diff --git a/.github/renovate.json5 b/.github/renovate.json5
index b9baefa8850eb1..150c786334ab11 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -13,7 +13,6 @@
 {
 "matchDepTypes": ["action"],
 "pinDigests": true,
- "matchPackageNames": ["!actions/{/,}**", "!github/{/,}**"],
 },
 {
 "groupName": "rolldown-related dependencies",
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a31d8d0ebd0f23..63de716535665c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -39,7 +39,7 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 # Assume PRs are less than 50 commits
 fetch-depth: 50
@@ -76,7 +76,7 @@ jobs:
 name: "Build&Test: node-${{ matrix.node_version }}, ${{ matrix.os }}"
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
@@ -84,7 +84,7 @@ jobs:
 uses: pnpm/action-setup@91ab88e2619ed1f46221f0ba42d1492c02baf788 # v6.0.6
 - name: Set node version to ${{ matrix.node_version }}
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: ${{ matrix.node_version }}
 cache: "pnpm"
@@ -107,7 +107,7 @@ jobs:
 echo "PLAYWRIGHT_VERSION=$env:PLAYWRIGHT_VERSION" >> $env:GITHUB_ENV
 - name: Cache Playwright's binary
- uses: actions/cache@v5
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
 with:
 key: ${{ runner.os }}-playwright-bin-v1-${{ env.PLAYWRIGHT_VERSION }}
 path: ${{ env.PLAYWRIGHT_BROWSERS_PATH }}
@@ -151,7 +151,7 @@ jobs:
 runs-on: ubuntu-latest
 name: "Lint: node-24, ubuntu-latest"
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
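Review bot: The trailing comments on the new pins name only the moving major tag (`# v6` on the checkout step in the `@@ -39` hunk of ci.yml, and likewise `# v5` on actions/cache and the `# v6`, `# v9` and `# v3` pins in the other workflow files of this commit), so a reader cannot tell which release a given 40-character digest corresponds to or check it against the upstream tag. The `pnpm/action-setup@… # v6.0.6` context line already shows the more auditable form; I would write the exact release in each comment, e.g. `uses: actions/checkout@<sha> # v6.<minor>.<patch>` (placeholder, to be filled in from the upstream release the digest belongs to). Renovate presumably keys its digest updates off that comment, so an exact version there would also make each future update a reviewable version bump rather than a digest change under an unchanged `# v6`. The job bodies continue outside these hunks.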
@@ -159,7 +159,7 @@ jobs:
 uses: pnpm/action-setup@91ab88e2619ed1f46221f0ba42d1492c02baf788 # v6.0.6
 - name: Set node version to 24
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: 24
 cache: "pnpm"
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
index 4206f5907ebe8e..e8a4dc6ed713b7 100644
--- a/.github/workflows/copilot-setup-steps.yml
+++ b/.github/workflows/copilot-setup-steps.yml
@@ -14,7 +14,7 @@ jobs:
 contents: write
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
@@ -22,7 +22,7 @@ jobs:
 uses: pnpm/action-setup@91ab88e2619ed1f46221f0ba42d1492c02baf788 # v6.0.6
 - name: Set node version to 24
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: 24
 cache: "pnpm"
diff --git a/.github/workflows/ecosystem-ci-trigger.yml b/.github/workflows/ecosystem-ci-trigger.yml
index 2fbe5782952832..1d1650894330cf 100644
--- a/.github/workflows/ecosystem-ci-trigger.yml
+++ b/.github/workflows/ecosystem-ci-trigger.yml
@@ -14,7 +14,7 @@ jobs:
 actions: read # to check workflow status
 steps:
 - name: Check User Permissions
- uses: actions/github-script@v9
+ uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
 id: check-permissions
 with:
 script: |
@@ -55,7 +55,7 @@ jobs:
 }
 - name: Get PR Data
- uses: actions/github-script@v9
+ uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
 id: get-pr-data
 with:
 script: |
@@ -105,7 +105,7 @@ jobs:
 }
 - name: Check Package Existence
- uses: actions/github-script@v9
+ uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
 id: check-package
 env:
 PR_DATA: ${{ steps.get-pr-data.outputs.result }}
@@ -131,7 +131,7 @@ jobs:
 - name: Generate Token
 id: generate-token
- uses: actions/create-github-app-token@v3
+ uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
 with:
 app-id: ${{ secrets.ECOSYSTEM_CI_GITHUB_APP_ID }}
 private-key: ${{ secrets.ECOSYSTEM_CI_GITHUB_APP_PRIVATE_KEY }}
@@ -141,7 +141,7 @@ jobs:
 - name: Trigger Preview Release (if Package Not Found)
 if: fromJSON(steps.check-package.outputs.result).exists == false
- uses: actions/github-script@v9
+ uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
 id: trigger-preview-release
 env:
 PR_DATA: ${{ steps.get-pr-data.outputs.result }}
@@ -162,7 +162,7 @@ jobs:
 - name: Wait for Preview Release Completion (if Package Not Found)
 if: fromJSON(steps.check-package.outputs.result).exists == false
- uses: actions/github-script@v9
+ uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
 id: wait-preview-release
 env:
 PR_DATA: ${{ steps.get-pr-data.outputs.result }}
@@ -232,7 +232,7 @@ jobs:
 }
 - name: Trigger Downstream Workflow
- uses: actions/github-script@v9
+ uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
 id: trigger
 env:
 COMMENT: ${{ github.event.comment.body }}
diff --git a/.github/workflows/issue-template-check.yml b/.github/workflows/issue-template-check.yml
index 82d3677bce3da0..1696006e3c2ba8 100644
--- a/.github/workflows/issue-template-check.yml
+++ b/.github/workflows/issue-template-check.yml
@@ -17,13 +17,13 @@ jobs:
 template_type: ${{ steps.detect.outputs.template_type }}
 skip: ${{ steps.detect.outputs.skip }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
 - name: Detect issue type
 id: detect
- uses: actions/github-script@v9
+ uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
 with:
 script: |
 const labels = context.payload.issue.labels.map(l => l.name);
@@ -107,7 +107,7 @@ jobs:
 issues: write
 steps:
 - name: Write result to summary
- uses: actions/github-script@v9
+ uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
 env:
 TEMPLATE_TYPE: ${{ needs.evaluate-issue.outputs.template_type }}
 AGENT_OUTPUT: ${{ needs.evaluate-issue.outputs.agent_output }}
diff --git a/.github/workflows/preview-release.yml b/.github/workflows/preview-release.yml
index b68f3b4b9bc925..8e66dd618dcd4b 100644
--- a/.github/workflows/preview-release.yml
+++ b/.github/workflows/preview-release.yml
@@ -23,7 +23,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
@@ -31,7 +31,7 @@ jobs:
 uses: pnpm/action-setup@91ab88e2619ed1f46221f0ba42d1492c02baf788 # v6.0.6
 - name: Set node version to 24
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: 24
 registry-url: https://registry.npmjs.org/
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index d1a552f47025a5..9be7e5b4db33bb 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -18,7 +18,7 @@ jobs:
 environment: Release
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
@@ -26,7 +26,7 @@ jobs:
 uses: pnpm/action-setup@91ab88e2619ed1f46221f0ba42d1492c02baf788 # v6.0.6
 - name: Set node version to 24
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: 24
 registry-url: https://registry.npmjs.org/
diff --git a/.github/workflows/pull-request-template-check.yml b/.github/workflows/pull-request-template-check.yml
index 40416bad753623..f38264015dd48b 100644
--- a/.github/workflows/pull-request-template-check.yml
+++ b/.github/workflows/pull-request-template-check.yml
@@ -20,7 +20,7 @@ jobs:
 outputs:
 agent_output: ${{ steps.agent.outputs.agent_output }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
@@ -69,7 +69,7 @@ jobs:
 pull-requests: write
 steps:
 - name: Write result to summary
- uses: actions/github-script@v9
+ uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
 env:
 AGENT_OUTPUT: ${{ needs.evaluate-pr.outputs.agent_output }}
 with:
diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml
index ae75bca513d56d..4edb7aae9d1bed 100644
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -16,7 +16,7 @@ jobs:
 permissions:
 contents: write # for yyx990803/release-tag to create a release tag
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 1bf32d820220cc..112d7bf8cbb4d3 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -22,7 +22,7 @@ jobs:
 permissions:
 security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index 63cf5eef8034b7..94e8039bf4f323 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -1,9 +1,4 @@
 rules:
- unpinned-uses:
- config:
- policies:
- actions/*: ref-pin
- github/*: ref-pin
 cache-poisoning:
 ignore:
 - ci.yml # it is not used for publishing
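Review bot: Deleting the whole `unpinned-uses` block in .github/zizmor.yml leaves enforcement of the new SHA pins to zizmor's built-in default policy, which is not visible in this diff and may not be the same in every zizmor release the audit workflow could run. If the intent is that every action, including actions/* and github/*, must stay hash-pinned, I would keep the `unpinned-uses` / `config` / `policies` keys and replace the two removed `ref-pin` entries with a single `"*": hash-pin`. A later regression to a tag reference such as `@v6` is then flagged by the repository's own configuration rather than by whatever the tool's default happens to be.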