From 66eb9e3dabf4d4668aed6271a66ecc31c8d1f1a1 Mon Sep 17 00:00:00 2001 
From: Roger Barreto <19890735+RogerBarreto@users.noreply.github.com>
Date: Wed, 20 May 2026 12:13:06 +0100
Subject: [PATCH] ci: pin third-party GitHub Actions to commit SHAs
Replaces every floating tag in our workflow and composite action files with an immutable 40-character commit SHA, keeping the original `# vX` comment so Dependabot can still propose version bumps. 186 occurrences across 25 workflows and 2 composite actions. Also widens the github-actions Dependabot entry to use the plural `directories` key with `/.github/actions/*` so composite actions under `.github/actions//action.yml` are kept up to date. Previously Dependabot only scanned `.github/workflows` and the repo-root `action.yml`, leaving our `python-setup` and `sample-validation-setup` composite actions unmaintained.
---
 .github/actions/python-setup/action.yml | 2 +-
 .../sample-validation-setup/action.yml | 4 +-
 .github/dependabot.yml | 12 ++-
 .github/workflows/codeql-analysis.yml | 8 +-
 .github/workflows/devflow-pr-review.yml | 10 +--
 .github/workflows/dotnet-build-and-test.yml | 48 ++++++------
 .github/workflows/dotnet-format.yml | 4 +-
 .../workflows/dotnet-integration-tests.yml | 6 +-
 .github/workflows/dotnet-verify-samples.yml | 8 +-
 .github/workflows/issue-triage.yml | 14 ++--
 .github/workflows/label-issues.yml | 2 +-
 .github/workflows/label-pr.yml | 2 +-
 .github/workflows/label-title-prefix.yml | 2 +-
 .github/workflows/markdown-link-check.yml | 4 +-
 .github/workflows/merge-gatekeeper.yml | 2 +-
 .github/workflows/python-code-quality.yml | 12 +--
 .../python-dependency-range-validation.yml | 6 +-
 .../python-dev-dependency-upgrade.yml | 2 +-
 .github/workflows/python-docs.yml | 4 +-
 .../workflows/python-integration-tests.yml | 54 +++++++-------
 .github/workflows/python-lab-tests.yml | 8 +-
 .github/workflows/python-merge-tests.yml | 74 +++++++++----------
 .github/workflows/python-release.yml | 4 +-
 .../workflows/python-sample-validation.yml | 74 +++++++++----------
.../workflows/python-test-coverage-report.yml | 6 +-
 .github/workflows/python-test-coverage.yml | 4 +-
 .github/workflows/python-tests.yml | 4 +-
 .github/workflows/stale-issue-pr-ping.yml | 4 +-
 28 files changed, 195 insertions(+), 189 deletions(-)
diff --git a/.github/actions/python-setup/action.yml b/.github/actions/python-setup/action.yml
index ed595ee87a..6cbe1cb833 100644
--- a/.github/actions/python-setup/action.yml
+++ b/.github/actions/python-setup/action.yml
@@ -17,7 +17,7 @@ runs:
 using: "composite"
 steps:
 - name: Set up uv
- uses: astral-sh/setup-uv@v6
+ uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6
 with:
 version-file: "python/pyproject.toml"
 enable-cache: true
diff --git a/.github/actions/sample-validation-setup/action.yml b/.github/actions/sample-validation-setup/action.yml
index 14c92694ff..c9d2d2d6ac 100644
--- a/.github/actions/sample-validation-setup/action.yml
+++ b/.github/actions/sample-validation-setup/action.yml
@@ -24,7 +24,7 @@ runs:
 using: "composite"
 steps:
 - name: Set up Node.js environment
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: 22
@@ -37,7 +37,7 @@ runs:
 run: copilot --version && copilot -p "What can you do in one sentence?"
 - name: Azure CLI Login
- uses: azure/login@v2
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2
 with:
 client-id: ${{ inputs.azure-client-id }}
 tenant-id: ${{ inputs.azure-tenant-id }}
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 90b127a829..22db68fc60 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
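Review bot: The trailing comment on the pinned line in `.github/actions/python-setup/action.yml`, `# v6`, names only a major tag, so nothing on the line records which release the SHA was resolved from and a reviewer cannot check the pin against a tag without resolving it by hand. Other hunks in this patch already carry the exact version (`# v5.2.0` on `actions/setup-dotnet`, `# v0.7.2` on `pmeier/pytest-results-action`); the major-only comments in the remaining hunks (`# v2`, `# v4`, `# v7`, `# v8`, ...) would be easier to audit in the same form, e.g. `uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # vX.Y.Z` with the real tag filled in. Before merge it is also worth confirming that each SHA is a commit of the upstream repository and not of a fork, since nothing on this page allows that to be verified.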
@@ -44,9 +44,15 @@ updates:
 # Maintain dependencies for github-actions
 - package-ecosystem: "github-actions"
- # Workflow files stored in the
- # default location of `.github/workflows`
- directory: "/"
+ # Cover both the standard workflow location and our composite actions.
+ # With `directory: "/"` Dependabot only scans `.github/workflows/*.{yml,yaml}`
+ # plus a root-level `action.yml/action.yaml`. It does NOT recurse into
+ # `.github/actions/*/action.yml`, so the glob below is required to keep the
+ # composite actions in `.github/actions//` up to date as well.
+ # Ref: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#directories-or-directory--
+ directories:
+ - "/"
+ - "/.github/actions/*"
 schedule:
 interval: "weekly"
 day: "sunday"
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 21d3aa2ed0..361b591e76 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -32,13 +32,13 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v4
+ uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -51,7 +51,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v4 + uses: github/codeql-action/autobuild@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4 # â„šī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -64,6 +64,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/devflow-pr-review.yml b/.github/workflows/devflow-pr-review.yml index 5ce9592a51..ca6a20ddb2 100644 --- a/.github/workflows/devflow-pr-review.yml +++ b/.github/workflows/devflow-pr-review.yml @@ -66,7 +66,7 @@ jobs: - name: Check PR author team membership id: check - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: TEAM_NAME: ${{ secrets.DEVELOPER_TEAM }} PR_NUMBER: ${{ steps.pr.outputs.pr_number }} @@ -116,7 +116,7 @@ jobs: steps: # Safe checkout: base repo only, not the untrusted PR head. - name: Checkout target repo base - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.base.sha || github.sha }} fetch-depth: 0 @@ -125,7 +125,7 @@ jobs: # Private DevFlow checkout: the PAT/token grants access to this repo's code. - name: Checkout DevFlow - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: repository: ${{ env.DEVFLOW_REPOSITORY }} ref: ${{ env.DEVFLOW_REF }} 
@@ -135,12 +135,12 @@ jobs:
 path: devflow
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: "3.13"
 - name: Set up uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
 with:
 version: "0.11.x"
 enable-cache: true
diff --git a/.github/workflows/dotnet-build-and-test.yml b/.github/workflows/dotnet-build-and-test.yml
index c639da53d5..8fe1fbf176 100644
--- a/.github/workflows/dotnet-build-and-test.yml
+++ b/.github/workflows/dotnet-build-and-test.yml
@@ -41,8 +41,8 @@ jobs:
 functionsChanged: ${{ steps.filter.outputs.functions }}
 coreChanged: ${{ steps.filter.outputs.core }}
 steps:
- - uses: actions/checkout@v6
- - uses: dorny/paths-filter@v3
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3
 id: filter
 with:
 filters: |
@@ -111,7 +111,7 @@ jobs:
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
 sparse-checkout: |
@@ -122,7 +122,7 @@ jobs:
 declarative-agents
 - name: Setup dotnet
- uses: actions/setup-dotnet@v5.2.0
+ uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
 with:
 global-json-file: ${{ github.workspace }}/dotnet/global.json
 - name: Build dotnet solutions
@@ -181,7 +181,7 @@ jobs:
 runs-on: ${{ matrix.os }}
 environment: ${{ matrix.environment }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
 sparse-checkout: |
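Review bot: In the `@@ -41,8 +41,8 @@` hunk of `.github/workflows/dotnet-build-and-test.yml` the pinned `actions/checkout` step has no `with:` block, so the job token stays persisted for later steps while the third-party `dorny/paths-filter` step runs directly after it. The other checkout steps of this file that the patch shows set `persist-credentials: false`; the same two lines would fit here, `with:` followed by `persist-credentials: false`. The paths-filter jobs in `python-lab-tests.yml` and `python-merge-tests.yml` have the same shape. The job continues outside the hunk, so whether paths-filter needs git credentials to fetch a base ref is not visible here and should be checked before changing it.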
@@ -202,7 +202,7 @@ jobs:
 echo "COSMOSDB_EMULATOR_AVAILABLE=true" >> $env:GITHUB_ENV
 - name: Setup dotnet
- uses: actions/setup-dotnet@v5.2.0
+ uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
 with:
 global-json-file: ${{ github.workspace }}/dotnet/global.json
@@ -271,7 +271,7 @@ jobs:
 - name: Azure CLI Login
 if: github.event_name != 'pull_request' && matrix.integration-tests
- uses: azure/login@v2
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2
 with:
 client-id: ${{ secrets.AZURE_CLIENT_ID }}
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@@ -318,7 +318,7 @@ jobs:
 # Generate test reports and check coverage
 - name: Generate test reports
 if: matrix.targetFramework == env.COVERAGE_FRAMEWORK
- uses: danielpalme/ReportGenerator-GitHub-Action@5.5.3
+ uses: danielpalme/ReportGenerator-GitHub-Action@2a82782178b2816d9d6960a7345fdd164791b323 # 5.5.3
 with:
 reports: "./TestResults/Coverage/**/*.cobertura.xml"
 targetdir: "./TestResults/Reports"
@@ -326,7 +326,7 @@ jobs:
 - name: Upload coverage report artifact
 if: matrix.targetFramework == env.COVERAGE_FRAMEWORK
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: CoverageReport-${{ matrix.os }}-${{ matrix.targetFramework }}-${{ matrix.configuration }} # Artifact name
 path: ./TestResults/Reports # Directory containing files to upload
@@ -338,7 +338,7 @@ jobs:
 - name: Upload integration test results
 if: always() && github.event_name != 'pull_request' && matrix.integration-tests
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: dotnet-test-results-${{ matrix.targetFramework }}-${{ matrix.os }}
 path: IntegrationTestResults/**/*.junit
@@ -356,7 +356,7 @@ jobs:
 env:
 configuration: Release
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
 sparse-checkout: |
@@ -366,7 +366,7 @@ jobs:
 python
 - name: Setup dotnet
- uses: actions/setup-dotnet@v5.2.0
+ uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
 with:
 global-json-file: ${{ github.workspace }}/dotnet/global.json
@@ -381,7 +381,7 @@ jobs:
 run: dotnet build dotnet/tests/Foundry.Hosting.IntegrationTests/Foundry.Hosting.IntegrationTests.csproj -c "$configuration" --warnaserror
 - name: Azure CLI Login
- uses: azure/login@v2
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2
 with:
 client-id: ${{ secrets.AZURE_CLIENT_ID }}
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@@ -442,7 +442,7 @@ jobs:
 runs-on: ubuntu-latest
 environment: integration
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
 sparse-checkout: |
@@ -453,7 +453,7 @@ jobs:
 declarative-agents
 - name: Setup dotnet
- uses: actions/setup-dotnet@v5.2.0
+ uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
 with:
 global-json-file: ${{ github.workspace }}/dotnet/global.json
@@ -465,7 +465,7 @@ jobs:
 dotnet build ./tests/Microsoft.Agents.AI.Hosting.AzureFunctions.IntegrationTests -c Release -f net10.0 --warnaserror
 - name: Azure CLI Login
- uses: azure/login@v2
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2
 with:
 client-id: ${{ secrets.AZURE_CLIENT_ID }}
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@@ -522,7 +522,7 @@ jobs:
 - name: Upload functions test results
 if: always()
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: dotnet-test-results-functions-net10.0-ubuntu-latest
 path: IntegrationTestResults/**/*.junit
@@ -560,14 +560,14 @@ jobs:
 - name: Fail workflow if tests failed
 id: check_tests_failed
 if: contains(join(needs.*.result, ','), 'failure')
- uses: actions/github-script@v8
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
 with:
 script: core.setFailed('Integration Tests Failed!')
 - name: Fail workflow if tests cancelled
 id: check_tests_cancelled
 if: contains(join(needs.*.result, ','), 'cancelled')
- uses: actions/github-script@v8
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
 with:
 script: core.setFailed('Integration Tests Cancelled!')
@@ -585,7 +585,7 @@ jobs:
 run:
 working-directory: python
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
 sparse-checkout: |
@@ -597,12 +597,12 @@ jobs:
 python-version: "3.13"
 os: ${{ runner.os }}
 - name: Download all test results from current run
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 pattern: dotnet-test-results-*
 path: dotnet-test-results/
 - name: Restore report history cache
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: python/dotnet-integration-report-history.json
 key: dotnet-integration-report-history-${{ github.run_id }}
@@ -619,13 +619,13 @@ jobs:
 run: cat dotnet-integration-test-report.md >> $GITHUB_STEP_SUMMARY
 - name: Save report history cache
 if: always()
- uses: actions/cache/save@v4
+ uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: python/dotnet-integration-report-history.json
 key: dotnet-integration-report-history-${{ github.run_id }}
 - name: Upload trend report
 if: always()
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: dotnet-integration-test-report
 path: |
diff --git a/.github/workflows/dotnet-format.yml b/.github/workflows/dotnet-format.yml
index 8bdaeba8a3..b9672967ef 100644
--- a/.github/workflows/dotnet-format.yml
+++ b/.github/workflows/dotnet-format.yml
@@ -30,7 +30,7 @@ jobs:
 steps:
 - name: Check out code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 persist-credentials: false
@@ -42,7 +42,7 @@ jobs:
 - name: Get changed files
 id: changed-files
 if: github.event_name == 'pull_request'
- uses: jitterbit/get-changed-files@v1
+ uses: jitterbit/get-changed-files@b17fbb00bdc0c0f63fcf166580804b4d2cdc2a42 # v1
 continue-on-error: true
 - name: No C# files changed
diff --git a/.github/workflows/dotnet-integration-tests.yml b/.github/workflows/dotnet-integration-tests.yml
index 3aedbacd1a..5b08752abb 100644
--- a/.github/workflows/dotnet-integration-tests.yml
+++ b/.github/workflows/dotnet-integration-tests.yml
@@ -29,7 +29,7 @@ jobs:
 environment: integration
 timeout-minutes: 60
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 ref: ${{ inputs.checkout-ref }}
 persist-credentials: false
@@ -50,7 +50,7 @@ jobs:
 echo "COSMOS_EMULATOR_AVAILABLE=true" >> $env:GITHUB_ENV
 - name: Setup dotnet
- uses: actions/setup-dotnet@v5.2.0
+ uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
 with:
 global-json-file: ${{ github.workspace }}/dotnet/global.json
@@ -63,7 +63,7 @@ jobs:
 done
 - name: Azure CLI Login
- uses: azure/login@v2
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2
 with:
 client-id: ${{ secrets.AZURE_CLIENT_ID }}
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
diff --git a/.github/workflows/dotnet-verify-samples.yml b/.github/workflows/dotnet-verify-samples.yml
index 7cb0b9636f..3552e1e3af 100644
--- a/.github/workflows/dotnet-verify-samples.yml
+++ b/.github/workflows/dotnet-verify-samples.yml
@@ -41,7 +41,7 @@ jobs:
 environment: 'integration'
 timeout-minutes: 90
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
 sparse-checkout: |
@@ -52,13 +52,13 @@ jobs:
 declarative-agents
 - name: Setup dotnet
- uses: actions/setup-dotnet@v5.2.0
+ uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
 with:
 global-json-file: ${{ github.workspace }}/dotnet/global.json
 - name: Azure CLI Login
 if: github.event_name != 'pull_request'
- uses: azure/login@v2
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2
 with:
 client-id: ${{ secrets.AZURE_CLIENT_ID }}
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@@ -123,7 +123,7 @@ jobs:
 - name: Upload results
 if: always()
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: verify-samples-results
 path: |
diff --git a/.github/workflows/issue-triage.yml b/.github/workflows/issue-triage.yml
index ecab04d7e5..a7d0ab647d 100644
--- a/.github/workflows/issue-triage.yml
+++ b/.github/workflows/issue-triage.yml
@@ -53,7 +53,7 @@ jobs:
 echo "repo=${GITHUB_REPOSITORY}" >> "$GITHUB_OUTPUT"
 - name: Checkout scripts
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 sparse-checkout: .github/scripts
 fetch-depth: 1
@@ -61,7 +61,7 @@ jobs:
 - name: Check issue author team membership
 id: check
- uses: actions/github-script@v8
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
 env:
 TEAM_NAME: ${{ secrets.DEVELOPER_TEAM }}
 ISSUE_NUMBER: ${{ steps.issue.outputs.issue_number }}
@@ -93,7 +93,7 @@ jobs:
 steps:
 # Safe checkout: base repo only.
 - name: Checkout target repo base
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 persist-credentials: false
@@ -101,7 +101,7 @@ jobs:
 # Private DevFlow (maf-dashboard) checkout.
 - name: Checkout DevFlow
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 repository: ${{ env.DEVFLOW_REPOSITORY }}
 ref: ${{ env.DEVFLOW_REF }}
@@ -111,12 +111,12 @@ jobs:
 path: devflow
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: "3.13"
 - name: Set up uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
 with:
 version: "0.11.x"
 enable-cache: true
@@ -126,7 +126,7 @@ jobs:
 run: uv sync --frozen
 - name: Azure CLI Login
- uses: azure/login@v2
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2
 with:
 client-id: ${{ secrets.AZURE_CLIENT_ID }}
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
diff --git a/.github/workflows/label-issues.yml b/.github/workflows/label-issues.yml
index 111c63ef13..31409df630 100644
--- a/.github/workflows/label-issues.yml
+++ b/.github/workflows/label-issues.yml
@@ -13,7 +13,7 @@ jobs:
 permissions:
 issues: write
 steps:
- - uses: actions/github-script@v8
+ - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
 with:
 github-token: ${{ secrets.GH_ACTIONS_PR_WRITE }}
 script: |
diff --git a/.github/workflows/label-pr.yml b/.github/workflows/label-pr.yml
index 4aea432e31..7d0282b916 100644
--- a/.github/workflows/label-pr.yml
+++ b/.github/workflows/label-pr.yml
@@ -16,6 +16,6 @@ jobs:
 pull-requests: write
 steps:
- - uses: actions/labeler@v6
+ - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6
 with:
 repo-token: "${{ secrets.GH_ACTIONS_PR_WRITE }}"
diff --git a/.github/workflows/label-title-prefix.yml b/.github/workflows/label-title-prefix.yml
index b8d5b762a7..8457e8e428 100644
--- a/.github/workflows/label-title-prefix.yml
+++ b/.github/workflows/label-title-prefix.yml
@@ -15,7 +15,7 @@ jobs:
 pull-requests: write
 steps:
- - uses: actions/github-script@v8
+ - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
 name: "Issue/PR: update title"
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/markdown-link-check.yml b/.github/workflows/markdown-link-check.yml
index 5c984c5796..0e59e4254f 100644
--- a/.github/workflows/markdown-link-check.yml
+++ b/.github/workflows/markdown-link-check.yml
@@ -19,13 +19,13 @@ jobs:
 runs-on: ubuntu-22.04
 # check out the latest version of the code
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
 # Checks the status of hyperlinks in all files
 - name: Run linkspector
- uses: umbrelladocs/action-linkspector@v1
+ uses: umbrelladocs/action-linkspector@963b6264d7de32c904942a70b488d3407453049e # v1
 with:
 reporter: local
 filter_mode: nofilter
diff --git a/.github/workflows/merge-gatekeeper.yml b/.github/workflows/merge-gatekeeper.yml
index a9429326ed..52adbcb8e4 100644
--- a/.github/workflows/merge-gatekeeper.yml
+++ b/.github/workflows/merge-gatekeeper.yml
@@ -19,7 +19,7 @@ jobs:
 steps:
 - name: Wait for required checks
 if: github.event_name == 'pull_request'
- uses: actions/github-script@v8
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
 env:
 TIMEOUT_SECONDS: "3600"
 INTERVAL_SECONDS: "30"
diff --git a/.github/workflows/python-code-quality.yml b/.github/workflows/python-code-quality.yml
index ef75293f0c..6527a89cd8 100644
--- a/.github/workflows/python-code-quality.yml
+++ b/.github/workflows/python-code-quality.yml
@@ -27,7 +27,7 @@ jobs:
 env:
 UV_PYTHON: ${{ matrix.python-version }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 - name: Set up python and install the project
@@ -38,11 +38,11 @@ jobs:
 os: ${{ runner.os }}
 env:
 UV_CACHE_DIR: /tmp/.uv-cache
- - uses: actions/cache@v5
+ - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
 with:
 path: ~/.cache/prek
 key: prek|${{ matrix.python-version }}|${{ hashFiles('python/.pre-commit-config.yaml') }}
- - uses: j178/prek-action@v1
+ - uses: j178/prek-action@0bb87d7f00b0c99306c8bcb8b8beba1eb581c037 # v1
 name: Run Pre-commit Hooks (excluding poe-check)
 env:
 SKIP: poe-check
@@ -64,7 +64,7 @@ jobs:
 env:
 UV_PYTHON: ${{ matrix.python-version }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 - name: Set up python and install the project
@@ -93,7 +93,7 @@ jobs:
 env:
 UV_PYTHON: ${{ matrix.python-version }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 - name: Set up python and install the project
@@ -124,7 +124,7 @@ jobs:
 env:
 UV_PYTHON: ${{ matrix.python-version }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 - name: Set up python and install the project
diff --git a/.github/workflows/python-dependency-range-validation.yml b/.github/workflows/python-dependency-range-validation.yml
index 692c94101e..67c8d92bc8 100644
--- a/.github/workflows/python-dependency-range-validation.yml
+++ b/.github/workflows/python-dependency-range-validation.yml
@@ -22,7 +22,7 @@ jobs:
 UV_PYTHON: "3.13"
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
@@ -44,7 +44,7 @@ jobs:
 - name: Upload dependency range report
 # Always publish the report so failures are inspectable even when validation fails.
 if: always()
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: dependency-range-results
 path: python/scripts/dependencies/dependency-range-results.json
@@ -53,7 +53,7 @@ jobs:
 - name: Create issues for failed dependency candidates
 # Always process the report so failed candidates create actionable tracking issues.
 if: always()
- uses: actions/github-script@v8
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
 with:
 script: |
 const fs = require("fs")
diff --git a/.github/workflows/python-dev-dependency-upgrade.yml b/.github/workflows/python-dev-dependency-upgrade.yml
index 0dcd138b25..dc55da9227 100644
--- a/.github/workflows/python-dev-dependency-upgrade.yml
+++ b/.github/workflows/python-dev-dependency-upgrade.yml
@@ -18,7 +18,7 @@ jobs:
 UV_PYTHON: "3.13"
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
diff --git a/.github/workflows/python-docs.yml b/.github/workflows/python-docs.yml
index f962ec318f..6ea3443f55 100644
--- a/.github/workflows/python-docs.yml
+++ b/.github/workflows/python-docs.yml
@@ -24,9 +24,9 @@ jobs:
 run:
 working-directory: python
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Set up uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
 with:
 version-file: "python/pyproject.toml"
 enable-cache: true
diff --git a/.github/workflows/python-integration-tests.yml b/.github/workflows/python-integration-tests.yml
index 0d8ae36b8f..3073a71636 100644
--- a/.github/workflows/python-integration-tests.yml
+++ b/.github/workflows/python-integration-tests.yml
@@ -36,7 +36,7 @@ jobs:
 run:
 working-directory: python
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 ref: ${{ inputs.checkout-ref }}
 persist-credentials: false
@@ -69,7 +69,7 @@ jobs:
 run:
 working-directory: python
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 ref: ${{ inputs.checkout-ref }}
 persist-credentials: false
@@ -90,7 +90,7 @@ jobs:
 --junitxml=pytest.xml
 - name: Upload test results
 if: always()
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: test-results-openai
 path: ./python/pytest.xml
@@ -112,7 +112,7 @@ jobs:
 run:
 working-directory: python
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 ref: ${{ inputs.checkout-ref }}
 persist-credentials: false
@@ -123,7 +123,7 @@ jobs:
 python-version: ${{ env.UV_PYTHON }}
 os: ${{ runner.os }}
 - name: Azure CLI Login
- uses: azure/login@v2
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2
 with:
 client-id: ${{ secrets.AZURE_CLIENT_ID }}
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@@ -141,7 +141,7 @@ jobs:
 --junitxml=pytest.xml
 - name: Upload test results
 if: always()
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: test-results-azure-openai
 path: ./python/pytest.xml
@@ -163,7 +163,7 @@ jobs:
 run:
 working-directory: python
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 ref: ${{ inputs.checkout-ref }}
 persist-credentials: false
@@ -177,7 +177,7 @@ jobs:
 run: curl -fsSL https://ollama.com/install.sh | sh
 working-directory: .
 - name: Cache Ollama models
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ~/.ollama/models
 key: ollama-models-qwen2.5-1.5b-nomic-embed-text-v1
@@ -231,7 +231,7 @@ jobs:
 --junitxml=pytest.xml
 - name: Upload test results
 if: always()
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: test-results-misc
 path: ./python/pytest.xml
@@ -283,7 +283,7 @@ jobs:
 run:
 working-directory: python
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 ref: ${{ inputs.checkout-ref }}
 persist-credentials: false
@@ -294,7 +294,7 @@ jobs:
 python-version: ${{ env.UV_PYTHON }}
 os: ${{ runner.os }}
 - name: Azure CLI Login
- uses: azure/login@v2
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2
 with:
 client-id: ${{ secrets.AZURE_CLIENT_ID }}
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@@ -315,7 +315,7 @@ jobs:
 --junitxml=pytest.xml
 - name: Upload test results
 if: always()
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: test-results-functions
 path: ./python/pytest.xml
@@ -341,7 +341,7 @@ jobs:
 run:
 working-directory: python
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 ref: ${{ inputs.checkout-ref }}
 persist-credentials: false
@@ -352,7 +352,7 @@ jobs:
 python-version: ${{ env.UV_PYTHON }}
 os: ${{ runner.os }}
 - name: Azure CLI Login
- uses: azure/login@v2
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2
 with:
 client-id: ${{ secrets.AZURE_CLIENT_ID }}
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
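Review bot: The `@@ -177,7 +177,7 @@` hunk pins `actions/cache`, but the context line directly above it, `run: curl -fsSL https://ollama.com/install.sh | sh`, still downloads and executes whatever the remote host serves at run time, which is the same floating-reference exposure this commit removes for actions. Installing a fixed Ollama release and verifying its checksum before running it would close that gap; failing that, a comment such as `# NOTE: installer is fetched unpinned at run time; tracked separately` would record that the step was left out on purpose. The step begins outside the hunk, so any verification done earlier in the job is not visible here.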
@@ -369,7 +369,7 @@ jobs:
 --junitxml=pytest.xml
 - name: Upload test results
 if: always()
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: test-results-foundry
 path: ./python/pytest.xml
@@ -388,7 +388,7 @@ jobs:
 run:
 working-directory: python
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 ref: ${{ inputs.checkout-ref }}
 persist-credentials: false
@@ -399,7 +399,7 @@ jobs:
 python-version: ${{ env.UV_PYTHON }}
 os: ${{ runner.os }}
 - name: Azure CLI Login
- uses: azure/login@v2
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2
 with:
 client-id: ${{ secrets.AZURE_CLIENT_ID }}
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@@ -416,7 +416,7 @@ jobs:
 --junitxml=pytest.xml
 - name: Upload test results
 if: always()
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: test-results-foundry-hosting
 path: ./python/pytest.xml
@@ -443,7 +443,7 @@ jobs:
 run:
 working-directory: python
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 ref: ${{ inputs.checkout-ref }}
 persist-credentials: false
@@ -468,7 +468,7 @@ jobs:
 run: uv run --directory packages/azure-cosmos poe integration-tests -n logical --dist worksteal --timeout=120 --session-timeout=900 --timeout_method thread --retries 2 --retry-delay 5 --junitxml=${{ github.workspace }}/python/pytest.xml
 - name: Upload test results
 if: always()
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: test-results-cosmos
 path: ./python/pytest.xml
@@ -496,7 +496,7 @@ jobs:
 run:
 working-directory: python
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 ref: ${{ inputs.checkout-ref }}
 persist-credentials: false
@@ -506,12 +506,12 @@ jobs:
 python-version: ${{ env.UV_PYTHON }}
 os: ${{ runner.os }}
 - name: Download all test results from current run
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 pattern: test-results-*
 path: test-results/
 - name: Restore report history cache
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: python/integration-report-history.json
 key: integration-report-history-integration-${{ github.run_id }}
@@ -528,13 +528,13 @@ jobs:
 run: cat integration-test-report.md >> $GITHUB_STEP_SUMMARY
 - name: Save report history cache
 if: always()
- uses: actions/cache/save@v4
+ uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: python/integration-report-history.json
 key: integration-report-history-integration-${{ github.run_id }}
 - name: Upload unified trend report
 if: always()
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: integration-test-report
 path: |
@@ -558,12 +558,12 @@ jobs:
 steps:
 - name: Fail workflow if tests failed
 if: contains(join(needs.*.result, ','), 'failure')
- uses: actions/github-script@v8
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
 with:
 script: core.setFailed('Integration Tests Failed!')
 - name: Fail workflow if tests cancelled
 if: contains(join(needs.*.result, ','), 'cancelled')
- uses: actions/github-script@v8
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
 with:
 script: core.setFailed('Integration Tests Cancelled!')
diff --git a/.github/workflows/python-lab-tests.yml b/.github/workflows/python-lab-tests.yml
index 0c11cf1a58..3f959f85c2 100644
--- a/.github/workflows/python-lab-tests.yml
+++ b/.github/workflows/python-lab-tests.yml
@@ -24,8 +24,8 @@ jobs: outputs: pythonChanges: ${{ steps.filter.outputs.python}} steps: - - uses: actions/checkout@v6 - - uses: dorny/paths-filter@v3 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3 id: filter with: filters: | @@ -59,7 +59,7 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up python and install the project id: python-setup @@ -94,7 +94,7 @@ jobs: # Surface failing tests - name: Surface failing tests if: always() - uses: pmeier/pytest-results-action@v0.7.2 + uses: pmeier/pytest-results-action@20b595761ba9bf89e115e875f8bc863f913bc8ad # v0.7.2 with: path: ./python/packages/lab/**.xml summary: true diff --git a/.github/workflows/python-merge-tests.yml b/.github/workflows/python-merge-tests.yml index ea20ad06e8..919c320c08 100644 --- a/.github/workflows/python-merge-tests.yml +++ b/.github/workflows/python-merge-tests.yml @@ -41,8 +41,8 @@ jobs: foundryHostingChanged: ${{ steps.filter.outputs.foundry_hosting }} cosmosChanged: ${{ steps.filter.outputs.cosmos }} steps: - - uses: actions/checkout@v6 - - uses: dorny/paths-filter@v3 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3 id: filter with: filters: | @@ -106,7 +106,7 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up python and install the project id: python-setup uses: ./.github/actions/python-setup @@ -123,7 +123,7 @@ jobs: working-directory: ./python - name: Surface failing tests if: always() - uses: pmeier/pytest-results-action@v0.7.2 + uses: pmeier/pytest-results-action@20b595761ba9bf89e115e875f8bc863f913bc8ad # v0.7.2 with: path: ./python/pytest.xml summary: true 
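Review bot: The checkout step in the python-lab-tests.yml hunk at -59 has no `with:` block, so it keeps the default of leaving the job token in the local git config for the later steps, which here install and run the project's test code. The checkouts shown earlier in this patch with `ref: ${{ inputs.checkout-ref }}` set `persist-credentials: false`. Since this commit rewrites every checkout line anyway, I would add `with:` and `persist-credentials: false` to the bare ones in jobs that never push. The same applies to the bare checkouts in python-merge-tests.yml, python-sample-validation.yml and python-tests.yml. The jobs extend beyond the hunks, so check that none of them relies on the stored token.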
@@ -153,7 +153,7 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up python and install the project id: python-setup uses: ./.github/actions/python-setup @@ -177,7 +177,7 @@ jobs: working-directory: ./python - name: Surface failing tests if: always() - uses: pmeier/pytest-results-action@v0.7.2 + uses: pmeier/pytest-results-action@20b595761ba9bf89e115e875f8bc863f913bc8ad # v0.7.2 with: path: ./python/pytest.xml summary: true @@ -186,7 +186,7 @@ jobs: title: OpenAI integration test results - name: Upload test results if: always() - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: test-results-openai path: ./python/pytest.xml @@ -214,7 +214,7 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up python and install the project id: python-setup uses: ./.github/actions/python-setup @@ -223,7 +223,7 @@ jobs: os: ${{ runner.os }} - name: Azure CLI Login if: github.event_name != 'pull_request' - uses: azure/login@v2 + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} @@ -247,7 +247,7 @@ jobs: working-directory: ./python - name: Surface failing tests if: always() - uses: pmeier/pytest-results-action@v0.7.2 + uses: pmeier/pytest-results-action@20b595761ba9bf89e115e875f8bc863f913bc8ad # v0.7.2 with: path: ./python/pytest.xml summary: true @@ -256,7 +256,7 @@ jobs: title: Azure OpenAI integration test results - name: Upload test results if: always() - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: test-results-azure-openai path: ./python/pytest.xml 
@@ -284,7 +284,7 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up python and install the project id: python-setup uses: ./.github/actions/python-setup @@ -295,7 +295,7 @@ jobs: run: curl -fsSL https://ollama.com/install.sh | sh working-directory: . - name: Cache Ollama models - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: ~/.ollama/models key: ollama-models-qwen2.5-1.5b-nomic-embed-text-v1 @@ -370,7 +370,7 @@ jobs: kill -KILL -- "-$server_pid" 2>/dev/null || kill -KILL "$server_pid" 2>/dev/null || true - name: Surface failing tests if: always() - uses: pmeier/pytest-results-action@v0.7.2 + uses: pmeier/pytest-results-action@20b595761ba9bf89e115e875f8bc863f913bc8ad # v0.7.2 with: path: ./python/pytest.xml summary: true @@ -379,7 +379,7 @@ jobs: title: Misc integration test results - name: Upload test results if: always() - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: test-results-misc path: ./python/pytest.xml @@ -417,7 +417,7 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up python and install the project id: python-setup uses: ./.github/actions/python-setup @@ -426,7 +426,7 @@ jobs: os: ${{ runner.os }} - name: Azure CLI Login if: github.event_name != 'pull_request' - uses: azure/login@v2 + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} 
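Review bot: The step just above the pinned cache action in the hunk at -295 still runs `curl -fsSL https://ollama.com/install.sh | sh`, which executes whatever the remote host serves at run time, so this job keeps an unpinned third-party code path after the commit. That is the same exposure the SHA pins are meant to remove. I would install a fixed release and check it against a recorded digest before running it, or at least add a comment such as `# unpinned remote installer: not covered by the action SHA pinning` so the gap is visible. The job continues outside the hunk.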
@@ -448,7 +448,7 @@ jobs: working-directory: ./python - name: Surface failing tests if: always() - uses: pmeier/pytest-results-action@v0.7.2 + uses: pmeier/pytest-results-action@20b595761ba9bf89e115e875f8bc863f913bc8ad # v0.7.2 with: path: ./python/pytest.xml summary: true @@ -457,7 +457,7 @@ jobs: title: Functions integration test results - name: Upload test results if: always() - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: test-results-functions path: ./python/pytest.xml @@ -488,7 +488,7 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up python and install the project id: python-setup uses: ./.github/actions/python-setup @@ -497,7 +497,7 @@ jobs: os: ${{ runner.os }} - name: Azure CLI Login if: github.event_name != 'pull_request' - uses: azure/login@v2 + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} @@ -515,7 +515,7 @@ jobs: working-directory: ./python - name: Surface failing tests if: always() - uses: pmeier/pytest-results-action@v0.7.2 + uses: pmeier/pytest-results-action@20b595761ba9bf89e115e875f8bc863f913bc8ad # v0.7.2 with: path: ./python/pytest.xml summary: true @@ -524,7 +524,7 @@ jobs: title: Test results - name: Upload test results if: always() - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: test-results-foundry path: ./python/pytest.xml @@ -549,7 +549,7 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up python and install the project id: python-setup uses: ./.github/actions/python-setup 
@@ -558,7 +558,7 @@ jobs: os: ${{ runner.os }} - name: Azure CLI Login if: github.event_name != 'pull_request' - uses: azure/login@v2 + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} @@ -576,7 +576,7 @@ jobs: working-directory: ./python - name: Surface failing tests if: always() - uses: pmeier/pytest-results-action@v0.7.2 + uses: pmeier/pytest-results-action@20b595761ba9bf89e115e875f8bc863f913bc8ad # v0.7.2 with: path: ./python/pytest.xml summary: true @@ -585,7 +585,7 @@ jobs: title: Foundry Hosting integration test results - name: Upload test results if: always() - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: test-results-foundry-hosting path: ./python/pytest.xml @@ -620,7 +620,7 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up python and install the project id: python-setup uses: ./.github/actions/python-setup @@ -643,7 +643,7 @@ jobs: working-directory: ./python - name: Surface failing tests if: always() - uses: pmeier/pytest-results-action@v0.7.2 + uses: pmeier/pytest-results-action@20b595761ba9bf89e115e875f8bc863f913bc8ad # v0.7.2 with: path: ./python/pytest.xml summary: true @@ -652,7 +652,7 @@ jobs: title: Cosmos integration test results - name: Upload test results if: always() - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: test-results-cosmos path: ./python/pytest.xml 
@@ -680,19 +680,19 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up python and install the project uses: ./.github/actions/python-setup with: python-version: ${{ env.UV_PYTHON }} os: ${{ runner.os }} - name: Download all test results from current run - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: pattern: test-results-* path: test-results/ - name: Restore report history cache - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: python/integration-report-history.json key: integration-report-history-merge-${{ github.run_id }} @@ -709,13 +709,13 @@ jobs: run: cat integration-test-report.md >> $GITHUB_STEP_SUMMARY - name: Save report history cache if: always() - uses: actions/cache/save@v4 + uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: python/integration-report-history.json key: integration-report-history-merge-${{ github.run_id }} - name: Upload unified trend report if: always() - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: integration-test-report path: | @@ -740,13 +740,13 @@ jobs: - name: Fail workflow if tests failed id: check_tests_failed if: contains(join(needs.*.result, ','), 'failure') - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: core.setFailed('Integration Tests Failed!') - name: Fail workflow if tests cancelled id: check_tests_cancelled if: contains(join(needs.*.result, ','), 'cancelled') - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: core.setFailed('Integration Tests Cancelled!') 
diff --git a/.github/workflows/python-release.yml b/.github/workflows/python-release.yml index ba6e3689b0..b618dce246 100644 --- a/.github/workflows/python-release.yml +++ b/.github/workflows/python-release.yml @@ -23,7 +23,7 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up python and install the project id: python-setup uses: ./.github/actions/python-setup @@ -56,7 +56,7 @@ jobs: - name: Build the package run: uv run poe --directory packages/${{ env.PACKAGE }} build - name: Release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2 with: files: | python/dist/* diff --git a/.github/workflows/python-sample-validation.yml b/.github/workflows/python-sample-validation.yml index 8b72df3b74..bd76eb12d2 100644 --- a/.github/workflows/python-sample-validation.yml +++ b/.github/workflows/python-sample-validation.yml @@ -29,7 +29,7 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup environment uses: ./.github/actions/sample-validation-setup @@ -49,7 +49,7 @@ jobs: cd scripts && uv run python -m sample_validation --subdir 01-get-started --save-report --report-name 01-get-started - name: Upload validation report - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: always() with: name: validation-report-01-get-started @@ -82,7 +82,7 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup environment uses: ./.github/actions/sample-validation-setup 
@@ -111,7 +111,7 @@ jobs: cd scripts && uv run python -m sample_validation --subdir 02-agents --exclude providers --save-report --report-name 02-agents - name: Upload validation report - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: always() with: name: validation-report-02-agents @@ -130,7 +130,7 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup environment uses: ./.github/actions/sample-validation-setup @@ -152,7 +152,7 @@ jobs: cd scripts && uv run python -m sample_validation --subdir 02-agents/providers/openai --save-report --report-name 02-agents-openai - name: Upload validation report - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: always() with: name: validation-report-02-agents-openai @@ -170,7 +170,7 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup environment uses: ./.github/actions/sample-validation-setup @@ -191,7 +191,7 @@ jobs: cd scripts && uv run python -m sample_validation --subdir 02-agents/providers/azure --save-report --report-name 02-agents-azure - name: Upload validation report - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: always() with: name: validation-report-02-agents-azure @@ -208,7 +208,7 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup environment uses: ./.github/actions/sample-validation-setup 
@@ -228,7 +228,7 @@ jobs: cd scripts && uv run python -m sample_validation --subdir 02-agents/providers/anthropic --save-report --report-name 02-agents-anthropic - name: Upload validation report - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: always() with: name: validation-report-02-agents-anthropic @@ -242,7 +242,7 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup environment uses: ./.github/actions/sample-validation-setup @@ -257,7 +257,7 @@ jobs: cd scripts && uv run python -m sample_validation --subdir 02-agents/providers/github_copilot --save-report --report-name 02-agents-github-copilot - name: Upload validation report - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: always() with: name: validation-report-02-agents-github-copilot @@ -274,7 +274,7 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup environment uses: ./.github/actions/sample-validation-setup @@ -289,7 +289,7 @@ jobs: cd scripts && uv run python -m sample_validation --subdir 02-agents/providers/amazon --save-report --report-name 02-agents-amazon - name: Upload validation report - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: always() with: name: validation-report-02-agents-amazon @@ -306,7 +306,7 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup environment uses: ./.github/actions/sample-validation-setup 
@@ -321,7 +321,7 @@ jobs: cd scripts && uv run python -m sample_validation --subdir 02-agents/providers/ollama --save-report --report-name 02-agents-ollama - name: Upload validation report - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: always() with: name: validation-report-02-agents-ollama @@ -341,7 +341,7 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup environment uses: ./.github/actions/sample-validation-setup @@ -363,7 +363,7 @@ jobs: cd scripts && uv run python -m sample_validation --subdir 02-agents/providers/foundry --save-report --report-name 02-agents-foundry - name: Upload validation report - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: always() with: name: validation-report-02-agents-foundry @@ -383,7 +383,7 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup environment uses: ./.github/actions/sample-validation-setup @@ -405,7 +405,7 @@ jobs: cd scripts && uv run python -m sample_validation --subdir 02-agents/providers/copilotstudio --save-report --report-name 02-agents-copilotstudio - name: Upload validation report - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: always() with: name: validation-report-02-agents-copilotstudio @@ -419,7 +419,7 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup environment uses: ./.github/actions/sample-validation-setup 
@@ -434,7 +434,7 @@ jobs: cd scripts && uv run python -m sample_validation --subdir 02-agents/providers/custom --save-report --report-name 02-agents-custom - name: Upload validation report - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: always() with: name: validation-report-02-agents-custom @@ -451,7 +451,7 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup environment uses: ./.github/actions/sample-validation-setup @@ -471,7 +471,7 @@ jobs: cd scripts && uv run python -m sample_validation --subdir 03-workflows --save-report --report-name 03-workflows - name: Upload validation report - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: always() with: name: validation-report-03-workflows @@ -491,7 +491,7 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup environment uses: ./.github/actions/sample-validation-setup @@ -506,7 +506,7 @@ jobs: cd scripts && uv run python -m sample_validation --subdir 04-hosting --save-report --report-name 04-hosting - name: Upload validation report - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: always() with: name: validation-report-04-hosting @@ -534,7 +534,7 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup environment uses: ./.github/actions/sample-validation-setup 
@@ -549,7 +549,7 @@ jobs: cd scripts && uv run python -m sample_validation --subdir 05-end-to-end --save-report --report-name 05-end-to-end - name: Upload validation report - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: always() with: name: validation-report-05-end-to-end @@ -574,7 +574,7 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup environment uses: ./.github/actions/sample-validation-setup @@ -599,7 +599,7 @@ jobs: cd scripts && uv run python -m sample_validation --subdir autogen-migration --save-report --report-name autogen-migration - name: Upload validation report - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: always() with: name: validation-report-autogen-migration @@ -633,7 +633,7 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup environment uses: ./.github/actions/sample-validation-setup @@ -662,7 +662,7 @@ jobs: cd scripts && uv run python -m sample_validation --subdir semantic-kernel-migration --save-report --report-name semantic-kernel-migration - name: Upload validation report - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: always() with: name: validation-report-semantic-kernel-migration @@ -690,10 +690,10 @@ jobs: - validate-autogen-migration - validate-semantic-kernel-migration steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Download all validation reports - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 with: pattern: validation-report-* path: reports/ 
@@ -701,7 +701,7 @@ jobs: - name: Restore validation history id: cache-restore - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: validation-history/ key: validation-history-${{ github.run_id }} @@ -719,13 +719,13 @@ jobs: run: cat trend-report.md >> "$GITHUB_STEP_SUMMARY" - name: Save validation history - uses: actions/cache/save@v4 + uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: validation-history/ key: validation-history-${{ github.run_id }} - name: Upload trend report - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: always() with: name: validation-trend-report diff --git a/.github/workflows/python-test-coverage-report.yml b/.github/workflows/python-test-coverage-report.yml index dbe5b9e9c0..f03967e72a 100644 --- a/.github/workflows/python-test-coverage-report.yml +++ b/.github/workflows/python-test-coverage-report.yml @@ -19,9 +19,9 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Download coverage report - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: github-token: ${{ secrets.GH_ACTIONS_PR_WRITE }} run-id: ${{ github.event.workflow_run.id }} @@ -46,7 +46,7 @@ jobs: echo "PR_NUMBER=$PR_NUMBER" >> "$GITHUB_ENV" - name: Pytest coverage comment id: coverageComment - uses: MishaKav/pytest-coverage-comment@v1.6.0 + uses: MishaKav/pytest-coverage-comment@26f986d2599c288bb62f623d29c2da98609e9cd4 # v1.6.0 with: github-token: ${{ secrets.GH_ACTIONS_PR_WRITE }} issue-number: ${{ env.PR_NUMBER }} diff --git a/.github/workflows/python-test-coverage.yml b/.github/workflows/python-test-coverage.yml index e14bcb30b8..16867fce09 100644 --- a/.github/workflows/python-test-coverage.yml 
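Review bot: In python-test-coverage-report.yml the value written by `echo "PR_NUMBER=$PR_NUMBER" >> "$GITHUB_ENV"` (context of the hunk at -46) is then used as `issue-number` together with the `GH_ACTIONS_PR_WRITE` token, and the hunk at -19 shows the job downloading an artifact from the triggering run via `github.event.workflow_run.id`. If PR_NUMBER is read from that artifact, which the "Save PR number" comment in python-test-coverage.yml suggests but these hunks do not show, it is data produced by the pull request's own run and should be validated before it reaches `$GITHUB_ENV`. I would add `[[ "$PR_NUMBER" =~ ^[0-9]+$ ]] || exit 1` before the echo. The step that sets PR_NUMBER starts outside the hunk.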
+++ b/.github/workflows/python-test-coverage.yml @@ -22,7 +22,7 @@ jobs: env: UV_PYTHON: "3.11" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 # Save the PR number to a file since the workflow_run event # in the coverage report workflow does not have access to it - name: Save PR number @@ -42,7 +42,7 @@ jobs: - name: Check coverage threshold run: python ${{ github.workspace }}/.github/workflows/python-check-coverage.py python-coverage.xml ${{ env.COVERAGE_THRESHOLD }} - name: Upload coverage report - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: path: | python/python-coverage.xml diff --git a/.github/workflows/python-tests.yml b/.github/workflows/python-tests.yml index 5530be9ffa..955fc9054d 100644 --- a/.github/workflows/python-tests.yml +++ b/.github/workflows/python-tests.yml @@ -27,7 +27,7 @@ jobs: run: working-directory: python steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up python and install the project id: python-setup uses: ./.github/actions/python-setup @@ -46,7 +46,7 @@ jobs: # Surface failing tests - name: Surface failing tests if: always() - uses: pmeier/pytest-results-action@v0.7.2 + uses: pmeier/pytest-results-action@20b595761ba9bf89e115e875f8bc863f913bc8ad # v0.7.2 with: path: ./python/pytest.xml summary: true diff --git a/.github/workflows/stale-issue-pr-ping.yml b/.github/workflows/stale-issue-pr-ping.yml index 483706fc76..8992c5928c 100644 --- a/.github/workflows/stale-issue-pr-ping.yml +++ b/.github/workflows/stale-issue-pr-ping.yml @@ -31,9 +31,9 @@ jobs: issues: write pull-requests: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: '3.13'