CI: Update build and release dependencies to be referenced by SHA (#9177)

* ci: Update GitHub owned actions to be referenced by SHA. Work automated using StepSecurity
  Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>

* ci: create hash-pinned requirements files for build and publish processes
  Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>

* ci: change ci files to install build and publish dependencies using hashes
  Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>

* ci: fix path to requirements files
  Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>

* ci: rebuild the requirement.txt files using `--allow-unsafe`
  The flag is needed to create hash-pinned requirements for pip and setuptools. Find more information about this at these issues from [pip-tools](jazzband/pip-tools#806) and from [pip](pypa/pip#6459).
  Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>

* refactor(workflows): move build requirements files to a separate folder
  Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>

* fix(workflow): requirements download was erasing work from previous steps
  Using actions/checkout to download the requirements.txt was erasing some necessary files that came from previous steps. Thus, this commit moves the checkout action to the beginning of the jobs.
  Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>

* ci: remove reference to nonexistent input in pypi-publish.yml

* docs(workflows): remove comment related to a line already deleted from code
  Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>

* refactor(workflows): use a workflow-level env var to define path to build requirements file
  Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>

* fix(workflows): refer to env vars using ${{ }} syntax
  Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>

* refactor(workflows): move build and publish requirements files
  Moved from .github/workflows/requirements/ to .github/requirements/
  Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>

* docs(workflows): add comments on requirements files explaining their relation
  Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>

* ci(workflows): update build dependencies to match exactly the ones at pyproject.toml
  Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>

* ci: remove unnecessary parameter
  When calling actions/checkout, we were passing the `ref` parameter as `github.ref`, but it will likely always be main, or the very same value as the default for this parameter.

* Update dependabot config to cover build/publish dependencies

--------

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
Co-authored-by: StepSecurity Bot <bot@stepsecurity.io>
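The commit above pins two kinds of CI input: GitHub Actions referenced by a full commit SHA instead of a mutable tag, and build/publish dependencies installed from `pip-compile --generate-hashes` output. The following is an added example, not code from this commit or from the repository, of a small gate a release job could run to catch regressions in either: it flags `uses:` references that are not a 40-hex SHA, parses a hash-pinned requirements file (joining its backslash continuations), lists any requirement that carries no `--hash=` (which `pip install --require-hashes` would refuse), and performs the same digest comparison pip does on a downloaded artifact. The workflow snippet, the requirements text, the wheel bytes and the commit SHA are all constructed sample inputs; the function names are this example's own.

```python
"""Pinning lint for a release pipeline (hypothetical example, not the project's own code):
GitHub Action `uses:` refs must be a full commit SHA, and every requirement in a
pip-compile --generate-hashes file must carry --hash= options, so that
`pip install --require-hashes -r file` never falls back to unpinned resolution."""
import hashlib
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")           # tags/branches ("v4", "release/v1") are mutable
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def unpinned_actions(workflow_yaml: str) -> list[str]:
    """Return every `uses:` reference that is not pinned to a 40-hex commit SHA.
    Local (./path) and docker:// references have no git ref to pin and are skipped."""
    unpinned = []
    for line in workflow_yaml.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, sep, rev = ref.rpartition("@")
        if not sep or not SHA_RE.match(rev):
            unpinned.append(ref)
    return unpinned


def parse_hashed_requirements(text: str) -> dict[str, dict]:
    """Parse pip-compile --generate-hashes output into
    {name: {"version": str, "hashes": ["sha256:<hex>", ...]}}.
    Backslash continuations are joined; comments and pip options are dropped."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append((buf + line).strip())
        buf = ""
    if buf.strip():
        logical.append(buf.strip())
    reqs = {}
    for entry in logical:
        if entry.startswith("-"):      # e.g. --index-url / -e: an option, not a package
            continue
        spec, *opts = entry.split()
        name, _, version = spec.partition("==")
        hashes = [o[len("--hash="):] for o in opts if o.startswith("--hash=")]
        reqs[name.lower()] = {"version": version, "hashes": hashes}
    return reqs


def requirements_missing_hashes(reqs: dict[str, dict]) -> list[str]:
    """Names that pip --require-hashes would reject because no --hash= is given."""
    return sorted(name for name, r in reqs.items() if not r["hashes"])


def artifact_matches_pin(reqs: dict[str, dict], name: str, data: bytes) -> bool:
    """The check pip performs under --require-hashes: the downloaded wheel/sdist
    must hash to one of the pinned digests."""
    digest = "sha256:" + hashlib.sha256(data).hexdigest()
    return digest in reqs[name.lower()]["hashes"]


def pipeline_inputs_are_pinned(workflow_yaml: str, requirements: str) -> bool:
    """Single gate a CI job can call before building: True only if nothing is unpinned."""
    reqs = parse_hashed_requirements(requirements)
    return not unpinned_actions(workflow_yaml) and not requirements_missing_hashes(reqs)


# ---- constructed sample inputs (not taken from the repository) ----
PINNED_SHA = "0123456789abcdef0123456789abcdef01234567"   # constructed, not a real commit
SAMPLE_WORKFLOW = f"""
jobs:
  build:
    steps:
      - uses: actions/checkout@{PINNED_SHA} # v4.1.1
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-step
      - uses: pypa/gh-action-pypi-publish@release/v1
"""
WHEEL_BYTES = b"constructed stand-in for build-1.0.3-py3-none-any.whl"
WHEEL_SHA = hashlib.sha256(WHEEL_BYTES).hexdigest()
SAMPLE_REQUIREMENTS = f"""
#
# This file is autogenerated by pip-compile with Python 3.11
#
build==1.0.3 \\
    --hash=sha256:{WHEEL_SHA} \\
    --hash=sha256:{'0' * 64}
    # via -r build-requirements.in
wheel==0.42.0
    # via -r build-requirements.in
"""

if __name__ == "__main__":
    reqs = parse_hashed_requirements(SAMPLE_REQUIREMENTS)
    print("unpinned actions:", unpinned_actions(SAMPLE_WORKFLOW))
    print("requirements without hashes:", requirements_missing_hashes(reqs))
    print("tampered build artifact accepted:", artifact_matches_pin(reqs, "build", WHEEL_BYTES + b"\x00"))
```

On the constructed inputs the gate fails on two counts: `actions/checkout@v4` and `pypa/gh-action-pypi-publish@release/v1` are tag/branch references, and `wheel` has no hashes. The artifact check shows why the hashes matter: the same index serving a modified wheel would fail the digest comparison regardless of the version string. In a real job the inputs would be read from `.github/workflows/*.yml` and `.github/requirements/*.txt` rather than embedded.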