diff --git a/.github/actions/python-environment/action.yml b/.github/actions/python-environment/action.yml index 2e0ba3559..7abfd448a 100644 --- a/.github/actions/python-environment/action.yml +++ b/.github/actions/python-environment/action.yml @@ -34,7 +34,7 @@ runs: - name: Set up Python (${{ inputs.python-version}}) - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ inputs.python-version }} @@ -69,7 +69,7 @@ runs: - name: Cache Poetry environment if: inputs.use-cache == 'true' id: cache-poetry-env - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ${{ steps.setup-cache-variables.outputs.POETRY_ENV_PATH }} key: poetry-env-${{ steps.setup-cache-variables.outputs.POETRY_SHA }}-${{ steps.setup-cache-variables.outputs.IMAGE_OS }}-${{ steps.setup-cache-variables.outputs.IMAGE_VERSION }}-${{ runner.arch }}-${{ inputs.poetry-version }}-${{ inputs.python-version }}-${{ inputs.extras }} diff --git a/.github/actions/security-issues/action.yml b/.github/actions/security-issues/action.yml index 58c969d4b..65047483b 100644 --- a/.github/actions/security-issues/action.yml +++ b/.github/actions/security-issues/action.yml @@ -32,7 +32,7 @@ runs: steps: - name: Setup Python (${{ inputs.python-version}}) - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: 3.11 diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 2fc896980..d3693f0dc 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -8,6 +8,8 @@ updates: interval: "weekly" day: "monday" open-pull-requests-limit: 4 + cooldown: + default-days: 7 # Maintain dependencies for poetry - package-ecosystem: "pip" 
@@ -15,4 +17,6 @@ updates: schedule: interval: "weekly" day: "monday" - open-pull-requests-limit: 4 \ No newline at end of file + open-pull-requests-limit: 4 + cooldown: + default-days: 7 diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml index 4b6befafa..01087bfba 100644 --- a/.github/workflows/build-and-publish.yml +++ b/.github/workflows/build-and-publish.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/.github/workflows/check-release-tag.yml b/.github/workflows/check-release-tag.yml index b22a73290..aa09cf3b1 100644 --- a/.github/workflows/check-release-tag.yml +++ b/.github/workflows/check-release-tag.yml @@ -15,7 +15,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 89a4bf141..74ecc5d21 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -14,7 +14,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -42,7 +42,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -69,7 +69,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false 
@@ -86,7 +86,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: lint-python${{ matrix.python-versions }} path: | @@ -107,7 +107,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -135,7 +135,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -152,7 +152,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: security-python${{ matrix.python-versions }} path: .security.json @@ -167,7 +167,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -190,7 +190,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -213,7 +213,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false 
@@ -227,3 +227,22 @@ jobs: - name: Check Workflows id: check-workflows run: poetry run -- nox -s workflow:check -- all + + lint-github-actions: + name: Lint GitHub Actions + runs-on: "ubuntu-24.04" + permissions: + contents: read # only needed for private or internal repos + actions: read # only needed for private or internal repos + steps: + - name: Check out Repository + id: check-out-repository + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false + + - name: Lint GitHub actions with Zizmor + id: lint-github-actions + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + with: + advanced-security: false diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1083e9f2e..5e3ebbd2d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,6 +13,7 @@ jobs: secrets: inherit permissions: contents: read + actions: read report: name: Report diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml index 157e32fb5..4c1ae042a 100644 --- a/.github/workflows/dependency-update.yml +++ b/.github/workflows/dependency-update.yml @@ -19,7 +19,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: true fetch-depth: 0 @@ -120,7 +120,7 @@ jobs: - name: Report New Pull Request to Slack Channel id: report-pr-slack if: ${{ steps.create-pr.outputs.pr_url }} - uses: ravsamhq/notify-slack-action@v2 + uses: ravsamhq/notify-slack-action@be814b201e233b2dc673608aa46e5447c8ab13f2 # 2.5.0 with: status: '${{ job.status }}' token: '${{ secrets.GITHUB_TOKEN }}' diff --git a/.github/workflows/fast-tests-extension.yml b/.github/workflows/fast-tests-extension.yml index b99aaeeb3..a786b6a00 100644 --- a/.github/workflows/fast-tests-extension.yml +++ b/.github/workflows/fast-tests-extension.yml 
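Review bot: The new `lint-github-actions` job does not state what gates the merge: with `advanced-security: false` nothing is uploaded to code scanning, so the job only blocks a pull request if the action exits non-zero on findings, which is left to the action's defaults at the pinned revision. Consider pinning that policy in the step itself (the action's `persona` / `min-severity` inputs, if this action version exposes them) so a later Dependabot bump cannot silently relax it. Separately, `contents: read` is also what the checkout step relies on once a job-level `permissions:` block zeroes every unlisted scope, so the `# only needed for private or internal repos` comment on that line reads as if it could be dropped on a public repository — worth verifying before someone does; the same job and comments are duplicated in the template checks.yml later in this diff.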
@@ -12,7 +12,9 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/.github/workflows/fast-tests.yml b/.github/workflows/fast-tests.yml index b692b8e38..06f20755f 100644 --- a/.github/workflows/fast-tests.yml +++ b/.github/workflows/fast-tests.yml @@ -19,7 +19,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false fetch-depth: 0 @@ -36,7 +36,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: coverage-python${{ matrix.python-versions }}-fast path: .coverage diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index dceb9c487..ea2f5b88f 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -15,7 +15,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 persist-credentials: false @@ -35,7 +35,7 @@ jobs: - name: Upload Artifact id: upload-artifact - uses: actions/upload-pages-artifact@v5.0.0 + uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0 with: path: html-documentation @@ -53,4 +53,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deploy-to-github-pages - uses: actions/deploy-pages@v5 + uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0 diff --git a/.github/workflows/matrix-all.yml b/.github/workflows/matrix-all.yml index cc8e849b0..a960a991f 100644 
--- a/.github/workflows/matrix-all.yml +++ b/.github/workflows/matrix-all.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/.github/workflows/matrix-exasol.yml b/.github/workflows/matrix-exasol.yml index bab0ffb02..d7dbad6ae 100644 --- a/.github/workflows/matrix-exasol.yml +++ b/.github/workflows/matrix-exasol.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/.github/workflows/matrix-python.yml b/.github/workflows/matrix-python.yml index c671c36f3..eb94dbc5c 100644 --- a/.github/workflows/matrix-python.yml +++ b/.github/workflows/matrix-python.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/.github/workflows/merge-gate.yml b/.github/workflows/merge-gate.yml index c7e00c394..c8532d8ac 100644 --- a/.github/workflows/merge-gate.yml +++ b/.github/workflows/merge-gate.yml @@ -11,6 +11,7 @@ jobs: uses: ./.github/workflows/checks.yml permissions: contents: read + actions: read run-fast-tests: name: Fast Tests diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml index 8e2bc1d91..a9254b989 100644 --- a/.github/workflows/report.yml +++ b/.github/workflows/report.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 persist-credentials: false 
@@ -31,7 +31,7 @@ jobs: - name: Download Artifacts id: download-artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: ./artifacts diff --git a/.github/workflows/slow-checks.yml b/.github/workflows/slow-checks.yml index 8c4cd585f..c387a8965 100644 --- a/.github/workflows/slow-checks.yml +++ b/.github/workflows/slow-checks.yml @@ -25,7 +25,9 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -40,7 +42,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: coverage-python${{ matrix.python-version }}-slow path: .coverage diff --git a/.github/workflows/test-python-environment.yml b/.github/workflows/test-python-environment.yml index f05267e9a..f17ebd15a 100644 --- a/.github/workflows/test-python-environment.yml +++ b/.github/workflows/test-python-environment.yml @@ -12,7 +12,7 @@ jobs: outputs: should_run: ${{ steps.diff.outputs.should_run }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 persist-credentials: false @@ -67,7 +67,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 000000000..a8f107c49 --- /dev/null +++ b/.github/zizmor.yml 
@@ -0,0 +1,14 @@ +rules: + github-env: + disable: true + secrets-inherit: + disable: true + template-injection: + disable: true + unpinned-uses: + config: + policies: + "*": hash-pin + exasol/python-toolbox/.github/actions/python-environment: ref-pin + use-trusted-publishing: + disable: true diff --git a/.workflow-patcher.yml b/.workflow-patcher.yml index bdf6d52fe..f5e1c0e7b 100644 --- a/.workflow-patcher.yml +++ b/.workflow-patcher.yml @@ -8,7 +8,7 @@ workflows: # The PTB has unit tests which require the fetch-depth to be 0. - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false fetch-depth: 0 diff --git a/doc/github_actions/python_environment.rst b/doc/github_actions/python_environment.rst index f400b02b4..aa31f89eb 100644 --- a/doc/github_actions/python_environment.rst +++ b/doc/github_actions/python_environment.rst @@ -49,7 +49,7 @@ Example Usage steps: - name: SCM Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Setup Python & Poetry Environment uses: exasol/python-toolbox/.github/actions/python-environment@v4 diff --git a/doc/github_actions/security_issues.rst b/doc/github_actions/security_issues.rst index d85f8ed33..ecb4558fc 100644 --- a/doc/github_actions/security_issues.rst +++ b/doc/github_actions/security_issues.rst @@ -26,7 +26,7 @@ Example Usage steps: - name: SCM Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Report Security Issues uses: exasol/python-toolbox/.github/actions/security-issues@v1 diff --git a/doc/user_guide/features/github_workflows/workflow_patcher.rst b/doc/user_guide/features/github_workflows/workflow_patcher.rst index d73adeca4..c0a3fc609 100644 --- a/doc/user_guide/features/github_workflows/workflow_patcher.rst 
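Review bot: `template-injection` is disabled repository-wide in the new `.github/zizmor.yml`, which silences the audit that catches `${{ }}` expressions expanded inside `run:` steps — the class of finding this lint job is most valuable for — and the hunk gives no reason. Keep the rule enabled and suppress known-safe sites individually with the rule's `ignore:` list (`<workflow-file>:<line>` entries, placeholder), so workflows added later are still checked; the same applies to `github-env`. Disabling `secrets-inherit` covers the `secrets: inherit` that ci.yml keeps in this commit, but a per-file ignore with a one-line comment would document that exception instead of hiding it for every workflow.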
+++ b/doc/user_guide/features/github_workflows/workflow_patcher.rst @@ -30,7 +30,7 @@ Model content: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 diff --git a/exasol/toolbox/templates/github/dependabot.yml b/exasol/toolbox/templates/github/dependabot.yml index e9373b46e..d3693f0dc 100644 --- a/exasol/toolbox/templates/github/dependabot.yml +++ b/exasol/toolbox/templates/github/dependabot.yml @@ -8,6 +8,8 @@ updates: interval: "weekly" day: "monday" open-pull-requests-limit: 4 + cooldown: + default-days: 7 # Maintain dependencies for poetry - package-ecosystem: "pip" @@ -16,3 +18,5 @@ updates: interval: "weekly" day: "monday" open-pull-requests-limit: 4 + cooldown: + default-days: 7 diff --git a/exasol/toolbox/templates/github/workflows/build-and-publish.yml b/exasol/toolbox/templates/github/workflows/build-and-publish.yml index 6c42834b4..b2ffc3422 100644 --- a/exasol/toolbox/templates/github/workflows/build-and-publish.yml +++ b/exasol/toolbox/templates/github/workflows/build-and-publish.yml @@ -16,7 +16,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/exasol/toolbox/templates/github/workflows/check-release-tag.yml b/exasol/toolbox/templates/github/workflows/check-release-tag.yml index eda38dda8..91f4eb01c 100644 --- a/exasol/toolbox/templates/github/workflows/check-release-tag.yml +++ b/exasol/toolbox/templates/github/workflows/check-release-tag.yml @@ -14,7 +14,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false 
diff --git a/exasol/toolbox/templates/github/workflows/checks.yml b/exasol/toolbox/templates/github/workflows/checks.yml index 9d88c6c87..850db33c0 100644 --- a/exasol/toolbox/templates/github/workflows/checks.yml +++ b/exasol/toolbox/templates/github/workflows/checks.yml @@ -13,7 +13,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -41,7 +41,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -68,7 +68,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -85,7 +85,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: lint-python${{ matrix.python-versions }} path: | @@ -106,7 +106,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -134,7 +134,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -151,7 +151,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: security-python${{ matrix.python-versions }} path: .security.json 
@@ -166,7 +166,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -189,7 +189,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -212,7 +212,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -226,3 +226,22 @@ jobs: - name: Check Workflows id: check-workflows run: poetry run -- nox -s workflow:check -- all + + lint-github-actions: + name: Lint GitHub Actions + runs-on: "(( os_version ))" + permissions: + contents: read # only needed for private or internal repos + actions: read # only needed for private or internal repos + steps: + - name: Check out Repository + id: check-out-repository + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false + + - name: Lint GitHub actions with Zizmor + id: lint-github-actions + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + with: + advanced-security: false diff --git a/exasol/toolbox/templates/github/workflows/ci.yml b/exasol/toolbox/templates/github/workflows/ci.yml index c5a86a764..215182c3d 100644 --- a/exasol/toolbox/templates/github/workflows/ci.yml +++ b/exasol/toolbox/templates/github/workflows/ci.yml @@ -12,6 +12,7 @@ jobs: secrets: inherit permissions: contents: read + actions: read report: name: Report diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml index f24573f54..72d51d0fd 100644 --- a/exasol/toolbox/templates/github/workflows/dependency-update.yml 
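Review bot: The template copy of the `lint-github-actions` job ships to downstream repositories without a matching zizmor configuration: the only config in this commit is the repository-local `.github/zizmor.yml`, and no `exasol/toolbox/templates/github/zizmor.yml` is visible in this diff. Downstream projects would then run zizmor with every rule enabled, including `secrets-inherit`, which the template `ci.yml` hunk in this same commit triggers through `secrets: inherit`, so the job may fail for them on first run (inferred from the visible files — confirm whether the template set is expected to carry the config). Either add the config to the templates or state the requirement in the workflow-patcher documentation.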
+++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml @@ -18,7 +18,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: true fetch-depth: 0 @@ -119,7 +119,7 @@ jobs: - name: Report New Pull Request to Slack Channel id: report-pr-slack if: ${{ steps.create-pr.outputs.pr_url }} - uses: ravsamhq/notify-slack-action@v2 + uses: ravsamhq/notify-slack-action@be814b201e233b2dc673608aa46e5447c8ab13f2 # 2.5.0 with: status: '${{ job.status }}' token: '${{ secrets.GITHUB_TOKEN }}' diff --git a/exasol/toolbox/templates/github/workflows/fast-tests.yml b/exasol/toolbox/templates/github/workflows/fast-tests.yml index c6f03c94f..6575b8860 100644 --- a/exasol/toolbox/templates/github/workflows/fast-tests.yml +++ b/exasol/toolbox/templates/github/workflows/fast-tests.yml @@ -18,7 +18,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -35,7 +35,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: coverage-python${{ matrix.python-versions }}-fast path: .coverage diff --git a/exasol/toolbox/templates/github/workflows/gh-pages.yml b/exasol/toolbox/templates/github/workflows/gh-pages.yml index e7ef3210a..3f8edbd3b 100644 --- a/exasol/toolbox/templates/github/workflows/gh-pages.yml +++ b/exasol/toolbox/templates/github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 persist-credentials: false 
@@ -34,7 +34,7 @@ jobs: - name: Upload Artifact id: upload-artifact - uses: actions/upload-pages-artifact@v5.0.0 + uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0 with: path: html-documentation @@ -52,4 +52,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deploy-to-github-pages - uses: actions/deploy-pages@v5 + uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0 diff --git a/exasol/toolbox/templates/github/workflows/matrix-all.yml b/exasol/toolbox/templates/github/workflows/matrix-all.yml index c24c2f2db..743900cf4 100644 --- a/exasol/toolbox/templates/github/workflows/matrix-all.yml +++ b/exasol/toolbox/templates/github/workflows/matrix-all.yml @@ -16,7 +16,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/exasol/toolbox/templates/github/workflows/matrix-exasol.yml b/exasol/toolbox/templates/github/workflows/matrix-exasol.yml index 18b3b851b..b74c8f1f4 100644 --- a/exasol/toolbox/templates/github/workflows/matrix-exasol.yml +++ b/exasol/toolbox/templates/github/workflows/matrix-exasol.yml @@ -16,7 +16,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/exasol/toolbox/templates/github/workflows/matrix-python.yml b/exasol/toolbox/templates/github/workflows/matrix-python.yml index 062426ff1..f56ea13ff 100644 --- a/exasol/toolbox/templates/github/workflows/matrix-python.yml +++ b/exasol/toolbox/templates/github/workflows/matrix-python.yml @@ -16,7 +16,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false 
diff --git a/exasol/toolbox/templates/github/workflows/merge-gate.yml b/exasol/toolbox/templates/github/workflows/merge-gate.yml index e8092fc72..34bddf861 100644 --- a/exasol/toolbox/templates/github/workflows/merge-gate.yml +++ b/exasol/toolbox/templates/github/workflows/merge-gate.yml @@ -10,6 +10,7 @@ jobs: uses: ./.github/workflows/checks.yml permissions: contents: read + actions: read run-fast-tests: name: Fast Tests diff --git a/exasol/toolbox/templates/github/workflows/report.yml b/exasol/toolbox/templates/github/workflows/report.yml index 21dd0e086..bc7e1fd33 100644 --- a/exasol/toolbox/templates/github/workflows/report.yml +++ b/exasol/toolbox/templates/github/workflows/report.yml @@ -16,7 +16,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 persist-credentials: false @@ -30,7 +30,7 @@ jobs: - name: Download Artifacts id: download-artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: ./artifacts diff --git a/exasol/toolbox/templates/github/workflows/slow-checks.yml b/exasol/toolbox/templates/github/workflows/slow-checks.yml index 618e1790a..3bfe05dfc 100644 --- a/exasol/toolbox/templates/github/workflows/slow-checks.yml +++ b/exasol/toolbox/templates/github/workflows/slow-checks.yml @@ -27,7 +27,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -44,7 +44,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: coverage-python${{ matrix.python-version }}-exasol${{ matrix.exasol-version }}-slow path: .coverage 
diff --git a/poetry.lock b/poetry.lock
index fc191d526..2e052025a 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 2.3.0 and should not be changed by hand.
+# This file is automatically @generated by Poetry 2.4.1 and should not be changed by hand.
 [[package]]
 name = "accessible-pygments"
@@ -2649,8 +2649,8 @@ astroid = ">=4.0.2,<=4.1.dev0"
 colorama = {version = ">=0.4.5", markers = "sys_platform == \"win32\""}
 dill = [
 {version = ">=0.2", markers = "python_version < \"3.11\""},
- {version = ">=0.3.7", markers = "python_version >= \"3.12\""},
 {version = ">=0.3.6", markers = "python_version == \"3.11\""},
+ {version = ">=0.3.7", markers = "python_version >= \"3.12\""},
 ]
 isort = ">=5,<5.13 || >5.13,<9"
 mccabe = ">=0.6,<0.8"
@@ -4062,7 +4062,28 @@ enabler = ["pytest-enabler (>=3.4)"]
 test = ["big-O", "jaraco.functools", "jaraco.itertools", "jaraco.test", "more_itertools", "pytest (>=6,!=8.1.*)", "pytest-ignore-flaky"]
 type = ["pytest-mypy (>=1.0.1) ; platform_python_implementation != \"PyPy\""]
+[[package]]
+name = "zizmor"
+version = "1.25.2"
+description = "Static analysis for GitHub Actions"
+optional = false
+python-versions = ">=3.10"
+groups = ["main"]
+files = [
+ {file = "zizmor-1.25.2-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:17cc8cfd9d472e8b11945a869c198d25cfdf4a33f36fa7a1f9674099f5fb509d"},
+ {file = "zizmor-1.25.2-py3-none-macosx_11_0_arm64.whl", hash = "sha256:d3e301eb4465e2da77857cf01ab4ef0184cf3818e826800b270ab01ae7338977"},
+ {file = "zizmor-1.25.2-py3-none-manylinux_2_24_aarch64.whl", hash = "sha256:cf64374149b567c9373228b76c8e77a389b4071899f84b82c36ee50fab894e79"},
+ {file = "zizmor-1.25.2-py3-none-manylinux_2_28_armv7l.whl", hash = "sha256:0beba1601be08bd00c9277e6ed4b026e125b26b379d86d6d98eb708409b3050d"},
+ {file = "zizmor-1.25.2-py3-none-manylinux_2_28_x86_64.whl", hash = "sha256:c4246f1344d8dbeffc044d7bb11b131773a7db7eb57d9073c45942dfd3543a1f"},
+ {file = "zizmor-1.25.2-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:dbb1b5c85b8de8eaa0227c6620f06c8e4fbd0a4da2086e218bc225c0bef0923d"},
+ {file = "zizmor-1.25.2-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:d670a1e2f00b3cd56febd145bc1a0b2c4caf1cbe5dad8128721843fa877e2d2e"},
+ {file = "zizmor-1.25.2-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:b75c84d7387389f95edadbe859fb2aaf0a360c5b080932cc53e92ae1db6f09ef"},
+ {file = "zizmor-1.25.2-py3-none-win32.whl", hash = "sha256:aa9f4c43b499c55339c3ef2e885133c5017cd9a18d76d9335541203cfa5ae1e7"},
+ {file = "zizmor-1.25.2-py3-none-win_amd64.whl", hash = "sha256:af55bd9bd119ea8cbce2a7addc3922503019de32c1fe31106d70b3dc77d77908"},
+ {file = "zizmor-1.25.2.tar.gz", hash = "sha256:f26ffeb16659c8922c7b08203ca5a4f8bf5e1a7e8d190734961c40877cf778ea"},
+]
+
 [metadata]
 lock-version = "2.1"
 python-versions = ">=3.10,<4.0"
-content-hash = "3d5c07aeaab839a92ec06e66addd20d634864518ef66d76623d08d5eaae6817b"
+content-hash = "a0c2776376a043679e656b301d640e4b13835be4910ee122da54fd8ef37ed85f"
diff --git a/pyproject.toml b/pyproject.toml
index 4dbc06d44..569c72ee3 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -59,6 +59,7 @@ dependencies = [
 "structlog (>=25.5.0,<26.0.0)",
 "typer[all]>=0.7.0",
 "twine>=6.1.0,<7",
+ "zizmor (>=1.25.2,<2.0.0)",
 ]
 [project.scripts]
diff --git a/test/unit/util/workflows/conftest.py b/test/unit/util/workflows/conftest.py
index c1e763f23..beec18e31 100644
--- a/test/unit/util/workflows/conftest.py
+++ b/test/unit/util/workflows/conftest.py
@@ -27,7 +27,7 @@ class ExamplePatcherYaml:
 content:
 - name: Check out Repository
 id: check-out-repository
- uses: actions/checkout@v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 fetch-depth: 0
 """