From d7eb64d54ea9d340b1db3ebbeec6249f907402af Mon Sep 17 00:00:00 2001
From: shudonglin
Date: Sat, 27 Jun 2026 22:59:17 +0800
Subject: [PATCH] ci: update workflow action pins

---
 .github/workflows/alert-bridge.yml | 2 +-
 .github/workflows/codeql.yml | 8 ++++----
 .github/workflows/dispatch-infra-build.yml | 2 +-
 .github/workflows/docker-build.yml | 14 ++++++-------
 .github/workflows/docker-image-alpha.yml | 20 +++++++++---------
 .github/workflows/docker-image-nightly.yml | 14 ++++++-------
 .github/workflows/electron-build.yml | 14 ++++++-------
 .github/workflows/pr-check.yml | 2 +-
 .github/workflows/release.yml | 24 +++++++++++-----------
 .github/workflows/sync-pr-autopilot.yml | 2 +-
 .github/workflows/sync-to-gitee.yml | 6 +++---
 11 files changed, 54 insertions(+), 54 deletions(-)

diff --git a/.github/workflows/alert-bridge.yml b/.github/workflows/alert-bridge.yml
index 3a62df80120..5ff45f8bcac 100644
--- a/.github/workflows/alert-bridge.yml
+++ b/.github/workflows/alert-bridge.yml
@@ -31,7 +31,7 @@ jobs:
 - name: Upload alerts artifact
 if: ${{ inputs.mode == 'list' }}
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: alerts
 path: alerts.json
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 1328f8840bb..4371078e8dd 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -39,25 +39,25 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: false
 - name: Set up Go
 if: matrix.language == 'go'
- uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v5.1.0
+ uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
 go-version-file: go.mod
 cache: false
 - name: Initialize CodeQL
- uses: github/codeql-action/init@ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3
+ uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 with:
 languages: ${{ matrix.language }}
 build-mode: ${{ matrix.build-mode }}
 config-file: ./.github/codeql/codeql-config.yml
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3
+ uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 with:
 category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/dispatch-infra-build.yml b/.github/workflows/dispatch-infra-build.yml
index 15f87847f19..d47a0d66a2c 100644
--- a/.github/workflows/dispatch-infra-build.yml
+++ b/.github/workflows/dispatch-infra-build.yml
@@ -25,7 +25,7 @@ jobs:
 SOURCE_RUN_ID: ${{ github.run_id }}
 steps:
 - name: Harden the runner
- uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: block
 allowed-endpoints: >
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 892ce53ec8e..876870f3df9 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -38,7 +38,7 @@ jobs:
 steps:
 - name: Check out
- uses: actions/checkout@v4
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 fetch-depth: ${{ github.event_name == 'workflow_dispatch' && 0 || 1 }}
 ref: ${{ github.event.inputs.tag || github.ref }}
@@ -61,23 +61,23 @@ jobs:
 echo "Building tag: ${TAG} for ${{ matrix.arch }}"
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 - name: Log in to Docker Hub
- uses: docker/login-action@v3
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Extract metadata (labels)
 id: meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
 with:
 images: calciumion/new-api
 - name: Build & push
 id: build
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 with:
 context: .
 platforms: ${{ matrix.platform }}
@@ -92,7 +92,7 @@ jobs:
 sbom: true
 - name: Install cosign
- uses: sigstore/cosign-installer@v3
+ uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 - name: Sign image with cosign
 run: cosign sign --yes calciumion/new-api@${{ steps.build.outputs.digest }}
@@ -116,7 +116,7 @@ jobs:
 run: echo "TAG=${{ needs.build_single_arch.outputs.tag }}" >> $GITHUB_ENV
 - name: Log in to Docker Hub
- uses: docker/login-action@v3
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
diff --git a/.github/workflows/docker-image-alpha.yml b/.github/workflows/docker-image-alpha.yml
index 116dd145215..9e836e0bf2f 100644
--- a/.github/workflows/docker-image-alpha.yml
+++ b/.github/workflows/docker-image-alpha.yml
@@ -30,7 +30,7 @@ jobs:
 id-token: write
 steps:
 - name: Check out (shallow)
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 fetch-depth: 1
@@ -47,16 +47,16 @@ jobs:
 run: echo "GHCR_REPOSITORY=${GITHUB_REPOSITORY,,}" >> $GITHUB_ENV
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 - name: Log in to Docker Hub
- uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Log in to GHCR
- uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -64,7 +64,7 @@ jobs:
 - name: Extract metadata (labels)
 id: meta
- uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
+ uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
 with:
 images: |
 calciumion/new-api
@@ -72,7 +72,7 @@ jobs:
 - name: Build & push single-arch (to both registries)
 id: build
- uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 with:
 context: .
 platforms: ${{ matrix.platform }}
@@ -89,7 +89,7 @@ jobs:
 sbom: true
 - name: Install cosign
- uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3
+ uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 - name: Sign image with cosign
 run: |
@@ -114,7 +114,7 @@ jobs:
 contents: read
 steps:
 - name: Check out (shallow)
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 fetch-depth: 1
@@ -129,7 +129,7 @@ jobs:
 echo "VERSION=$VERSION" >> $GITHUB_ENV
 - name: Log in to Docker Hub
- uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -149,7 +149,7 @@ jobs:
 calciumion/new-api:${VERSION}-arm64
 - name: Log in to GHCR
- uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
diff --git a/.github/workflows/docker-image-nightly.yml b/.github/workflows/docker-image-nightly.yml
index dc5927afeb8..8f36d8921e4 100644
--- a/.github/workflows/docker-image-nightly.yml
+++ b/.github/workflows/docker-image-nightly.yml
@@ -32,7 +32,7 @@ jobs:
 steps:
 - name: Check out (shallow)
- uses: actions/checkout@v4
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 fetch-depth: 1
@@ -46,23 +46,23 @@ jobs:
 echo "Publishing version: $VERSION for ${{ matrix.arch }}"
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 - name: Log in to Docker Hub
- uses: docker/login-action@v3
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Extract metadata (labels)
 id: meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
 with:
 images: |
 calciumion/new-api
 - name: Build & push single-arch
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 with:
 context: .
 platforms: ${{ matrix.platform }}
@@ -83,7 +83,7 @@ jobs:
 steps:
 - name: Check out (shallow)
- uses: actions/checkout@v4
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 fetch-depth: 1
@@ -95,7 +95,7 @@ jobs:
 echo "VERSION=$VERSION" >> $GITHUB_ENV
 - name: Log in to Docker Hub
- uses: docker/login-action@v3
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
diff --git a/.github/workflows/electron-build.yml b/.github/workflows/electron-build.yml
index f1abd3e82ff..d8d64f57574 100644
--- a/.github/workflows/electron-build.yml
+++ b/.github/workflows/electron-build.yml
@@ -26,22 +26,22 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 fetch-depth: 0
 - name: Setup Bun
- uses: oven-sh/setup-bun@v2
+ uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
 with:
 bun-version: latest
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: '20'
 - name: Setup Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
 go-version: '>=1.25.1'
@@ -119,7 +119,7 @@ jobs:
 - name: Upload artifacts (Windows)
 if: runner.os == 'Windows'
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: windows-build
 path: |
@@ -134,10 +134,10 @@ jobs:
 steps:
 - name: Download all artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 - name: Upload to Release
- uses: softprops/action-gh-release@v2
+ uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3.0.1
 with:
 files: |
 windows-build/*
diff --git a/.github/workflows/pr-check.yml b/.github/workflows/pr-check.yml
index 2dcda35e676..c6962883ea7 100644
--- a/.github/workflows/pr-check.yml
+++ b/.github/workflows/pr-check.yml
@@ -13,7 +13,7 @@ jobs:
 pr-quality:
 runs-on: ubuntu-latest
 steps:
- - uses: peakoss/anti-slop@v0.2.1
+ - uses: peakoss/anti-slop@57858eead489d08b255fab2af45a506c2ca6eab2 # v0.3.0
 with:
 max-failures: 4
 require-description: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 32bdefdddd3..6e519749794 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
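Review bot: The `@@ -134` hunk pins `actions/download-artifact` at a `# v8.0.1` commit while the `@@ -119` hunk pins the producing `actions/upload-artifact` step at `# v7.0.1`; the two ends of an artifact hand-off have had to move together before (the v4 line of both was incompatible with v3), so confirm from the actions' release notes that an 8.x download reads what a 7.x upload writes before this lands. More broadly, several pins in this commit cross major versions (`actions/checkout` v4→v7.0.0, `actions/setup-node` v4→v6.4.0, `github/codeql-action` v3→v4.36.2, `softprops/action-gh-release` v2→v3.0.1, `actions/upload-artifact` v4→v7.0.1), which the title "update workflow action pins" presents as routine; a line in the description listing the majors crossed and stating that each SHA was checked against its tag would make the pins verifiable for the next reader. The `# vX.Y.Z` comment after each SHA is now the only human-readable record of what was pinned, so it should be maintained by the same tool that bumps the SHA (Dependabot/Renovate) rather than edited by hand, otherwise the comment and the commit drift apart silently.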
@@ -19,14 +19,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 fetch-depth: 0
 - name: Determine Version
 run: |
 VERSION=$(git describe --tags)
 echo "VERSION=$VERSION" >> $GITHUB_ENV
- - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+ - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
 with:
 bun-version: latest
 - name: Build Frontend (default)
@@ -48,7 +48,7 @@ jobs:
 VITE_REACT_APP_VERSION=$VERSION bun run build
 cd ../..
 - name: Set up Go
- uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+ uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
 go-version: '>=1.25.1'
 - name: Build Backend (amd64)
@@ -64,7 +64,7 @@ jobs:
 run: sha256sum new-api-* > checksums-linux.txt
 - name: Release
- uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
+ uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3.0.1
 if: startsWith(github.ref, 'refs/tags/')
 with:
 files: |
@@ -78,14 +78,14 @@ jobs:
 runs-on: macos-latest
 steps:
 - name: Checkout
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 fetch-depth: 0
 - name: Determine Version
 run: |
 VERSION=$(git describe --tags)
 echo "VERSION=$VERSION" >> $GITHUB_ENV
- - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+ - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
 with:
 bun-version: latest
 - name: Build Frontend (default)
@@ -108,7 +108,7 @@ jobs:
 VITE_REACT_APP_VERSION=$VERSION bun run build
 cd ../..
 - name: Set up Go
- uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+ uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
 go-version: '>=1.25.1'
 - name: Build Backend
@@ -119,7 +119,7 @@ jobs:
 run: shasum -a 256 new-api-macos-* > checksums-macos.txt
 - name: Release
- uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
+ uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3.0.1
 if: startsWith(github.ref, 'refs/tags/')
 with:
 files: |
@@ -136,14 +136,14 @@ jobs:
 shell: bash
 steps:
 - name: Checkout
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 fetch-depth: 0
 - name: Determine Version
 run: |
 VERSION=$(git describe --tags)
 echo "VERSION=$VERSION" >> $GITHUB_ENV
- - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+ - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
 with:
 bun-version: latest
 - name: Build Frontend (default)
@@ -165,7 +165,7 @@ jobs:
 VITE_REACT_APP_VERSION=$VERSION bun run build
 cd ../..
 - name: Set up Go
- uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+ uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
 go-version: '>=1.25.1'
 - name: Build Backend
@@ -176,7 +176,7 @@ jobs:
 run: sha256sum new-api-*.exe > checksums-windows.txt
 - name: Release
- uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
+ uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3.0.1
 if: startsWith(github.ref, 'refs/tags/')
 with:
 files: |
diff --git a/.github/workflows/sync-pr-autopilot.yml b/.github/workflows/sync-pr-autopilot.yml
index 12c59cddcb6..a4f7cbbb4a7 100644
--- a/.github/workflows/sync-pr-autopilot.yml
+++ b/.github/workflows/sync-pr-autopilot.yml
@@ -39,7 +39,7 @@ jobs:
 RESEND_API_KEY: ${{ secrets.RESEND_API_KEY }}
 steps:
 - name: Checkout (for the autopilot script)
- uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: false
diff --git a/.github/workflows/sync-to-gitee.yml b/.github/workflows/sync-to-gitee.yml
index 4f515a188db..c48cb0d7a3f 100644
--- a/.github/workflows/sync-to-gitee.yml
+++ b/.github/workflows/sync-to-gitee.yml
@@ -21,7 +21,7 @@ jobs:
 runs-on: sync
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 fetch-depth: 0
@@ -54,7 +54,7 @@ jobs:
 - name: Create Gitee Release
 id: create_release
- uses: nICEnnnnnnnLee/action-gitee-release@v2.0.0
+ uses: nICEnnnnnnnLee/action-gitee-release@44b412edade0c837fb0ad7d73f4674ec07c8b722 # v2.0.0
 with:
 gitee_action: create_release
 gitee_owner: ${{ env.GITEE_OWNER }}
@@ -67,7 +67,7 @@ jobs:
 - name: Upload Assets to Gitee
 if: hashFiles('release_assets/*') != ''
- uses: nICEnnnnnnnLee/action-gitee-release@v2.0.0
+ uses: nICEnnnnnnnLee/action-gitee-release@44b412edade0c837fb0ad7d73f4674ec07c8b722 # v2.0.0
 with:
 gitee_action: upload_asset
 gitee_owner: ${{ env.GITEE_OWNER }}
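Review bot: The `@@ -21` hunk of sync-to-gitee.yml moves `actions/checkout` from `v3` straight to the `v7.0.0` pin in a job that runs on the self-hosted `sync` runner (`runs-on: sync`); a major-version jump of that size presumably targets a newer Node runtime than v3 did, and a self-hosted agent only provides what its installed version ships, so confirm that runner's agent version before merging — a green run on hosted runners does not cover it. The same checkout keeps the default credential persistence with `fetch-depth: 0`, whereas codeql.yml and sync-pr-autopilot.yml set `persist-credentials: false` on their checkouts; if the later Gitee steps do not need the GitHub token left in `.git/config`, adding `persist-credentials: false` here keeps it out of a persistent self-hosted workspace, and if they do, a one-line comment such as `# token kept in .git/config: needed by the mirror-push steps below` would make the difference deliberate rather than accidental.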