diff --git a/.github/workflows/lbox-develop.yml b/.github/workflows/lbox-develop.yml
index cfad49232..68596abcc 100644
--- a/.github/workflows/lbox-develop.yml
+++ b/.github/workflows/lbox-develop.yml
@@ -21,10 +21,10 @@ jobs:
 test-matrix: ${{ steps.matrix.outputs.test-matrix }}
 package-matrix: ${{ steps.matrix.outputs.publish-matrix }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: ${{ github.head_ref }}
- - uses: dorny/paths-filter@v3
+ - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
 id: filter
 with:
 list-files: 'json'
@@ -47,7 +47,7 @@ jobs:
 group: lbox-staging-${{ matrix.python-version }}-${{ matrix.package }}
 cancel-in-progress: false
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: ${{ github.head_ref }}
 - uses: ./.github/actions/python-package-shared-setup
@@ -83,7 +83,7 @@ jobs:
 # IMPORTANT: this permission is mandatory for trusted publishing
 id-token: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: ${{ github.head_ref }}
 - uses: ./.github/actions/python-package-shared-setup
@@ -100,7 +100,7 @@ jobs:
 rye run toml set --toml-path pyproject.toml project.name ${{ matrix.package }}
 rye build
 - name: Publish package distributions to Test PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
 with:
 packages-dir: dist/
 repository-url: https://test.pypi.org/legacy/
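Review bot: The trailing `# v4` on the pinned `actions/checkout` line names a moving major tag, so a reader cannot tell from the file which release the SHA corresponds to, and nothing in the diff shows that it was resolved from the upstream repository's tag. Recording the exact release makes the pin auditable, e.g. `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # vX.Y.Z` (placeholder for the tag the SHA was resolved from). The same applies to the `# v2`, `# v3`, `# v4` and `# v5` comments on every other pin in this commit. SHA pins also stop receiving upstream fixes unless something bumps them; the diff does not show whether Dependabot or Renovate is configured for the `github-actions` ecosystem.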
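Review bot: `${{ matrix.package }}` is substituted into the script text of the context line `rye run toml set --toml-path pyproject.toml project.name ${{ matrix.package }}` before the shell runs, in what appears to be the job that holds `id-token: write` and publishes to Test PyPI. The matrix value seems to come from the path filter's output (inferred; the matrix step is outside this hunk), so it is safer to hand it to the shell as data: add `env: PACKAGE: ${{ matrix.package }}` to the step and write `project.name "$PACKAGE"`. The same interpolation appears in the `echo "ghcr.io/labelbox/${{ matrix.package }}:..."` step later in this file and in the `hashes_${{ matrix.package }}` lines of lbox-publish.yml. The `run:` step starts outside the hunk.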
@@ -117,20 +117,20 @@ jobs:
 # IMPORTANT: this permission is mandatory for trusted publishing
 packages: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: ${{ github.head_ref }}
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 - name: Log in to the Container registry
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Build and push (Develop)
 if: github.event_name == 'push'
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
 with:
 context: .
 file: ./libs/${{ matrix.package }}/Dockerfile
@@ -149,7 +149,7 @@ jobs:
 echo "ghcr.io/labelbox/${{ matrix.package }}:${{ github.sha }}" >> "$GITHUB_STEP_SUMMARY"
 - name: Build and push (Pull Request)
 if: github.event_name == 'pull_request'
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
 with:
 context: .
 file: ./libs/${{ matrix.package }}/Dockerfile
diff --git a/.github/workflows/lbox-publish.yml b/.github/workflows/lbox-publish.yml
index dcca8e561..271e0799b 100644
--- a/.github/workflows/lbox-publish.yml
+++ b/.github/workflows/lbox-publish.yml
@@ -27,10 +27,10 @@ jobs:
 test-matrix: ${{ steps.matrix.outputs.test-matrix }}
 package-matrix: ${{ steps.matrix.outputs.publish-matrix }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: ${{ inputs.tag }}
- - uses: dorny/paths-filter@v3
+ - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
 id: filter
 with:
 base: ${{ inputs.prev_sdk_tag }}
@@ -52,11 +52,11 @@ jobs:
 matrix:
 include: ${{ fromJSON(needs.path-filter.outputs.package-matrix) }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: ${{ inputs.tag }}
 - name: Install the latest version of rye
- uses: eifinger/setup-rye@v2
+ uses: eifinger/setup-rye@787604a465b1696ad17eedf2f8101df9fc555c94 # v2
 with:
 version: ${{ vars.RYE_VERSION }}
 enable-cache: true
@@ -73,7 +73,7 @@ jobs:
 run: |
 cd dist && echo "hashes_${{ matrix.package }}=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
 echo "hashes_${{ matrix.package }}=$(sha256sum * | base64 -w0)"
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: build-${{ matrix.package }}
 path: ./dist
@@ -83,7 +83,7 @@ jobs:
 actions: read
 contents: write
 id-token: write # Needed to access the workflow's OIDC identity.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0
 with:
 base64-subjects: "${{ needs.build.outputs.hashes }}"
 upload-assets: true
@@ -102,7 +102,7 @@ jobs:
 group: lbox-staging-${{ matrix.python-version }}-${{ matrix.package }}
 cancel-in-progress: false
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: ${{ inputs.tag }}
 - uses: ./.github/actions/python-package-shared-setup
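Review bot: Pinning `generator_generic_slsa3.yml` to a commit SHA is likely to break provenance generation, because the slsa-github-generator documentation requires its reusable workflows to be referenced by a full release tag of the form `@vX.Y.Z`; the builder's identity is checked against that tag ref. This line should stay `uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0`, with a comment saying it is a deliberate exception to SHA pinning. The same applies to the generic generator in publish.yml and to the `generator_container_slsa3.yml` pin there. If a linter enforces SHA pins, allow-list these three lines rather than pinning them, and confirm with a release dry run before merging.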
@@ -137,12 +137,12 @@ jobs:
 # IMPORTANT: this permission is mandatory for trusted publishing
 id-token: write
 steps:
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 name: build-${{ matrix.package }}
 path: ./artifact
 - name: Publish package distributions to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
 with:
 packages-dir: artifact/
 verbose: true
@@ -158,20 +158,20 @@ jobs:
 # IMPORTANT: this permission is mandatory for trusted publishing
 packages: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 # ref: ${{ inputs.tag }}
 ref: ${{ inputs.tag }}
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 - name: Log in to the Container registry
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Build and push
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
 id: build_container
 with:
 context: .
diff --git a/.github/workflows/notebooks.yml b/.github/workflows/notebooks.yml
index 382176478..9b2b3e973 100644
--- a/.github/workflows/notebooks.yml
+++ b/.github/workflows/notebooks.yml
@@ -20,7 +20,7 @@ jobs:
 if: github.event.pull_request.merged == false
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: ${{ github.head_ref }}
 fetch-depth: 0
@@ -38,7 +38,7 @@ jobs:
 git add examples/.
 git commit -m ":art: Cleaned" || exit 0
 - name: Push changes
- uses: ad-m/github-push-action@master
+ uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # master
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 branch: ${{ github.head_ref }}
@@ -50,7 +50,7 @@ jobs:
 outputs:
 addedOrModified: ${{ steps.filter.outputs.addedOrModified }}
 steps:
- - uses: dorny/paths-filter@v3
+ - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
 id: filter
 with:
 filters: |
@@ -62,7 +62,7 @@ jobs:
 if: ${{ needs.changes.outputs.addedOrModified == 'true' }} && github.event.pull_request.merged == false
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: ${{ github.head_ref }}
 fetch-depth: 0
@@ -80,7 +80,7 @@ jobs:
 git add examples/.
 git commit -m ":memo: README updated" || exit 0
 - name: Push changes
- uses: ad-m/github-push-action@master
+ uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # master
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 branch: ${{ github.head_ref }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 11845e6d2..8b6cb6ccb 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -43,11 +43,11 @@ jobs:
 outputs:
 hashes: ${{ steps.hash.outputs.hashes }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: ${{ inputs.tag }}
 - name: Install the latest version of rye
- uses: eifinger/setup-rye@v2
+ uses: eifinger/setup-rye@787604a465b1696ad17eedf2f8101df9fc555c94 # v2
 with:
 version: ${{ vars.RYE_VERSION }}
 enable-cache: true
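Review bot: The `# master` pin on `ad-m/github-push-action` freezes a commit taken from a branch rather than a release, so there is no tagged version to audit the SHA against and update tooling may have nothing to compare it with. Since this step is handed `secrets.GITHUB_TOKEN` and pushes to the PR branch, prefer the SHA of a tagged release with the tag recorded, e.g. `uses: ad-m/github-push-action@<sha-of-release> # vX.Y.Z` (placeholders). The same applies to the second `Push changes` step in this file, to the `# main` pin of `trufflesecurity/trufflehog` in secrets_scan.yml, and to the `# release/v1` pins of `pypa/gh-action-pypi-publish`. For the scanner, a frozen commit presumably also freezes its detector set, so it needs a scheduled bump.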
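Review bot: The job condition on the context line `if: ${{ needs.changes.outputs.addedOrModified == 'true' }} && github.event.pull_request.merged == false` mixes an expression with literal text, so the value is likely evaluated as a non-empty string and the job runs regardless of either check. This job checks out `github.head_ref` and, judging by the later `Push changes` hunk, pushes with `GITHUB_TOKEN`, so the guard matters. Write it as a single expression: `if: ${{ needs.changes.outputs.addedOrModified == 'true' && github.event.pull_request.merged == false }}`. The job header starts outside the hunk.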
@@ -63,7 +63,7 @@ jobs:
 id: hash
 run: |
 cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: build
 path: ./dist
@@ -73,7 +73,7 @@ jobs:
 actions: read
 contents: write
 id-token: write # Needed to access the workflow's OIDC identity.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0
 with:
 base64-subjects: "${{ needs.build.outputs.hashes }}"
 upload-assets: true
@@ -102,11 +102,11 @@ jobs:
 prod-key: PROD_LABELBOX_API_KEY_2
 da-test-key: DA_GCP_LABELBOX_API_KEY
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: ${{ inputs.tag }}
 - name: Install the latest version of rye
- uses: eifinger/setup-rye@v2
+ uses: eifinger/setup-rye@787604a465b1696ad17eedf2f8101df9fc555c94 # v2
 with:
 version: ${{ vars.RYE_VERSION }}
 enable-cache: true
@@ -115,7 +115,7 @@ jobs:
 rye config --set-bool behavior.use-uv=true
 - name: Python setup
 run: rye pin ${{ matrix.python-version }}
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 name: build
 path: ./dist
@@ -151,10 +151,10 @@ jobs:
 permissions:
 contents: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: ${{ inputs.tag }}
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 name: build
 path: ./artifact
@@ -176,12 +176,12 @@ jobs: # IMPORTANT: this permission is mandatory for trusted publishing id-token: write steps: - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: build path: ./artifact - name: Publish package distributions to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1 with: packages-dir: artifact/ container-publish: @@ -198,7 +198,7 @@ jobs: env: CONTAINER_IMAGE: "ghcr.io/${{ github.repository }}" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ inputs.tag }} @@ -207,17 +207,17 @@ jobs: echo "CONTAINER_IMAGE=${CONTAINER_IMAGE,,}" >> ${GITHUB_ENV} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Log in to the Container registry - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 id: build_container with: context: . @@ -246,7 +246,7 @@ jobs: actions: read # for detecting the Github Actions environment. id-token: write # for creating OIDC tokens for signing. packages: write # for uploading attestations. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0 with: image: ${{ needs. container-publish.outputs.image }} digest: ${{ needs. container-publish.outputs.digest }} 
diff --git a/.github/workflows/python-package-develop.yml b/.github/workflows/python-package-develop.yml index a9718f300..d371f693a 100644 --- a/.github/workflows/python-package-develop.yml +++ b/.github/workflows/python-package-develop.yml @@ -19,10 +19,10 @@ jobs: outputs: labelbox: ${{ steps.filter.outputs.labelbox }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ github.head_ref }} - - uses: dorny/paths-filter@v3 + - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 id: filter with: filters: | @@ -93,7 +93,7 @@ jobs: # IMPORTANT: this permission is mandatory for trusted publishing id-token: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ github.head_ref }} - uses: ./.github/actions/python-package-shared-setup @@ -110,7 +110,7 @@ jobs: rye run toml set --toml-path pyproject.toml project.name labelbox-test rye build - name: Publish package distributions to Test PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1 with: packages-dir: dist/ repository-url: https://test.pypi.org/legacy/ @@ -124,7 +124,7 @@ jobs: env: CONTAINER_IMAGE: "ghcr.io/${{ github.repository }}" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ github.head_ref }} @@ -133,10 +133,10 @@ jobs: echo "CONTAINER_IMAGE=${CONTAINER_IMAGE,,}" >> ${GITHUB_ENV} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Log in to the Container registry - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ghcr.io username: ${{ github.actor }} 
@@ -144,7 +144,7 @@ jobs: - name: Build and push (Develop) if: github.event_name == 'push' - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 with: context: . file: ./libs/labelbox/Dockerfile @@ -161,7 +161,7 @@ jobs: - name: Build and push (Pull Request) if: github.event_name == 'pull_request' - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 with: context: . file: ./libs/labelbox/Dockerfile diff --git a/.github/workflows/python-package-shared.yml b/.github/workflows/python-package-shared.yml index 4311020d8..cf13782db 100644 --- a/.github/workflows/python-package-shared.yml +++ b/.github/workflows/python-package-shared.yml @@ -26,7 +26,7 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ github.head_ref }} - uses: ./.github/actions/python-package-shared-setup @@ -42,7 +42,7 @@ jobs: group: labelbox-python-${{ inputs.test-env }}-${{ inputs.python-version }}-integration cancel-in-progress: false steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ inputs.sdk-version || github.head_ref }} - uses: ./.github/actions/python-package-shared-setup @@ -62,7 +62,7 @@ jobs: group: labelbox-python-${{ inputs.test-env }}-${{ inputs.python-version }}-unit-data cancel-in-progress: false steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ inputs.sdk-version || github.head_ref }} - uses: ./.github/actions/python-package-shared-setup diff --git a/.github/workflows/secrets_scan.yml b/.github/workflows/secrets_scan.yml index dbe4cc1b9..c123b0978 100644 --- a/.github/workflows/secrets_scan.yml +++ b/.github/workflows/secrets_scan.yml 
@@ -8,10 +8,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 0
 - name: Secret Scanning
- uses: trufflesecurity/trufflehog@main
+ uses: trufflesecurity/trufflehog@6c64db94d5b2e09d7e0948fb6bd3166cc6fffbc7 # main
 with:
 extra_args: --only-verified