Release 1.214.0

See release notes.

Author: cjdsellers

.github/actions/common-setup/action.yml

@@ -17,7 +17,8 @@ runs:
     # > OS
     - name: Free disk space (Ubuntu)
       if: inputs.free-disk-space == 'true' && runner.os == 'Linux'
-      uses: jlumbroso/free-disk-space@main
+      # https://github.com/jlumbroso/free-disk-space/releases/tag/v1.3.1
+      uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
       with:
         tool-cache: true
         android: true
@@ -34,16 +35,16 @@ runs:
         rm -rf "/c/Program Files/dotnet"
         rm -rf "/c/Program Files (x86)/Microsoft Visual Studio/2019"
 
-    # TODO: Temporarily fix-missing to sync outdated package index
     - name: Install runner dependencies
       if: runner.os == 'Linux'
       shell: bash
       run: |
-        sudo apt-get update --fix-missing
+        sudo apt-get update
         sudo apt-get install -y curl clang git libssl-dev make pkg-config
 
     - name: Install mold
-      uses: rui314/setup-mold@v1
+      # https://github.com/rui314/setup-mold
+      uses: rui314/setup-mold@565a5a945b82f5759c6148485163f6ecd90da653 # v1
 
     # > --------------------------------------------------
     # > Rust
@@ -105,7 +106,8 @@ runs:
 
     - name: Cached sccache
       id: cached-sccache
-      uses: actions/cache@v4
+      # https://github.com/actions/cache/releases/tag/v4.2.3
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
       with:
         path: ${{ env.SCCACHE_DIR }}
         key: sccache-${{ runner.os }}-${{ github.workflow }}-${{ github.job }}-${{ hashFiles('**/Cargo.toml', '**/Cargo.lock', '**/poetry.lock') }}
@@ -115,12 +117,14 @@ runs:
           sccache-${{ runner.os }}-
 
     - name: Run sccache
-      uses: mozilla-actions/[email protected]
+      # https://github.com/Mozilla-Actions/sccache-action/releases/tag/v0.0.8
+      uses: mozilla-actions/sccache-action@65101d47ea8028ed0c98a1cdea8dd9182e9b5133 # v0.0.8
 
     # > --------------------------------------------------
     # > Python
     - name: Set up Python environment
-      uses: actions/setup-python@v5
+      # https://github.com/actions/setup-python/releases/tag/v5.4.0
+      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
       with:
         python-version: ${{ inputs.python-version }}
 
@@ -131,7 +135,8 @@ runs:
 
     - name: Cache Python site-packages
       id: cached-site-packages
-      uses: actions/cache@v4
+      # https://github.com/actions/cache/releases/tag/v4.2.3
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
       with:
         path: ~/.local/lib/python${{ inputs.python-version }}/site-packages
         key: ${{ runner.os }}-${{ inputs.python-version }}-site-packages
@@ -140,7 +145,7 @@ runs:
 
     - name: Install pre-commit
       shell: bash
-      run: pip install pre-commit==4.1.0
+      run: pip install pre-commit==4.2.0
 
     # > --------------------------------------------------
     # > UV
@@ -161,7 +166,8 @@ runs:
 
     - name: Cached uv
       id: cached-uv
-      uses: actions/cache@v4
+      # https://github.com/actions/cache/releases/tag/v4.2.3
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
       with:
         path: ${{ env.UV_CACHE_DIR }}
         key: ${{ runner.os }}-${{ env.PYTHON_VERSION }}-uv-${{ hashFiles('**/uv.lock') }}
@@ -170,7 +176,8 @@ runs:
     # > pre-commit
     - name: Cached pre-commit
       id: cached-pre-commit
-      uses: actions/cache@v4
+      # https://github.com/actions/cache/releases/tag/v4.2.3
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
       with:
         path: ~/.cache/pre-commit
         key: ${{ runner.os }}-${{ env.PYTHON_VERSION }}-pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}

.github/actions/common-test-data/action.yml

@@ -6,7 +6,8 @@ runs:
   steps:
       - name: Cached test data
         id: cached-testdata-large
-        uses: actions/cache@v4
+        # https://github.com/actions/cache/releases/tag/v4.2.3
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: tests/test_data/large
           key: ${{ runner.os }}-large-files-${{ hashFiles('tests/test_data/large/checksums.json') }}

.github/actions/common-wheel-build/action.yml

@@ -10,11 +10,13 @@ runs:
   using: "composite"
   steps:
     - name: Update version in pyproject.toml
+      if: github.ref != 'refs/heads/master'
       shell: bash
       run: |
         bash ./scripts/ci/update-pyproject-version.sh
 
     - name: Generate updated lock file
+      if: github.ref != 'refs/heads/master'
       shell: bash
       run: uv lock --no-upgrade
 

