diff --git a/.github/workflows/bigframes-docs-deploy.yaml b/.github/workflows/bigframes-docs-deploy.yaml index 0370eda2257c..a50597a96017 100644 --- a/.github/workflows/bigframes-docs-deploy.yaml +++ b/.github/workflows/bigframes-docs-deploy.yaml @@ -14,8 +14,8 @@ on: # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages permissions: contents: read - pages: write - id-token: write + pages: write # zizmor: ignore[excessive-permissions] + id-token: write # zizmor: ignore[excessive-permissions] # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. @@ -29,14 +29,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 # Use a fetch-depth of 2 to avoid error `fatal: origin/main...HEAD: no merge base` # See https://github.com/googleapis/google-cloud-python/issues/12013 # and https://github.com/actions/checkout#checkout-head. with: fetch-depth: 2 + persist-credentials: false - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: "3.10" - name: Install nox @@ -48,7 +49,7 @@ jobs: run: | nox -s docs - name: Upload artifact - uses: actions/upload-pages-artifact@v5 + uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5 with: path: packages/bigframes/docs/_build/html/ @@ -62,4 +63,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v5 + uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5 diff --git a/.github/workflows/bigtable-conformance.yaml b/.github/workflows/bigtable-conformance.yaml index 0a653c105fa7..0d56e556edd5 100644 --- a/.github/workflows/bigtable-conformance.yaml 
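Review bot: In `bigframes-docs-deploy.yaml` (hunk `@@ -14,8 +14,8 @@`), `pages: write` and `id-token: write` stay at workflow level and the `excessive-permissions` finding is suppressed rather than resolved. Every job therefore gets a token that can publish to Pages and request an OIDC token, including the job that runs `nox -s docs` on repository code. Moving the two scopes into a job-level block (`permissions:` with `pages: write` and `id-token: write`) on the job that runs `actions/deploy-pages`, and keeping only `contents: read` at the top, would make both ignore comments unnecessary. The job definitions are outside these hunks, so confirm which job owns the deploy step before moving them.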
+++ b/.github/workflows/bigtable-conformance.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: pull_request: paths: @@ -21,8 +24,10 @@ jobs: outputs: run_bigtable: ${{ steps.filter.outputs.bigtable }} steps: - - uses: actions/checkout@v6 - - uses: dorny/paths-filter@v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4 id: filter with: filters: | @@ -48,18 +53,21 @@ jobs: fail-fast: false name: "${{ matrix.client-type }} client / python ${{ matrix.py-version }} / test tag ${{ matrix.test-version }}" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 name: "Checkout google-cloud-python" - - uses: actions/checkout@v6 + with: + persist-credentials: false + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 name: "Checkout conformance tests" with: repository: googleapis/cloud-bigtable-clients-test ref: ${{ matrix.test-version }} path: packages/google-cloud-bigtable/cloud-bigtable-clients-test - - uses: actions/setup-python@v6 + persist-credentials: false + - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: ${{ matrix.py-version }} - - uses: actions/setup-go@v6 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6 with: go-version: '>=1.20.2' - run: pip install -e . @@ -71,4 +79,4 @@ jobs: CLIENT_TYPE: ${{ matrix.client-type }} PYTHONUNBUFFERED: 1 TEST_ARGS: ${{ matrix.test_args }} - PROXY_PORT: 9999 \ No newline at end of file + PROXY_PORT: 9999 diff --git a/.github/workflows/django-spanner-django5.2_tests.yml b/.github/workflows/django-spanner-django5.2_tests.yml index be4ccc1b3350..b6b99a74edfc 100644 --- a/.github/workflows/django-spanner-django5.2_tests.yml +++ b/.github/workflows/django-spanner-django5.2_tests.yml 
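Review bot: In `bigtable-conformance.yaml` (hunk `@@ -48,18 +53,21 @@`), the "Checkout conformance tests" step still takes `ref: ${{ matrix.test-version }}` for `googleapis/cloud-bigtable-clients-test`, so the test code pulled from that second repository is only as fixed as the matrix values, which are outside this hunk. If any of them is a branch name, the fetched content can change between runs even though the checkout action itself is now pinned to a commit. A comment above the step such as `# test-version must be a tag or commit SHA, not a branch` would record the expectation, and the matrix should be checked against it.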
@@ -1,3 +1,6 @@ +permissions: + contents: read + on: pull_request: paths: @@ -21,8 +24,10 @@ jobs: outputs: run_django_spanner: ${{ steps.filter.outputs.django_spanner }} steps: - - uses: actions/checkout@v6 - - uses: dorny/paths-filter@v3 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3 id: filter with: filters: | @@ -62,15 +67,17 @@ jobs: services: emulator: - image: gcr.io/cloud-spanner-emulator/emulator:latest + image: gcr.io/cloud-spanner-emulator/emulator:latest # zizmor: ignore[unpinned-images] ports: - 9010:9010 steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: "3.10" - name: Run Django tests diff --git a/.github/workflows/django-spanner-foreign_keys.yaml b/.github/workflows/django-spanner-foreign_keys.yaml index 181020ed17af..0e3979e4c323 100644 --- a/.github/workflows/django-spanner-foreign_keys.yaml +++ b/.github/workflows/django-spanner-foreign_keys.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: pull_request: paths: @@ -21,8 +24,10 @@ jobs: outputs: run_django_spanner: ${{ steps.filter.outputs.django_spanner }} steps: - - uses: actions/checkout@v6 - - uses: dorny/paths-filter@v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4 id: filter with: filters: | 
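Review bot: In `django-spanner-django5.2_tests.yml` (hunk `@@ -62,15 +67,17 @@`), the service container keeps `emulator:latest` and the `unpinned-images` finding is silenced with no reason given, so the image that runs beside the tests can change without any change in this repository. The same suppression is added to the emulator services in `django-spanner-foreign_keys.yaml` and `django-spanner-integration-tests-against-emulator-3.10.yml`, and to `container: gcr.io/gapic-images/googleapis` in `gapic-generator-tests.yml`. Either pin by digest, `image: gcr.io/cloud-spanner-emulator/emulator@sha256:<digest>`, or put a comment on the line above stating why the tag is left floating, so the ignore reads as a decision rather than a leftover.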
@@ -37,15 +42,17 @@ jobs: services: emulator-0: - image: gcr.io/cloud-spanner-emulator/emulator:latest + image: gcr.io/cloud-spanner-emulator/emulator:latest # zizmor: ignore[unpinned-images] ports: - 9010:9010 steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: "3.10" - name: Run Django foreign key test diff --git a/.github/workflows/django-spanner-integration-tests-against-emulator-3.10.yml b/.github/workflows/django-spanner-integration-tests-against-emulator-3.10.yml index cc3971ed2b06..bb1818cd3664 100644 --- a/.github/workflows/django-spanner-integration-tests-against-emulator-3.10.yml +++ b/.github/workflows/django-spanner-integration-tests-against-emulator-3.10.yml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: pull_request: paths: @@ -21,8 +24,10 @@ jobs: outputs: run_django_spanner: ${{ steps.filter.outputs.django_spanner }} steps: - - uses: actions/checkout@v6 - - uses: dorny/paths-filter@v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4 id: filter with: filters: | @@ -37,16 +42,18 @@ jobs: services: emulator: - image: gcr.io/cloud-spanner-emulator/emulator:latest + image: gcr.io/cloud-spanner-emulator/emulator:latest # zizmor: ignore[unpinned-images] ports: - 9010:9010 - 9020:9020 steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Set up Python 3.10 - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: "3.10" - name: Install nox 
diff --git a/.github/workflows/django-spanner-mockserver-tests.yml b/.github/workflows/django-spanner-mockserver-tests.yml index 1d1b2557b8e5..6f5ab06baacc 100644 --- a/.github/workflows/django-spanner-mockserver-tests.yml +++ b/.github/workflows/django-spanner-mockserver-tests.yml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: pull_request: paths: @@ -21,8 +24,10 @@ jobs: outputs: run_django_spanner: ${{ steps.filter.outputs.django_spanner }} steps: - - uses: actions/checkout@v6 - - uses: dorny/paths-filter@v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4 id: filter with: filters: | @@ -37,9 +42,11 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Set up Python 3.12 - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: "3.12" - name: Install nox diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 88a055cbfbcc..11a556323524 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -17,14 +17,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 # Use a fetch-depth of 2 to avoid error `fatal: origin/main...HEAD: no merge base` # See https://github.com/googleapis/google-cloud-python/issues/12013 # and https://github.com/actions/checkout#checkout-head. with: fetch-depth: 2 + persist-credentials: false - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: "3.10" - name: Install nox 
@@ -44,14 +45,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 # Use a fetch-depth of 2 to avoid error `fatal: origin/main...HEAD: no merge base` # See https://github.com/googleapis/google-cloud-python/issues/12013 # and https://github.com/actions/checkout#checkout-head. with: fetch-depth: 2 + persist-credentials: false - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: "3.10" - name: Install nox diff --git a/.github/workflows/gapic-generator-tests.yml b/.github/workflows/gapic-generator-tests.yml index f6a47939fc64..d0c1f3082939 100644 --- a/.github/workflows/gapic-generator-tests.yml +++ b/.github/workflows/gapic-generator-tests.yml @@ -1,3 +1,6 @@ +permissions: + contents: read + name: Gapic Generator Specialized Tests on: @@ -36,8 +39,10 @@ jobs: outputs: run_generator: ${{ steps.filter.outputs.generator }} steps: - - uses: actions/checkout@v6 - - uses: dorny/paths-filter@v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4 id: filter with: filters: | @@ -68,9 +73,11 @@ jobs: logging_scope: ["", "google"] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: "${{ matrix.python }}" allow-prereleases: true 
@@ -89,18 +96,21 @@ jobs: - name: Run Nox env: GOOGLE_SDK_PYTHON_LOGGING_SCOPE: ${{ matrix.logging_scope }} + MATRIX_PYTHON: ${{ matrix.python }} run: | pip install nox cd packages/gapic-generator - nox -s showcase_unit${{ matrix.variant }}-${{ matrix.python }} + nox -s showcase_unit${{ matrix.variant }}-${MATRIX_PYTHON} showcase-mypy: needs: python_config runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: ${{ needs.python_config.outputs.latest_stable_python }} - name: Install System Deps @@ -115,9 +125,11 @@ jobs: needs: python_config runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: ${{ needs.python_config.outputs.latest_stable_python }} - name: Install System Deps @@ -145,9 +157,11 @@ jobs: needs: python_config runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Set up Python ${{ needs.python_config.outputs.prerelease_python }} - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: ${{ needs.python_config.outputs.prerelease_python }} allow-prereleases: true 
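Review bot: In `gapic-generator-tests.yml` (hunk `@@ -89,18 +96,21 @@`), the `nox -s` line still expands `${{ matrix.variant }}` directly into the script text while `matrix.python` now goes through `MATRIX_PYTHON`, so the template expansion this hunk removes is only half gone. Passing the variant the same way, `MATRIX_VARIANT: ${{ matrix.variant }}` under `env:` and `nox -s "showcase_unit${MATRIX_VARIANT}-${MATRIX_PYTHON}"` in the script, keeps both values as data, and the quotes prevent word splitting. The matrix definition is outside this hunk; if the variants are fixed literals the exposure is small, but the step would then be consistent and pass the linter without special cases.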
@@ -173,9 +187,11 @@ jobs: python: ${{ fromJSON(needs.python_config.outputs.trimmed_python) }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: ${{ matrix.python }} allow-prereleases: true @@ -196,23 +212,27 @@ jobs: pip install nox cd packages/gapic-generator # Run fragment for current matrix python - nox -s fragment-${{ matrix.python }} + nox -s fragment-${MATRIX_PYTHON} # Run snippetgen only on the latest stable to avoid the "Python not found" error - if [ "${{ matrix.python }}" == "${{ needs.python_config.outputs.latest_stable_python }}" ]; then + if [ "${MATRIX_PYTHON}" == "${{ needs.python_config.outputs.latest_stable_python }}" ]; then nox -s snippetgen fi + env: + MATRIX_PYTHON: ${{ matrix.python }} integration: needs: python_config # Only runs if the Gatekeeper passed if: ${{ needs.python_config.result == 'success' }} runs-on: ubuntu-latest - container: gcr.io/gapic-images/googleapis + container: gcr.io/gapic-images/googleapis # zizmor: ignore[unpinned-images] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Cache Bazel files id: cache-bazel - uses: actions/cache@v5 + uses: actions/cache@caa296126883cff596d87d8935842f9db880ef25 # v5 with: path: ~/.cache/bazel # Ensure CACHE_VERSION is defined in the mono-repo secrets! diff --git a/.github/workflows/librarian_tidy.yml b/.github/workflows/librarian_tidy.yml index ff0d68a62bd9..0dfc1b59879f 100644 --- a/.github/workflows/librarian_tidy.yml +++ b/.github/workflows/librarian_tidy.yml 
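Review bot: In `gapic-generator-tests.yml` (hunk `@@ -196,23 +212,27 @@`), the `if [ ... ]` comparison still writes `${{ needs.python_config.outputs.latest_stable_python }}` into the shell text. That is a job output computed at run time, so it needs the environment-variable treatment at least as much as the matrix value does. Add `LATEST_STABLE_PYTHON: ${{ needs.python_config.outputs.latest_stable_python }}` to the step's `env:` and compare with `if [ "${MATRIX_PYTHON}" == "${LATEST_STABLE_PYTHON}" ]; then`. Quoting `"fragment-${MATRIX_PYTHON}"` and placing `env:` before `run:`, as the "Run Nox" step does, would keep the two steps consistent.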
@@ -11,15 +11,17 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 - - uses: dorny/paths-filter@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4 id: changes with: filters: | librarian: - 'librarian.yaml' - - uses: googleapis/librarian@main + - uses: googleapis/librarian@main # zizmor: ignore[unpinned-uses] - name: Run librarian tidy if: steps.changes.outputs.librarian == 'true' diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 1429285836c6..f922f29db4eb 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -17,14 +17,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 # Use a fetch-depth of 2 to avoid error `fatal: origin/main...HEAD: no merge base` # See https://github.com/googleapis/google-cloud-python/issues/12013 # and https://github.com/actions/checkout#checkout-head. with: fetch-depth: 2 + persist-credentials: false - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: "3.14" - name: Install nox @@ -53,14 +54,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 # Use a fetch-depth of 2 to avoid error `fatal: origin/main...HEAD: no merge base` # See https://github.com/googleapis/google-cloud-python/issues/12013 # and https://github.com/actions/checkout#checkout-head. with: fetch-depth: 2 + persist-credentials: false - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: "3.14" - name: Install nox 
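Review bot: In `librarian_tidy.yml` (hunk `@@ -11,15 +11,17 @@`), `googleapis/librarian@main` stays on a branch ref with the `unpinned-uses` finding suppressed, which leaves it as the one action here whose code can change without a commit in this repository. The same applies to `googleapis/librarian@main` and `googleapis/librarian/.github/actions/create-issue-on-failure@main` in `regenerate-all.yml`. Pin it like the others, `uses: googleapis/librarian@<commit-sha> # main`, and let the dependency updater move the SHA, or add a comment above the step saying why tracking `main` is intended.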
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 24fb7f2059ca..8ae9468e7a01 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -36,14 +36,15 @@ jobs: - name: Get current date id: date run: echo "current_date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 # Use a fetch-depth of 2 # See https://github.com/googleapis/google-cloud-python/issues/12013 # and https://github.com/actions/checkout#checkout-head. with: fetch-depth: 2 + persist-credentials: false - name: Set up Python 3.10 - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: "3.14" - name: Install script dependencies @@ -53,7 +54,7 @@ jobs: run: python3 scripts/updateapilist.py env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - uses: googleapis/code-suggester@v5 + - uses: googleapis/code-suggester@f9fef85aa02459e30e62526abe950341cbbd768b # v5 env: ACCESS_TOKEN: ${{ secrets.YOSHI_CODE_BOT_TOKEN }} with: diff --git a/.github/workflows/regenerate-all.yml b/.github/workflows/regenerate-all.yml index 21e6f0a35743..4f7c41584c00 100644 --- a/.github/workflows/regenerate-all.yml +++ b/.github/workflows/regenerate-all.yml @@ -18,9 +18,11 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - - uses: googleapis/librarian@main + - uses: googleapis/librarian@main # zizmor: ignore[unpinned-uses] with: protoc-version: "25.3" protoc-checksum: "5ec3474ca09df0511bb2ca66b5ca091fa8943c30aa26285f225d0b1ba60b5665b3419be4cd2322decbb55464039ca0a0405a47e86bcc11491589405d615d280e" 
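Review bot: In `main.yml` (hunk `@@ -36,14 +36,15 @@`), the step is still named `Set up Python 3.10` while it installs `python-version: "3.14"`. Since the `uses:` line below it is being edited anyway, rename it to `- name: Set up Python 3.14`, or drop the version from the name, so the run log matches what is installed. With `persist-credentials: false` now on the checkout, also confirm that no later step relies on git's stored token; the steps visible in the next hunk pass their tokens through `env:`, which does not depend on it.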
@@ -57,7 +59,7 @@ jobs: - name: Create issue if previous step fails if: ${{ failure() }} - uses: googleapis/librarian/.github/actions/create-issue-on-failure@main + uses: googleapis/librarian/.github/actions/create-issue-on-failure@main # zizmor: ignore[unpinned-uses] with: title: "Regeneration failed" body: | diff --git a/.github/workflows/unittest.yml b/.github/workflows/unittest.yml index f54c3fa446d2..3929a0145963 100644 --- a/.github/workflows/unittest.yml +++ b/.github/workflows/unittest.yml @@ -21,14 +21,15 @@ jobs: python: ['3.9', '3.10', "3.11", "3.12", "3.13", "3.14"] steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 # Use a fetch-depth of 2 to avoid error `fatal: origin/main...HEAD: no merge base` # See https://github.com/googleapis/google-cloud-python/issues/12013 # and https://github.com/actions/checkout#checkout-head. with: fetch-depth: 2 + persist-credentials: false - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: ${{ matrix.python }} - name: Install nox @@ -45,7 +46,7 @@ jobs: run: | ci/run_conditional_tests.sh - name: Upload coverage results - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: coverage-artifact-${{ matrix.python }} path: .coverage-${{ matrix.python }} 
@@ -57,14 +58,15 @@ jobs: - unit steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # Use a fetch-depth of 2 to avoid error `fatal: origin/main...HEAD: no merge base` # See https://github.com/googleapis/google-cloud-python/issues/12013 # and https://github.com/actions/checkout#checkout-head. with: fetch-depth: 2 + persist-credentials: false - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: "3.10" - name: Set number of files changes in packages directory @@ -80,7 +82,7 @@ jobs: python -m pip install coverage - name: Download coverage results if: ${{ steps.packages.outputs.num_files_changed > 0 }} - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: path: .coverage-results/ - name: Report coverage results diff --git a/.github/workflows/version_scanner.yml b/.github/workflows/version_scanner.yml index 078e4259e491..bad95da490f1 100644 --- a/.github/workflows/version_scanner.yml +++ b/.github/workflows/version_scanner.yml @@ -18,10 +18,12 @@ jobs: name: Version Scan runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: '3.14' @@ -39,7 +41,7 @@ jobs: - name: Upload CSV Results if: always() - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: version-scanner-results path: version_scanner_output.csv
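Review bot: In `unittest.yml` (hunk `@@ -57,14 +58,15 @@`), this job is pinned to `actions/checkout` v4 and `actions/setup-python` v5, while the job in hunk `@@ -21,14 +21,15 @@` of the same file is pinned to v6 of both. The workflow now carries two different commits of each action, and pinning by SHA freezes that split until someone updates it by hand. Unless the older majors are needed here, use the pins from the rest of the file, `actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6` and `actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6`. The upload side of this file is on `upload-artifact` v4 and the download side on `download-artifact` v5, which is worth checking for compatibility at the same time.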