From 333cf99759b5b013bcbb263d7d0449606ce653aa Mon Sep 17 00:00:00 2001 From: Ben Mares Date: Mon, 13 Oct 2025 10:28:02 +0200 Subject: [PATCH] Pin SHA hashes of all actions via `gha-tools` command ```bash uvx gha-tools autoupdate ./.github/workflows/ --pin=all --version-strategy=specific --write ``` --- .github/workflows/copilot-setup-steps.yml | 4 +-- .github/workflows/mypy.yml | 4 +-- .github/workflows/pypi.yml | 42 +++++++++++------------ .github/workflows/slow-tests-issue.yml | 4 +-- .github/workflows/test.yml | 32 ++++++++--------- .github/workflows/zizmor.yml | 4 +-- 6 files changed, 45 insertions(+), 45 deletions(-) diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml index c71e3a74cf..84bdc1ba3f 100644 --- a/.github/workflows/copilot-setup-steps.yml +++ b/.github/workflows/copilot-setup-steps.yml @@ -26,10 +26,10 @@ jobs: # If you do not check out your code, Copilot will do this for you. steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: "Set up Micromamba" - uses: mamba-org/setup-micromamba@v2 + uses: mamba-org/setup-micromamba@add3a49764cedee8ee24e82dfde87f5bc2914462 # v2.0.7 with: environment-name: pytensor-test micromamba-version: "1.5.10-0" diff --git a/.github/workflows/mypy.yml b/.github/workflows/mypy.yml index 3383d1b7dc..1bac99641f 100644 --- a/.github/workflows/mypy.yml +++ b/.github/workflows/mypy.yml @@ -12,10 +12,10 @@ jobs: run: shell: bash -leo pipefail {0} steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - uses: mamba-org/setup-micromamba@v2 + - uses: mamba-org/setup-micromamba@add3a49764cedee8ee24e82dfde87f5bc2914462 # v2.0.7 with: micromamba-version: "1.5.10-0" # until https://github.com/mamba-org/setup-micromamba/issues/225 is resolved environment-file: environment.yml diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml index 5f826fc820..e6de70624e 100644 --- a/.github/workflows/pypi.yml +++ b/.github/workflows/pypi.yml @@ -23,7 +23,7 @@ jobs: outputs: should_run: ${{ steps.set_should_run.outputs.should_run }} steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 @@ -65,7 +65,7 @@ jobs: id-token: write attestations: write steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 submodules: true @@ -75,13 +75,13 @@ jobs: run: pipx run build --sdist - name: Attest GitHub build provenance - uses: actions/attest-build-provenance@v3 + uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 # Don't attest from forks if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository with: subject-path: dist/*.tar.gz - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: sdist path: dist/*.tar.gz @@ -97,11 +97,11 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 persist-credentials: false - - uses: hynek/build-and-inspect-python-package@v2 + - uses: hynek/build-and-inspect-python-package@efb823f52190ad02594531168b7a2d5790e66516 # v2.14.0 build_wheels: name: Build wheels for ${{ matrix.platform }} @@ -121,22 +121,22 @@ jobs: - windows-latest - ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 persist-credentials: false - name: Build wheels - uses: pypa/cibuildwheel@7c619efba910c04005a835b110b057fc28fd6e93 # v3.2.0 + uses: pypa/cibuildwheel@9c00cb4f6b517705a3794b22395aedc36257242c # v3.2.1 - name: Attest GitHub build provenance - uses: actions/attest-build-provenance@v3 + uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 # Don't attest from forks if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository with: subject-path: ./wheelhouse/*.whl - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: wheels-${{ matrix.platform }} path: ./wheelhouse/*.whl @@ -153,13 +153,13 @@ jobs: id-token: write attestations: write steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: '3.11' @@ -171,13 +171,13 @@ jobs: PYODIDE=1 python setup.py bdist_wheel --universal - name: Attest GitHub build provenance - uses: actions/attest-build-provenance@v3 + uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 # Don't attest from forks if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository with: subject-path: dist/*.whl - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: universal_wheel path: dist/*.whl @@ -187,19 +187,19 @@ jobs: needs: [check_changes, make_sdist, build_wheels] runs-on: ubuntu-22.04 steps: - - uses: actions/download-artifact@v5 + - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: sdist path: dist - - uses: actions/download-artifact@v5 + - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: pattern: wheels-* path: dist merge-multiple: true - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: '3.11' @@ -229,21 +229,21 @@ jobs: # Don't publish from forks if: github.repository_owner == 'pymc-devs' && github.event_name == 'release' && github.event.action == 'published' steps: - - uses: actions/download-artifact@v5 + - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: sdist path: dist - - uses: actions/download-artifact@v5 + - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: pattern: wheels-* path: dist merge-multiple: true - - uses: actions/download-artifact@v5 + - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: universal_wheel path: dist - - uses: pypa/gh-action-pypi-publish@v1.12.4 + - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 # Implicitly attests that the packages were uploaded in the context of this workflow. diff --git a/.github/workflows/slow-tests-issue.yml b/.github/workflows/slow-tests-issue.yml index e47991dc0f..acd42b90ba 100644 --- a/.github/workflows/slow-tests-issue.yml +++ b/.github/workflows/slow-tests-issue.yml @@ -18,9 +18,9 @@ jobs: - name: Install ZSH run: sudo apt-get update && sudo apt-get install -y zsh - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: "3.11" - name: Trigger the script diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index ee65de56ff..285ada069b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -22,11 +22,11 @@ jobs: outputs: changes: ${{ steps.changes.outputs.src }} steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 persist-credentials: false - - uses: dorny/paths-filter@v3 + - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: changes with: filters: | @@ -56,13 +56,13 @@ jobs: matrix: python-version: ["3.11", "3.13"] steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - uses: actions/setup-python@v6 + - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ matrix.python-version }} - - uses: pre-commit/action@v3.0.1 + - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 test: name: "${{ matrix.os }} test py${{ matrix.python-version }} : fast-compile ${{ matrix.fast-compile }} : float32 ${{ matrix.float32 }} : ${{ matrix.part }}" @@ -170,12 +170,12 @@ jobs: part: "tests/tensor/test_blas.py tests/tensor/test_elemwise.py tests/tensor/test_math_scipy.py" steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 persist-credentials: false - name: Set up Python ${{ matrix.python-version }} - uses: mamba-org/setup-micromamba@v2 + uses: mamba-org/setup-micromamba@add3a49764cedee8ee24e82dfde87f5bc2914462 # v2.0.7 with: environment-name: pytensor-test micromamba-version: "1.5.10-0" # until https://github.com/mamba-org/setup-micromamba/issues/225 is resolved @@ -242,7 +242,7 @@ jobs: FLOAT32: ${{ matrix.float32 }} - name: Upload coverage file - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: coverage-${{ steps.matrix-id.outputs.id }} path: coverage/coverage-${{ steps.matrix-id.outputs.id }}.xml @@ -257,12 +257,12 @@ jobs: strategy: fail-fast: false steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 persist-credentials: false - name: Set up Python 3.11 - uses: mamba-org/setup-micromamba@v2 + uses: mamba-org/setup-micromamba@add3a49764cedee8ee24e82dfde87f5bc2914462 # v2.0.7 with: environment-name: pytensor-test micromamba-version: "1.5.10-0" # until https://github.com/mamba-org/setup-micromamba/issues/225 is resolved @@ -279,7 +279,7 @@ jobs: env: PYTHON_VERSION: 3.11 - name: Download previous benchmark data - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ./cache key: ${{ runner.os }}-benchmark @@ -289,7 +289,7 @@ jobs: export PYTENSOR_FLAGS=mode=FAST_COMPILE,warn__ignore_bug_before=all,on_opt_error=raise,on_shape_error=raise,gcc__cxxflags=-pipe python -m pytest --runslow --benchmark-only --benchmark-json output.json - name: Store benchmark result - uses: benchmark-action/github-action-benchmark@v1 + uses: benchmark-action/github-action-benchmark@4bdcce38c94cec68da58d012ac24b7b1155efe8b # v1.20.7 with: name: Python Benchmark with pytest-benchmark tool: "pytest" @@ -317,12 +317,12 @@ jobs: needs: [changes, all-checks] if: ${{ needs.changes.outputs.changes == 'true' && needs.all-checks.result == 'success' }} steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: "3.13" @@ -331,14 +331,14 @@ jobs: python -m pip install -U coverage>=5.1 coveralls - name: Download coverage file - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: pattern: coverage-* path: coverage merge-multiple: true - name: Upload coverage to Codecov - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 with: directory: ./coverage/ fail_ci_if_error: true diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index c528673759..68965bdf6d 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -15,11 +15,11 @@ jobs: security-events: write steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - uses: hynek/setup-cached-uv@v2 + - uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817 # v2.3.0 - name: Run zizmor 🌈 run: uvx zizmor --format sarif . > results.sarif