From 5438c744a55483d65720ebcd48b16027b4b1fcad Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Thu, 11 Jun 2026 09:51:15 +0200 Subject: [PATCH 01/17] Activate linter for GitHub actions --- .github/workflows/checks.yml | 19 +++++++++++++++++++ .github/workflows/ci.yml | 1 + .github/workflows/merge-gate.yml | 1 + .../templates/github/workflows/checks.yml | 19 +++++++++++++++++++ .../toolbox/templates/github/workflows/ci.yml | 1 + .../templates/github/workflows/merge-gate.yml | 1 + 6 files changed, 42 insertions(+) diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 89a4bf141..a9739b676 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -227,3 +227,22 @@ jobs: - name: Check Workflows id: check-workflows run: poetry run -- nox -s workflow:check -- all + + lint-github-actions: + name: Lint GitHub Actions + runs-on: "ubuntu-24.04" + permissions: + contents: read # only needed for private or internal repos + actions: read # only needed for private or internal repos + steps: + - name: Check out Repository + id: check-out-repository + uses: actions/checkout@v6 + with: + persist-credentials: false + + - name: Lint GitHub actions with Zizmor + id: lint-github-actions + uses: zizmorcore/zizmor-action@v0.5.3 + with: + advanced-security: false diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1083e9f2e..5e3ebbd2d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,6 +13,7 @@ jobs: secrets: inherit permissions: contents: read + actions: read report: name: Report diff --git a/.github/workflows/merge-gate.yml b/.github/workflows/merge-gate.yml index c7e00c394..c8532d8ac 100644 --- a/.github/workflows/merge-gate.yml +++ b/.github/workflows/merge-gate.yml @@ -11,6 +11,7 @@ jobs: uses: ./.github/workflows/checks.yml permissions: contents: read + actions: read run-fast-tests: name: Fast Tests 
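Review bot: The new `lint-github-actions` job leaves its failure policy implicit: `advanced-security: false` keeps findings out of code scanning, so they presumably surface only in the job output, and no `min-severity` / `min-confidence` input is set, so the gate is whatever the action's defaults happen to be. Stating the intended threshold explicitly under `with:` and adding `# advanced-security: false -> findings are reported in the job output only; fail threshold is the action default` would make the gate reviewable. The `actions: read` additions in `ci.yml` and `merge-gate.yml` in this same patch are presumably there because the caller has to grant what the reusable `checks.yml` job now asks for; a trailing comment such as `actions: read # needed by lint-github-actions in checks.yml` would explain why a read on Actions appeared in the callers. The same job is duplicated in `exasol/toolbox/templates/github/workflows/checks.yml`.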
diff --git a/exasol/toolbox/templates/github/workflows/checks.yml b/exasol/toolbox/templates/github/workflows/checks.yml index 9d88c6c87..4e6e3bffb 100644 --- a/exasol/toolbox/templates/github/workflows/checks.yml +++ b/exasol/toolbox/templates/github/workflows/checks.yml @@ -226,3 +226,22 @@ jobs: - name: Check Workflows id: check-workflows run: poetry run -- nox -s workflow:check -- all + + lint-github-actions: + name: Lint GitHub Actions + runs-on: "(( os_version ))" + permissions: + contents: read # only needed for private or internal repos + actions: read # only needed for private or internal repos + steps: + - name: Check out Repository + id: check-out-repository + uses: actions/checkout@v6 + with: + persist-credentials: false + + - name: Lint GitHub actions with Zizmor + id: lint-github-actions + uses: zizmorcore/zizmor-action@v0.5.3 + with: + advanced-security: false diff --git a/exasol/toolbox/templates/github/workflows/ci.yml b/exasol/toolbox/templates/github/workflows/ci.yml index c5a86a764..215182c3d 100644 --- a/exasol/toolbox/templates/github/workflows/ci.yml +++ b/exasol/toolbox/templates/github/workflows/ci.yml @@ -12,6 +12,7 @@ jobs: secrets: inherit permissions: contents: read + actions: read report: name: Report diff --git a/exasol/toolbox/templates/github/workflows/merge-gate.yml b/exasol/toolbox/templates/github/workflows/merge-gate.yml index e8092fc72..34bddf861 100644 --- a/exasol/toolbox/templates/github/workflows/merge-gate.yml +++ b/exasol/toolbox/templates/github/workflows/merge-gate.yml @@ -10,6 +10,7 @@ jobs: uses: ./.github/workflows/checks.yml permissions: contents: read + actions: read run-fast-tests: name: Fast Tests From c6bbb6ec24d7f9b0566ca7e5e9830f522b7edfff Mon Sep 17 00:00:00 2001 
From: Ariel Schulz Date: Thu, 11 Jun 2026 10:02:01 +0200 Subject: [PATCH 02/17] Add cooldown to dependency updater --- .github/dependabot.yml | 6 +++++- exasol/toolbox/templates/github/dependabot.yml | 4 ++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 2fc896980..d3693f0dc 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -8,6 +8,8 @@ updates: interval: "weekly" day: "monday" open-pull-requests-limit: 4 + cooldown: + default-days: 7 # Maintain dependencies for poetry - package-ecosystem: "pip" @@ -15,4 +17,6 @@ updates: schedule: interval: "weekly" day: "monday" - open-pull-requests-limit: 4 \ No newline at end of file + open-pull-requests-limit: 4 + cooldown: + default-days: 7 diff --git a/exasol/toolbox/templates/github/dependabot.yml b/exasol/toolbox/templates/github/dependabot.yml index e9373b46e..d3693f0dc 100644 --- a/exasol/toolbox/templates/github/dependabot.yml +++ b/exasol/toolbox/templates/github/dependabot.yml @@ -8,6 +8,8 @@ updates: interval: "weekly" day: "monday" open-pull-requests-limit: 4 + cooldown: + default-days: 7 # Maintain dependencies for poetry - package-ecosystem: "pip" @@ -16,3 +18,5 @@ updates: interval: "weekly" day: "monday" open-pull-requests-limit: 4 + cooldown: + default-days: 7 From d291a5e194c34ae820178c39c3cdc93da22cf623 Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Thu, 11 Jun 2026 10:11:51 +0200 Subject: [PATCH 03/17] Create ignore file and fill with everything so we can gradually remove the issues --- .github/zizmor.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 .github/zizmor.yml diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 000000000..3f151f61c --- /dev/null +++ b/.github/zizmor.yml 
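Review bot: The new `cooldown: default-days: 7` applies to both ecosystems but carries no note on what it trades off: every new release, including one that only fixes a vulnerability, is held back a week for version updates, and as far as I recall only Dependabot security updates (if enabled for the repository) bypass the cooldown, which is worth confirming before relying on it. A short comment above each `cooldown:` block, e.g. `# wait 7 days after a release before proposing it, so a yanked or compromised version is caught first; security updates are not delayed by this`, would document the intent, with the second half kept only once verified. The same applies to the template copy in `exasol/toolbox/templates/github/dependabot.yml`.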
@@ -0,0 +1,13 @@ +rules: + artipacked: + disable: true + github-env: + disable: true + secrets-inherit: + disable: true + template-injection: + disable: true + unpinned-uses: + disable: true + use-trusted-publishing: + disable: true From 83f78c3d41c5795f4ee29f981f875bd94170c432 Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Thu, 11 Jun 2026 10:19:26 +0200 Subject: [PATCH 04/17] Fix credential persistence from actions/checkout --- .github/workflows/fast-tests-extension.yml | 2 ++ .github/workflows/slow-checks.yml | 2 ++ .github/zizmor.yml | 2 -- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/fast-tests-extension.yml b/.github/workflows/fast-tests-extension.yml index b99aaeeb3..c4f10064a 100644 --- a/.github/workflows/fast-tests-extension.yml +++ b/.github/workflows/fast-tests-extension.yml @@ -13,6 +13,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/.github/workflows/slow-checks.yml b/.github/workflows/slow-checks.yml index 8c4cd585f..b1d7f905e 100644 --- a/.github/workflows/slow-checks.yml +++ b/.github/workflows/slow-checks.yml @@ -26,6 +26,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/.github/zizmor.yml b/.github/zizmor.yml index 3f151f61c..174952c5b 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -1,6 +1,4 @@ rules: - artipacked: - disable: true github-env: disable: true secrets-inherit: From b1791649ca02c8922144b880b696392f57559e49 Mon Sep 17 00:00:00 2001 
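Review bot: `disable: true` on `template-injection`, `secrets-inherit` and the other four rules switches them off for every workflow, including ones added while the baseline is being worked off, so new findings in those classes will pass the linter unnoticed. zizmor's per-rule `ignore:` list suppresses individual findings by file (optionally `file.yml:line:col`) while keeping the rule active for new code; if the finding count makes that impractical, the file should at least say so, e.g. a header `# Temporary baseline: rules are disabled wholesale so the linter passes; drop entries as findings are fixed (tracking: <issue-link>)`. Note also that only `.github/zizmor.yml` is created here while the lint job itself was added to the template `checks.yml` too, so projects scaffolded from `exasol/toolbox/templates/github/` get the linter without this baseline, which is fine if intentional but worth a sentence in that comment.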
From: Ariel Schulz Date: Thu, 11 Jun 2026 10:30:59 +0200 Subject: [PATCH 05/17] Switch checkout@v6 to the v6.0.3 SHA; even in documentation --- .github/workflows/build-and-publish.yml | 2 +- .github/workflows/check-release-tag.yml | 2 +- .github/workflows/checks.yml | 18 +++++++++--------- .github/workflows/dependency-update.yml | 2 +- .github/workflows/fast-tests-extension.yml | 2 +- .github/workflows/fast-tests.yml | 2 +- .github/workflows/gh-pages.yml | 2 +- .github/workflows/matrix-all.yml | 2 +- .github/workflows/matrix-exasol.yml | 2 +- .github/workflows/matrix-python.yml | 2 +- .github/workflows/report.yml | 2 +- .github/workflows/slow-checks.yml | 2 +- .github/workflows/test-python-environment.yml | 4 ++-- .github/zizmor.yml | 13 ++++++++++++- doc/github_actions/python_environment.rst | 2 +- doc/github_actions/security_issues.rst | 2 +- .../github_workflows/workflow_patcher.rst | 2 +- .../github/workflows/build-and-publish.yml | 2 +- .../github/workflows/check-release-tag.yml | 2 +- .../templates/github/workflows/checks.yml | 18 +++++++++--------- .../github/workflows/dependency-update.yml | 2 +- .../templates/github/workflows/fast-tests.yml | 2 +- .../templates/github/workflows/gh-pages.yml | 2 +- .../templates/github/workflows/matrix-all.yml | 2 +- .../github/workflows/matrix-exasol.yml | 2 +- .../github/workflows/matrix-python.yml | 2 +- .../templates/github/workflows/report.yml | 2 +- .../templates/github/workflows/slow-checks.yml | 2 +- 28 files changed, 56 insertions(+), 45 deletions(-) diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml index 4b6befafa..01087bfba 100644 --- a/.github/workflows/build-and-publish.yml +++ b/.github/workflows/build-and-publish.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false 
diff --git a/.github/workflows/check-release-tag.yml b/.github/workflows/check-release-tag.yml index b22a73290..aa09cf3b1 100644 --- a/.github/workflows/check-release-tag.yml +++ b/.github/workflows/check-release-tag.yml @@ -15,7 +15,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index a9739b676..5295a457c 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -14,7 +14,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -42,7 +42,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -69,7 +69,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -107,7 +107,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -135,7 +135,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -167,7 +167,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false 
@@ -190,7 +190,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -213,7 +213,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -237,7 +237,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml index 157e32fb5..25df03545 100644 --- a/.github/workflows/dependency-update.yml +++ b/.github/workflows/dependency-update.yml @@ -19,7 +19,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: true fetch-depth: 0 diff --git a/.github/workflows/fast-tests-extension.yml b/.github/workflows/fast-tests-extension.yml index c4f10064a..a786b6a00 100644 --- a/.github/workflows/fast-tests-extension.yml +++ b/.github/workflows/fast-tests-extension.yml @@ -12,7 +12,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/.github/workflows/fast-tests.yml b/.github/workflows/fast-tests.yml index b692b8e38..de5715055 100644 --- a/.github/workflows/fast-tests.yml +++ b/.github/workflows/fast-tests.yml 
@@ -19,7 +19,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false fetch-depth: 0 diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index dceb9c487..cd8ce4c64 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -15,7 +15,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 persist-credentials: false diff --git a/.github/workflows/matrix-all.yml b/.github/workflows/matrix-all.yml index cc8e849b0..a960a991f 100644 --- a/.github/workflows/matrix-all.yml +++ b/.github/workflows/matrix-all.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/.github/workflows/matrix-exasol.yml b/.github/workflows/matrix-exasol.yml index bab0ffb02..d7dbad6ae 100644 --- a/.github/workflows/matrix-exasol.yml +++ b/.github/workflows/matrix-exasol.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/.github/workflows/matrix-python.yml b/.github/workflows/matrix-python.yml index c671c36f3..eb94dbc5c 100644 --- a/.github/workflows/matrix-python.yml +++ b/.github/workflows/matrix-python.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false 
diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml index 8e2bc1d91..b2dfcff04 100644 --- a/.github/workflows/report.yml +++ b/.github/workflows/report.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 persist-credentials: false diff --git a/.github/workflows/slow-checks.yml b/.github/workflows/slow-checks.yml index b1d7f905e..a28ee5214 100644 --- a/.github/workflows/slow-checks.yml +++ b/.github/workflows/slow-checks.yml @@ -25,7 +25,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/.github/workflows/test-python-environment.yml b/.github/workflows/test-python-environment.yml index f05267e9a..f17ebd15a 100644 --- a/.github/workflows/test-python-environment.yml +++ b/.github/workflows/test-python-environment.yml @@ -12,7 +12,7 @@ jobs: outputs: should_run: ${{ steps.diff.outputs.should_run }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 persist-credentials: false @@ -67,7 +67,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/.github/zizmor.yml b/.github/zizmor.yml index 174952c5b..5391b15b0 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml 
@@ -6,6 +6,17 @@ rules: template-injection: disable: true unpinned-uses: - disable: true + config: + policies: + actions/checkout: hash-pin + actions/cache: ref-pin + actions/deploy-pages: ref-pin + actions/download-artifact: ref-pin + actions/setup-python: ref-pin + actions/upload-artifact: ref-pin + actions/upload-pages-artifact: ref-pin + exasol/python-toolbox/.github/actions/python-environment: ref-pin + ravsamhq/notify-slack-action: ref-pin + zizmorcore/zizmor-action: ref-pin use-trusted-publishing: disable: true diff --git a/doc/github_actions/python_environment.rst b/doc/github_actions/python_environment.rst index f400b02b4..aa31f89eb 100644 --- a/doc/github_actions/python_environment.rst +++ b/doc/github_actions/python_environment.rst @@ -49,7 +49,7 @@ Example Usage steps: - name: SCM Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Setup Python & Poetry Environment uses: exasol/python-toolbox/.github/actions/python-environment@v4 diff --git a/doc/github_actions/security_issues.rst b/doc/github_actions/security_issues.rst index d85f8ed33..ecb4558fc 100644 --- a/doc/github_actions/security_issues.rst +++ b/doc/github_actions/security_issues.rst @@ -26,7 +26,7 @@ Example Usage steps: - name: SCM Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Report Security Issues uses: exasol/python-toolbox/.github/actions/security-issues@v1 diff --git a/doc/user_guide/features/github_workflows/workflow_patcher.rst b/doc/user_guide/features/github_workflows/workflow_patcher.rst index d73adeca4..c0a3fc609 100644 --- a/doc/user_guide/features/github_workflows/workflow_patcher.rst +++ b/doc/user_guide/features/github_workflows/workflow_patcher.rst 
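Review bot: The `unpinned-uses` policy map lists only the actions currently referenced, so an action introduced by a later change falls under whatever the rule applies to unlisted patterns rather than a policy this repository chose. zizmor's documented config accepts a catch-all pattern, so adding `"*": hash-pin` as the last entry would make hash pinning the default and turn the remaining `ref-pin` lines into explicit exceptions (several of which later commits in this series already switch to `hash-pin`). A one-line comment above `policies:` saying that `ref-pin` entries are interim until each action is moved to a SHA would tell the next maintainer which way the list is meant to move; the `# v6.0.3`-style trailing comments on the pinned `uses:` lines elsewhere in this patch are what let Dependabot keep the SHAs current, so they should stay.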
@@ -30,7 +30,7 @@ Model content: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 diff --git a/exasol/toolbox/templates/github/workflows/build-and-publish.yml b/exasol/toolbox/templates/github/workflows/build-and-publish.yml index 6c42834b4..b2ffc3422 100644 --- a/exasol/toolbox/templates/github/workflows/build-and-publish.yml +++ b/exasol/toolbox/templates/github/workflows/build-and-publish.yml @@ -16,7 +16,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/exasol/toolbox/templates/github/workflows/check-release-tag.yml b/exasol/toolbox/templates/github/workflows/check-release-tag.yml index eda38dda8..91f4eb01c 100644 --- a/exasol/toolbox/templates/github/workflows/check-release-tag.yml +++ b/exasol/toolbox/templates/github/workflows/check-release-tag.yml @@ -14,7 +14,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/exasol/toolbox/templates/github/workflows/checks.yml b/exasol/toolbox/templates/github/workflows/checks.yml index 4e6e3bffb..5c3bd122c 100644 --- a/exasol/toolbox/templates/github/workflows/checks.yml +++ b/exasol/toolbox/templates/github/workflows/checks.yml @@ -13,7 +13,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false 
@@ -41,7 +41,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -68,7 +68,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -106,7 +106,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -134,7 +134,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -166,7 +166,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -189,7 +189,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -212,7 +212,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -236,7 +236,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml index f24573f54..ea722d61e 100644 
--- a/exasol/toolbox/templates/github/workflows/dependency-update.yml +++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml @@ -18,7 +18,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: true fetch-depth: 0 diff --git a/exasol/toolbox/templates/github/workflows/fast-tests.yml b/exasol/toolbox/templates/github/workflows/fast-tests.yml index c6f03c94f..265243ae9 100644 --- a/exasol/toolbox/templates/github/workflows/fast-tests.yml +++ b/exasol/toolbox/templates/github/workflows/fast-tests.yml @@ -18,7 +18,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/exasol/toolbox/templates/github/workflows/gh-pages.yml b/exasol/toolbox/templates/github/workflows/gh-pages.yml index e7ef3210a..ba4fa3b47 100644 --- a/exasol/toolbox/templates/github/workflows/gh-pages.yml +++ b/exasol/toolbox/templates/github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 persist-credentials: false diff --git a/exasol/toolbox/templates/github/workflows/matrix-all.yml b/exasol/toolbox/templates/github/workflows/matrix-all.yml index c24c2f2db..743900cf4 100644 --- a/exasol/toolbox/templates/github/workflows/matrix-all.yml +++ b/exasol/toolbox/templates/github/workflows/matrix-all.yml @@ -16,7 +16,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false 
diff --git a/exasol/toolbox/templates/github/workflows/matrix-exasol.yml b/exasol/toolbox/templates/github/workflows/matrix-exasol.yml index 18b3b851b..b74c8f1f4 100644 --- a/exasol/toolbox/templates/github/workflows/matrix-exasol.yml +++ b/exasol/toolbox/templates/github/workflows/matrix-exasol.yml @@ -16,7 +16,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/exasol/toolbox/templates/github/workflows/matrix-python.yml b/exasol/toolbox/templates/github/workflows/matrix-python.yml index 062426ff1..f56ea13ff 100644 --- a/exasol/toolbox/templates/github/workflows/matrix-python.yml +++ b/exasol/toolbox/templates/github/workflows/matrix-python.yml @@ -16,7 +16,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/exasol/toolbox/templates/github/workflows/report.yml b/exasol/toolbox/templates/github/workflows/report.yml index 21dd0e086..e632ffdaa 100644 --- a/exasol/toolbox/templates/github/workflows/report.yml +++ b/exasol/toolbox/templates/github/workflows/report.yml @@ -16,7 +16,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 persist-credentials: false diff --git a/exasol/toolbox/templates/github/workflows/slow-checks.yml b/exasol/toolbox/templates/github/workflows/slow-checks.yml index 618e1790a..bdad474c1 100644 --- a/exasol/toolbox/templates/github/workflows/slow-checks.yml +++ b/exasol/toolbox/templates/github/workflows/slow-checks.yml 
@@ -27,7 +27,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false From 6d0197d8ad2b14222a6fff6c69f181f6d9f39994 Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Thu, 11 Jun 2026 10:42:35 +0200 Subject: [PATCH 06/17] Switch upload-pages-artifact@v5 to the v5.0.0 SHA --- .github/workflows/gh-pages.yml | 2 +- .github/zizmor.yml | 2 +- exasol/toolbox/templates/github/workflows/gh-pages.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index cd8ce4c64..244a09d59 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -35,7 +35,7 @@ jobs: - name: Upload Artifact id: upload-artifact - uses: actions/upload-pages-artifact@v5.0.0 + uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0 with: path: html-documentation diff --git a/.github/zizmor.yml b/.github/zizmor.yml index 5391b15b0..715a65b36 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -14,7 +14,7 @@ rules: actions/download-artifact: ref-pin actions/setup-python: ref-pin actions/upload-artifact: ref-pin - actions/upload-pages-artifact: ref-pin + actions/upload-pages-artifact: hash-pin exasol/python-toolbox/.github/actions/python-environment: ref-pin ravsamhq/notify-slack-action: ref-pin zizmorcore/zizmor-action: ref-pin diff --git a/exasol/toolbox/templates/github/workflows/gh-pages.yml b/exasol/toolbox/templates/github/workflows/gh-pages.yml index ba4fa3b47..db6f5e582 100644 --- a/exasol/toolbox/templates/github/workflows/gh-pages.yml +++ b/exasol/toolbox/templates/github/workflows/gh-pages.yml 
@@ -34,7 +34,7 @@ jobs: - name: Upload Artifact id: upload-artifact - uses: actions/upload-pages-artifact@v5.0.0 + uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0 with: path: html-documentation From d938c19c1f40fdbf0a46171a0d34f78da43f9020 Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Thu, 11 Jun 2026 10:45:55 +0200 Subject: [PATCH 07/17] Switch zizmor action from v0.5.3 to its SHA --- .github/workflows/checks.yml | 2 +- .github/zizmor.yml | 2 +- exasol/toolbox/templates/github/workflows/checks.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 5295a457c..eee6c80a9 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -243,6 +243,6 @@ jobs: - name: Lint GitHub actions with Zizmor id: lint-github-actions - uses: zizmorcore/zizmor-action@v0.5.3 + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 with: advanced-security: false diff --git a/.github/zizmor.yml b/.github/zizmor.yml index 715a65b36..a1468198b 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -17,6 +17,6 @@ rules: actions/upload-pages-artifact: hash-pin exasol/python-toolbox/.github/actions/python-environment: ref-pin ravsamhq/notify-slack-action: ref-pin - zizmorcore/zizmor-action: ref-pin + zizmorcore/zizmor-action: hash-pin use-trusted-publishing: disable: true diff --git a/exasol/toolbox/templates/github/workflows/checks.yml b/exasol/toolbox/templates/github/workflows/checks.yml index 5c3bd122c..f87767372 100644 --- a/exasol/toolbox/templates/github/workflows/checks.yml +++ b/exasol/toolbox/templates/github/workflows/checks.yml @@ -242,6 +242,6 @@ jobs: - name: Lint GitHub actions with Zizmor id: lint-github-actions - uses: zizmorcore/zizmor-action@v0.5.3 + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 with: advanced-security: false 
From c57165c26d496156e5f23779bc6f3fea7fdf0c1b Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Thu, 11 Jun 2026 10:52:13 +0200 Subject: [PATCH 08/17] Switch ravsamhq/notify-slack-action action from v2 to its SHA for v2.5.0 --- .github/workflows/dependency-update.yml | 2 +- .github/zizmor.yml | 2 +- exasol/toolbox/templates/github/workflows/dependency-update.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml index 25df03545..ef16a7878 100644 --- a/.github/workflows/dependency-update.yml +++ b/.github/workflows/dependency-update.yml @@ -120,7 +120,7 @@ jobs: - name: Report New Pull Request to Slack Channel id: report-pr-slack if: ${{ steps.create-pr.outputs.pr_url }} - uses: ravsamhq/notify-slack-action@v2 + uses: ravsamhq/notify-slack-action@be814b201e233b2dc673608aa46e5447c8ab13f2 # v2.5.0 with: status: '${{ job.status }}' token: '${{ secrets.GITHUB_TOKEN }}' diff --git a/.github/zizmor.yml b/.github/zizmor.yml index a1468198b..624c03852 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -16,7 +16,7 @@ rules: actions/upload-artifact: ref-pin actions/upload-pages-artifact: hash-pin exasol/python-toolbox/.github/actions/python-environment: ref-pin - ravsamhq/notify-slack-action: ref-pin + ravsamhq/notify-slack-action: hash-pin zizmorcore/zizmor-action: hash-pin use-trusted-publishing: disable: true diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml index ea722d61e..8363d6e38 100644 --- a/exasol/toolbox/templates/github/workflows/dependency-update.yml +++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml 
@@ -119,7 +119,7 @@ jobs: - name: Report New Pull Request to Slack Channel id: report-pr-slack if: ${{ steps.create-pr.outputs.pr_url }} - uses: ravsamhq/notify-slack-action@v2 + uses: ravsamhq/notify-slack-action@be814b201e233b2dc673608aa46e5447c8ab13f2 # v2.5.0 with: status: '${{ job.status }}' token: '${{ secrets.GITHUB_TOKEN }}' From 8453aafe173ec014e0deb1e7b72726462a19baf4 Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Thu, 11 Jun 2026 10:55:14 +0200 Subject: [PATCH 09/17] Switch actions/upload-artifact action from v7.0.0 to its SHA --- .github/workflows/checks.yml | 4 ++-- .github/workflows/fast-tests.yml | 2 +- .github/workflows/slow-checks.yml | 2 +- .github/zizmor.yml | 2 +- exasol/toolbox/templates/github/workflows/checks.yml | 4 ++-- exasol/toolbox/templates/github/workflows/fast-tests.yml | 2 +- exasol/toolbox/templates/github/workflows/slow-checks.yml | 2 +- 7 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index eee6c80a9..74ecc5d21 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -86,7 +86,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: lint-python${{ matrix.python-versions }} path: | @@ -152,7 +152,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: security-python${{ matrix.python-versions }} path: .security.json diff --git a/.github/workflows/fast-tests.yml b/.github/workflows/fast-tests.yml index de5715055..2bafe1107 100644 --- a/.github/workflows/fast-tests.yml +++ b/.github/workflows/fast-tests.yml 
@@ -36,7 +36,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: coverage-python${{ matrix.python-versions }}-fast path: .coverage
diff --git a/.github/workflows/slow-checks.yml b/.github/workflows/slow-checks.yml
index a28ee5214..c387a8965 100644
--- a/.github/workflows/slow-checks.yml
+++ b/.github/workflows/slow-checks.yml
@@ -42,7 +42,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: coverage-python${{ matrix.python-version }}-slow path: .coverage
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index 624c03852..9c1005056 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -13,7 +13,7 @@ rules: actions/deploy-pages: ref-pin actions/download-artifact: ref-pin actions/setup-python: ref-pin - actions/upload-artifact: ref-pin + actions/upload-artifact: hash-pin actions/upload-pages-artifact: hash-pin exasol/python-toolbox/.github/actions/python-environment: ref-pin ravsamhq/notify-slack-action: hash-pin
diff --git a/exasol/toolbox/templates/github/workflows/checks.yml b/exasol/toolbox/templates/github/workflows/checks.yml
index f87767372..850db33c0 100644
--- a/exasol/toolbox/templates/github/workflows/checks.yml
+++ b/exasol/toolbox/templates/github/workflows/checks.yml
@@ -85,7 +85,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: lint-python${{ matrix.python-versions }} path: |
@@ -151,7 +151,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: security-python${{ matrix.python-versions }} path: .security.json
diff --git a/exasol/toolbox/templates/github/workflows/fast-tests.yml b/exasol/toolbox/templates/github/workflows/fast-tests.yml
index 265243ae9..6575b8860 100644
--- a/exasol/toolbox/templates/github/workflows/fast-tests.yml
+++ b/exasol/toolbox/templates/github/workflows/fast-tests.yml
@@ -35,7 +35,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: coverage-python${{ matrix.python-versions }}-fast path: .coverage
diff --git a/exasol/toolbox/templates/github/workflows/slow-checks.yml b/exasol/toolbox/templates/github/workflows/slow-checks.yml
index bdad474c1..3bfe05dfc 100644
--- a/exasol/toolbox/templates/github/workflows/slow-checks.yml
+++ b/exasol/toolbox/templates/github/workflows/slow-checks.yml
@@ -44,7 +44,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: coverage-python${{ matrix.python-version }}-exasol${{ matrix.exasol-version }}-slow path: .coverage

From 9f14f6e627ef8d8f1df685c31c3c696133a1a68d Mon Sep 17 00:00:00 2001
From: Ariel Schulz
Date: Thu, 11 Jun 2026 11:19:34 +0200
Subject: [PATCH 10/17] Switch actions/setup-python action from v6 to its v6.2.0 SHA

---
 .github/actions/python-environment/action.yml | 2 +-
 .github/actions/security-issues/action.yml | 2 +-
 .github/zizmor.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/actions/python-environment/action.yml b/.github/actions/python-environment/action.yml
index 2e0ba3559..2978703eb 100644
--- a/.github/actions/python-environment/action.yml
+++ b/.github/actions/python-environment/action.yml
@@ -34,7 +34,7 @@ runs: - name: Set up Python (${{ inputs.python-version}}) - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ inputs.python-version }}
diff --git a/.github/actions/security-issues/action.yml b/.github/actions/security-issues/action.yml
index 58c969d4b..65047483b 100644
--- a/.github/actions/security-issues/action.yml
+++ b/.github/actions/security-issues/action.yml
@@ -32,7 +32,7 @@ runs: steps: - name: Setup Python (${{ inputs.python-version}}) - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: 3.11
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index 9c1005056..0f50ac57a 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -12,7 +12,7 @@ rules: actions/cache: ref-pin actions/deploy-pages: ref-pin actions/download-artifact: ref-pin - actions/setup-python: ref-pin + actions/setup-python: hash-pin actions/upload-artifact: hash-pin actions/upload-pages-artifact: hash-pin exasol/python-toolbox/.github/actions/python-environment: ref-pin

From 8a74872918cf40e048f0ee029a1b9a85bde9b606 Mon Sep 17 00:00:00 2001
From: Ariel Schulz
Date: Thu, 11 Jun 2026 11:24:50 +0200
Subject: [PATCH 11/17] Switch actions/download-artifact action from v8 to its v8.0.1 SHA

---
 .github/workflows/report.yml | 2 +-
 .github/zizmor.yml | 2 +-
 exasol/toolbox/templates/github/workflows/report.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml
index b2dfcff04..a9254b989 100644
--- a/.github/workflows/report.yml
+++ b/.github/workflows/report.yml
@@ -31,7 +31,7 @@ jobs: - name: Download Artifacts id: download-artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: ./artifacts
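Review bot: In the `security-issues/action.yml` hunk the step being re-pinned still hard-codes `python-version: 3.11` while its name advertises `Setup Python (${{ inputs.python-version}})`, so the log claims one interpreter and installs another; if that input is declared by the action, `python-version: "${{ inputs.python-version }}"` makes the two agree, and if it is not, the interpolation in the name should go. The unquoted `3.11` also depends on YAML float parsing round-tripping to the string `3.11`; it happens to work for this value, but `3.10` would become `3.1`, so quote it either way. The `python-environment` hunk above already passes the input through, and both steps now share the `a309ff8b42…` pin, so they will be bumped together. The enclosing `runs:` block begins outside both hunks.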
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index 0f50ac57a..64f25bbda 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -11,7 +11,7 @@ rules: actions/checkout: hash-pin actions/cache: ref-pin actions/deploy-pages: ref-pin - actions/download-artifact: ref-pin + actions/download-artifact: hash-pin actions/setup-python: hash-pin actions/upload-artifact: hash-pin actions/upload-pages-artifact: hash-pin
diff --git a/exasol/toolbox/templates/github/workflows/report.yml b/exasol/toolbox/templates/github/workflows/report.yml
index e632ffdaa..bc7e1fd33 100644
--- a/exasol/toolbox/templates/github/workflows/report.yml
+++ b/exasol/toolbox/templates/github/workflows/report.yml
@@ -30,7 +30,7 @@ jobs: - name: Download Artifacts id: download-artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: ./artifacts

From 4a9153e8d4688a883beec2ef287f66d927b40426 Mon Sep 17 00:00:00 2001
From: Ariel Schulz
Date: Thu, 11 Jun 2026 11:28:18 +0200
Subject: [PATCH 12/17] Switch actions/deploy-pages action from v5 to its v5.0.0 SHA

---
 .github/workflows/gh-pages.yml | 2 +-
 .github/zizmor.yml | 2 +-
 exasol/toolbox/templates/github/workflows/gh-pages.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
index 244a09d59..ea2f5b88f 100644
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
@@ -53,4 +53,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deploy-to-github-pages - uses: actions/deploy-pages@v5 + uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index 64f25bbda..fea03c9db 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -10,7 +10,7 @@ rules: policies: actions/checkout: hash-pin actions/cache: ref-pin - actions/deploy-pages: ref-pin + actions/deploy-pages: hash-pin actions/download-artifact: hash-pin actions/setup-python: hash-pin actions/upload-artifact: hash-pin
diff --git a/exasol/toolbox/templates/github/workflows/gh-pages.yml b/exasol/toolbox/templates/github/workflows/gh-pages.yml
index db6f5e582..3f8edbd3b 100644
--- a/exasol/toolbox/templates/github/workflows/gh-pages.yml
+++ b/exasol/toolbox/templates/github/workflows/gh-pages.yml
@@ -52,4 +52,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deploy-to-github-pages - uses: actions/deploy-pages@v5 + uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0

From 0f4e4ce2f8588b802120bf58eea44cf89a81ea10 Mon Sep 17 00:00:00 2001
From: Ariel Schulz
Date: Thu, 11 Jun 2026 11:28:27 +0200
Subject: [PATCH 13/17] Add zizmor as a dependency

---
 poetry.lock | 27 ++++++++++++++++++++++++---
 pyproject.toml | 1 +
 2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/poetry.lock b/poetry.lock
index fc191d526..2e052025a 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -1,4 +1,4 @@ -# This file is automatically @generated by Poetry 2.3.0 and should not be changed by hand. +# This file is automatically @generated by Poetry 2.4.1 and should not be changed by hand. [[package]] name = "accessible-pygments"
@@ -2649,8 +2649,8 @@ astroid = ">=4.0.2,<=4.1.dev0" colorama = {version = ">=0.4.5", markers = "sys_platform == \"win32\""} dill = [ {version = ">=0.2", markers = "python_version < \"3.11\""}, - {version = ">=0.3.7", markers = "python_version >= \"3.12\""}, {version = ">=0.3.6", markers = "python_version == \"3.11\""}, + {version = ">=0.3.7", markers = "python_version >= \"3.12\""}, ] isort = ">=5,<5.13 || >5.13,<9" mccabe = ">=0.6,<0.8"
@@ -4062,7 +4062,28 @@ enabler = ["pytest-enabler (>=3.4)"] test = ["big-O", "jaraco.functools", "jaraco.itertools", "jaraco.test", "more_itertools", "pytest (>=6,!=8.1.*)", "pytest-ignore-flaky"] type = ["pytest-mypy (>=1.0.1) ; platform_python_implementation != \"PyPy\""] +[[package]] +name = "zizmor" +version = "1.25.2" +description = "Static analysis for GitHub Actions" +optional = false +python-versions = ">=3.10" +groups = ["main"] +files = [ + {file = "zizmor-1.25.2-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:17cc8cfd9d472e8b11945a869c198d25cfdf4a33f36fa7a1f9674099f5fb509d"}, + {file = "zizmor-1.25.2-py3-none-macosx_11_0_arm64.whl", hash = "sha256:d3e301eb4465e2da77857cf01ab4ef0184cf3818e826800b270ab01ae7338977"}, + {file = "zizmor-1.25.2-py3-none-manylinux_2_24_aarch64.whl", hash = "sha256:cf64374149b567c9373228b76c8e77a389b4071899f84b82c36ee50fab894e79"}, + {file = "zizmor-1.25.2-py3-none-manylinux_2_28_armv7l.whl", hash = "sha256:0beba1601be08bd00c9277e6ed4b026e125b26b379d86d6d98eb708409b3050d"}, + {file = "zizmor-1.25.2-py3-none-manylinux_2_28_x86_64.whl", hash = "sha256:c4246f1344d8dbeffc044d7bb11b131773a7db7eb57d9073c45942dfd3543a1f"}, + {file = "zizmor-1.25.2-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:dbb1b5c85b8de8eaa0227c6620f06c8e4fbd0a4da2086e218bc225c0bef0923d"}, + {file = "zizmor-1.25.2-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:d670a1e2f00b3cd56febd145bc1a0b2c4caf1cbe5dad8128721843fa877e2d2e"}, + {file = "zizmor-1.25.2-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:b75c84d7387389f95edadbe859fb2aaf0a360c5b080932cc53e92ae1db6f09ef"}, + {file = "zizmor-1.25.2-py3-none-win32.whl", hash = "sha256:aa9f4c43b499c55339c3ef2e885133c5017cd9a18d76d9335541203cfa5ae1e7"}, + {file = "zizmor-1.25.2-py3-none-win_amd64.whl", hash = "sha256:af55bd9bd119ea8cbce2a7addc3922503019de32c1fe31106d70b3dc77d77908"}, + {file = "zizmor-1.25.2.tar.gz", hash = "sha256:f26ffeb16659c8922c7b08203ca5a4f8bf5e1a7e8d190734961c40877cf778ea"}, +] + 
[metadata] lock-version = "2.1" python-versions = ">=3.10,<4.0" -content-hash = "3d5c07aeaab839a92ec06e66addd20d634864518ef66d76623d08d5eaae6817b" +content-hash = "a0c2776376a043679e656b301d640e4b13835be4910ee122da54fd8ef37ed85f"
diff --git a/pyproject.toml b/pyproject.toml
index 4dbc06d44..569c72ee3 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -59,6 +59,7 @@ dependencies = [ "structlog (>=25.5.0,<26.0.0)", "typer[all]>=0.7.0", "twine>=6.1.0,<7", + "zizmor (>=1.25.2,<2.0.0)", ] [project.scripts]

From 944f4c5b41688ece754b4b2c02f5bca1b3b44467 Mon Sep 17 00:00:00 2001
From: Ariel Schulz
Date: Thu, 11 Jun 2026 11:32:41 +0200
Subject: [PATCH 14/17] Switch actions/cache action from v5 to its v5.0.5 SHA

---
 .github/actions/python-environment/action.yml | 2 +-
 .github/zizmor.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/actions/python-environment/action.yml b/.github/actions/python-environment/action.yml
index 2978703eb..7abfd448a 100644
--- a/.github/actions/python-environment/action.yml
+++ b/.github/actions/python-environment/action.yml
@@ -69,7 +69,7 @@ runs: - name: Cache Poetry environment if: inputs.use-cache == 'true' id: cache-poetry-env - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ${{ steps.setup-cache-variables.outputs.POETRY_ENV_PATH }} key: poetry-env-${{ steps.setup-cache-variables.outputs.POETRY_SHA }}-${{ steps.setup-cache-variables.outputs.IMAGE_OS }}-${{ steps.setup-cache-variables.outputs.IMAGE_VERSION }}-${{ runner.arch }}-${{ inputs.poetry-version }}-${{ inputs.python-version }}-${{ inputs.extras }}
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index fea03c9db..996766ffa 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -9,7 +9,7 @@ rules: config: policies: actions/checkout: hash-pin - actions/cache: ref-pin + actions/cache: hash-pin actions/deploy-pages: hash-pin actions/download-artifact: hash-pin actions/setup-python: hash-pin
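Review bot: `"zizmor (>=1.25.2,<2.0.0)"` lands in the package's runtime `dependencies`, so every installer of the toolbox now pulls zizmor's platform-specific binary wheels whether or not they lint workflows; that matches `twine` and `typer` sitting in the same list, but a linter in the runtime set deserves a one-line rationale in the commit message or changelog. If CI also runs zizmor through a GitHub Action rather than through this package, the two versions can drift and disagree on findings; pin both to the same release or state which one is authoritative. The `poetry.lock` hunk above was regenerated by Poetry 2.4.1 (its header previously said 2.3.0) and reordered the `dill` markers as a side effect; align the Poetry version used in CI, or the next `poetry lock` will churn the file again.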
From 27e6631079b8cec068a5920b712d87d1ed520247 Mon Sep 17 00:00:00 2001
From: Ariel Schulz
Date: Thu, 11 Jun 2026 11:34:47 +0200
Subject: [PATCH 15/17] Make it the default that all except the PTB ones use hashes

---
 .github/zizmor.yml | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index 996766ffa..a8f107c49 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -8,15 +8,7 @@ rules: unpinned-uses: config: policies: - actions/checkout: hash-pin - actions/cache: hash-pin - actions/deploy-pages: hash-pin - actions/download-artifact: hash-pin - actions/setup-python: hash-pin - actions/upload-artifact: hash-pin - actions/upload-pages-artifact: hash-pin + "*": hash-pin exasol/python-toolbox/.github/actions/python-environment: ref-pin - ravsamhq/notify-slack-action: hash-pin - zizmorcore/zizmor-action: hash-pin use-trusted-publishing: disable: true

From 5b0913f5312eec349db1c3970f02e6f8072c11e8 Mon Sep 17 00:00:00 2001
From: Ariel Schulz
Date: Thu, 11 Jun 2026 11:40:45 +0200
Subject: [PATCH 16/17] Fix overrides

---
 .github/workflows/fast-tests.yml | 2 +-
 .workflow-patcher.yml | 2 +-
 test/unit/util/workflows/conftest.py | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/fast-tests.yml b/.github/workflows/fast-tests.yml
index 2bafe1107..06f20755f 100644
--- a/.github/workflows/fast-tests.yml
+++ b/.github/workflows/fast-tests.yml
@@ -19,7 +19,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false fetch-depth: 0
diff --git a/.workflow-patcher.yml b/.workflow-patcher.yml
index bdf6d52fe..f5e1c0e7b 100644
--- a/.workflow-patcher.yml
+++ b/.workflow-patcher.yml
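Review bot: `exasol/python-toolbox/.github/actions/python-environment: ref-pin` is now the sole exception to `"*": hash-pin`, but nothing records why first-party composite actions may float while everything else must not; add `# first-party composite action: ref-pin accepted because <reason>` above it so the exception survives the next cleanup. The subject says all PTB actions are exempt, yet only `python-environment` is listed; `.github/actions/security-issues`, re-pinned earlier in this series, will be flagged if any consumer references it by tag, so either add a parallel line for it or confirm it is only ever used by relative path. Quoting `"*"` is right, since a bare `*` would be parsed as a YAML alias.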
@@ -8,7 +8,7 @@ workflows: # The PTB has unit tests which require the fetch-depth to be 0. - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false fetch-depth: 0
diff --git a/test/unit/util/workflows/conftest.py b/test/unit/util/workflows/conftest.py
index c1e763f23..beec18e31 100644
--- a/test/unit/util/workflows/conftest.py
+++ b/test/unit/util/workflows/conftest.py
@@ -27,7 +27,7 @@ class ExamplePatcherYaml: content: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 """

From e4a7b2e13fcf8b89c2e0a1eeb6921cf32e293304 Mon Sep 17 00:00:00 2001
From: Ariel Schulz
Date: Thu, 11 Jun 2026 11:42:48 +0200
Subject: [PATCH 17/17] Fix as not with v

---
 .github/workflows/dependency-update.yml | 2 +-
 exasol/toolbox/templates/github/workflows/dependency-update.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml
index ef16a7878..4c1ae042a 100644
--- a/.github/workflows/dependency-update.yml
+++ b/.github/workflows/dependency-update.yml
@@ -120,7 +120,7 @@ jobs: - name: Report New Pull Request to Slack Channel id: report-pr-slack if: ${{ steps.create-pr.outputs.pr_url }} - uses: ravsamhq/notify-slack-action@be814b201e233b2dc673608aa46e5447c8ab13f2 # v2.5.0 + uses: ravsamhq/notify-slack-action@be814b201e233b2dc673608aa46e5447c8ab13f2 # 2.5.0 with: status: '${{ job.status }}' token: '${{ secrets.GITHUB_TOKEN }}'
diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml
index 8363d6e38..72d51d0fd 100644
--- a/exasol/toolbox/templates/github/workflows/dependency-update.yml
+++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml
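Review bot: The `.workflow-patcher.yml` override now carries a full `actions/checkout` SHA although, per the comment above it, it exists only to add `fetch-depth: 0`; whatever bumps checkout under `.github/workflows/` is unlikely to rewrite this file (a Dependabot `github-actions` entry, for instance, scans workflow and `action.yml` files rather than arbitrary YAML), so the next bump would be quietly undone when the patcher re-applies the override with the old commit. If the patcher replaces the whole step, a unit test asserting that the override's `uses:` equals the template's would catch that; if it can merge only `with.fetch-depth`, dropping `uses:` from the override removes the duplication entirely. The same SHA is also baked into the `conftest.py` fixture in the next hunk, a third copy to keep in step.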
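Review bot: The comment is rewritten from `# v2.5.0` to `# 2.5.0`, yet the subject of the commit that introduced the pin earlier in this series calls the release `v2.5.0`, so one of the two spellings is wrong and the diff offers no way to tell which; the comment has to match the upstream tag name exactly, because tooling that maintains SHA pins typically reads it to know which release `be814b201e…` stands for and what to bump to. Verify against the action's tag list and name the tag in the commit message. The template copy in the next hunk needs the same correction. Since this is the second rewrite of the same line in the series, squashing it into the commit that added the pin would keep the history easier to audit.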
@@ -119,7 +119,7 @@ jobs: - name: Report New Pull Request to Slack Channel id: report-pr-slack if: ${{ steps.create-pr.outputs.pr_url }} - uses: ravsamhq/notify-slack-action@be814b201e233b2dc673608aa46e5447c8ab13f2 # v2.5.0 + uses: ravsamhq/notify-slack-action@be814b201e233b2dc673608aa46e5447c8ab13f2 # 2.5.0 with: status: '${{ job.status }}' token: '${{ secrets.GITHUB_TOKEN }}'