From f40b284146c2d97c011b7fafa705f5a3766eda3d Mon Sep 17 00:00:00 2001
From: Allen
Date: Fri, 27 Mar 2026 14:15:38 +0000
Subject: [PATCH] mesh-2834: pin actions to commit shas

---
 .github/dependabot.yml | 6 ++++-
 .github/workflows/merge-develop.yml | 8 +++----
 .github/workflows/merge-release.yml | 8 +++----
 .github/workflows/pull-request.yml | 24 +++++++++----------
 .../scheduled-combine-dependabot-prs.yaml | 2 +-
 5 files changed, 26 insertions(+), 22 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index bc9a294..a2dc6e6 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -11,6 +11,8 @@ updates:
 open-pull-requests-limit: 2
 schedule:
 interval: "monthly"
+ cooldown:
+ default-days: 7
 commit-message:
 prefix: "github actions "
 include: scope
@@ -18,4 +20,6 @@ updates:
 - package-ecosystem: "pip"
 directory: "/" # Location of package manifests
 schedule:
- interval: "monthly"
\ No newline at end of file
+ interval: "monthly"
+ cooldown:
+ default-days: 7
\ No newline at end of file
diff --git a/.github/workflows/merge-develop.yml b/.github/workflows/merge-develop.yml
index ac7f4c2..b89f550 100644
--- a/.github/workflows/merge-develop.yml
+++ b/.github/workflows/merge-develop.yml
@@ -11,12 +11,12 @@ jobs:
 if: github.repository == 'NHSDigital/mesh-client' && !contains(github.event.head_commit.message, 'tag release version:')
 steps:
 - name: checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 
 - name: setup python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version-file: 'pyproject.toml'
 
@@ -30,7 +30,7 @@ jobs:
 poetry self add "poetry-dynamic-versioning[plugin]"
 
 - name: cache virtualenv
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: |
 .venv
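Review bot: The last hunk of `.github/dependabot.yml` rewrites the final line of the file yet still leaves it without a trailing newline (`\ No newline at end of file` appears on both the removed and the added side), so every future edit to the `pip` stanza will re-diff this line; end the file with a newline while it is being touched. The new `cooldown: default-days: 7` also governs the `github-actions` ecosystem, which after this commit is what advances the SHA pins, so action updates — including ones that are fixes — will arrive a week later unless security updates are exempt from cooldown, which is worth confirming against the Dependabot docs before merging.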
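Review bot: The comment beside each new pin in `.github/workflows/merge-develop.yml` (`# v6`, `# v4`, `# v5`) names the floating major tag rather than the exact release the SHA was taken from, so a reader cannot later confirm that the commit still corresponds to a published version without querying upstream. The same applies to the pins in merge-release.yml and pull-request.yml, and in merge-release.yml `# release/v1` names a branch rather than a tag. Record the exact tag, e.g. `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.<minor>.<patch>` with the real version filled in, as `# v5.2.0` in scheduled-combine-dependabot-prs.yaml already does; Dependabot should then keep the comment in sync when it bumps the SHA.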
@@ -58,7 +58,7 @@ jobs:
 
 - name: setup java
 if: github.actor != 'dependabot[bot]' && (success() || failure())
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 distribution: "corretto"
 java-version: "17"
diff --git a/.github/workflows/merge-release.yml b/.github/workflows/merge-release.yml
index 0a3762d..53563b3 100644
--- a/.github/workflows/merge-release.yml
+++ b/.github/workflows/merge-release.yml
@@ -11,7 +11,7 @@ jobs:
 if: github.repository == 'NHSDigital/mesh-client' && github.actor != 'dependabot[bot]'
 steps:
 - name: checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 
@@ -21,7 +21,7 @@ jobs:
 find . -type f | xargs chmod g+w
 
 - name: setup python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version-file: 'pyproject.toml'
 
@@ -48,7 +48,7 @@ jobs:
 
 - name: create release
 id: create_release
- uses: actions/create-release@v1
+ uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1
 continue-on-error: false
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -57,7 +57,7 @@ jobs:
 release_name: ${{ env.RELEASE_VERSION }}
 
 - name: pypi publish
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
 with:
 password: ${{ secrets.PYPI_TOKEN }}
 
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index 625750c..c01344c 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -15,7 +15,7 @@ jobs:
 if: github.repository == 'NHSDigital/mesh-client'
 steps:
 - name: checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 
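Review bot: `actions/create-release`, pinned in the merge-release.yml hunk at line 48, is archived upstream, so the new SHA pin freezes it for good: Dependabot has no newer release to move it to and the action will not receive fixes. The pin is fine as a stopgap, but the step is worth migrating to a maintained path — on a GitHub-hosted runner the preinstalled `gh release create` needs only the `GITHUB_TOKEN` already passed in this hunk. The step's tag and release-name inputs continue past the end of the hunk.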
@@ -41,7 +41,7 @@ jobs:
 git merge --ff-only "${{ github.event.pull_request.head.sha }}"
 
 - name: setup python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: ${{ matrix.python-version }}
 
@@ -64,7 +64,7 @@ jobs:
 if: github.repository == 'NHSDigital/mesh-client'
 steps:
 - name: checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 
@@ -93,7 +93,7 @@ jobs:
 git merge --ff-only "${{ github.event.pull_request.head.sha }}"
 
 - name: setup python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version-file: 'pyproject.toml'
 
@@ -107,7 +107,7 @@ jobs:
 poetry self add "poetry-dynamic-versioning[plugin]"
 
 - name: cache virtualenv
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: |
 .venv
@@ -138,7 +138,7 @@ jobs:
 
 - name: setup java
 if: github.actor != 'dependabot[bot]' && (success() || failure())
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 distribution: "corretto"
 java-version: "17"
@@ -169,7 +169,7 @@ jobs:
 
 - name: archive reports
 if: github.actor != 'dependabot[bot]' && (success() || failure())
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
 with:
 name: reports
 path: reports/**/*
@@ -190,7 +190,7 @@ jobs:
 if: github.repository == 'NHSDigital/mesh-client'
 steps:
 - name: checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 
@@ -211,7 +211,7 @@ jobs:
 git merge --ff-only "${{ github.event.pull_request.head.sha }}"
 
 - name: setup python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version-file: 'pyproject.toml'
 
@@ -225,7 +225,7 @@ jobs:
 poetry self add "poetry-dynamic-versioning[plugin]"
 
 - name: cache virtualenv
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: |
 .venv
@@ -270,7 +270,7 @@ jobs:
 - tox
 steps:
 - name: checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 
@@ -296,7 +296,7 @@ jobs:
 git merge --ff-only "${{ github.event.pull_request.head.sha }}"
 
 - name: setup python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version-file: 'pyproject.toml'
 
diff --git a/.github/workflows/scheduled-combine-dependabot-prs.yaml b/.github/workflows/scheduled-combine-dependabot-prs.yaml
index 48c7474..651c2c1 100644
--- a/.github/workflows/scheduled-combine-dependabot-prs.yaml
+++ b/.github/workflows/scheduled-combine-dependabot-prs.yaml
@@ -25,7 +25,7 @@ jobs:
 steps:
 - name: combine-prs
 id: combine-prs
- uses: github/combine-prs@v5.2.0
+ uses: github/combine-prs@2909f404763c3177a456e052bdb7f2e85d3a7cb3 # v5.2.0
 with:
 ci_required: ${{ inputs.ci_required == 'YES' }}
 labels: dependencies