.github/actions/publish-wheels/action.yml

@@ -5,10 +5,12 @@ runs:
   using: "composite"
   steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      # https://github.com/actions/checkout/releases/tag/v4.2.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Download built wheels
-      uses: actions/download-artifact@v4
+      # https://github.com/actions/download-artifact/releases/tag/v4.2.1
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         path: dist/
         pattern: "*.whl"

.github/actions/upload-artifact-wheel/action.yml

@@ -26,7 +26,8 @@ runs:
 
     - name: Upload wheel artifact
       if: github.event_name == 'push'
-      uses: actions/upload-artifact@v4
+      # https://github.com/actions/upload-artifact/releases/tag/v4.6.2
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: ${{ env.ASSET_NAME }}
         path: ${{ env.ASSET_PATH }}

.github/workflows/build-docs.yml

@@ -8,6 +8,11 @@ jobs:
   build-docs:
     runs-on: ubuntu-latest
     steps:
+      # https://github.com/step-security/harden-runner/releases/tag/v2.11.0
+      - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: Fire event to nautilus_docs
         run: |
           curl -L \

.github/workflows/build.yml

@@ -11,8 +11,14 @@ jobs:
     name: pre-commit
     runs-on: ubuntu-latest
     steps:
+      # https://github.com/step-security/harden-runner/releases/tag/v2.11.0
+      - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v4
+        # https://github.com/actions/checkout/releases/tag/v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Common setup
         uses: ./.github/actions/common-setup
@@ -61,10 +67,15 @@ jobs:
         ports:
           - 5432:5432
         options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
-
     steps:
+      # https://github.com/step-security/harden-runner/releases/tag/v2.11.0
+      - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v4
+        # https://github.com/actions/checkout/releases/tag/v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Common setup
         uses: ./.github/actions/common-setup
@@ -136,10 +147,15 @@ jobs:
         ports:
           - 5432:5432
         options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
-
     steps:
+      # https://github.com/step-security/harden-runner/releases/tag/v2.11.0
+      - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v4
+        # https://github.com/actions/checkout/releases/tag/v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Common setup
         uses: ./.github/actions/common-setup
@@ -200,8 +216,14 @@ jobs:
       BUILD_MODE: release
       RUST_BACKTRACE: 1
     steps:
+      # https://github.com/step-security/harden-runner/releases/tag/v2.11.0
+      - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v4
+        # https://github.com/actions/checkout/releases/tag/v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Common setup
         uses: ./.github/actions/common-setup
@@ -252,8 +274,14 @@ jobs:
       PARALLEL_BUILD: false
       RUST_BACKTRACE: 1
     steps:
+      # https://github.com/step-security/harden-runner/releases/tag/v2.11.0
+      - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v4
+        # https://github.com/actions/checkout/releases/tag/v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Common setup
         uses: ./.github/actions/common-setup
@@ -294,10 +322,15 @@ jobs:
       CLOUDFLARE_R2_BUCKET_NAME: "packages"
       CLOUDFLARE_R2_REGION: "auto"
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
     steps:
+      # https://github.com/step-security/harden-runner/releases/tag/v2.11.0
+      - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v4
+        # https://github.com/actions/checkout/releases/tag/v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Publish wheels
         uses: ./.github/actions/publish-wheels
@@ -320,10 +353,15 @@ jobs:
       CLOUDFLARE_R2_BUCKET_NAME: "packages"
       CLOUDFLARE_R2_REGION: "auto"
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
     steps:
+      # https://github.com/step-security/harden-runner/releases/tag/v2.11.0
+      - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v4
+        # https://github.com/actions/checkout/releases/tag/v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Publish wheels
         uses: ./.github/actions/publish-wheels

.github/workflows/codeql-analysis.yml

@@ -10,20 +10,25 @@ jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
-
     strategy:
       fail-fast: false
       matrix:
         language: ['python']
-
     steps:
+      # https://github.com/step-security/harden-runner/releases/tag/v2.11.0
+      - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v4
+        # https://github.com/actions/checkout/releases/tag/v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 1
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        # https://github.com/github/codeql-action
+        uses: github/codeql-action/init@70df9def86d22bf0ea4e7f8b956e7b92e7c1ea22  # v2.20.7
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -32,4 +37,5 @@ jobs:
           # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        # https://github.com/github/codeql-action
+        uses: github/codeql-action/analyze@70df9def86d22bf0ea4e7f8b956e7b92e7c1ea22  # v2.20.7

.github/workflows/coverage.yml

@@ -26,10 +26,15 @@ jobs:
         ports:
           - 5432:5432
         options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
-
     steps:
+      # https://github.com/step-security/harden-runner/releases/tag/v2.11.0
+      - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v4
+        # https://github.com/actions/checkout/releases/tag/v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Common setup
         uses: ./.github/actions/common-setup