From 3609ca35c16a803a8bb4bb5a4d32b10a0f73ed17 Mon Sep 17 00:00:00 2001 From: Elliott Sales de Andrade Date: Fri, 6 Dec 2024 17:42:32 -0500 Subject: [PATCH 1/4] Drop credential persistence from GitHub workflows We only have a public repo, and should have locked down permissions on the token, but it's best practice not to leak these out into other steps of the job. --- .github/workflows/cibuildwheel.yml | 1 + .github/workflows/circleci.yml | 2 ++ .github/workflows/clean_pr.yml | 1 + .github/workflows/codeql-analysis.yml | 2 ++ .github/workflows/cygwin.yml | 1 + .github/workflows/mypy-stubtest.yml | 2 ++ .github/workflows/reviewdog.yml | 6 ++++++ .github/workflows/tests.yml | 1 + 8 files changed, 16 insertions(+) diff --git a/.github/workflows/cibuildwheel.yml b/.github/workflows/cibuildwheel.yml index 136322878462..98f1a0919176 100644 --- a/.github/workflows/cibuildwheel.yml +++ b/.github/workflows/cibuildwheel.yml @@ -42,6 +42,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - uses: actions/setup-python@v5 name: Install Python diff --git a/.github/workflows/circleci.yml b/.github/workflows/circleci.yml index a64b312e8246..2f08ca3fbfb0 100644 --- a/.github/workflows/circleci.yml +++ b/.github/workflows/circleci.yml @@ -29,6 +29,8 @@ jobs: name: Post warnings/errors as review steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Fetch result artifacts id: fetch-artifacts diff --git a/.github/workflows/clean_pr.yml b/.github/workflows/clean_pr.yml index 77e49f7c1d9e..4bf86927df57 100644 --- a/.github/workflows/clean_pr.yml +++ b/.github/workflows/clean_pr.yml @@ -13,6 +13,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: '0' + persist-credentials: false - name: Check for added-and-deleted files run: | git fetch --quiet origin "$GITHUB_BASE_REF" diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 203b0eee9ca4..3f09eb3550fa 100644 
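Review bot: With `persist-credentials: false` on the checkout in the clean_pr.yml hunk, the `git fetch --quiet origin "$GITHUB_BASE_REF"` that follows no longer carries the job token and succeeds only because anonymous read access to this public repository is possible; the step would start failing if the repository were ever made private. A comment on the step makes that dependency visible: `# Token is not persisted; this fetch relies on anonymous read access (public repo).` The `run:` block continues past the end of the hunk, so any later command in it that needs authenticated git access is affected the same way. Separately, this file spells the depth as `fetch-depth: '0'` while cibuildwheel.yml, cygwin.yml and tests.yml in the same commit use the bare `0`; the action appears to receive the same value either way, but the files would diff more cleanly if they agreed.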
--- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -27,6 +27,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Initialize CodeQL uses: github/codeql-action/init@v3 diff --git a/.github/workflows/cygwin.yml b/.github/workflows/cygwin.yml index 5dee68597d5c..41ce97a2d29d 100644 --- a/.github/workflows/cygwin.yml +++ b/.github/workflows/cygwin.yml @@ -82,6 +82,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - uses: cygwin/cygwin-install-action@v4 with: diff --git a/.github/workflows/mypy-stubtest.yml b/.github/workflows/mypy-stubtest.yml index 5b29a93b7533..6e67bc521620 100644 --- a/.github/workflows/mypy-stubtest.yml +++ b/.github/workflows/mypy-stubtest.yml @@ -12,6 +12,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python 3 uses: actions/setup-python@v5 diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml index 12b59d866e42..039dabc581c4 100644 --- a/.github/workflows/reviewdog.yml +++ b/.github/workflows/reviewdog.yml @@ -13,6 +13,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python 3 uses: actions/setup-python@v5 @@ -38,6 +40,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python 3 uses: actions/setup-python@v5 @@ -65,6 +69,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: eslint uses: reviewdog/action-eslint@v1 diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 9692e0e9a7c7..efd5e58a8359 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
@@ -114,6 +114,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v5 From 5b9f4bcd8aa8cd9144e05010ffa104779d0cc068 Mon Sep 17 00:00:00 2001 From: Elliott Sales de Andrade Date: Fri, 6 Dec 2024 21:58:09 -0500 Subject: [PATCH 2/4] Reduce permissions in workflows Moved the permissions to the jobs that need them, though this is probably not a big change for the reviewdog workflow. Also drop the `pull-request` permission from the reviewdog workflow, as it's not in the mypy-stubtest one, and still seems to work. --- .github/workflows/conflictcheck.yml | 5 ++--- .github/workflows/mypy-stubtest.yml | 3 ++- .github/workflows/pr_welcome.yml | 6 ++---- .github/workflows/reviewdog.yml | 8 ++++++-- 4 files changed, 12 insertions(+), 10 deletions(-) diff --git a/.github/workflows/conflictcheck.yml b/.github/workflows/conflictcheck.yml index 3110839e5150..b018101f325c 100644 --- a/.github/workflows/conflictcheck.yml +++ b/.github/workflows/conflictcheck.yml @@ -9,12 +9,11 @@ on: pull_request_target: types: [synchronize] -permissions: - pull-requests: write - jobs: main: runs-on: ubuntu-latest + permissions: + pull-requests: write steps: - name: Check if PRs have merge conflicts uses: eps1lon/actions-label-merge-conflict@1b1b1fcde06a9b3d089f3464c96417961dde1168 # v3.0.2 diff --git a/.github/workflows/mypy-stubtest.yml b/.github/workflows/mypy-stubtest.yml index 6e67bc521620..b79cd56c0626 100644 --- a/.github/workflows/mypy-stubtest.yml +++ b/.github/workflows/mypy-stubtest.yml @@ -4,12 +4,13 @@ on: [pull_request] permissions: contents: read - checks: write jobs: mypy-stubtest: name: mypy-stubtest runs-on: ubuntu-latest + permissions: + checks: write steps: - uses: actions/checkout@v4 with: diff --git a/.github/workflows/pr_welcome.yml b/.github/workflows/pr_welcome.yml index 533f676a0fab..0e77a94a5080 100644 --- a/.github/workflows/pr_welcome.yml 
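Review bot: In the conflictcheck.yml hunk the workflow-level `permissions:` block is deleted rather than narrowed, so any job later added to this `pull_request_target` workflow without its own block would run with the repository's default token permissions instead of an explicit minimum; pr_welcome.yml in this commit is in the same position. Keeping an empty top-level block, `permissions: {}`, alongside the job-level `pull-requests: write` on `main` preserves the intent of the change while making the default for new jobs "nothing". mypy-stubtest.yml and reviewdog.yml keep `contents: read` at the top level, so the four files touched here now follow two different conventions.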
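Review bot: The job-level `permissions:` / `checks: write` added in the mypy-stubtest.yml hunk replaces the workflow-level block for that job rather than extending it, so — if I recall GitHub's rules correctly — `contents` becomes none for this job and the retained top-level `contents: read` now governs no job in the file; the three reviewdog.yml hunks in this commit have the same shape. Checkout keeps working because the repository is public and an anonymous read needs no token, which matches the "still seems to work" in the description, but that is an implicit dependency on repository visibility. Stating the read scope in the job block, `permissions:` / `  checks: write` / `  contents: read`, keeps the job self-describing and would survive a move to a private repository.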
+++ b/.github/workflows/pr_welcome.yml @@ -3,13 +3,11 @@ name: PR Greetings on: [pull_request_target] -permissions: - pull-requests: write - jobs: greeting: runs-on: ubuntu-latest - + permissions: + pull-requests: write steps: - uses: actions/first-interaction@v1 with: diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml index 039dabc581c4..cae69d7554d3 100644 --- a/.github/workflows/reviewdog.yml +++ b/.github/workflows/reviewdog.yml @@ -4,13 +4,13 @@ on: [pull_request] permissions: contents: read - checks: write - pull-requests: write jobs: flake8: name: flake8 runs-on: ubuntu-latest + permissions: + checks: write steps: - uses: actions/checkout@v4 with: @@ -38,6 +38,8 @@ jobs: mypy: name: mypy runs-on: ubuntu-latest + permissions: + checks: write steps: - uses: actions/checkout@v4 with: @@ -67,6 +69,8 @@ jobs: eslint: name: eslint runs-on: ubuntu-latest + permissions: + checks: write steps: - uses: actions/checkout@v4 with: From 811b09005760fb90ded3158ec9dda3cc43d39aaa Mon Sep 17 00:00:00 2001 From: Elliott Sales de Andrade Date: Sat, 7 Dec 2024 03:01:44 -0500 Subject: [PATCH 3/4] Avoid potentialy user-controlled template expansion in workflows I don't believe `do_no_merge.yml` is unsafe, but there's no need to echo the environment variable (it'll either pass or fail based on the value anyway.) I also don't think the `circleci.yml` context variable is vulnerable, but zizmor warns about it, and it's easy to avoid if turns out to be vulnerable. --- .github/workflows/circleci.yml | 4 +++- .github/workflows/do_not_merge.yml | 1 - 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/circleci.yml b/.github/workflows/circleci.yml index 2f08ca3fbfb0..0a65ffc26fe6 100644 --- a/.github/workflows/circleci.yml +++ b/.github/workflows/circleci.yml 
@@ -34,8 +34,10 @@ jobs: - name: Fetch result artifacts id: fetch-artifacts + env: + target_url: "${{ github.event.target_url }}" run: | - python .circleci/fetch_doc_logs.py "${{ github.event.target_url }}" + python .circleci/fetch_doc_logs.py "${target_url}" - name: Set up reviewdog if: "${{ steps.fetch-artifacts.outputs.count != 0 }}" diff --git a/.github/workflows/do_not_merge.yml b/.github/workflows/do_not_merge.yml index dde5bfb5ec81..d8664df9ba9a 100644 --- a/.github/workflows/do_not_merge.yml +++ b/.github/workflows/do_not_merge.yml @@ -23,7 +23,6 @@ jobs: echo "This PR cannot be merged because it has one of the following labels: " echo "* status: needs comment/discussion" echo "* status: waiting for other PR" - echo "${{env.has_tag}}" exit 1 - name: Allow merging if: ${{'false' == env.has_tag}} From 06eb6b76828ad4fc4a404cc947f76c8f98536fa7 Mon Sep 17 00:00:00 2001 From: Elliott Sales de Andrade Date: Sat, 7 Dec 2024 03:47:10 -0500 Subject: [PATCH 4/4] Pin all actions to SHA commits --- .github/workflows/cibuildwheel.yml | 14 +++++++------- .github/workflows/circleci.yml | 4 ++-- .github/workflows/clean_pr.yml | 2 +- .github/workflows/codeql-analysis.yml | 6 +++--- .github/workflows/cygwin.yml | 10 +++++----- .github/workflows/good-first-issue.yml | 2 +- .github/workflows/labeler.yml | 2 +- .github/workflows/mypy-stubtest.yml | 6 +++--- .github/workflows/pr_welcome.yml | 2 +- .github/workflows/reviewdog.yml | 16 ++++++++-------- .github/workflows/stale-tidy.yml | 2 +- .github/workflows/stale.yml | 2 +- .github/workflows/tests.yml | 18 +++++++++--------- 13 files changed, 43 insertions(+), 43 deletions(-) diff --git a/.github/workflows/cibuildwheel.yml b/.github/workflows/cibuildwheel.yml index 98f1a0919176..b8cd05367b6a 100644 --- a/.github/workflows/cibuildwheel.yml +++ b/.github/workflows/cibuildwheel.yml 
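Review bot: Moving `github.event.target_url` into the `target_url` environment variable closes the template-expansion path in the `run:` line of the circleci.yml hunk, but the value still reaches `.circleci/fetch_doc_logs.py` unchanged, and the hunk cannot show whether that script restricts the URL to the expected CircleCI host before fetching from it. If it does not, that check belongs in the script; a comment on the step would record the assumption: `# target_url comes from the status event; fetch_doc_logs.py is expected to validate the host`. The quoted `"${{ github.event.target_url }}"` in the env block is the right shape — an empty event field then yields an empty string rather than a YAML null.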
@@ -39,12 +39,12 @@ jobs: SDIST_NAME: ${{ steps.sdist.outputs.SDIST_NAME }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 persist-credentials: false - - uses: actions/setup-python@v5 + - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 name: Install Python with: python-version: '3.10' @@ -70,7 +70,7 @@ jobs: run: twine check dist/* - name: Upload sdist result - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: cibw-sdist path: dist/*.tar.gz @@ -133,12 +133,12 @@ jobs: steps: - name: Set up QEMU if: matrix.cibw_archs == 'aarch64' - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 with: platforms: arm64 - name: Download sdist - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: cibw-sdist path: dist/ @@ -202,7 +202,7 @@ jobs: unset PIP_CONSTRAINT if: matrix.cibw_archs != 'aarch64' && matrix.os != 'windows-latest' - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: cibw-wheels-${{ runner.os }}-${{ matrix.cibw_archs }} path: ./wheelhouse/*.whl @@ -220,7 +220,7 @@ jobs: contents: read steps: - name: Download packages - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: pattern: cibw-* path: dist diff --git a/.github/workflows/circleci.yml b/.github/workflows/circleci.yml index 0a65ffc26fe6..e0ed6adf4e65 100644 --- a/.github/workflows/circleci.yml +++ b/.github/workflows/circleci.yml 
@@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-latest name: Post warnings/errors as review steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false @@ -41,7 +41,7 @@ jobs: - name: Set up reviewdog if: "${{ steps.fetch-artifacts.outputs.count != 0 }}" - uses: reviewdog/action-setup@v1 + uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887 # v1.3.0 with: reviewdog_version: latest diff --git a/.github/workflows/clean_pr.yml b/.github/workflows/clean_pr.yml index 4bf86927df57..fc9021c920c0 100644 --- a/.github/workflows/clean_pr.yml +++ b/.github/workflows/clean_pr.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: '0' persist-credentials: false diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 3f09eb3550fa..4bf3e680f7b0 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -26,12 +26,12 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6 with: languages: ${{ matrix.language }} @@ -42,4 +42,4 @@ jobs: pip install --user -v . - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6 diff --git a/.github/workflows/cygwin.yml b/.github/workflows/cygwin.yml index 41ce97a2d29d..bde902013412 100644 --- a/.github/workflows/cygwin.yml +++ b/.github/workflows/cygwin.yml 
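Review bot: The `reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887` pin in the circleci.yml hunk is annotated `# v1.3.0`, while the identical SHA is annotated `# v1.3.9` in the mypy-stubtest.yml hunk and in two reviewdog.yml hunks of this same commit; one SHA cannot be both tags, so at least one of the comments is wrong. Pin-maintenance tooling such as Dependabot and Renovate reads that trailing comment to decide which release a pinned SHA represents, so a wrong annotation can leave the pin stuck or produce a misleading update. Resolve the SHA against the upstream tags once and use the same `# vX.Y.Z` annotation in all four places.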
@@ -79,12 +79,12 @@ jobs: - name: Fix line endings run: git config --global core.autocrlf input - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 persist-credentials: false - - uses: cygwin/cygwin-install-action@v4 + - uses: cygwin/cygwin-install-action@006ad0b0946ca6d0a3ea2d4437677fa767392401 # v4 with: packages: >- ccache gcc-g++ gdb git graphviz libcairo-devel libffi-devel @@ -140,21 +140,21 @@ jobs: # FreeType build fails with bash, succeeds with dash - name: Cache pip - uses: actions/cache@v4 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 with: path: C:\cygwin\home\runneradmin\.cache\pip key: Cygwin-py3.${{ matrix.python-minor-version }}-pip-${{ hashFiles('requirements/*/*.txt') }} restore-keys: ${{ matrix.os }}-py3.${{ matrix.python-minor-version }}-pip- - name: Cache ccache - uses: actions/cache@v4 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 with: path: C:\cygwin\home\runneradmin\.ccache key: Cygwin-py3.${{ matrix.python-minor-version }}-ccache-${{ hashFiles('src/*') }} restore-keys: Cygwin-py3.${{ matrix.python-minor-version }}-ccache- - name: Cache Matplotlib - uses: actions/cache@v4 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 with: path: | C:\cygwin\home\runneradmin\.cache\matplotlib diff --git a/.github/workflows/good-first-issue.yml b/.github/workflows/good-first-issue.yml index 8905511fc01d..cc15717e3351 100644 --- a/.github/workflows/good-first-issue.yml +++ b/.github/workflows/good-first-issue.yml @@ -12,7 +12,7 @@ jobs: issues: write steps: - name: Add comment - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: issue-number: ${{ github.event.issue.number }} body: | diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index dc7a0716bfe8..8e2002353164 100644 
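Review bot: The `cygwin/cygwin-install-action@006ad0b0946ca6d0a3ea2d4437677fa767392401` pin in the cygwin.yml hunk carries only `# v4`, whereas every other pin in this commit records an exact release (`# v4.2.2`, `# v5.3.0`, …). A major-only annotation documents neither which release the SHA was taken from nor whether a newer `v4.x` exists, and tooling that keys on the comment has less to work with. If the SHA corresponds to a specific release tag, record that tag; if upstream publishes only a moving `v4` tag, say so in the comment, `# v4 (upstream publishes only a major tag)`, so the inconsistency is deliberate rather than an oversight.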
--- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -10,6 +10,6 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: - - uses: actions/labeler@v5 + - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 with: sync-labels: true diff --git a/.github/workflows/mypy-stubtest.yml b/.github/workflows/mypy-stubtest.yml index b79cd56c0626..57acc3616ae6 100644 --- a/.github/workflows/mypy-stubtest.yml +++ b/.github/workflows/mypy-stubtest.yml @@ -12,17 +12,17 @@ jobs: permissions: checks: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: Set up Python 3 - uses: actions/setup-python@v5 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: '3.10' - name: Set up reviewdog - uses: reviewdog/action-setup@v1 + uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887 # v1.3.9 - name: Install tox run: python -m pip install tox diff --git a/.github/workflows/pr_welcome.yml b/.github/workflows/pr_welcome.yml index 0e77a94a5080..3bb172ca70e7 100644 --- a/.github/workflows/pr_welcome.yml +++ b/.github/workflows/pr_welcome.yml @@ -9,7 +9,7 @@ jobs: permissions: pull-requests: write steps: - - uses: actions/first-interaction@v1 + - uses: actions/first-interaction@34f15e814fe48ac9312ccf29db4e74fa767cbab7 # v1.3.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} pr-message: >+ diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml index cae69d7554d3..24980f7a075b 100644 --- a/.github/workflows/reviewdog.yml +++ b/.github/workflows/reviewdog.yml 
@@ -12,12 +12,12 @@ jobs: permissions: checks: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: Set up Python 3 - uses: actions/setup-python@v5 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: '3.10' @@ -25,7 +25,7 @@ jobs: run: pip3 install -r requirements/testing/flake8.txt - name: Set up reviewdog - uses: reviewdog/action-setup@v1 + uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887 # v1.3.9 - name: Run flake8 env: @@ -41,12 +41,12 @@ jobs: permissions: checks: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: Set up Python 3 - uses: actions/setup-python@v5 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: '3.10' @@ -54,7 +54,7 @@ jobs: run: pip3 install -r requirements/testing/mypy.txt -r requirements/testing/all.txt - name: Set up reviewdog - uses: reviewdog/action-setup@v1 + uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887 # v1.3.9 - name: Run mypy env: @@ -72,12 +72,12 @@ jobs: permissions: checks: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: eslint - uses: reviewdog/action-eslint@v1 + uses: reviewdog/action-eslint@9b5b0150e399e1f007ee3c27bc156549810a64e3 # v1.33.0 with: filter_mode: nofilter github_token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/stale-tidy.yml b/.github/workflows/stale-tidy.yml index 92a81ee856e4..ab16c9f1fa1c 100644 --- a/.github/workflows/stale-tidy.yml +++ b/.github/workflows/stale-tidy.yml 
@@ -9,7 +9,7 @@ jobs: if: github.repository == 'matplotlib/matplotlib' runs-on: ubuntu-latest steps: - - uses: actions/stale@v9 + - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} operations-per-run: 300 diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index c606d4288bd2..4dc964a0ea73 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -9,7 +9,7 @@ jobs: if: github.repository == 'matplotlib/matplotlib' runs-on: ubuntu-latest steps: - - uses: actions/stale@v9 + - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} operations-per-run: 20 diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index efd5e58a8359..47f6a09eb72d 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -111,13 +111,13 @@ jobs: pyside6-ver: '!=6.5.1' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 persist-credentials: false - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 if: matrix.python-version != '3.13t' with: python-version: ${{ matrix.python-version }} @@ -205,7 +205,7 @@ jobs: esac - name: Cache pip - uses: actions/cache@v4 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 if: startsWith(runner.os, 'Linux') with: path: ~/.cache/pip @@ -213,7 +213,7 @@ jobs: restore-keys: | ${{ matrix.os }}-py${{ matrix.python-version }}-pip- - name: Cache pip - uses: actions/cache@v4 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 if: startsWith(runner.os, 'macOS') with: path: ~/Library/Caches/pip 
@@ -221,7 +221,7 @@ jobs: restore-keys: | ${{ matrix.os }}-py${{ matrix.python-version }}-pip- - name: Cache ccache - uses: actions/cache@v4 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 with: path: | ~/.ccache @@ -229,7 +229,7 @@ jobs: restore-keys: | ${{ matrix.os }}-py${{ matrix.python-version }}-ccache- - name: Cache Matplotlib - uses: actions/cache@v4 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 with: path: | ~/.cache/matplotlib @@ -410,12 +410,12 @@ jobs: fi - name: Upload code coverage if: ${{ !cancelled() && github.event_name != 'schedule' }} - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@7f8b4b4bde536c465e797be725718b88c5d95e0e # v5.1.1 with: name: "${{ matrix.python-version }} ${{ matrix.os }} ${{ matrix.name-suffix }}" token: ${{ secrets.CODECOV_TOKEN }} - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 if: failure() with: name: "${{ matrix.python-version }} ${{ matrix.os }} ${{ matrix.name-suffix }} result images" @@ -432,7 +432,7 @@ jobs: steps: - name: Create issue on failure - uses: imjohnbo/issue-bot@v3 + uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd # v3.4.4 with: title: "[TST] Upcoming dependency test failures" body: |