diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
index ab1676c8..4a603c5b 100644
--- a/.github/workflows/bump-version.yml
+++ b/.github/workflows/bump-version.yml
@@ -37,7 +37,7 @@ jobs:
 actions: read
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
 with:
 disable-sudo: true
 egress-policy: block
@@ -48,17 +48,17 @@ jobs:
 pypi.org:443
 - name: Generate App Token
 id: token_generator
- uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+ uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2.2.0
 with:
 app-id: ${{ secrets.BIRDHOUSE_HELPER_BOT_ID }}
 private-key: ${{ secrets.BIRDHOUSE_HELPER_BOT_KEY }}
 - name: Checkout Repository
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 with:
 token: ${{ steps.token_generator.outputs.token }}
 persist-credentials: false
 - name: Set up Python3
- uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+ uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
 with:
 python-version: "3.x"
 - name: Import GPG Key
diff --git a/.github/workflows/docker-testing.yml b/.github/workflows/docker-testing.yml
index 2d1e2f95..d7d16a40 100644
--- a/.github/workflows/docker-testing.yml
+++ b/.github/workflows/docker-testing.yml
@@ -20,7 +20,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
 with:
 disable-sudo: true
 egress-policy: block
@@ -33,7 +33,7 @@ jobs:
 pypi.org:443
 registry-1.docker.io:443
 - name: Checkout Repository
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 - name: Build Docker image (no push)
diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml
index fbf20d60..8d5bae41 100644
--- a/.github/workflows/label.yml
+++ b/.github/workflows/label.yml
@@ -27,7 +27,7 @@ jobs:
 pull-requests: write
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
 with:
 disable-sudo: true
 egress-policy: block
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 2ea0e44a..890cb3c3 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -18,19 +18,22 @@ jobs:
 lint:
 name: Code linting
 runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ python-version: [ "3.13" ]
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
 with:
 egress-policy: audit
 - name: Checkout Repository
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 with:
 persist-credentials: false
 - name: Set up Python${{ matrix.python-version }}
- uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+ uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
 with:
- python-version: "3.x"
+ python-version: ${{ matrix.python-version }}
 cache: pip
 - name: Install CI libraries
 run: |
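Review bot: The `Checkout Repository` step in the docker-testing.yml hunk (`@@ -33,7 +33,7 @@`) has no `with:` block, so `persist-credentials` stays at its default of true, while every other checkout touched by this commit sets it to false. The job token therefore remains configured for git on the runner while the Buildx and image-build steps that follow run, which nothing visible here appears to need. Add `with:` and `persist-credentials: false` under the `uses:` line so this workflow matches the others. The move from v5 to v6 is a major bump of the action that handles those credentials (how v6 stores them is inferred from upstream notes, not from this diff), so it is worth settling now. The job's step list continues outside the hunk.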
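Review bot: Adding `strategy.matrix` to the `lint` job in main.yml (`@@ -18,19 +18,22 @@`) changes the check name it reports from `Code linting` to `Code linting (3.13)`, because GitHub appends matrix values to the job name. If a branch-protection rule or ruleset requires the old name (not visible in this diff), the required check would never report, and the usual way out is to loosen the rule. The jobs in publish-pypi.yml and tag-testpypi.yml gain the same one-entry matrix and are renamed the same way. Either update the required check names together with this change, or hold the version in a workflow-level `env` value and use `python-version: ${{ env.PYTHON_VERSION }}` (name constructed for illustration) so job names stay stable. The lint job's remaining steps are outside the hunk.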
@@ -53,11 +56,11 @@ jobs:
 python-version: [ "3.10", "3.11", "3.12" ]
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
 with:
 egress-policy: audit
 - name: Checkout Repository
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 with:
 persist-credentials: false
 - name: Setup Conda (Micromamba) with Python${{ matrix.python-version }}
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
index 59db93db..7d76aec8 100644
--- a/.github/workflows/publish-pypi.yml
+++ b/.github/workflows/publish-pypi.yml
@@ -16,9 +16,12 @@ jobs:
 # IMPORTANT: this permission is mandatory for trusted publishing
 id-token: write
 runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ python-version: [ "3.13" ]
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
 with:
 disable-sudo: true
 egress-policy: block
@@ -29,13 +32,13 @@ jobs:
 ruf-repo-cdn.sigstore.dev:443
 upload.pypi.org:443
 - name: Checkout Repository
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 with:
 persist-credentials: false
- - name: Set up Python3
- uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+ - name: Set up Python${{ matrix.python-version }}
+ uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
 with:
- python-version: "3.x"
+ python-version: ${{ matrix.python-version }}
 - name: Install CI libraries
 run: |
 python -m pip install --require-hashes -r CI/requirements_ci.txt
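Review bot: The one-entry matrix added beside `id-token: write` in publish-pypi.yml (`@@ -16,9 +16,12 @@`) needs a comment saying it must stay at a single entry, because this job publishes. A second Python version would run the whole job, including the upload under the OIDC identity, once per entry. Suggested comment above the `python-version: [ "3.13" ]` line: `# single entry on purpose: the publish job must run exactly once per release`. tag-testpypi.yml adds the same matrix in its `@@ -16,9 +16,12 @@` hunk and would take the same comment. The job's steps continue outside the hunk.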
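Review bot: The allow-list entry `ruf-repo-cdn.sigstore.dev:443` in the context at the top of the publish-pypi.yml hunk `@@ -29,13 +32,13 @@` looks like a misspelling of Sigstore's TUF repository host, `tuf-repo-cdn.sigstore.dev`. The Harden Runner step in this file runs with `egress-policy: block`, so if the file really reads this way the correct host is blocked and any step that fetches the Sigstore trust root during publishing would fail or go without its signature or attestation. The line should read `tuf-repo-cdn.sigstore.dev:443`; tag-testpypi.yml carries the same entry in its `@@ -29,13 +32,13 @@` hunk. The allow-list starts above the hunk, so its other entries are not visible here.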
diff --git a/.github/workflows/tag-testpypi.yml b/.github/workflows/tag-testpypi.yml
index f01ac362..43be03b4 100644
--- a/.github/workflows/tag-testpypi.yml
+++ b/.github/workflows/tag-testpypi.yml
@@ -16,9 +16,12 @@ jobs:
 # IMPORTANT: this permission is mandatory for trusted publishing
 id-token: write
 runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ python-version: [ "3.13" ]
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
 with:
 disable-sudo: true
 egress-policy: block
@@ -29,13 +32,13 @@ jobs:
 ruf-repo-cdn.sigstore.dev:443
 test.pypi.org:443
 - name: Checkout Repository
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 with:
 persist-credentials: false
- - name: Set up Python3
- uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+ - name: Set up Python${{ matrix.python-version }}
+ uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
 with:
- python-version: "3.x"
+ python-version: ${{ matrix.python-version }}
 - name: Install CI libraries
 run: |
 python -m pip install --require-hashes -r CI/requirements_ci.txt