7 @@ jobs: - name: Notify Slack on failure if: failure() || cancelled() - uses: slackapi/slack-github-action@v2 + uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3 with: webhook-type: incoming-webhook payload: | diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml index 68ad4cf15..291ed59d8 100644 --- a/.github/workflows/prepare-release.yml +++ b/.github/workflows/prepare-release.yml @@ -54,7 +54,7 @@ jobs: - name: Checkout repo if: steps.check_release.outputs.already_exists == 'false' - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.INPUT_REF }} @@ -78,7 +78,7 @@ jobs: needs: create_draft_release steps: - name: Checkout repo - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.INPUT_REF }} @@ -92,13 +92,13 @@ jobs: run: git tag "$INPUT_TAG" - name: Set up Java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: "23" distribution: "temurin" - name: Set up Gradle - uses: gradle/actions/setup-gradle@v5 + uses: gradle/actions/setup-gradle@ac396bf1a80af16236baf54bd7330ae21dc6ece5 # v6 - name: Set up signing key run: mkdir -p "$HOME/.gnupg" && echo -n "$KEY" | base64 -d > "$HOME/.gnupg/secring.gpg" @@ -148,7 +148,7 @@ jobs: # when no artifact is specified, all artifacts are downloaded and expanded into CWD - name: Fetch executables - uses: actions/download-artifact@v6 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 # example: linux_amd64/ -> temporal-test-server_1.2.3_linux_amd64 # the name of the directory created becomes the basename of the archive (*.tar.gz or *.zip) and 
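Review bot: `Fetch executables` (hunk at -148) jumps two major versions, `download-artifact` v6 to v8, while relying on the default behaviour described in the comment above it: with no artifact named, all artifacts are downloaded and expanded into the CWD. The comments that follow say the archive basenames come from the directories this step creates, and the producing side in build-native-image.yml moves to `upload-artifact` v7 in the same patch. A change in the default layout could therefore yield wrongly named release archives instead of a visible failure. I would confirm the layout with a dry run of this workflow and add a comment on the step such as `# relies on one directory per artifact; re-check on major bumps of download-artifact`.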
@@ -165,7 +165,7 @@ jobs: run: for dir in *windows*; do zip -r "${dir}.zip" "$dir"; done - name: Upload release archives - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: release-archives path: | diff --git a/.github/workflows/publish-snapshot.yml b/.github/workflows/publish-snapshot.yml index d2e2d5c8c..91d5b07a6 100644 --- a/.github/workflows/publish-snapshot.yml +++ b/.github/workflows/publish-snapshot.yml @@ -31,18 +31,18 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repo - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 - name: Set up Java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: '23' distribution: 'temurin' - name: Set up Gradle - uses: gradle/actions/setup-gradle@v5 + uses: gradle/actions/setup-gradle@ac396bf1a80af16236baf54bd7330ae21dc6ece5 # v6 # Prefer env variables here rather than inline ${{ secrets.FOO }} to # decrease the likelihood that secrets end up printed to stdout.