diff --git a/.github/workflows/architecture-boundaries.yml b/.github/workflows/architecture-boundaries.yml index 88fa2b26..4d4575f0 100644 --- a/.github/workflows/architecture-boundaries.yml +++ b/.github/workflows/architecture-boundaries.yml @@ -16,7 +16,7 @@ jobs: steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit @@ -26,12 +26,12 @@ jobs: fetch-depth: 0 - name: Install pnpm (pinned) - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 with: version: 9.15.9 - name: Setup Node.js - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e with: node-version: '22' cache: 'pnpm' @@ -51,7 +51,7 @@ jobs: --output-type archi packages/ > architecture.svg - name: Upload architecture diagram - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a if: always() with: name: architecture-diagram @@ -178,7 +178,7 @@ jobs: EOF - name: Upload boundary report - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a if: always() with: name: boundary-report diff --git a/.github/workflows/browser-smoke.yml b/.github/workflows/browser-smoke.yml index 48844473..4bde6b03 100644 --- a/.github/workflows/browser-smoke.yml +++ b/.github/workflows/browser-smoke.yml 
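Review bot: The re-pinned `uses:` lines in this hunk (architecture-boundaries.yml, @@ -16,7) and in every other hunk of the commit carry a bare 40-character SHA with no release comment, so the diff alone does not show which release each new SHA is, or that it is a tagged commit of the named repository. Keep the pin but record the tag beside it, e.g. `uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # vX.Y.Z` (placeholder; fill in the tag the SHA resolves to upstream). Before merging, check each new SHA against the action's own tags, as GitHub's hardening guidance asks you to verify that a pinned SHA comes from the action's repository and not from a fork. The job's step list starts and ends outside the hunk.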
@@ -25,19 +25,19 @@ jobs: timeout-minutes: 10 steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - name: Setup pnpm - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 with: version: 9.15.9 - name: Setup Node - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e with: node-version: 22 cache: 'pnpm' @@ -52,7 +52,7 @@ jobs: run: pnpm run -s preflight - name: Cache Playwright browsers - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae with: path: ~/.cache/ms-playwright key: playwright-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }} @@ -93,7 +93,7 @@ jobs: - name: Upload host-contracts JSON artifact if: always() - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a with: name: browser-host-contracts path: ${{ runner.temp }}/host-contracts.json diff --git a/.github/workflows/cert-shipme.yml b/.github/workflows/cert-shipme.yml index 26c12843..08488e2f 100644 --- a/.github/workflows/cert-shipme.yml +++ b/.github/workflows/cert-shipme.yml 
@@ -26,12 +26,12 @@ jobs: pull-requests: write steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 - - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e with: { node-version: 22, cache: 'pnpm' } - run: pnpm install --no-frozen-lockfile @@ -62,7 +62,7 @@ jobs: run: node packages/wesley-host-node/bin/wesley.mjs cert-verify --in SHIPME.md --pub pub.pem - name: Upload SHIPME - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a with: name: SHIPME path: SHIPME.md diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index afda9fe8..d7513064 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,18 +10,18 @@ jobs: timeout-minutes: 20 steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: submodules: recursive - - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 - name: Verify pnpm version run: | echo "pnpm: $(pnpm --version)" node -v - - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e with: { node-version: 22, cache: 'pnpm' } - run: pnpm install --frozen-lockfile - name: Verify lockfile unchanged 
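Review bot: `- run: pnpm install --no-frozen-lockfile` in the cert-shipme.yml hunk (@@ -26,12) lets the install resolve versions that differ from the committed pnpm-lock.yaml, in a job whose visible permissions include `pull-requests: write`, while the ci.yml hunk in this same commit installs with `--frozen-lockfile`. Pinning the actions by SHA protects little if the packages installed right after them can drift. Use `- run: pnpm install --frozen-lockfile` here, or if the relaxed mode is deliberate, add a comment above the step saying why. The job's steps continue outside the hunk.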
diff --git a/.github/workflows/cli-quick.yml b/.github/workflows/cli-quick.yml index cead08b0..bdb3924d 100644 --- a/.github/workflows/cli-quick.yml +++ b/.github/workflows/cli-quick.yml @@ -23,7 +23,7 @@ jobs: steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit @@ -48,7 +48,7 @@ jobs: - name: Setup pnpm if: steps.changes.outputs.cli == 'true' - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 - name: Verify pnpm version run: | @@ -57,7 +57,7 @@ jobs: - name: Setup Node.js (LTS) if: steps.changes.outputs.cli == 'true' - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e with: node-version: '22' cache: 'pnpm' diff --git a/.github/workflows/cli-tests.yml b/.github/workflows/cli-tests.yml index e9286566..be36e8ad 100644 --- a/.github/workflows/cli-tests.yml +++ b/.github/workflows/cli-tests.yml @@ -33,7 +33,7 @@ jobs: steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit @@ -43,7 +43,7 @@ jobs: submodules: recursive # For Bats plugins - name: Setup pnpm - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 - name: Verify pnpm version run: | @@ -51,7 +51,7 @@ jobs: node -v - name: Setup Node.js ${{ matrix.node-version }} - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e with: node-version: ${{ matrix.node-version }} cache: 'pnpm' 
@@ -103,7 +103,7 @@ jobs: pnpm test:tap > cli-test-results.tap - name: Upload TAP test results - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a if: always() with: name: cli-test-results-${{ matrix.os }}-node${{ matrix.node-version }} @@ -129,7 +129,7 @@ jobs: steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 44ed4b87..03d8d287 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -27,7 +27,7 @@ jobs: steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit @@ -35,13 +35,13 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - name: Initialize CodeQL - uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 + uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba with: languages: ${{ matrix.language }} build-mode: none queries: security-and-quality - name: Analyze with CodeQL - uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 + uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba with: category: /language:${{ matrix.language }} diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 86d23644..9bda6dde 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml 
@@ -17,7 +17,7 @@ jobs: steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit @@ -25,6 +25,6 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - name: Review dependencies - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 + uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 with: fail-on-severity: high diff --git a/.github/workflows/docs-link-check.yml b/.github/workflows/docs-link-check.yml index 78015eb5..6065cb4b 100644 --- a/.github/workflows/docs-link-check.yml +++ b/.github/workflows/docs-link-check.yml @@ -20,11 +20,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e with: node-version: 22 - name: Check markdown links (relative only) diff --git a/.github/workflows/fuzzing.yml b/.github/workflows/fuzzing.yml index 5df44ba9..7489144f 100644 --- a/.github/workflows/fuzzing.yml +++ b/.github/workflows/fuzzing.yml 
@@ -27,14 +27,14 @@ jobs: timeout-minutes: 10 steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 with: version: 9.15.9 - - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e with: node-version: 22 - name: Enable corepack (pnpm) diff --git a/.github/workflows/install-bats.yml b/.github/workflows/install-bats.yml index d7e027c9..bf20cd31 100644 --- a/.github/workflows/install-bats.yml +++ b/.github/workflows/install-bats.yml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit - name: Install bats and jq diff --git a/.github/workflows/pkg-cli.yml b/.github/workflows/pkg-cli.yml index a917eedd..6b6c0077 100644 --- a/.github/workflows/pkg-cli.yml +++ b/.github/workflows/pkg-cli.yml 
@@ -21,14 +21,14 @@ jobs: timeout-minutes: 15 steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 with: version: 9.15.9 - - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e with: node-version: 22 - name: Enable corepack (pnpm) diff --git a/.github/workflows/pkg-core.yml b/.github/workflows/pkg-core.yml index 02adab31..82eda638 100644 --- a/.github/workflows/pkg-core.yml +++ b/.github/workflows/pkg-core.yml @@ -21,14 +21,14 @@ jobs: timeout-minutes: 10 steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 with: version: 9.15.9 - - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e with: node-version: 22 - name: Enable corepack (pnpm) @@ -39,7 +39,7 @@ jobs: # Quote the command: '@' can confuse YAML if unquoted run: "pnpm --filter @wesley/core test:coverage || pnpm --filter @wesley/core test" - name: Upload core coverage (if present) - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a with: name: core-coverage path: packages/wesley-core/coverage/** 
diff --git a/.github/workflows/pkg-generator-js.yml b/.github/workflows/pkg-generator-js.yml index 55597126..c634123f 100644 --- a/.github/workflows/pkg-generator-js.yml +++ b/.github/workflows/pkg-generator-js.yml @@ -21,14 +21,14 @@ jobs: timeout-minutes: 10 steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 with: version: 9.15.9 - - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e with: node-version: 22 - name: Enable corepack (pnpm) diff --git a/.github/workflows/pkg-holmes.yml b/.github/workflows/pkg-holmes.yml index 8d67cb84..8c829ecf 100644 --- a/.github/workflows/pkg-holmes.yml +++ b/.github/workflows/pkg-holmes.yml @@ -21,14 +21,14 @@ jobs: timeout-minutes: 10 steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 with: version: 9.15.9 - - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e with: node-version: 22 - name: Enable corepack (pnpm) diff --git a/.github/workflows/pkg-host-bun.yml b/.github/workflows/pkg-host-bun.yml index f51f3018..a7f1c544 100644 --- a/.github/workflows/pkg-host-bun.yml +++ b/.github/workflows/pkg-host-bun.yml 
@@ -19,7 +19,7 @@ jobs: timeout-minutes: 5 steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd diff --git a/.github/workflows/pkg-host-deno.yml b/.github/workflows/pkg-host-deno.yml index 22a49d0e..dc532feb 100644 --- a/.github/workflows/pkg-host-deno.yml +++ b/.github/workflows/pkg-host-deno.yml @@ -23,14 +23,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 with: version: '9.15.9' - - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e with: node-version: '22' cache: 'pnpm' diff --git a/.github/workflows/pkg-host-node.yml b/.github/workflows/pkg-host-node.yml index 3f6c5570..bcf61e3c 100644 --- a/.github/workflows/pkg-host-node.yml +++ b/.github/workflows/pkg-host-node.yml 
@@ -21,14 +21,14 @@ jobs: timeout-minutes: 10 steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 with: version: 9.15.9 - - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e with: node-version: 22 - name: Enable corepack (pnpm) diff --git a/.github/workflows/pkg-tasks.yml b/.github/workflows/pkg-tasks.yml index 1a5bb0ff..48708590 100644 --- a/.github/workflows/pkg-tasks.yml +++ b/.github/workflows/pkg-tasks.yml @@ -21,14 +21,14 @@ jobs: timeout-minutes: 10 steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 with: version: 9.15.9 - - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e with: node-version: 22 - name: Enable corepack (pnpm) diff --git a/.github/workflows/preflight.yml b/.github/workflows/preflight.yml index 790a72ec..4d1e6008 100644 --- a/.github/workflows/preflight.yml +++ b/.github/workflows/preflight.yml 
@@ -14,14 +14,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e with: node-version: 22 - - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 - name: Verify pnpm version run: | echo "pnpm: $(pnpm --version)" diff --git a/.github/workflows/progress.yml b/.github/workflows/progress.yml index 08ce60f2..e8af7a44 100644 --- a/.github/workflows/progress.yml +++ b/.github/workflows/progress.yml @@ -24,16 +24,16 @@ jobs: PROGRESS_PR_TOKEN: ${{ secrets.PROGRESS_PR_TOKEN }} steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: token: ${{ secrets.GITHUB_TOKEN }} - - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 with: version: 9.15.9 - - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e with: node-version: 22 - name: Enable corepack (pnpm) 
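Review bot: `PROGRESS_PR_TOKEN: ${{ secrets.PROGRESS_PR_TOKEN }}` sits directly above `steps:` in the progress.yml hunk (@@ -24,16), which suggests a job-level `env:` (the key itself is outside the hunk). If so, every step in the job can read the token, including the two setup actions re-pinned here and any install or script step. Only the `peter-evans/create-pull-request` step in the next hunk uses it. Consider exposing just a flag at job level, `HAS_PROGRESS_PR_TOKEN: ${{ secrets.PROGRESS_PR_TOKEN != '' }}`, gating that step with `if: ${{ env.HAS_PROGRESS_PR_TOKEN == 'true' }}`, and passing the secret only there as `token: ${{ secrets.PROGRESS_PR_TOKEN }}`.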
@@ -48,7 +48,7 @@ jobs: run: node scripts/compute-progress.mjs - name: Create progress PR if: ${{ env.PROGRESS_PR_TOKEN != '' }} - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 + uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 with: token: ${{ env.PROGRESS_PR_TOKEN }} commit-message: 'docs(progress): update package matrix and progress.json' diff --git a/.github/workflows/release-crates.yml b/.github/workflows/release-crates.yml index fec24b4e..5f01883f 100644 --- a/.github/workflows/release-crates.yml +++ b/.github/workflows/release-crates.yml @@ -19,7 +19,7 @@ jobs: timeout-minutes: 30 steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit @@ -108,7 +108,7 @@ jobs: issues: read steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit diff --git a/.github/workflows/runtime-smokes.yml b/.github/workflows/runtime-smokes.yml index 6963ef04..7e86c28f 100644 --- a/.github/workflows/runtime-smokes.yml +++ b/.github/workflows/runtime-smokes.yml @@ -19,7 +19,7 @@ jobs: timeout-minutes: 5 steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd @@ -47,7 +47,7 @@ jobs: timeout-minutes: 5 steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd 
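Review bot: `egress-policy: audit` in the release-crates.yml hunks (@@ -19,7 and @@ -108,7) only records outbound connections and does not stop one; the same setting is repeated in every Harden runner step this commit touches. For a release workflow, which presumably handles a registry credential (not visible in these hunks), move to `egress-policy: block` with an `allowed-endpoints:` list built from the audit runs already collected. If audit mode is being kept on purpose for now, add a comment on the step saying so and when it will be tightened. Both jobs continue outside the hunks.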
@@ -72,15 +72,15 @@ jobs: timeout-minutes: 5 steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - name: Setup pnpm - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 with: version: 9.15.9 - - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e with: node-version: 22 cache: 'pnpm' diff --git a/.github/workflows/rust-native.yml b/.github/workflows/rust-native.yml index e79caf61..0c693cf5 100644 --- a/.github/workflows/rust-native.yml +++ b/.github/workflows/rust-native.yml @@ -36,7 +36,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 90bb4460..89f71a67 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -22,7 +22,7 @@ jobs: security-events: write steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit - name: Checkout repository 
@@ -39,12 +39,12 @@ jobs: publish_results: true - name: Upload Results to GitHub Security tab - uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 + uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba with: sarif_file: results.sarif - name: Upload Scorecard Artifact - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a with: name: scorecard-results path: results.sarif diff --git a/.github/workflows/wesley-holmes.yml b/.github/workflows/wesley-holmes.yml index bb2696bb..60956939 100644 --- a/.github/workflows/wesley-holmes.yml +++ b/.github/workflows/wesley-holmes.yml @@ -27,7 +27,7 @@ jobs: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: @@ -83,7 +83,7 @@ jobs: fi - name: "📤 Upload Dashboard Template" - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a with: name: dashboard-template path: docs/holmes-dashboard @@ -95,7 +95,7 @@ jobs: test -f "${{ steps.detect.outputs.bundle_dir }}/bundle.json" - name: "💾 Upload Bundle" - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a with: name: ${{ env.HOLMES_ARTIFACT }} path: | @@ -113,7 +113,7 @@ jobs: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: 
@@ -139,7 +139,7 @@ jobs: bundle-dir: ${{ needs.wesley-generate.outputs.bundle_dir }} - name: "💾 Save Report" - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a with: name: holmes-report path: reports/holmes @@ -154,7 +154,7 @@ jobs: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: @@ -180,7 +180,7 @@ jobs: bundle-dir: ${{ needs.wesley-generate.outputs.bundle_dir }} - name: "💾 Save Report" - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a with: name: watson-report path: reports/watson @@ -195,7 +195,7 @@ jobs: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: @@ -342,7 +342,7 @@ jobs: MORIARTY_ACTIVITY_RELEVANT_PER_DAY: "4" - name: "💾 Save Report" - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a with: name: moriarty-report path: reports/moriarty @@ -365,7 +365,7 @@ jobs: steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: @@ -412,7 +412,7 @@ jobs: fi - name: "📤 Upload Dashboard" - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a with: name: holmes-dashboard path: dashboard diff --git a/.github/workflows/wesley-website.yml b/.github/workflows/wesley-website.yml index b251d017..942fb445 100644 --- a/.github/workflows/wesley-website.yml +++ b/.github/workflows/wesley-website.yml 
@@ -26,16 +26,16 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 - name: Verify pnpm version run: | echo "pnpm: $(pnpm --version)" node -v - - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e with: node-version: 22 cache: 'pnpm' @@ -52,7 +52,7 @@ jobs: run: pnpm --filter wesley-website run build - name: Upload Pages artifact - uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b + uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 with: path: wesley-website/dist @@ -65,7 +65,7 @@ jobs: url: ${{ steps.deployment.outputs.page_url }} steps: - name: Harden runner - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 with: egress-policy: audit - id: deployment