From f66b9a45a041c0e9273b34e583e8d18c4023e214 Mon Sep 17 00:00:00 2001
From: swadaptive <268603322+swadaptive@users.noreply.github.com>
Date: Tue, 5 May 2026 10:31:57 +0100
Subject: [PATCH 1/2] Pin GitHub actions versions to hashes
---
 .github/workflows/ci.yml | 58 +++++++++++++++++------------------
 .github/workflows/codeql.yml | 38 +++++++++++------------
 .github/workflows/release.yml | 6 ++--
 .github/workflows/slow.yml | 14 ++++-----
 4 files changed, 58 insertions(+), 58 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index defe4986ad..bee2753eeb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -41,11 +41,11 @@ jobs:
 echo "TMP=$env:RUNNER_TEMP" | Out-File $env:GITHUB_ENV -Encoding utf8 -Append
 echo "TEMP=$env:RUNNER_TEMP" | Out-File $env:GITHUB_ENV -Encoding utf8 -Append
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: ${{ github.sha }}
 - name: Setup java
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
 with:
 distribution: 'zulu'
 java-version: ${{ matrix.java }}
@@ -62,12 +62,12 @@ jobs:
 echo "BUILD_JAVA_HOME=$env:JAVA_HOME" | Out-File $env:GITHUB_ENV -Encoding utf8 -Append
 echo "BUILD_JAVA_VERSION=${{ matrix.java }}" | Out-File $env:GITHUB_ENV -Encoding utf8 -Append
 - name: Setup java to run Gradle
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
 with:
 distribution: 'zulu'
 java-version: ${{ env.JAVA_VERSION }}
 - name: Setup Gradle
- uses: gradle/actions/setup-gradle@v6
+ uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0
 - name: Build with Gradle
 run: ./gradlew
 - name: Copy test logs
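Review bot: Nothing in this patch lets a reader confirm that each pinned SHA is the commit behind the tag named in its trailing comment, for example `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` in the first hunk, and likewise every other `uses:` line changed across the four workflow files. The comment is free text that no tool enforces, and a full SHA can also resolve to a commit that exists only in a fork of the action's repository, so each value should be checked against the tag in the upstream repository before merge. Pinned actions also stop receiving upstream fixes unless something updates them; no Dependabot configuration is visible here, so if `.github/dependabot.yml` has no `github-actions` entry, one should be added alongside this change.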
@@ -78,7 +78,7 @@ jobs:
 ./gradlew tarTestLogs
 - name: Upload crash logs
 if: always() && steps.copy_test_logs.outputs.file == 'build/distributions/test_logs.tbz2'
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: crash-logs-${{ matrix.os }}-java-${{ matrix.java }}
 path: ${{ steps.copy_test_logs.outputs.file }}
@@ -96,11 +96,11 @@ jobs:
 DOTNET_CLI_TELEMETRY_OPTOUT: 1
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: ${{ github.sha }}
 - name: Setup java to run Gradle script
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
 with:
 distribution: 'zulu'
 java-version: ${{ env.JAVA_VERSION }}
@@ -110,16 +110,16 @@ jobs:
 echo "BUILD_JAVA_HOME=${JAVA_HOME}" >> $GITHUB_ENV
 echo "BUILD_JAVA_VERSION=${{ env.JAVA_VERSION }}" >> $GITHUB_ENV
 - name: Setup Gradle
- uses: gradle/actions/setup-gradle@v6
+ uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0
 - name: Cache NuGet dependencies
- uses: actions/cache@v4
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
 with:
 path: ~/.nuget/packages
 key: ${{ runner.os }}-nuget-${{ hashFiles('csharp/**/*.sln') }}
 restore-keys: |
 ${{ runner.os }}-nuget-
 - name: Setup dotnet
- uses: actions/setup-dotnet@v5
+ uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
 with:
 dotnet-version: ${{ matrix.dotnet }}
 dotnet-quality: 'ga'
@@ -143,7 +143,7 @@ jobs:
 CXX: g++-${{ matrix.version }}
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: ${{ github.sha }}
 - name: Install compiler
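Review bot: The `actions/cache` line in the `@@ -110,16 +110,16 @@` hunk is not a like-for-like pin: it moves from `actions/cache@v4` to a SHA labelled `# v5.0.5`, a major-version upgrade that the commit subject does not mention. The same happens to `actions/cache` in codeql.yml (`@@ -89,12 +89,12 @@`) and to `actions/setup-go`, which moves from `@v4` to a SHA labelled `# v6.4.0` in ci.yml (`@@ -311,15 +311,15 @@`). Major releases of an action can change defaults and runner requirements, so a commit described as pinning should not change behaviour. Either pin the latest release of the old major here, e.g. `uses: actions/cache@<sha-of-latest-v4-release> # v4.x.y` (placeholder values), and upgrade in a separate commit, or name the upgrades in the commit message after checking their release notes.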
@@ -152,7 +152,7 @@ jobs: sudo apt-get update sudo apt-get install -y g++-${{ matrix.version }} - name: Setup java to run Gradle script - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'zulu' java-version: ${{ env.JAVA_VERSION }} @@ -162,7 +162,7 @@ jobs: echo "BUILD_JAVA_HOME=${JAVA_HOME}" >> $GITHUB_ENV echo "BUILD_JAVA_VERSION=${{ env.JAVA_VERSION }}" >> $GITHUB_ENV - name: Setup Gradle - uses: gradle/actions/setup-gradle@v6 + uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 - name: Build run: ./cppbuild/cppbuild @@ -179,7 +179,7 @@ jobs: CXX: clang++-${{ matrix.version }} steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ github.sha }} - name: Install compiler @@ -190,7 +190,7 @@ jobs: sudo apt-get update sudo apt-get install -y clang-${{ matrix.version }} - name: Setup java to run Gradle script - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'zulu' java-version: ${{ env.JAVA_VERSION }} @@ -200,7 +200,7 @@ jobs: echo "BUILD_JAVA_HOME=${JAVA_HOME}" >> $GITHUB_ENV echo "BUILD_JAVA_VERSION=${{ env.JAVA_VERSION }}" >> $GITHUB_ENV - name: Setup Gradle - uses: gradle/actions/setup-gradle@v6 + uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 - name: Build run: ./cppbuild/cppbuild @@ -217,11 +217,11 @@ jobs: CXX: clang++ steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ github.sha }} - name: Setup java to run Gradle script - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'zulu' java-version: ${{ env.JAVA_VERSION }} 
@@ -231,7 +231,7 @@ jobs: echo "BUILD_JAVA_HOME=${JAVA_HOME}" >> $GITHUB_ENV echo "BUILD_JAVA_VERSION=${{ env.JAVA_VERSION }}" >> $GITHUB_ENV - name: Setup Gradle - uses: gradle/actions/setup-gradle@v6 + uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 - name: Build run: cmake --version && ./cppbuild/cppbuild @@ -252,11 +252,11 @@ jobs: echo "TMP=$env:RUNNER_TEMP" | Out-File $env:GITHUB_ENV -Encoding utf8 -Append echo "TEMP=$env:RUNNER_TEMP" | Out-File $env:GITHUB_ENV -Encoding utf8 -Append - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ github.sha }} - name: Setup java to run Gradle script - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'zulu' java-version: ${{ env.JAVA_VERSION }} @@ -266,7 +266,7 @@ jobs: echo "BUILD_JAVA_HOME=$env:JAVA_HOME" | Out-File $env:GITHUB_ENV -Encoding utf8 -Append echo "BUILD_JAVA_VERSION=${{ env.JAVA_VERSION }}" | Out-File $env:GITHUB_ENV -Encoding utf8 -Append - name: Setup Gradle - uses: gradle/actions/setup-gradle@v6 + uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 - name: Build run: cppbuild/cppbuild.cmd @@ -280,7 +280,7 @@ jobs: rust: [ stable, beta, nightly ] steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ github.sha }} - name: Rust setup @@ -288,7 +288,7 @@ jobs: with: toolchain: ${{ matrix.rust }} - name: Setup java to run Gradle script - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'zulu' java-version: ${{ env.JAVA_VERSION }} 
@@ -298,7 +298,7 @@ jobs: echo "BUILD_JAVA_HOME=${JAVA_HOME}" >> $GITHUB_ENV echo "BUILD_JAVA_VERSION=${{ env.JAVA_VERSION }}" >> $GITHUB_ENV - name: Setup Gradle - uses: gradle/actions/setup-gradle@v6 + uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 - run: ./gradlew runRustTests golang-build: @@ -311,15 +311,15 @@ jobs: version: [ '1.23.x', '1.24.x' ] steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ github.sha }} - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ matrix.version }} - name: Setup java to run Gradle script - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'zulu' java-version: ${{ env.JAVA_VERSION }} @@ -329,7 +329,7 @@ jobs: echo "BUILD_JAVA_HOME=${JAVA_HOME}" >> $GITHUB_ENV echo "BUILD_JAVA_VERSION=${{ env.JAVA_VERSION }}" >> $GITHUB_ENV - name: Setup Gradle - uses: gradle/actions/setup-gradle@v6 + uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 - name: Generate jar run: ./gradlew assemble - name: Run tests diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b763dfafcd..8892163a36 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -39,12 +39,12 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ github.sha }} - name: Setup java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'zulu' java-version: ${{ matrix.java }} 
@@ -56,10 +56,10 @@ jobs: echo "BUILD_JAVA_VERSION=${{ matrix.java }}" >> $GITHUB_ENV - name: Setup Gradle - uses: gradle/actions/setup-gradle@v6 + uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: languages: ${{ matrix.language }} config-file: ./.github/codeql/codeql-config.yml @@ -68,7 +68,7 @@ jobs: run: ./gradlew - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: category: "/language:${{matrix.language}}" @@ -89,12 +89,12 @@ jobs: DOTNET_CLI_TELEMETRY_OPTOUT: 1 steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ github.sha }} - name: Cache NuGet dependencies - uses: actions/cache@v4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.nuget/packages key: ${{ runner.os }}-nuget-${{ hashFiles('csharp/**/*.sln') }} @@ -102,7 +102,7 @@ jobs: ${{ runner.os }}-nuget- - name: Setup java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'zulu' java-version: ${{ env.JAVA_VERSION }} 
@@ -114,15 +114,15 @@ jobs: echo "BUILD_JAVA_VERSION=${{ env.JAVA_VERSION }}" >> $GITHUB_ENV - name: Setup Gradle - uses: gradle/actions/setup-gradle@v6 + uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 - name: Setup dotnet - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 with: dotnet-version: ${{ matrix.dotnet }} - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: languages: ${{ matrix.language }} config-file: ./.github/codeql/codeql-config.yml @@ -131,7 +131,7 @@ jobs: run: ./csharp/build.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: category: "/language:${{matrix.language}}" @@ -152,12 +152,12 @@ jobs: CXX: g++-${{ matrix.version }} steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ github.sha }} - name: Setup java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'zulu' java-version: ${{ env.JAVA_VERSION }} @@ -169,14 +169,14 @@ jobs: echo "BUILD_JAVA_VERSION=${{ env.JAVA_VERSION }}" >> $GITHUB_ENV - name: Setup Gradle - uses: gradle/actions/setup-gradle@v6 + uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 - name: Install compiler run: | sudo apt-get install -y g++-${{ matrix.version }} - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: languages: ${{ matrix.language }} config-file: ./.github/codeql/codeql-config.yml 
@@ -185,14 +185,14 @@ jobs: run: ./cppbuild/cppbuild - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: category: "/language:${{ matrix.language }}" upload: false output: sarif-results - name: filter-sarif - uses: advanced-security/filter-sarif@v1 + uses: advanced-security/filter-sarif@2da736ff05ef065cb2894ac6892e47b5eac2c3c0 # v1.1 with: patterns: | -**/thirdparty/** @@ -200,6 +200,6 @@ jobs: output: sarif-results/${{ matrix.language }}.sarif - name: Upload SARIF - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: sarif_file: sarif-results/${{ matrix.language }}.sarif diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e49b419b17..2808d09f66 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -23,11 +23,11 @@ jobs: runs-on: ubuntu-24.04 steps: - name: checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ github.ref }} - name: Setup java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'zulu' java-version: ${{ env.JAVA_VERSION }} @@ -37,7 +37,7 @@ jobs: echo "BUILD_JAVA_HOME=${JAVA_HOME}" >> $GITHUB_ENV echo "BUILD_JAVA_VERSION=${{ env.JAVA_VERSION }}" >> $GITHUB_ENV - name: Setup Gradle - uses: gradle/actions/setup-gradle@v6 + uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 - name: Publish with Gradle run: ./gradlew publish uploadArtifactsToCentralPortal env: diff --git a/.github/workflows/slow.yml b/.github/workflows/slow.yml index ed6585eb3b..e30649fbe6 100644 --- a/.github/workflows/slow.yml +++ b/.github/workflows/slow.yml 
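Review bot: The `Setup Gradle` step in release.yml (`@@ -37,7 +37,7 @@`) is now pinned but still runs with the action's default caching immediately before `./gradlew publish uploadArtifactsToCentralPortal`. That step's `env:` block is cut off by the hunk and presumably carries the publishing credentials. A publishing job is safer when it does not restore build state written by other workflow runs, so consider adding `with:` and `cache-disabled: true` (or `cache-read-only: true`) under that step. The job's triggers and `permissions:` are outside the hunk; confirm they are as narrow as the publish needs.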
@@ -40,9 +40,9 @@ jobs:
 DOTNET_CLI_TELEMETRY_OPTOUT: 1
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Setup java
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
 with:
 distribution: 'zulu'
 java-version: ${{ matrix.java }}
@@ -52,14 +52,14 @@ jobs:
 echo "BUILD_JAVA_HOME=${JAVA_HOME}" >> $GITHUB_ENV
 echo "BUILD_JAVA_VERSION=${{ matrix.java }}" >> $GITHUB_ENV
 - name: Setup java to run Gradle script
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
 with:
 distribution: 'zulu'
 java-version: ${{ env.JAVA_VERSION }}
 - name: Setup Gradle
- uses: gradle/actions/setup-gradle@v6
+ uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0
 - name: Setup dotnet
- uses: actions/setup-dotnet@v5
+ uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
 with:
 dotnet-version: ${{ matrix.dotnet }}
 - name: Build .NET library
@@ -74,12 +74,12 @@ jobs:
 ./gradlew tarTestLogs
 - name: Upload crash logs
 if: always() && steps.copy_test_logs.outputs.file == 'build/distributions/test_logs.tbz2'
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: crash-logs-${{ matrix.os }}-property-tests-java-${{matrix.java}}-dotnet-${{matrix.dotnet}}
 path: ${{ steps.copy_test_logs.outputs.file }}
 - name: Upload test results
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: always()
 with:
 name: property-tests
From 50db56c121dbda547d8be3424e0d4701513376c9 Mon Sep 17 00:00:00 2001
From: swadaptive <268603322+swadaptive@users.noreply.github.com>
Date: Tue, 5 May 2026 10:37:16 +0100
Subject: [PATCH 2/2] Move to rust setup action that support Dependabot-friendly versioning
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bee2753eeb..34d31eec0b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -284,7 +284,7 @@ jobs:
 with:
 ref: ${{ github.sha }}
 - name: Rust setup
- uses: dtolnay/rust-toolchain@stable
+ uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
 with:
 toolchain: ${{ matrix.rust }}
 - name: Setup java to run Gradle script
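Review bot: The new `Rust setup` step uses a different action, not a pinned version of the old one, so its defaults change along with the `uses:` line. As documented for `actions-rust-lang/setup-rust-toolchain`, it sets `RUSTFLAGS` to `-D warnings` and enables a build cache by default, neither of which `dtolnay/rust-toolchain` did; with `matrix.rust` covering `beta` and `nightly`, a new compiler warning could now fail the job. If the earlier behaviour is intended, add `rustflags: ''` and `cache: false` under `with:`. The action is composite, so also check that the steps it calls at the pinned revision are referenced by SHA rather than by tag; otherwise part of what runs here is still mutable.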