diff --git a/.github/workflows/anneal-release.yml b/.github/workflows/anneal-release.yml
index 3dc652f436..0349df17e3 100644
--- a/.github/workflows/anneal-release.yml
+++ b/.github/workflows/anneal-release.yml
@@ -275,7 +275,7 @@ jobs:
 - name: Submit PR
 id: submit-pr
- uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 # zizmor: ignore[superfluous-actions]
+ uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.0 # zizmor: ignore[superfluous-actions]
 with:
 commit-message: "Release Anneal ${{ github.event.inputs.version }}"
 author: Google PR Creation Bot
diff --git a/.github/workflows/anneal.yml b/.github/workflows/anneal.yml
index 6cdf26e9f3..632bf84dcb 100644
--- a/.github/workflows/anneal.yml
+++ b/.github/workflows/anneal.yml
@@ -44,7 +44,7 @@ jobs:
 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 - name: Log in to the Container registry
- uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -70,7 +70,7 @@ jobs:
 - name: Build Docker image (Dry Run)
 id: build_dry
- uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+ uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
 with:
 context: anneal
 file: anneal/Dockerfile
@@ -102,7 +102,7 @@ jobs:
 echo "[{\"name\": \"Docker Build Time\", \"unit\": \"seconds\", \"value\": $duration}]" > build_time.json
 - name: Store build time benchmark
- uses: benchmark-action/github-action-benchmark@a60cea5bc7b49e15c1f58f411161f99e0df48372 # v1.22.0
+ uses: benchmark-action/github-action-benchmark@52576c92bccf6ac60c8223ec7eb2565637cae9ba # v1.22.1
 with:
 name: Docker Build Time
 tool: 'customSmallerIsBetter'
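Review bot: The version comment on the `peter-evans/create-pull-request` pin in the `Submit PR` step of anneal-release.yml still reads `# v8.1.0` although the commit hash changes, so either the comment is stale or the upstream tag now points at a different commit. The same unchanged `# v8.1.0` appears on the new pin in backport-pr.yml, release-crate-version.yml and both `Submit PR` hunks of roll-pinned-toolchain-versions.yml. Reviewers and update bots read that comment to map a hash to a release, so confirm which upstream tag `5f6978faf089d4d20b00c7766989d076bb2fc7f1` resolves to and make the comment match, e.g. `# <tag the hash resolves to> # zizmor: ignore[superfluous-actions]`. If the tag itself was re-pointed, the upstream changes between the two commits deserve a read before merging, since this action presumably runs with a token that can push branches and open pull requests.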
@@ -138,7 +138,7 @@ jobs:
 # dry-run build above.
 - name: Build and push Docker image
 if: steps.check_remote.outputs.match != 'true'
- uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+ uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
 # NOTE: All arguments here must match the dry-run step above exactly
 # in order to ensure we hit the cache for the local build!
 with:
@@ -177,7 +177,7 @@ jobs:
 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 - name: Log in to the Container registry
- uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -215,7 +215,7 @@ jobs:
 # We use github-action-benchmark to manage the history of image sizes.
 # It is configured to store results in a dedicated branch to avoid
 # complex cache management.
- uses: benchmark-action/github-action-benchmark@a60cea5bc7b49e15c1f58f411161f99e0df48372 # v1.22.0
+ uses: benchmark-action/github-action-benchmark@52576c92bccf6ac60c8223ec7eb2565637cae9ba # v1.22.1
 with:
 name: Docker Image Size
 tool: 'customSmallerIsBetter'
@@ -246,7 +246,7 @@ jobs:
 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 - name: Log in to the Container registry
- uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -339,7 +339,7 @@ jobs:
 ]' > output.json
 - name: Store CI duration benchmarks
- uses: benchmark-action/github-action-benchmark@a60cea5bc7b49e15c1f58f411161f99e0df48372 # v1.22.0
+ uses: benchmark-action/github-action-benchmark@52576c92bccf6ac60c8223ec7eb2565637cae9ba # v1.22.1
 with:
 name: CI Durations
 tool: 'customSmallerIsBetter'
@@ -390,7 +390,7 @@ jobs:
 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 - name: Log in to the Container registry
- uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
diff --git a/.github/workflows/backport-pr.yml b/.github/workflows/backport-pr.yml
index 23aae08b26..03a1d7136d 100644
--- a/.github/workflows/backport-pr.yml
+++ b/.github/workflows/backport-pr.yml
@@ -62,7 +62,7 @@ jobs:
 echo "AUTHOR=$AUTHOR" >> $GITHUB_ENV
 - name: Submit PR
- uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 # zizmor: ignore[superfluous-actions]
+ uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.0 # zizmor: ignore[superfluous-actions]
 with:
 author: "${{ env.AUTHOR }}"
 committer: "${{ env.AUTHOR }}"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f502cd0e41..0c2d30a7ee 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -307,7 +307,7 @@ jobs:
 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 - name: Log in to the Container registry
- uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -322,7 +322,7 @@ jobs:
 echo "tag=${REF_NAME//\//-}" >> "$GITHUB_OUTPUT"
 - name: Load image from cache
- uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+ uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
 with:
 context: .
 file: .github/workflows/Dockerfile
@@ -989,7 +989,7 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
- - uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+ - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
 with:
 # Only scan the .github directory to avoid scanning vendored dependencies
 inputs: .github
@@ -1015,7 +1015,7 @@ jobs:
 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 - name: Log in to the Container registry
- uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -1030,7 +1030,7 @@ jobs:
 echo "tag=${REF_NAME//\//-}" >> "$GITHUB_OUTPUT"
 - name: Build and cache layers
- uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+ uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
 with:
 context: .
 file: .github/workflows/Dockerfile
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 96a9863754..b4fad086be 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -31,7 +31,7 @@ jobs:
 contents: read
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
 egress-policy: audit
@@ -40,4 +40,4 @@ jobs:
 with:
 persist-credentials: false
 - name: 'Dependency Review'
- uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
+ uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index a178b7aefe..4e2e9f843d 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -93,7 +93,7 @@ jobs:
 fi
 - name: Upload Cargo doc output to GitHub Pages
- uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4
+ uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
 with:
 path: target/doc
 deploy:
diff --git a/.github/workflows/release-crate-version.yml b/.github/workflows/release-crate-version.yml
index 1c04f28fdf..0e04b3f9f1 100644
--- a/.github/workflows/release-crate-version.yml
+++ b/.github/workflows/release-crate-version.yml
@@ -44,7 +44,7 @@ jobs:
 - name: Submit PR
 id: submit-pr
- uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 # zizmor: ignore[superfluous-actions]
+ uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.0 # zizmor: ignore[superfluous-actions]
 with:
 commit-message: "Release ${{ github.event.inputs.version }}"
 author: Google PR Creation Bot
diff --git a/.github/workflows/roll-pinned-toolchain-versions.yml b/.github/workflows/roll-pinned-toolchain-versions.yml
index c99d94821e..2c39331049 100644
--- a/.github/workflows/roll-pinned-toolchain-versions.yml
+++ b/.github/workflows/roll-pinned-toolchain-versions.yml
@@ -118,7 +118,7 @@ jobs:
 - name: Submit PR
 id: submit-pr
- uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 # zizmor: ignore[superfluous-actions]
+ uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.0 # zizmor: ignore[superfluous-actions]
 with:
 commit-message: "[ci] Roll pinned ${{ matrix.toolchain }} toolchain"
 author: Google PR Creation Bot
@@ -164,7 +164,7 @@ jobs:
 sed -i -E -e "s/^( *kani-version:)( [0-9]+\.[0-9]+\.[0-9]+)/\1 $KANI_LATEST/" .github/workflows/ci.yml
 - name: Submit PR
 id: submit-pr
- uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 # zizmor: ignore[superfluous-actions]
+ uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.0 # zizmor: ignore[superfluous-actions]
 with:
 commit-message: "[ci] Roll pinned Kani version"
 author: Google PR Creation Bot
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 25180c752a..ddf03511de 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -64,7 +64,7 @@ jobs:
 # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
 # format to the repository Actions tab.
 - name: "Upload artifact"
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: SARIF file
 path: results.sarif
@@ -72,6 +72,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard.
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+ uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
 with:
 sarif_file: results.sarif