From e26ebb547056516293f8fba6c2642aadd2b39564 Mon Sep 17 00:00:00 2001 From: Husam Date: Tue, 30 Jun 2026 01:54:22 +0000 Subject: [PATCH] chore(actions): address zizmor findings This PR is an AI assisted attempt to address zizmor findings. It may not catch everything, and should be reviewed by repository owners. If it is unhelpful, feel free to close the PR and address separately. If it is helpful, feel free to approve and merge, or edit/modify as needed to get it to the right state. Repository owners must ultimately ensure compliance by 2026-07-13. The purpose of this PR is to provide some assistance with achieving that as a first pass. This will become a blocking check for new changes to github workflows on 2026-07-13. --- .github/workflows/bigframes-docs-deploy.yaml | 13 +++-- .github/workflows/bigtable-conformance.yaml | 22 +++++--- .../django-spanner-django5.2_tests.yml | 17 ++++-- .../django-spanner-foreign_keys.yaml | 17 ++++-- ...ntegration-tests-against-emulator-3.10.yml | 17 ++++-- .../django-spanner-mockserver-tests.yml | 15 +++-- .github/workflows/docs.yml | 10 ++-- .github/workflows/gapic-generator-tests.yml | 56 +++++++++++++------ .github/workflows/librarian_tidy.yml | 8 ++- .github/workflows/lint.yml | 10 ++-- .github/workflows/main.yml | 7 ++- .github/workflows/regenerate-all.yml | 8 ++- .github/workflows/unittest.yml | 14 +++-- .github/workflows/version_scanner.yml | 8 ++- 14 files changed, 146 insertions(+), 76 deletions(-) diff --git a/.github/workflows/bigframes-docs-deploy.yaml b/.github/workflows/bigframes-docs-deploy.yaml index 0370eda2257c..a50597a96017 100644 --- a/.github/workflows/bigframes-docs-deploy.yaml +++ b/.github/workflows/bigframes-docs-deploy.yaml 
@@ -14,8 +14,8 @@ on: # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages permissions: contents: read - pages: write - id-token: write + pages: write # zizmor: ignore[excessive-permissions] + id-token: write # zizmor: ignore[excessive-permissions] # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. @@ -29,14 +29,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 # Use a fetch-depth of 2 to avoid error `fatal: origin/main...HEAD: no merge base` # See https://github.com/googleapis/google-cloud-python/issues/12013 # and https://github.com/actions/checkout#checkout-head. with: fetch-depth: 2 + persist-credentials: false - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: "3.10" - name: Install nox @@ -48,7 +49,7 @@ jobs: run: | nox -s docs - name: Upload artifact - uses: actions/upload-pages-artifact@v5 + uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5 with: path: packages/bigframes/docs/_build/html/ @@ -62,4 +63,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v5 + uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5 diff --git a/.github/workflows/bigtable-conformance.yaml b/.github/workflows/bigtable-conformance.yaml index 0a653c105fa7..0d56e556edd5 100644 --- a/.github/workflows/bigtable-conformance.yaml +++ b/.github/workflows/bigtable-conformance.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: pull_request: paths: 
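Review bot: The workflow-level `pages: write` and `id-token: write` in the permissions hunk are suppressed with `# zizmor: ignore[excessive-permissions]` rather than scoped, so the build job (checkout, `nox -s docs`, upload-pages-artifact) also receives an OIDC-capable token it never uses. Keep `permissions:` / `contents: read` at workflow level and move the two grants into the deploy job only, i.e. add `permissions:` / `pages: write` / `id-token: write` under the job that runs `actions/deploy-pages`; the `# zizmor: ignore[...]` markers then become unnecessary. If an ignore is kept anywhere, it should carry a one-line justification so the suppression can be audited later. The deploy job's header is outside the hunk, so its exact job key is not visible here.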
@@ -21,8 +24,10 @@ jobs: outputs: run_bigtable: ${{ steps.filter.outputs.bigtable }} steps: - - uses: actions/checkout@v6 - - uses: dorny/paths-filter@v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4 id: filter with: filters: | @@ -48,18 +53,21 @@ jobs: fail-fast: false name: "${{ matrix.client-type }} client / python ${{ matrix.py-version }} / test tag ${{ matrix.test-version }}" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 name: "Checkout google-cloud-python" - - uses: actions/checkout@v6 + with: + persist-credentials: false + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 name: "Checkout conformance tests" with: repository: googleapis/cloud-bigtable-clients-test ref: ${{ matrix.test-version }} path: packages/google-cloud-bigtable/cloud-bigtable-clients-test - - uses: actions/setup-python@v6 + persist-credentials: false + - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: ${{ matrix.py-version }} - - uses: actions/setup-go@v6 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6 with: go-version: '>=1.20.2' - run: pip install -e . @@ -71,4 +79,4 @@ jobs: CLIENT_TYPE: ${{ matrix.client-type }} PYTHONUNBUFFERED: 1 TEST_ARGS: ${{ matrix.test_args }} - PROXY_PORT: 9999 \ No newline at end of file + PROXY_PORT: 9999 diff --git a/.github/workflows/django-spanner-django5.2_tests.yml b/.github/workflows/django-spanner-django5.2_tests.yml index be4ccc1b3350..b6b99a74edfc 100644 --- a/.github/workflows/django-spanner-django5.2_tests.yml +++ b/.github/workflows/django-spanner-django5.2_tests.yml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: pull_request: paths: 
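Review bot: The second checkout in the conformance job still fetches `googleapis/cloud-bigtable-clients-test` at `ref: ${{ matrix.test-version }}`, a mutable tag or branch, while the actions around it were just pinned to commit SHAs; the Go test harness from that ref is then built and executed in the job. If the matrix entries are tag names, consider switching them to the corresponding full commit SHAs (keeping the tag in a comment) so a re-pointed tag cannot change what runs, or document why a floating ref is acceptable here. The `persist-credentials: false` additions on both checkouts look correct. The matrix definition itself is outside the hunk, so whether the entries are already SHAs cannot be confirmed from here.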
@@ -21,8 +24,10 @@ jobs: outputs: run_django_spanner: ${{ steps.filter.outputs.django_spanner }} steps: - - uses: actions/checkout@v6 - - uses: dorny/paths-filter@v3 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3 id: filter with: filters: | @@ -62,15 +67,17 @@ jobs: services: emulator: - image: gcr.io/cloud-spanner-emulator/emulator:latest + image: gcr.io/cloud-spanner-emulator/emulator:latest # zizmor: ignore[unpinned-images] ports: - 9010:9010 steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: "3.10" - name: Run Django tests diff --git a/.github/workflows/django-spanner-foreign_keys.yaml b/.github/workflows/django-spanner-foreign_keys.yaml index 181020ed17af..0e3979e4c323 100644 --- a/.github/workflows/django-spanner-foreign_keys.yaml +++ b/.github/workflows/django-spanner-foreign_keys.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: pull_request: paths: @@ -21,8 +24,10 @@ jobs: outputs: run_django_spanner: ${{ steps.filter.outputs.django_spanner }} steps: - - uses: actions/checkout@v6 - - uses: dorny/paths-filter@v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4 id: filter with: filters: | 
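Review bot: The emulator service image `gcr.io/cloud-spanner-emulator/emulator:latest` is left on a floating tag and the finding is silenced with `# zizmor: ignore[unpinned-images]` instead of being fixed; `:latest` means every run pulls whatever was most recently published, and the test client connects to it on port 9010. Pin the service container by digest, e.g. `image: gcr.io/cloud-spanner-emulator/emulator:<version>@sha256:<digest>` with the digest taken from the registry, and let a pin-update bot bump it; if the suppression is kept, give it a reason in the comment. Note also that this file pins `dorny/paths-filter` at a v3 SHA while the sibling django-spanner workflows in this PR use the v4 SHA, so pinning now freezes the older major in this one file; it may be worth aligning on the same SHA.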
@@ -37,15 +42,17 @@ jobs: services: emulator-0: - image: gcr.io/cloud-spanner-emulator/emulator:latest + image: gcr.io/cloud-spanner-emulator/emulator:latest # zizmor: ignore[unpinned-images] ports: - 9010:9010 steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: "3.10" - name: Run Django foreign key test diff --git a/.github/workflows/django-spanner-integration-tests-against-emulator-3.10.yml b/.github/workflows/django-spanner-integration-tests-against-emulator-3.10.yml index cc3971ed2b06..bb1818cd3664 100644 --- a/.github/workflows/django-spanner-integration-tests-against-emulator-3.10.yml +++ b/.github/workflows/django-spanner-integration-tests-against-emulator-3.10.yml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: pull_request: paths: @@ -21,8 +24,10 @@ jobs: outputs: run_django_spanner: ${{ steps.filter.outputs.django_spanner }} steps: - - uses: actions/checkout@v6 - - uses: dorny/paths-filter@v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4 id: filter with: filters: | @@ -37,16 +42,18 @@ jobs: services: emulator: - image: gcr.io/cloud-spanner-emulator/emulator:latest + image: gcr.io/cloud-spanner-emulator/emulator:latest # zizmor: ignore[unpinned-images] ports: - 9010:9010 - 9020:9020 steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Set up Python 3.10 - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: "3.10" - name: Install nox 
diff --git a/.github/workflows/django-spanner-mockserver-tests.yml b/.github/workflows/django-spanner-mockserver-tests.yml index 1d1b2557b8e5..6f5ab06baacc 100644 --- a/.github/workflows/django-spanner-mockserver-tests.yml +++ b/.github/workflows/django-spanner-mockserver-tests.yml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: pull_request: paths: @@ -21,8 +24,10 @@ jobs: outputs: run_django_spanner: ${{ steps.filter.outputs.django_spanner }} steps: - - uses: actions/checkout@v6 - - uses: dorny/paths-filter@v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4 id: filter with: filters: | @@ -37,9 +42,11 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Set up Python 3.12 - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: "3.12" - name: Install nox diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 88a055cbfbcc..11a556323524 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -17,14 +17,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 # Use a fetch-depth of 2 to avoid error `fatal: origin/main...HEAD: no merge base` # See https://github.com/googleapis/google-cloud-python/issues/12013 # and https://github.com/actions/checkout#checkout-head. with: fetch-depth: 2 + persist-credentials: false - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: "3.10" - name: Install nox 
@@ -44,14 +45,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 # Use a fetch-depth of 2 to avoid error `fatal: origin/main...HEAD: no merge base` # See https://github.com/googleapis/google-cloud-python/issues/12013 # and https://github.com/actions/checkout#checkout-head. with: fetch-depth: 2 + persist-credentials: false - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: "3.10" - name: Install nox diff --git a/.github/workflows/gapic-generator-tests.yml b/.github/workflows/gapic-generator-tests.yml index f6a47939fc64..d0c1f3082939 100644 --- a/.github/workflows/gapic-generator-tests.yml +++ b/.github/workflows/gapic-generator-tests.yml @@ -1,3 +1,6 @@ +permissions: + contents: read + name: Gapic Generator Specialized Tests on: @@ -36,8 +39,10 @@ jobs: outputs: run_generator: ${{ steps.filter.outputs.generator }} steps: - - uses: actions/checkout@v6 - - uses: dorny/paths-filter@v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4 id: filter with: filters: | @@ -68,9 +73,11 @@ jobs: logging_scope: ["", "google"] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: "${{ matrix.python }}" allow-prereleases: true 
@@ -89,18 +96,21 @@ jobs: - name: Run Nox env: GOOGLE_SDK_PYTHON_LOGGING_SCOPE: ${{ matrix.logging_scope }} + MATRIX_PYTHON: ${{ matrix.python }} run: | pip install nox cd packages/gapic-generator - nox -s showcase_unit${{ matrix.variant }}-${{ matrix.python }} + nox -s showcase_unit${{ matrix.variant }}-${MATRIX_PYTHON} showcase-mypy: needs: python_config runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: ${{ needs.python_config.outputs.latest_stable_python }} - name: Install System Deps @@ -115,9 +125,11 @@ jobs: needs: python_config runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: ${{ needs.python_config.outputs.latest_stable_python }} - name: Install System Deps @@ -145,9 +157,11 @@ jobs: needs: python_config runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Set up Python ${{ needs.python_config.outputs.prerelease_python }} - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: ${{ needs.python_config.outputs.prerelease_python }} allow-prereleases: true 
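Review bot: The `Run Nox` step moves `${{ matrix.python }}` into the `MATRIX_PYTHON` environment variable but leaves `${{ matrix.variant }}` interpolated directly into the same `run:` script, so the template-injection fix is applied to only one of the two expressions on that line. Matrix values are defined in the workflow, so the practical risk is low, but for consistency add `MATRIX_VARIANT: ${{ matrix.variant }}` to the step's `env:` and change the command to `nox -s "showcase_unit${MATRIX_VARIANT}-${MATRIX_PYTHON}"`. Quoting the session name is purely defensive but costs nothing.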
@@ -173,9 +187,11 @@ jobs: python: ${{ fromJSON(needs.python_config.outputs.trimmed_python) }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: ${{ matrix.python }} allow-prereleases: true @@ -196,23 +212,27 @@ jobs: pip install nox cd packages/gapic-generator # Run fragment for current matrix python - nox -s fragment-${{ matrix.python }} + nox -s fragment-${MATRIX_PYTHON} # Run snippetgen only on the latest stable to avoid the "Python not found" error - if [ "${{ matrix.python }}" == "${{ needs.python_config.outputs.latest_stable_python }}" ]; then + if [ "${MATRIX_PYTHON}" == "${{ needs.python_config.outputs.latest_stable_python }}" ]; then nox -s snippetgen fi + env: + MATRIX_PYTHON: ${{ matrix.python }} integration: needs: python_config # Only runs if the Gatekeeper passed if: ${{ needs.python_config.result == 'success' }} runs-on: ubuntu-latest - container: gcr.io/gapic-images/googleapis + container: gcr.io/gapic-images/googleapis # zizmor: ignore[unpinned-images] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Cache Bazel files id: cache-bazel - uses: actions/cache@v5 + uses: actions/cache@caa296126883cff596d87d8935842f9db880ef25 # v5 with: path: ~/.cache/bazel # Ensure CACHE_VERSION is defined in the mono-repo secrets! diff --git a/.github/workflows/librarian_tidy.yml b/.github/workflows/librarian_tidy.yml index ff0d68a62bd9..0dfc1b59879f 100644 --- a/.github/workflows/librarian_tidy.yml +++ b/.github/workflows/librarian_tidy.yml 
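Review bot: In the fragment step the comparison `if [ "${MATRIX_PYTHON}" == "${{ needs.python_config.outputs.latest_stable_python }}" ]` still expands a job output directly into the shell script, so the hunk fixes one side of the test and not the other. Add `LATEST_STABLE_PYTHON: ${{ needs.python_config.outputs.latest_stable_python }}` to the step's `env:` block that the hunk introduces and compare `"${MATRIX_PYTHON}" == "${LATEST_STABLE_PYTHON}"`; how `python_config` derives that output is outside the hunk, so its trust level cannot be judged here. The same hunk also silences `container: gcr.io/gapic-images/googleapis` with `# zizmor: ignore[unpinned-images]` — that image has no tag at all, so it resolves to a floating default, yet it hosts the whole integration job including the Bazel cache restore; pin it by digest (`gcr.io/gapic-images/googleapis@sha256:<digest>`) or record in the comment why it cannot be pinned.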
@@ -11,15 +11,17 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 - - uses: dorny/paths-filter@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4 id: changes with: filters: | librarian: - 'librarian.yaml' - - uses: googleapis/librarian@main + - uses: googleapis/librarian@main # zizmor: ignore[unpinned-uses] - name: Run librarian tidy if: steps.changes.outputs.librarian == 'true' diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 1429285836c6..f922f29db4eb 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -17,14 +17,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 # Use a fetch-depth of 2 to avoid error `fatal: origin/main...HEAD: no merge base` # See https://github.com/googleapis/google-cloud-python/issues/12013 # and https://github.com/actions/checkout#checkout-head. with: fetch-depth: 2 + persist-credentials: false - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: "3.14" - name: Install nox @@ -53,14 +54,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 # Use a fetch-depth of 2 to avoid error `fatal: origin/main...HEAD: no merge base` # See https://github.com/googleapis/google-cloud-python/issues/12013 # and https://github.com/actions/checkout#checkout-head. with: fetch-depth: 2 + persist-credentials: false - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: "3.14" - name: Install nox 
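Review bot: `googleapis/librarian@main` is kept on a floating branch with `# zizmor: ignore[unpinned-uses]`, which suppresses the one finding in this file that matters most: every run executes whatever is currently on `main` of another repository, while the surrounding actions were just pinned to commit SHAs. Pin it the same way, `uses: googleapis/librarian@<full-sha> # <release tag>`, and let a pin-update bot track new releases; if librarian intentionally must track `main`, say so in the ignore comment so the exception is auditable. The workflow's `permissions:` block is outside the hunk, so the blast radius of a compromised `main` cannot be judged from here.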
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 24fb7f2059ca..8ae9468e7a01 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -36,14 +36,15 @@ jobs: - name: Get current date id: date run: echo "current_date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 # Use a fetch-depth of 2 # See https://github.com/googleapis/google-cloud-python/issues/12013 # and https://github.com/actions/checkout#checkout-head. with: fetch-depth: 2 + persist-credentials: false - name: Set up Python 3.10 - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: "3.14" - name: Install script dependencies @@ -53,7 +54,7 @@ jobs: run: python3 scripts/updateapilist.py env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - uses: googleapis/code-suggester@v5 + - uses: googleapis/code-suggester@f9fef85aa02459e30e62526abe950341cbbd768b # v5 env: ACCESS_TOKEN: ${{ secrets.YOSHI_CODE_BOT_TOKEN }} with: diff --git a/.github/workflows/regenerate-all.yml b/.github/workflows/regenerate-all.yml index 21e6f0a35743..4f7c41584c00 100644 --- a/.github/workflows/regenerate-all.yml +++ b/.github/workflows/regenerate-all.yml @@ -18,9 +18,11 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - - uses: googleapis/librarian@main + - uses: googleapis/librarian@main # zizmor: ignore[unpinned-uses] with: protoc-version: "25.3" protoc-checksum: "5ec3474ca09df0511bb2ca66b5ca091fa8943c30aa26285f225d0b1ba60b5665b3419be4cd2322decbb55464039ca0a0405a47e86bcc11491589405d615d280e" 
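Review bot: The regenerate-all hunk pins `protoc` with a full `protoc-checksum` but runs it through `googleapis/librarian@main`, a floating branch suppressed with `# zizmor: ignore[unpinned-uses]`; the checksum only protects the binary, not the action that downloads and invokes it. Pin the action to a commit SHA, `uses: googleapis/librarian@<full-sha> # <release tag>`, or document in the ignore comment why regeneration must track `main`. The same pattern recurs at the `create-issue-on-failure@main` step later in this file and in `librarian_tidy.yml`, so a single shared pin would be the cleanest fix.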
@@ -57,7 +59,7 @@ jobs: - name: Create issue if previous step fails if: ${{ failure() }} - uses: googleapis/librarian/.github/actions/create-issue-on-failure@main + uses: googleapis/librarian/.github/actions/create-issue-on-failure@main # zizmor: ignore[unpinned-uses] with: title: "Regeneration failed" body: | diff --git a/.github/workflows/unittest.yml b/.github/workflows/unittest.yml index f54c3fa446d2..3929a0145963 100644 --- a/.github/workflows/unittest.yml +++ b/.github/workflows/unittest.yml @@ -21,14 +21,15 @@ jobs: python: ['3.9', '3.10', "3.11", "3.12", "3.13", "3.14"] steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 # Use a fetch-depth of 2 to avoid error `fatal: origin/main...HEAD: no merge base` # See https://github.com/googleapis/google-cloud-python/issues/12013 # and https://github.com/actions/checkout#checkout-head. with: fetch-depth: 2 + persist-credentials: false - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: ${{ matrix.python }} - name: Install nox @@ -45,7 +46,7 @@ jobs: run: | ci/run_conditional_tests.sh - name: Upload coverage results - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: coverage-artifact-${{ matrix.python }} path: .coverage-${{ matrix.python }} 
@@ -57,14 +58,15 @@ jobs: - unit steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # Use a fetch-depth of 2 to avoid error `fatal: origin/main...HEAD: no merge base` # See https://github.com/googleapis/google-cloud-python/issues/12013 # and https://github.com/actions/checkout#checkout-head. with: fetch-depth: 2 + persist-credentials: false - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: "3.10" - name: Set number of files changes in packages directory @@ -80,7 +82,7 @@ jobs: python -m pip install coverage - name: Download coverage results if: ${{ steps.packages.outputs.num_files_changed > 0 }} - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: path: .coverage-results/ - name: Report coverage results diff --git a/.github/workflows/version_scanner.yml b/.github/workflows/version_scanner.yml index 078e4259e491..bad95da490f1 100644 --- a/.github/workflows/version_scanner.yml +++ b/.github/workflows/version_scanner.yml @@ -18,10 +18,12 @@ jobs: name: Version Scan runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: '3.14' @@ -39,7 +41,7 @@ jobs: - name: Upload CSV Results if: always() - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: version-scanner-results path: version_scanner_output.csv
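Review bot: The job that depends on `unit` is pinned to `actions/checkout` v4 and `actions/setup-python` v5 while the `unit` job earlier in this file is pinned to v6 of both, so pinning by SHA now freezes the older majors in place. Bump them to the same SHAs used above (`df4cb1c0…` for checkout, `ece7cb06…` for setup-python) so one pin-update rule covers the whole file. More generally, the trailing comments in this PR are bare majors (`# v4`, `# v6`); record the full release tag and, since the pins were machine-generated, verify each SHA against the upstream tag before merging — a comment that does not match its SHA is exactly how a malicious pin hides.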