diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d172a06..23902de 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,7 +13,7 @@ jobs: matrix: python: ["3.11", "3.12", "3.13"] steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false # tests only read the repo; no authenticated git ops - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 diff --git a/.github/workflows/public-microbench.yml b/.github/workflows/public-microbench.yml index 3225635..26ff938 100644 --- a/.github/workflows/public-microbench.yml +++ b/.github/workflows/public-microbench.yml @@ -27,7 +27,7 @@ jobs: microbench: runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false # read-only benchmark harness; no authenticated git ops - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 diff --git a/.github/workflows/publish-testpypi.yml b/.github/workflows/publish-testpypi.yml index 2346133..74c2c00 100644 --- a/.github/workflows/publish-testpypi.yml +++ b/.github/workflows/publish-testpypi.yml @@ -27,7 +27,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: ref: ${{ inputs.ref }} persist-credentials: false # build from the tag only; publish is OIDC, not git creds diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 667a873..5162794 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -26,7 +26,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: ref: ${{ inputs.ref }} persist-credentials: false # build from the tag only; publish is OIDC, not git creds diff --git a/.github/workflows/release-gate.yml b/.github/workflows/release-gate.yml index a6375d1..333b36c 100644 --- a/.github/workflows/release-gate.yml +++ b/.github/workflows/release-gate.yml @@ -31,7 +31,7 @@ jobs: matrix: python: ["3.11", "3.12", "3.13"] steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: ref: ${{ inputs.ref || github.ref }} fetch-depth: 0 @@ -53,7 +53,7 @@ jobs: id-token: write # OIDC for Sigstore signing — short-lived, no stored secret attestations: write # write the build-provenance attestation steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: ref: ${{ inputs.ref || github.ref }} fetch-depth: 0 diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 4cc4e97..8fb9081 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -11,7 +11,7 @@ jobs: sca-sast: runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false # read-only SCA/SAST; no authenticated git ops - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0