diff --git a/.github/workflows/ash-security-comment.yml b/.github/workflows/ash-security-comment.yml index 3cd15980..8941b57b 100644 --- a/.github/workflows/ash-security-comment.yml +++ b/.github/workflows/ash-security-comment.yml @@ -21,7 +21,7 @@ jobs: # scan was skipped because no scannable files changed, or the upload # failed). Later steps guard on this step's outcome. continue-on-error: true - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ash-security-results path: /tmp/ash-results @@ -46,7 +46,7 @@ jobs: - name: Post comment on PR if: steps.pr-info.outputs.pr_number - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: # Pass values via env and read with process.env rather than interpolating # ${{ }} directly into the script body (avoids any script-injection risk). diff --git a/.github/workflows/ash-security-scan.yml b/.github/workflows/ash-security-scan.yml index 3770d6c7..bacb63ae 100644 --- a/.github/workflows/ash-security-scan.yml +++ b/.github/workflows/ash-security-scan.yml @@ -11,7 +11,7 @@ jobs: scan: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 @@ -21,7 +21,7 @@ jobs: # compromise (CVE-2025-30066) where version tags were retroactively # repointed to a malicious commit. Pinning to an immutable commit SHA is # the documented mitigation. Bump deliberately, never via a floating tag. - uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5 + uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6 with: files: | **/*.ts @@ -46,7 +46,7 @@ jobs: - name: Set up Python if: steps.changed-files.outputs.any_changed == 'true' - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4.7.1 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v4.7.1 with: python-version: '3.10' @@ -169,7 +169,7 @@ jobs: - name: Upload scan results if: always() && steps.changed-files.outputs.any_changed == 'true' - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: ash-security-results path: | diff --git a/.github/workflows/blueprints-unit-tests.yml b/.github/workflows/blueprints-unit-tests.yml index 6daa30bb..04582320 100644 --- a/.github/workflows/blueprints-unit-tests.yml +++ b/.github/workflows/blueprints-unit-tests.yml @@ -14,7 +14,7 @@ jobs: actions: read contents: read steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v7 - uses: actions/setup-node@v6 with: node-version: 20 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 0564b447..242a36b3 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -21,10 +21,10 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Initialize CodeQL - uses: github/codeql-action/init@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5 + uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: languages: javascript-typescript build-mode: none @@ -32,6 +32,6 @@ jobs: queries: security-extended - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5 + uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: category: "/language:javascript-typescript" diff --git a/.github/workflows/daily-tag.yml b/.github/workflows/daily-tag.yml index 37641580..d0244eb9 100644 --- a/.github/workflows/daily-tag.yml +++ b/.github/workflows/daily-tag.yml @@ -13,7 +13,7 @@ jobs: name: "Create tag on main for changes in last 24 hours" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v7 - name: "Get changes and create TAG" run: | diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 410dd0f7..93142a7d 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -11,10 +11,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Dependency Review - uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1 + uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0 with: # Fail PRs that introduce dependencies with known HIGH or CRITICAL # vulnerabilities. "moderate" is intentionally not blocking to avoid diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index c0a7676e..c1ea17e2 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -11,11 +11,11 @@ jobs: pre-commit: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: # Need the PR base commit so pre-commit can diff for changed files. fetch-depth: 0 - - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4.7.1 + - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v4.7.1 # ShellCheck is invoked as a local "system" hook (see .pre-commit-config.yaml); # it is preinstalled on ubuntu-latest, so no install step is required. - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 diff --git a/.github/workflows/stale-issue-pr.yml b/.github/workflows/stale-issue-pr.yml index 0494b1de..5d90f0c6 100644 --- a/.github/workflows/stale-issue-pr.yml +++ b/.github/workflows/stale-issue-pr.yml @@ -19,7 +19,7 @@ jobs: with: egress-policy: audit - - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 + - uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10.3.0 id: stale with: ascending: true diff --git a/.github/workflows/website-deploy.yaml b/.github/workflows/website-deploy.yaml index 9c7c327d..319f972a 100644 --- a/.github/workflows/website-deploy.yaml +++ b/.github/workflows/website-deploy.yaml @@ -18,7 +18,7 @@ jobs: shell: bash working-directory: website steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v7 - uses: actions/setup-node@v6 with: node-version: 20 diff --git a/.github/workflows/website-test-deploy.yml b/.github/workflows/website-test-deploy.yml index 52c2a330..f7df68a1 100644 --- a/.github/workflows/website-test-deploy.yml +++ b/.github/workflows/website-test-deploy.yml @@ -17,7 +17,7 @@ jobs: shell: bash working-directory: website steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v7 - uses: actions/setup-node@v6 with: node-version: 20