From b7423ffbe5826697e293963706c75b2dfe9d2788 Mon Sep 17 00:00:00 2001 From: Diogo Teles Sant'Anna Date: Wed, 13 Dec 2023 01:17:13 -0300 Subject: Feat: Hashpin sensitive dependencies on GitHub Actions and enable Dependabot to update them monthly (#3892) * feat: hashpin sensitive dependencies on GHAs Signed-off-by: Diogo Teles Sant'Anna * feat: enable dependabot for monthly updates on GHA Signed-off-by: Diogo Teles Sant'Anna --------- Signed-off-by: Diogo Teles Sant'Anna --- .github/dependabot.yml | 10 ++++++++++ .github/workflows/clang-format-fix.yml | 6 +++--- .github/workflows/release-files.yml | 22 +++++++++++----------- 3 files changed, 24 insertions(+), 14 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..5a67576 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,10 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "monthly" + groups: + github-actions: + patterns: + - "*" \ No newline at end of file diff --git a/.github/workflows/clang-format-fix.yml b/.github/workflows/clang-format-fix.yml index d701d23..80befa2 100644 --- a/.github/workflows/clang-format-fix.yml +++ b/.github/workflows/clang-format-fix.yml @@ -21,9 +21,9 @@ jobs: permissions: contents: write # In order to allow EndBug/add-and-commit to commit changes steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Fix C and Java formatting issues detected by clang-format - uses: DoozyX/clang-format-lint-action@v0.13 + uses: DoozyX/clang-format-lint-action@9ea72631b74e61ce337d0839a90e76180e997283 # v0.13 with: source: '.' extensions: 'c,h,cpp,hpp,java' 
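Review bot: The new `.github/dependabot.yml` lacks a trailing newline (the `\ No newline at end of file` marker follows the `- "*"` line); add a final newline so yamllint's end-of-file check passes and later additions diff cleanly. The `patterns: - "*"` group bundles every action bump into one monthly pull request, which suits hash-pinned actions but means a single failing bump holds back all of them; that trade-off deserves a comment above `groups:`, e.g. `# All action SHA bumps land in one grouped monthly PR`.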
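Review bot: The pinned SHAs on the two `uses:` lines in `clang-format-fix.yml` are documented only by their trailing tag comments (`# v4.1.1`, `# v0.13`), and neither the diff nor the commit message records how each SHA was checked against the tag it claims. A sentence in the PR description stating the resolution method (e.g. that each SHA was compared with the tagged commit in the upstream repository) would let a reviewer trust the pins without re-resolving them; one statement covers every pinned line in this patch. The enclosing job definition starts before the hunk.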
@@ -31,7 +31,7 @@ jobs: inplace: True style: file exclude: './config ./hl/src/H5LTanalyze.c ./hl/src/H5LTparse.c ./hl/src/H5LTparse.h ./src/H5Epubgen.h ./src/H5Einit.h ./src/H5Eterm.h ./src/H5Edefin.h ./src/H5version.h ./src/H5overflow.h' - - uses: EndBug/add-and-commit@v9 + - uses: EndBug/add-and-commit@1bad3abcf0d6ec49a5857d124b0bfb52dc7bb081 # v9.1.3 with: author_name: github-actions author_email: 41898282+github-actions[bot]@users.noreply.github.com diff --git a/.github/workflows/release-files.yml b/.github/workflows/release-files.yml index 5a31544..2505534 100644 --- a/.github/workflows/release-files.yml +++ b/.github/workflows/release-files.yml @@ -40,14 +40,14 @@ jobs: steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - name: Get Sources - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - run: | git checkout ${{ inputs.file_sha }} - - uses: rickstaa/action-create-tag@v1 + - uses: rickstaa/action-create-tag@a1c7777fcb2fee4f19b0f283ba888afa11678b72 # v1.7.2 id: "tag_create" with: commit_sha: ${{ inputs.file_sha }} @@ -75,7 +75,7 @@ jobs: # Get files created by tarball script - name: Get doxygen (Linux) - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: docs-doxygen path: ${{ github.workspace }}/${{ steps.get-file-base.outputs.FILE_BASE }}.doxygen 
@@ -84,32 +84,32 @@ jobs: run: zip -r ${{ steps.get-file-base.outputs.FILE_BASE }}.doxygen.zip ./${{ steps.get-file-base.outputs.FILE_BASE }}.doxygen - name: Get tgz-tarball (Linux) - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: tgz-tarball path: ${{ github.workspace }} - name: Get zip-tarball (Windows) - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: zip-tarball path: ${{ github.workspace }} # Get files created by cmake-ctest script - name: Get published binary (Windows) - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: zip-vs2022-binary path: ${{ github.workspace }} - name: Get published binary (MacOS) - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: tgz-osx12-binary path: ${{ github.workspace }} - name: Get published binary (Linux) - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: tgz-ubuntu-2204-binary path: ${{ github.workspace }} @@ -121,7 +121,7 @@ jobs: - name: PreRelease tag id: create_prerelease if: ${{ (inputs.use_environ == 'snapshots') }} - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1 with: tag_name: "${{ inputs.use_tag }}" prerelease: true @@ -138,7 +138,7 @@ jobs: - name: Release tag id: create_release if: ${{ (inputs.use_environ == 'release') }} - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1 with: tag_name: "${{ inputs.use_tag }}" prerelease: false 
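Review bot: The `# v1` comment on both `softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844` lines (hunks `@@ -121,7` and `@@ -138,7`) names only the floating major tag, unlike the exact release comments used on every other pin in this patch (`# v4.1.1`, `# v3.0.2`, `# v9.1.3`), so a reader cannot tell which release the SHA corresponds to without resolving the commit upstream. Dependabot also appears to read this comment to infer the current version of a SHA-pinned action, so a major-only comment may leave these two pins tracked less precisely than the others — worth confirming. Replace the comment with the exact release the SHA resolves to, `uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v<exact release — TODO fill in>`.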
@@ -158,7 +158,7 @@ jobs: ls ${{ runner.workspace }} - name: dev-only-docs - uses: peaceiris/actions-gh-pages@v3 + uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ${{ github.workspace }}/${{ steps.get-file-base.outputs.FILE_BASE }}.doxygen -- cgit v0.12