diff --git a/.github/workflows/adk-py-test.yaml b/.github/workflows/adk-py-test.yaml
index cd422d87..2650f60f 100644
--- a/.github/workflows/adk-py-test.yaml
+++ b/.github/workflows/adk-py-test.yaml
@@ -13,10 +13,10 @@ jobs:
 timeout-minutes: 15
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Set up mise
- uses: jdx/mise-action@v3
+ uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3
 with:
 cache: true
 experimental: true
diff --git a/.github/workflows/integration-tests.yaml b/.github/workflows/integration-tests.yaml
index eb05dc6c..b8596fd8 100644
--- a/.github/workflows/integration-tests.yaml
+++ b/.github/workflows/integration-tests.yaml
@@ -15,7 +15,7 @@ jobs:
 steps:
 - name: Checkout parent repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 repository: braintrustdata/braintrust
 path: braintrust
diff --git a/.github/workflows/langchain-py-test.yaml b/.github/workflows/langchain-py-test.yaml
index 2ab767a8..d477fa02 100644
--- a/.github/workflows/langchain-py-test.yaml
+++ b/.github/workflows/langchain-py-test.yaml
@@ -20,10 +20,10 @@ jobs:
 working-directory: integrations/langchain-py
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Set up mise
- uses: jdx/mise-action@v3
+ uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3
 with:
 cache: true
 experimental: true
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 4ea347a8..10690ad3 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -1,4 +1,3 @@
-# Source: https://github.com/marketplace/actions/pre-commit
 name: lint
 on:
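Review bot: Pinning `jdx/mise-action` to a commit in `adk-py-test.yaml` fixes the action's own code, but the visible `with:` block still sets only `cache` and `experimental`, so the mise binary the action installs is presumably whatever release is current at run time (the block may continue below the hunk here). The same step appears in `langchain-py-test.yaml`, `lint.yaml`, `py.yaml`, `test-publish-py-sdk.yaml` and, most importantly, the build job of `publish-py-sdk.yaml`, where that binary runs before the PyPI upload. I would add the action's `version` input to each step, e.g. `version: "<MISE_VERSION>"  # placeholder: the mise release you have tested`, and confirm that the tool versions mise installs are fixed in the repository's mise config, which is not part of this diff.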
@@ -11,14 +10,22 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 10
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0 # Fetch full history for proper diff
 - name: Set up mise
- uses: jdx/mise-action@v3
+ uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3
 with:
 cache: true
 experimental: true
 - name: Run pre-commit
 run: |
 mise exec -- pre-commit run --from-ref origin/${{ github.base_ref || 'main' }} --to-ref HEAD
+
+ ensure-pinned-actions:
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ steps:
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ - name: Ensure SHA pinned actions
+ uses: zgosalvez/github-actions-ensure-sha-pinned-actions@70c4af2ed5282c51ba40566d026d6647852ffa3e # v5.0.1
diff --git a/.github/workflows/publish-py-sdk.yaml b/.github/workflows/publish-py-sdk.yaml
index 6a6d425f..06fd4ee5 100644
--- a/.github/workflows/publish-py-sdk.yaml
+++ b/.github/workflows/publish-py-sdk.yaml
@@ -18,7 +18,7 @@ jobs:
 outputs:
 release_tag: ${{ steps.set_release_tag.outputs.release_tag }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0 # Fetch all history for checking branch
 - name: Set release tag
@@ -43,11 +43,11 @@ jobs:
 RELEASE_TAG: ${{ needs.validate.outputs.release_tag }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0 # Fetch all history for changelog generation
 - name: Set up mise
- uses: jdx/mise-action@v3
+ uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3
 with:
 cache: true
 experimental: true
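Review bot: The new `ensure-pinned-actions` job in `lint.yaml` sets no `permissions:`, so its `GITHUB_TOKEN` gets whatever default the repository or a workflow-level block grants; neither is visible in this hunk. The job only reads the checked-out workflow files, so it can be limited with `permissions: {contents: read}` on the job. Its checkout step can also take `persist-credentials: false` under a `with:` key, so the token is not left in the workspace's git config while the third-party checker action runs.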
@@ -55,13 +55,13 @@ jobs:
 run: |
 mise exec -- make -C py install-dev verify-build
 - name: Upload build artifacts
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: python-sdk-dist
 path: py/dist/
 retention-days: 5
 - name: Publish to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
 with:
 packages-dir: py/dist/
@@ -77,7 +77,7 @@ jobs:
 echo "release_name=Python SDK v${VERSION}" >> $GITHUB_OUTPUT
 - name: Create GitHub Release
- uses: actions/github-script@v7
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
 env:
 RELEASE_NOTES: ${{ steps.release_notes.outputs.notes }}
 RELEASE_NAME: ${{ steps.release_notes.outputs.release_name }}
@@ -106,7 +106,7 @@ jobs:
 VERSION="${TAG#py-sdk-v}"
 echo "version=$VERSION" >> $GITHUB_OUTPUT
 - name: Post to Slack on success
- uses: slackapi/slack-github-action@v2.1.1
+ uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
 with:
 method: chat.postMessage
 token: ${{ secrets.SLACK_BOT_TOKEN }}
@@ -130,7 +130,7 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: Post to Slack on failure
- uses: slackapi/slack-github-action@v2.1.1
+ uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
 with:
 method: chat.postMessage
 token: ${{ secrets.SLACK_BOT_TOKEN }}
diff --git a/.github/workflows/py.yaml b/.github/workflows/py.yaml
index d1efb517..95ce9b72 100644
--- a/.github/workflows/py.yaml
+++ b/.github/workflows/py.yaml
@@ -25,9 +25,9 @@ jobs:
 shard: [0, 1]
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Set up mise
- uses: jdx/mise-action@v3
+ uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3
 with:
 cache: true
 experimental: true
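Review bot: The comment on the pinned `pypa/gh-action-pypi-publish` step (the `Publish to PyPI` step in the `@@ -55,13 +55,13 @@` hunk of `publish-py-sdk.yaml`) is `# release/v1`, a moving branch name rather than a tag, so nothing on the line records which release the pinned commit corresponds to. A reviewer cannot check the SHA against a published tag, and update tooling that keys on the version comment may not be able to propose bumps for it. Look up the release tag that commit belongs to and write that instead, i.e. keep the SHA and change the comment to `# <release tag of this commit>`; the same applies to the `Publish to TestPyPI` step in `test-publish-py-sdk.yaml`. This is the step that uploads to PyPI, so it is the pin most worth being able to audit.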
@@ -67,9 +67,9 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 10
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Set up mise
- uses: jdx/mise-action@v3
+ uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3
 with:
 cache: true
 experimental: true
@@ -77,7 +77,7 @@ jobs:
 run: |
 mise exec -- make -C py install-build-deps build
 - name: Upload wheel as artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: python-wheel
 path: py/dist/*.whl
diff --git a/.github/workflows/test-publish-py-sdk.yaml b/.github/workflows/test-publish-py-sdk.yaml
index aa4700d9..2e4abb57 100644
--- a/.github/workflows/test-publish-py-sdk.yaml
+++ b/.github/workflows/test-publish-py-sdk.yaml
@@ -30,11 +30,11 @@ jobs:
 PYPI_REPO: testpypi
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 ref: ${{ github.event.inputs.ref }}
 - name: Set up mise
- uses: jdx/mise-action@v3
+ uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3
 with:
 cache: true
 experimental: true
@@ -51,7 +51,7 @@ jobs:
 VERSION=$(echo "$WHEEL" | sed -n 's/.*braintrust-\([^-]*\)-.*/\1/p')
 echo "version=$VERSION" >> $GITHUB_OUTPUT
 - name: Publish to TestPyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
 with:
 repository-url: https://test.pypi.org/legacy/
 packages-dir: py/dist/
@@ -63,7 +63,7 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: Post to Slack on success
- uses: slackapi/slack-github-action@v2.1.1
+ uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
 with:
 method: chat.postMessage
 token: ${{ secrets.SLACK_BOT_TOKEN }}
@@ -87,7 +87,7 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: Post to Slack on failure
- uses: slackapi/slack-github-action@v2.1.1
+ uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
 with:
 method: chat.postMessage
 token: ${{ secrets.SLACK_BOT_TOKEN }}