From 4fc768b7f7194a05b13ad3e7bc5bfde84ed9ede7 Mon Sep 17 00:00:00 2001 From: bashonly <88596187+bashonly@users.noreply.github.com> Date: Tue, 17 Mar 2026 13:04:32 -0500 Subject: [PATCH] [ci] Bump actions pins (#16252) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Bump actions/cache v5.0.2 → v5.0.3 * Bump actions/download-artifact v7.0.0 → v8.0.1 * Bump actions/setup-node v6.2.0 → v6.3.0 * Bump actions/upload-artifact v6.0.0 → v7.0.0 * Bump docker/setup-qemu-action v3.7.0 → v4.0.0 * Bump github/codeql-action v4.31.9 → v4.33.0 * Bump oven-sh/setup-bun v2.1.2 → v2.2.0 * Bump zizmorcore/zizmor-action v0.4.1 → v0.5.2 * Bump actionlint v1.7.9 → v1.7.11 * Bump zizmor v1.22.0 → v1.23.1 * Adapt zizmor configuration to new version Authored by: bashonly --- .github/workflows/build.yml | 14 +++++++------- .github/workflows/challenge-tests.yml | 4 ++-- .github/workflows/codeql.yml | 4 ++-- .github/workflows/release-master.yml | 2 +- .github/workflows/release-nightly.yml | 4 ++-- .github/workflows/release.yml | 4 ++-- .github/workflows/test-workflows.yml | 8 ++++---- .github/zizmor.yml | 4 ++++ 8 files changed, 24 insertions(+), 20 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4ddfb0b158..36deb3beb5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -231,7 +231,7 @@ jobs: [[ "${version}" != "${downgraded_version}" ]] - name: Upload artifacts - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: build-bin-${{ github.job }} path: | 
@@ -267,7 +267,7 @@ jobs: - name: Set up QEMU if: matrix.qemu_platform - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 with: image: tonistiigi/binfmt:qemu-v10.0.4-56@sha256:30cc9a4d03765acac9be2ed0afc23af1ad018aed2c28ea4be8c2eb9afe03fbd1 cache-image: false @@ -294,7 +294,7 @@ jobs: docker compose up --build --exit-code-from "${SERVICE}" "${SERVICE}" - name: Upload artifacts - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: build-bin-${{ matrix.os }}_${{ matrix.arch }} path: | @@ -384,7 +384,7 @@ jobs: [[ "$version" != "$downgraded_version" ]] - name: Upload artifacts - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: build-bin-${{ github.job }} path: | @@ -501,7 +501,7 @@ jobs: } - name: Upload artifacts - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: build-bin-${{ github.job }}-${{ matrix.arch }} path: | @@ -521,7 +521,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Download artifacts - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: artifact pattern: build-bin-* @@ -590,7 +590,7 @@ jobs: done - name: Upload artifacts - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: build-${{ github.job }} path: | diff --git a/.github/workflows/challenge-tests.yml b/.github/workflows/challenge-tests.yml index 107229c85f..4291b516b8 100644 
--- a/.github/workflows/challenge-tests.yml +++ b/.github/workflows/challenge-tests.yml @@ -50,13 +50,13 @@ jobs: with: deno-version: '2.0.0' # minimum supported version - name: Install Bun - uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # v2.1.2 + uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 with: # minimum supported version is 1.0.31 but earliest available Windows version is 1.1.0 bun-version: ${{ (matrix.os == 'windows-latest' && '1.1.0') || '1.0.31' }} no-cache: true - name: Install Node - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: '20.0' # minimum supported version - name: Install QuickJS (Linux) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index dbd643f69c..44b1623a15 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -36,12 +36,12 @@ jobs: persist-credentials: false - name: Initialize CodeQL - uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 + uses: github/codeql-action/init@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 with: languages: ${{ matrix.language }} build-mode: none - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 + uses: github/codeql-action/analyze@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/release-master.yml b/.github/workflows/release-master.yml index da8e75d696..219cb9d17f 100644 --- a/.github/workflows/release-master.yml +++ b/.github/workflows/release-master.yml 
@@ -42,7 +42,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Download artifacts - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: dist name: build-pypi diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml index bc48e75b68..126c0a901c 100644 --- a/.github/workflows/release-nightly.yml +++ b/.github/workflows/release-nightly.yml @@ -27,7 +27,7 @@ jobs: run: echo "head=$(git rev-parse HEAD)" | tee -a "${GITHUB_OUTPUT}" - name: Cache nightly commit hash - uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 env: SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1 with: @@ -94,7 +94,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Download artifacts - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: dist name: build-pypi diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 992e80a0fb..c35a8546ea 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -214,7 +214,7 @@ jobs: - name: Upload artifacts if: github.event.workflow != '.github/workflows/release.yml' # Reusable workflow_call - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: build-pypi path: | @@ -243,7 +243,7 @@ jobs: with: fetch-depth: 0 persist-credentials: false - - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: artifact pattern: build-* 
diff --git a/.github/workflows/test-workflows.yml b/.github/workflows/test-workflows.yml index 21aa7744e4..cddacd0bbd 100644 --- a/.github/workflows/test-workflows.yml +++ b/.github/workflows/test-workflows.yml @@ -26,8 +26,8 @@ concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' }} env: - ACTIONLINT_VERSION: "1.7.9" - ACTIONLINT_SHA256SUM: 233b280d05e100837f4af1433c7b40a5dcb306e3aa68fb4f17f8a7f45a7df7b4 + ACTIONLINT_VERSION: "1.7.11" + ACTIONLINT_SHA256SUM: 900919a84f2229bac68ca9cd4103ea297abc35e9689ebb842c6e34a3d1b01b0a ACTIONLINT_REPO: https://github.com/rhysd/actionlint jobs: @@ -76,8 +76,8 @@ jobs: with: persist-credentials: false - name: Run zizmor - uses: zizmorcore/zizmor-action@135698455da5c3b3e55f73f4419e481ab68cdd95 # v0.4.1 + uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 with: advanced-security: false persona: pedantic - version: v1.22.0 + version: v1.23.1 diff --git a/.github/zizmor.yml b/.github/zizmor.yml index 01645c87e8..7b76933c56 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -9,6 +9,10 @@ rules: obfuscation: ignore: - release.yml # Not actual obfuscation + secrets-outside-env: + ignore: + - build.yml + - release.yml unpinned-uses: config: policies:
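Review bot: The `secrets-outside-env` ignore added under `rules:` in .github/zizmor.yml turns that audit off for all of build.yml and release.yml and gives no reason, while the `obfuscation` entry just above it carries one (`# Not actual obfuscation`). These are the workflows that build and publish release artifacts, so a file-wide ignore also hides any secret reference added to them later, not only the findings the new zizmor version presumably reported today. I would record the justification beside each entry, e.g. `- release.yml  # <reason the existing secret use is accepted>`. If the current findings are few, the entries could instead be scoped with zizmor's `file.yml:LINE` form rather than ignoring whole files. The `rules:` mapping starts and continues outside this hunk, so any other handling of these two files is not visible here.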