diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 981551ae..877817c9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -16,13 +16,13 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: '20' cache: 'npm' @@ -96,12 +96,12 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Run Gitleaks - uses: gitleaks/gitleaks-action@v2 + uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITLEAKS_ENABLE_SUMMARY: true @@ -118,10 +118,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: '20' cache: 'npm' @@ -140,7 +140,7 @@ jobs: # Upload build artifacts to share with test jobs - name: Upload build artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: dist path: dist/ @@ -154,10 +154,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: '20' cache: 'npm' 
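Review bot: In `.github/workflows/ci.yml` at `@@ -16,13 +16,13 @@`, the `Checkout code` step checks out `github.event.pull_request.head.sha` and leaves the job token configured for git, because `actions/checkout` persists credentials unless told otherwise. The steps visible in this job only set up Node.js, so the credential looks unnecessary once the clone is done; adding `persist-credentials: false` under `with:` would keep it out of reach of whatever the pull-request code runs afterwards. The same line seems applicable to the other `Checkout code` steps in this file (`@@ -96`, `@@ -118`, `@@ -154`, `@@ -185`) and in `publish.yml`, provided none of those jobs pushes with git. The jobs start and end outside these hunks, so that needs confirming against the full file.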
@@ -167,7 +167,7 @@ jobs: # Download pre-built dist (skip build step, saves ~15-20s) - name: Download build artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: dist path: dist/ @@ -185,10 +185,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: '20' cache: 'npm' @@ -198,7 +198,7 @@ jobs: # Download pre-built dist (skip build step, saves ~25-30s on Windows) - name: Download build artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: dist path: dist/ diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 69a387e1..d7291f56 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -24,10 +24,10 @@ jobs: exit 1 - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: '20' registry-url: 'https://registry.npmjs.org' diff --git a/scripts/validate-secrets.js b/scripts/validate-secrets.js index 292dd347..82be1ffa7 100755 --- a/scripts/validate-secrets.js +++ b/scripts/validate-secrets.js @@ -25,7 +25,7 @@ const args = [ '--rm', '-v', `${projectPath}:/path`, - 'ghcr.io/gitleaks/gitleaks:latest', + 'ghcr.io/gitleaks/gitleaks:v8.30.1', 'detect', '--source=/path', '--verbose', diff --git a/src/providers/plugins/litellm/litellm.template.ts b/src/providers/plugins/litellm/litellm.template.ts index 0ad6c6e4..4e5da7e4 100644 --- a/src/providers/plugins/litellm/litellm.template.ts 
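Review bot: In `scripts/validate-secrets.js`, `'ghcr.io/gitleaks/gitleaks:v8.30.1'` replaces `latest` with a version tag, but a registry tag can be re-pointed, so this is a weaker pin than the commit SHAs used for the actions in the same change. Appending the image digest closes that gap: `'ghcr.io/gitleaks/gitleaks:v8.30.1@sha256:<digest-of-v8.30.1>',` (placeholder; take the digest from the registry after checking the release). The `docker run` line in `litellm.template.ts` has the same tag-only pin, and because it is user-facing documentation it will also go stale unless something keeps it updated. The `args` array starts and ends outside this hunk.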
+++ b/src/providers/plugins/litellm/litellm.template.ts @@ -41,7 +41,7 @@ litellm --port 4000 ## Docker \`\`\`bash -docker run -p 4000:4000 ghcr.io/berriai/litellm:main-latest +docker run -p 4000:4000 ghcr.io/berriai/litellm:v1.82.3-stable.patch.2 \`\`\` diff --git a/src/workflows/templates/github/code-ci.yml b/src/workflows/templates/github/code-ci.yml index af6a3bb1..be314285 100644 --- a/src/workflows/templates/github/code-ci.yml +++ b/src/workflows/templates/github/code-ci.yml @@ -40,18 +40,18 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 # Full history for better context - name: Set up Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: '24' - name: Cache CodeMie CLI id: cache-codemie-cli - uses: actions/cache@v4 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: ~/.npm key: codemie-cli-${{ runner.os }}-${{ hashFiles('~/.npm/_cacache') }} @@ -65,19 +65,19 @@ jobs: run: codemie install claude - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.11' - name: Install Poetry - uses: snok/install-poetry@v1 + uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1 with: version: '1.8.0' virtualenvs-create: true virtualenvs-in-project: true - name: Cache Poetry dependencies - uses: actions/cache@v4 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: ~/.cache/pypoetry key: poetry-cache-${{ runner.os }}-py3.11-${{ hashFiles('**/poetry.lock') }} 
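Review bot: In `code-ci.yml` at `@@ -40,18 +40,18 @@`, the `Cache CodeMie CLI` step keys on `hashFiles('~/.npm/_cacache')`, and `hashFiles` only matches files inside `GITHUB_WORKSPACE` and does not expand `~`, so the expression most likely evaluates to an empty string and the key never changes. With a constant key, the `~/.npm` contents saved by the first run are restored indefinitely, and stale or unwanted cache content is never evicted by a key change. Keying on something that changes with the installed CLI would fix it, for example `key: codemie-cli-${{ runner.os }}-<cli-version>` (placeholder for the pinned CLI version). The step's remaining `with:` entries continue outside the hunk.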
@@ -86,7 +86,7 @@ jobs: - name: Load cached venv id: cached-poetry-dependencies - uses: actions/cache@v4 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: .venv key: venv-${{ runner.os }}-py3.11-${{ hashFiles('**/poetry.lock') }} @@ -283,7 +283,7 @@ jobs: - name: Upload CodeMie Code Output if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: codemie-code-output-${{ github.run_number }} path: /tmp/claude-output.log diff --git a/src/workflows/templates/github/inline-fix.yml b/src/workflows/templates/github/inline-fix.yml index 01d32201..7bc734c2 100644 --- a/src/workflows/templates/github/inline-fix.yml +++ b/src/workflows/templates/github/inline-fix.yml @@ -57,7 +57,7 @@ jobs: steps: - name: Add "eyes" reaction to show we're working - uses: actions/github-script@v7 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 continue-on-error: true with: github-token: ${{ secrets.GITHUB_TOKEN }} @@ -95,7 +95,7 @@ jobs: - name: Extract PR and branch information id: pr_info - uses: actions/github-script@v7 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | @@ -168,14 +168,14 @@ jobs: console.log('='.repeat(50)); - name: Checkout PR branch - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ steps.pr_info.outputs.branch_name }} fetch-depth: 0 token: ${{ secrets.GITHUB_TOKEN }} - name: Set up Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: '24' 
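Review bot: In `inline-fix.yml` at `@@ -57,7 +57,7 @@`, the trailing comment `# v8` names a moving major tag rather than a release, unlike the `# v6.0.2` and `# v6.3.0` comments elsewhere in this commit. A reader, or an update tool that rewrites the comment together with the SHA, cannot tell which release `ed597411d8f924073f98dfc5c65a23a2325f34cd` is meant to be. Recording the exact release keeps the pins auditable: `uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.<minor>.<patch>` (placeholder; take the value from the upstream release that this SHA belongs to). The same comment appears at `@@ -95`, `@@ -530`, `@@ -599` and `@@ -630` in this file and at `@@ -624` in `pr-review.yml`.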
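Review bot: In `inline-fix.yml` at `@@ -168,14 +168,14 @@`, `Checkout PR branch` passes `token: ${{ secrets.GITHUB_TOKEN }}` and checks out `steps.pr_info.outputs.branch_name`, so the token stays configured for git while every later step runs inside a tree taken from the pull request. The later `check_push` references suggest the job does push, so the credential is needed, but only at that point; consider `persist-credentials: false` here and supplying the token to the push step alone. The job's trigger and `permissions:` block are outside this diff, so it is worth confirming that who may start the run is restricted and that the token scope is minimal.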
@@ -186,19 +186,19 @@ jobs: run: codemie install claude - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.11' - name: Install Poetry - uses: snok/install-poetry@v1 + uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1 with: version: '1.8.0' virtualenvs-create: true virtualenvs-in-project: true - name: Cache Poetry dependencies - uses: actions/cache@v4 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: ~/.cache/pypoetry key: poetry-cache-${{ runner.os }}-py3.11-${{ hashFiles('**/poetry.lock') }} @@ -207,7 +207,7 @@ jobs: - name: Load cached venv id: cached-poetry-dependencies - uses: actions/cache@v4 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: .venv key: venv-${{ runner.os }}-py3.11-${{ hashFiles('**/poetry.lock') }} @@ -420,7 +420,7 @@ jobs: - name: Upload CodeMie Output if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: codemie-fix-output-${{ github.run_number }} path: /tmp/codemie-fix-output.log @@ -530,7 +530,7 @@ jobs: - name: Reply to comment with success if: success() && steps.check_push.outputs.has_commits == 'true' - uses: actions/github-script@v7 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 continue-on-error: true with: github-token: ${{ secrets.GITHUB_TOKEN }} @@ -599,7 +599,7 @@ jobs: - name: Reply to comment with no changes if: success() && steps.check_push.outputs.has_commits == 'false' - uses: actions/github-script@v7 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 continue-on-error: true with: github-token: ${{ secrets.GITHUB_TOKEN }} 
@@ -630,7 +630,7 @@ jobs: - name: Reply to comment with failure if: failure() - uses: actions/github-script@v7 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 continue-on-error: true with: github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/src/workflows/templates/github/pr-review.yml b/src/workflows/templates/github/pr-review.yml index ea25fdaa..d1ec5ec4 100644 --- a/src/workflows/templates/github/pr-review.yml +++ b/src/workflows/templates/github/pr-review.yml @@ -80,12 +80,12 @@ jobs: steps: - name: Checkout PR code - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Set up Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: '24' @@ -184,7 +184,7 @@ jobs: "command": "npx", "args": [ "-y", - "@modelcontextprotocol/server-github" + "@modelcontextprotocol/server-github@2025.4.8" ], "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_TOKEN" @@ -616,7 +616,7 @@ jobs: - name: Upload Review Output if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: codemie-review-output-${{ github.run_number }} path: /tmp/codemie-review-output.log @@ -624,7 +624,7 @@ jobs: - name: Post failure comment if: failure() && steps.claude_review.outcome == 'failure' - uses: actions/github-script@v7 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ steps.generate_token.outputs.token }} script: |
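Review bot: In `pr-review.yml` at `@@ -184,7 +184,7 @@`, `npx -y` with `@modelcontextprotocol/server-github@2025.4.8` fixes the top-level package version, but `npx` still resolves that package's dependencies at run time with no lockfile or integrity check, and the process receives `GITHUB_PERSONAL_ACCESS_TOKEN`. Installing the server in an earlier step with `npm ci` against a small committed `package.json` and `package-lock.json`, then pointing `"command"` at the installed binary, would make the whole dependency tree reproducible. It is also worth confirming that the package is still maintained upstream before pinning to it. The JSON block starts and ends outside the hunk.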