From 8a0791f808587c89ec69cbfdb0d668ccf021638a Mon Sep 17 00:00:00 2001
From: Bugra Eskici <40719402+bugraesk@users.noreply.github.com>
Date: Thu, 2 Jul 2026 21:35:23 +0300
Subject: [PATCH] sec(actions): pin GitHub Actions to commit SHAs
---
 .github/workflows/container.yml | 18 +++++++++---------
 .github/workflows/create-release.yaml | 6 +++---
 .github/workflows/docs.yaml | 6 +++---
 .github/workflows/fal-e2e-tests.yml | 4 ++--
 .github/workflows/fal-integration-tests.yml | 4 ++--
 .github/workflows/fal-unit-tests.yml | 4 ++--
 .github/workflows/lint.yml | 6 +++---
 .github/workflows/regen-grpc.yml | 8 ++++----
 .github/workflows/release.yaml | 10 +++++-----
 .github/workflows/tests-fal-client.yml | 4 ++--
 .github/workflows/tests-isolate-proto.yml | 4 ++--
 11 files changed, 37 insertions(+), 37 deletions(-)
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
index b8717129c..335e6b357 100644
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -20,13 +20,13 @@ jobs:
 container:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v2
+ uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2
+ uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0
 - name: Build container
- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
 with:
 context: .
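Review bot: Nothing in this patch keeps the new pins current or checks them: the diffstat touches only the eleven workflow files, and the trailing `# v3.6.0`-style comments are free text that the runner never compares with the SHA. Before merging, each SHA should be confirmed to be the commit that the named tag points to in the action's own repository rather than in a fork. Unless the repository already has one, a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` would keep the pins and their version comments moving when an action ships a fix. This applies to every `uses:` line changed in the other ten files as well, including the `pypa/gh-action-pypi-publish` pin in release.yaml, which previously followed the `release/v1` branch.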
@@ -36,13 +36,13 @@ jobs:
 - container
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v2
+ uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2
+ uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v2
+ uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
@@ -52,7 +52,7 @@ jobs:
 run: echo "::set-output name=version::$(git describe --always --tags --dirty)"
 - name: Build and push
 id: push
- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
 with:
 context: .
 push: true
diff --git a/.github/workflows/create-release.yaml b/.github/workflows/create-release.yaml
index 538989f21..1fc8c93c2 100644
--- a/.github/workflows/create-release.yaml
+++ b/.github/workflows/create-release.yaml
@@ -29,19 +29,19 @@ jobs:
 steps:
 - name: Mint GitHub App token
 id: app_token
- uses: actions/create-github-app-token@v2
+ uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2
 with:
 app-id: ${{ secrets.REGEN_APP_ID }}
 private-key: ${{ secrets.REGEN_APP_PRIVATE_KEY }}
 owner: fal-ai
 repositories: fal
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 with:
 fetch-depth: 0
 token: ${{ steps.app_token.outputs.token }}
- - uses: actions/setup-python@v2
+ - uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2.3.4
 with:
 python-version: "3.9"
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
index d36bd48aa..8bbd3b800 100644
--- a/.github/workflows/docs.yaml
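Review bot: The context line at the top of the `@@ -52,7` hunk of container.yml still publishes the step output with the `::set-output` workflow command, which GitHub has deprecated in favour of writing to the `GITHUB_OUTPUT` file. Since this commit hardens the same job, that line could become `run: echo "version=$(git describe --always --tags --dirty)" >> "$GITHUB_OUTPUT"`. The step's name and `id` sit above the hunk, so the output name `version` is taken from the visible command only.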
+++ b/.github/workflows/docs.yaml
@@ -9,10 +9,10 @@ jobs:
 pages:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 - name: Set up Python
- uses: actions/setup-python@v2
+ uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2.3.4
 with:
 python-version: '3.11'
@@ -27,7 +27,7 @@ jobs:
 - name: Deploy to GitHub Pages
 if: github.event_name == 'push' && github.ref == 'refs/heads/main'
- uses: peaceiris/actions-gh-pages@v3
+ uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 publish_dir: docs/_build/html
diff --git a/.github/workflows/fal-e2e-tests.yml b/.github/workflows/fal-e2e-tests.yml
index 51a260c94..de2840307 100644
--- a/.github/workflows/fal-e2e-tests.yml
+++ b/.github/workflows/fal-e2e-tests.yml
@@ -58,11 +58,11 @@ jobs:
 deps: "pydantic==2.13.3"
 python: "3.12"
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0
- - uses: actions/setup-python@v5
+ - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
 with:
 python-version: ${{ matrix.python }}
 cache: pip
diff --git a/.github/workflows/fal-integration-tests.yml b/.github/workflows/fal-integration-tests.yml
index 81cea2118..03c74854d 100644
--- a/.github/workflows/fal-integration-tests.yml
+++ b/.github/workflows/fal-integration-tests.yml
@@ -56,11 +56,11 @@ jobs:
 deps: "pydantic==2.13.3"
 python: "3.12"
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0
- - uses: actions/setup-python@v5
+ - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
 with:
 python-version: ${{ matrix.python }}
 cache: pip
diff --git a/.github/workflows/fal-unit-tests.yml b/.github/workflows/fal-unit-tests.yml
index 4c58c40f2..0f2d4c15e 100644
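Review bot: The first docs.yaml hunk freezes this workflow on `actions/checkout` v2.7.0 and `actions/setup-python` v2.3.4, while other files in the same patch pin checkout at v3.6.0 and v4.3.1 and setup-python at v3.1.4, v4.9.1 and v5.6.0. A SHA pin stops the floating major tag from moving, so these older release lines stay exactly where they are until someone edits the file, and every distinct SHA is one more commit to audit. As a follow-up, consider converging on the pair already used in fal-e2e-tests.yml, `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1` and `actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0`, after checking the major-version changes against what each job needs.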
--- a/.github/workflows/fal-unit-tests.yml
+++ b/.github/workflows/fal-unit-tests.yml
@@ -56,11 +56,11 @@ jobs:
 deps: "pydantic==2.13.3"
 python: "3.12"
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0
- - uses: actions/setup-python@v5
+ - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
 with:
 python-version: ${{ matrix.python }}
 cache: pip
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 41f5f2a31..55211e0da 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -9,8 +9,8 @@ jobs:
 pre-commit:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-python@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ - uses: actions/setup-python@3542bca2639a428e1796aaa6a2ffef0c0f575566 # v3.1.4
 with:
 python-version: "3.11"
- - uses: pre-commit/action@v3.0.0
+ - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507 # v3.0.0
diff --git a/.github/workflows/regen-grpc.yml b/.github/workflows/regen-grpc.yml
index 8320a03f1..0bff481fe 100644
--- a/.github/workflows/regen-grpc.yml
+++ b/.github/workflows/regen-grpc.yml
@@ -33,7 +33,7 @@ jobs:
 steps:
 - name: Mint GitHub App token
 id: app_token
- uses: actions/create-github-app-token@v2
+ uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2
 with:
 app-id: ${{ secrets.REGEN_APP_ID }}
 private-key: ${{ secrets.REGEN_APP_PRIVATE_KEY }}
@@ -43,7 +43,7 @@ jobs:
 isolate
 - name: Checkout PR branch
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 ref: ${{ github.event.pull_request.head.ref || github.ref }}
 repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
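Review bot: The `Checkout PR branch` step in the `@@ -43,7` hunk of regen-grpc.yml takes both `repository` and `ref` from the pull request head, in a job whose first step mints a GitHub App token from `secrets.REGEN_APP_ID` and `secrets.REGEN_APP_PRIVATE_KEY`; pinning `actions/checkout` does not change whose code lands in the workspace. The workflow's `on:` block and the rest of this step are outside the hunk, so this is a question to settle rather than a finding. If the job can run for pull requests from forks, a job-level guard such as `if: ${{ !github.event.pull_request || github.event.pull_request.head.repo.full_name == github.repository }}` would keep the token away from code the repository does not control.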
@@ -72,14 +72,14 @@ jobs:
 echo "Using isolate version: ${version}"
 - name: Checkout fal-ai/isolate
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 repository: fal-ai/isolate
 ref: v${{ steps.isolate_version.outputs.version }}
 token: ${{ steps.app_token.outputs.token }}
 path: _isolate
- - uses: actions/setup-python@v5
+ - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
 with:
 python-version: "3.11"
 cache: pip
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index ccf71167c..d2d6118a8 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -19,11 +19,11 @@ jobs:
 version: ${{ steps.parse.outputs.version }}
 name: ${{ steps.parse.outputs.name }}
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 with:
 fetch-depth: 0
- - uses: actions/setup-python@v2
+ - uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2.3.4
 with:
 python-version: "3.9"
@@ -48,7 +48,7 @@ jobs:
 run: python -m build
 - name: Upload dist
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: dist
 path: projects/${{ steps.parse.outputs.name }}/dist
@@ -64,13 +64,13 @@ jobs:
 id-token: write
 steps:
 - name: Download dist
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
 with:
 name: dist
 path: dist
 - name: Publish package distributions to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
 release-container:
 if: ${{ needs.build.outputs.name == 'fal' }}
diff --git a/.github/workflows/tests-fal-client.yml b/.github/workflows/tests-fal-client.yml
index 382a7a346..79ae4b6cd 100644
--- a/.github/workflows/tests-fal-client.yml
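Review bot: The `Checkout fal-ai/isolate` step in the `@@ -72,14` hunk of regen-grpc.yml passes `token: ${{ steps.app_token.outputs.token }}` and leaves `persist-credentials` at its default, so the pinned checkout keeps the App token in the git configuration of `_isolate` for the later steps of the job. Nothing visible in the hunk pushes from `_isolate`; if that holds for the rest of the job, add `persist-credentials: false` under this step's `with:`. The job continues past the end of the hunk, so the later steps need checking before the change is made.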
+++ b/.github/workflows/tests-fal-client.yml
@@ -24,10 +24,10 @@ jobs:
 matrix:
 python: ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 with:
 fetch-depth: 0
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1
 with:
 python-version: ${{ matrix.python }}
 - name: Install dependencies
diff --git a/.github/workflows/tests-isolate-proto.yml b/.github/workflows/tests-isolate-proto.yml
index 66c7e0a9c..010fe551c 100644
--- a/.github/workflows/tests-isolate-proto.yml
+++ b/.github/workflows/tests-isolate-proto.yml
@@ -26,11 +26,11 @@ jobs:
 python: ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0
- - uses: actions/setup-python@v5
+ - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
 with:
 python-version: ${{ matrix.python }}
 cache: pip