From 0fa4615de0659f54b7d82c66775a038477d99609 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Florian=20Str=C3=BCbe?= Date: Fri, 20 Mar 2026 15:32:10 +0100 Subject: [PATCH] ci: update and pin actions and remove expansion in run block --- .github/dependabot.yml | 8 +++++-- .github/workflows/build-documentation.yml | 22 +++++++++++++------- .github/workflows/check-pr-formatting.yml | 14 +++++++++---- .github/workflows/code-check.yml | 4 ++-- .github/workflows/integration-tests-core.yml | 14 ++++++------- .github/workflows/integration-tests-v1.yml | 12 +++++------ .github/workflows/integration-tests-v2.yml | 10 ++++----- .github/workflows/integration-tests.yml | 2 +- .github/workflows/nightly-v1.yml | 8 +++---- .github/workflows/nightly-v2.yml | 8 +++---- .github/workflows/release.yml | 4 ++-- .github/workflows/security-scan.yml | 6 +++--- .github/workflows/unit-tests.yml | 16 +++++++------- 13 files changed, 72 insertions(+), 56 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 16c35942329..d00d030d9b6 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -10,7 +10,9 @@ updates: schedule: interval: "weekly" commit-message: - prefix: "build(NoTicket)" + prefix: "chore(deps):" + cooldown: + default-days: 7 # Keep GitHub Actions up to date - package-ecosystem: "github-actions" @@ -22,4 +24,6 @@ updates: timezone: "UTC" open-pull-requests-limit: 5 commit-message: - prefix: "build(NoTicket)" + prefix: "chore(deps):" + cooldown: + default-days: 7 diff --git a/.github/workflows/build-documentation.yml b/.github/workflows/build-documentation.yml index c2f44fb96b1..7d20620dab8 100644 --- a/.github/workflows/build-documentation.yml +++ b/.github/workflows/build-documentation.yml 
@@ -14,16 +14,18 @@ on: jobs: build: runs-on: ubuntu-latest + permissions: + contents: write steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: 3.x - - uses: actions/cache@v4 + - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: ~/.cache/pip key: ${{ runner.os }}-pip-${{ hashFiles('**/setup.cfg') }} @@ -44,21 +46,25 @@ jobs: - name: Resolve url path id: resolve_url_path shell: bash + env: + CUSTOM_PATH: ${{ github.event.inputs.custom-path }} + GITHUB_REF_NAME: ${{ github.ref_name }} + GITHUB_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }} run: | - if [[ -n "${{ github.event.inputs.custom-path }}" ]]; then - echo "path=${{ github.event.inputs.custom-path }}" >> $GITHUB_OUTPUT + if [[ -n "${CUSTOM_PATH}" ]]; then + echo "path=${CUSTOM_PATH}" >> $GITHUB_OUTPUT # 0.x releases deploy to 0.x path, all other releases deploy to latest path - elif [[ "${{ github.event_name }}" == "release" && "${{ github.event.release.tag_name }}" == 0.* ]]; then + elif [[ "${{ github.event_name }}" == "release" && "${GITHUB_RELEASE_TAG_NAME}" == 0.* ]]; then echo "path=0.x" >> $GITHUB_OUTPUT # for manual builds deploy to the branch name path elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then - echo "path=${{ github.ref_name }}" >> $GITHUB_OUTPUT + echo "path=${GITHUB_REF_NAME}" >> $GITHUB_OUTPUT else echo "path=latest" >> $GITHUB_OUTPUT fi - name: Deploy to GitHub Pages - uses: peaceiris/actions-gh-pages@v4 + uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./docs_compiled diff --git a/.github/workflows/check-pr-formatting.yml b/.github/workflows/check-pr-formatting.yml index 396ecb45719..5bed55edf02 100644 
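Review bot: The new job-level `permissions: contents: write` makes the write-scoped token available to every step of `build`, and `actions/checkout` by default leaves that token in the local git config for the later steps, including the dependency install implied by the pip cache step. The deploy step in this file receives the token explicitly through `github_token`, so the checkout step could set `with: persist-credentials: false` without affecting the publish. If the build can be separated from the deploy, a read-only build job that hands the compiled docs to a small deploy job would narrow the scope further. The job body continues outside the hunk.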
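Review bot: In the `Resolve url path` step, `echo "path=${CUSTOM_PATH}" >> $GITHUB_OUTPUT` still writes the dispatch input to the output file unvalidated, so a value containing a newline would add further `key=value` lines, and a value such as `../x` is passed unchanged to whatever consumes `steps.resolve_url_path.outputs.path` (not visible in this hunk). Moving the expressions into `env:` removes the shell-interpolation problem; a pattern check before the write, for example `[[ "${CUSTOM_PATH}" =~ ^[A-Za-z0-9_-]+$ ]] || exit 1` with the pattern adjusted to the paths the site should accept, would cover this one, and the same applies to the `GITHUB_REF_NAME` branch. Separately, `GITHUB_REF_NAME` is already provided by the runner as a default variable, so its `env:` entry is redundant, and `GITHUB_RELEASE_TAG_NAME` would read better as `RELEASE_TAG_NAME` to stay out of the `GITHUB_` namespace. Quoting the target as `>> "$GITHUB_OUTPUT"` is also worth doing while these lines are being touched.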
--- a/.github/workflows/check-pr-formatting.yml +++ b/.github/workflows/check-pr-formatting.yml @@ -7,9 +7,15 @@ on: jobs: pr-formatting: - runs-on: ubuntu-latest + runs-on: ubuntu-slim + permissions: + pull-requests: read steps: - - name: Formatting conventions - uses: firebolt-db/action-pr-checks@main + - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + if: ${{ !startsWith(github.head_ref, 'dependabot') }} with: - github-key: ${{ secrets.GITHUB_TOKEN }} + # Ensures the subject doesn't start with an uppercase character. + subjectPattern: ^(?![A-Z]).+$ + requireScope: false diff --git a/.github/workflows/code-check.yml b/.github/workflows/code-check.yml index a784fad1141..df45e5f9fe9 100644 --- a/.github/workflows/code-check.yml +++ b/.github/workflows/code-check.yml @@ -15,12 +15,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ inputs.branch }} - name: Set up Python 3.9 - uses: actions/setup-python@v5 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: 3.9 diff --git a/.github/workflows/integration-tests-core.yml b/.github/workflows/integration-tests-core.yml index fa26a7faa35..a2fdff277e2 100644 --- a/.github/workflows/integration-tests-core.yml +++ b/.github/workflows/integration-tests-core.yml 
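Review bot: The condition `if: ${{ !startsWith(github.head_ref, 'dependabot') }}` keys the exemption on the branch name, which the pull-request author chooses, so any PR opened from a branch whose name begins with `dependabot` skips the title check. Keying on the author instead, `if: ${{ github.event.pull_request.user.login != 'dependabot[bot]' }}`, limits the exemption to Dependabot itself. The workflow trigger is outside the hunk, so confirm that `github.event.pull_request` is populated for the events this job runs on.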
@@ -46,18 +46,18 @@ jobs: runs-on: ${{ inputs.os_name }} steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: 'firebolt-db/firebolt-python-sdk' - name: Setup Firebolt Core id: setup-core - uses: firebolt-db/action-setup-core@main + uses: firebolt-db/action-setup-core@eabcd701de0be41793fda0655d29d46c70c847c2 # main with: tag_version: ${{ inputs.tag_version || vars.DEFAULT_CORE_IMAGE_TAG }} - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ inputs.python_version }} @@ -94,7 +94,7 @@ jobs: # Need to pull the pages branch in order to fetch the previous runs - name: Get Allure history - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 if: always() continue-on-error: true with: @@ -102,7 +102,7 @@ jobs: path: gh-pages - name: Allure Report - uses: firebolt-db/action-allure-report@v1 + uses: firebolt-db/action-allure-report@781b4529b67b4f393c63d7dc1e098cb558e1ab16 # v1.4.1 if: always() continue-on-error: true with: @@ -113,7 +113,7 @@ jobs: repository-name: python-sdk - name: Allure Report HTTPS - uses: firebolt-db/action-allure-report@v1 + uses: firebolt-db/action-allure-report@781b4529b67b4f393c63d7dc1e098cb558e1ab16 # v1.4.1 if: always() continue-on-error: true with: @@ -121,4 +121,4 @@ jobs: test-type: core_https allure-dir: allure-results-https pages-branch: gh-pages - repository-name: python-sdk \ No newline at end of file + repository-name: python-sdk diff --git a/.github/workflows/integration-tests-v1.yml b/.github/workflows/integration-tests-v1.yml index a638d737d3d..b96cdc8ccb3 100644 --- a/.github/workflows/integration-tests-v1.yml +++ b/.github/workflows/integration-tests-v1.yml 
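Review bot: `firebolt-db/action-setup-core@eabcd701de0be41793fda0655d29d46c70c847c2 # main` pins a commit, but the trailing comment names a branch rather than a release, so a reader cannot tell which version the SHA corresponds to, and update tooling that relies on the version comment may not be able to propose bumps. The same `# main` annotation is used for `firebolt-db/action-python-release` in release.yml and `firebolt-db/action-security-scan` in security-scan.yml; the first of these runs after a checkout that uses `secrets.RELEASE_PAT`. Tagging releases in those action repositories and pinning the tag's commit, or at least recording when the pin was taken, as in `# main (pinned YYYY-MM-DD)`, would make these pins auditable.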
@@ -16,10 +16,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@v2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Python 3.9 - uses: actions/setup-python@v2 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: 3.9 @@ -30,7 +30,7 @@ jobs: - name: Setup database and engine id: setup - uses: firebolt-db/integration-testing-setup@v1 + uses: firebolt-db/integration-testing-setup@813c4835ef38adcba3f8760e7afc21a3c7248023 # v2.6.2 with: firebolt-username: ${{ secrets.FIREBOLT_STG_USERNAME }} firebolt-password: ${{ secrets.FIREBOLT_STG_PASSWORD }} @@ -39,7 +39,7 @@ jobs: - name: Restore cached failed tests id: cache-tests-restore - uses: actions/cache/restore@v4 + uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: | .pytest_cache/v/cache/lastfailed @@ -64,9 +64,9 @@ jobs: - name: Save failed tests id: cache-tests-save - uses: actions/cache/save@v4 + uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 if: failure() with: path: | .pytest_cache/v/cache/lastfailed - key: ${{ steps.cache-tests-restore.outputs.cache-primary-key }} \ No newline at end of file + key: ${{ steps.cache-tests-restore.outputs.cache-primary-key }} diff --git a/.github/workflows/integration-tests-v2.yml b/.github/workflows/integration-tests-v2.yml index 9238242894d..e1d6304369a 100644 --- a/.github/workflows/integration-tests-v2.yml +++ b/.github/workflows/integration-tests-v2.yml @@ -23,12 +23,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: 'firebolt-db/firebolt-python-sdk' - name: Set up Python 3.9 - uses: actions/setup-python@v5 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: 3.9 
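Review bot: In `Setup database and engine` of integration-tests-v1.yml, `firebolt-db/integration-testing-setup` moves from `@v1` to the commit annotated `# v2.6.2`, a major-version change, while the step still passes `firebolt-username` and `firebolt-password`; integration-tests-v2.yml in this same patch uses that SHA with `firebolt-client-id` and `firebolt-client-secret`. Unless v2.6.2 still accepts the username/password inputs, this step will fail or ignore the credentials, and nightly-v1.yml receives the same change. If the v1 flow needs the v1 action, pin the commit of the latest v1 tag instead, `uses: firebolt-db/integration-testing-setup@<v1-tag-commit-sha> # v1.x.y`.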
@@ -39,7 +39,7 @@ jobs: - name: Setup database and engine id: setup - uses: firebolt-db/integration-testing-setup@v2 + uses: firebolt-db/integration-testing-setup@813c4835ef38adcba3f8760e7afc21a3c7248023 # v2.6.2 with: firebolt-client-id: ${{ secrets.FIREBOLT_CLIENT_ID_STG_NEW_IDN }} firebolt-client-secret: ${{ secrets.FIREBOLT_CLIENT_SECRET_STG_NEW_IDN }} @@ -62,7 +62,7 @@ jobs: # Need to pull the pages branch in order to fetch the previous runs - name: Get Allure history - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 if: always() continue-on-error: true with: @@ -70,7 +70,7 @@ jobs: path: gh-pages - name: Allure Report - uses: firebolt-db/action-allure-report@v1 + uses: firebolt-db/action-allure-report@781b4529b67b4f393c63d7dc1e098cb558e1ab16 # v1.4.1 if: always() with: github-key: ${{ inputs.token || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml index 839d112deec..0bbf948943a 100644 --- a/.github/workflows/integration-tests.yml +++ b/.github/workflows/integration-tests.yml @@ -31,7 +31,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Decorate commit - uses: Sibz/github-status-action@v1 + uses: Sibz/github-status-action@650dd1a882a76dbbbc4576fb5974b8d22f29847f # v1.1.6 with: authToken: ${{secrets.GITHUB_TOKEN}} context: 'Integration tests' diff --git a/.github/workflows/nightly-v1.yml b/.github/workflows/nightly-v1.yml index ada5e5c1a8b..e05703a314b 100644 --- a/.github/workflows/nightly-v1.yml +++ b/.github/workflows/nightly-v1.yml @@ -39,10 +39,10 @@ jobs: python-version: ['3.9', '3.10', '3.11'] steps: - name: Check out code - uses: actions/checkout@v2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Python - uses: actions/setup-python@v2 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ matrix.python-version }} 
@@ -57,7 +57,7 @@ jobs: - name: Setup database and engine id: setup - uses: firebolt-db/integration-testing-setup@v1 + uses: firebolt-db/integration-testing-setup@813c4835ef38adcba3f8760e7afc21a3c7248023 # v2.6.2 with: firebolt-username: ${{ secrets.FIREBOLT_STG_USERNAME }} firebolt-password: ${{ secrets.FIREBOLT_STG_PASSWORD }} @@ -85,7 +85,7 @@ jobs: - name: Slack Notify of failure if: failure() id: slack - uses: firebolt-db/action-slack-nightly-notify@v1 + uses: firebolt-db/action-slack-nightly-notify@1bdd915837fbe0986aeacd2ee63a648ae2dcc6db # v1.0.0 with: os: ${{ matrix.os }} programming-language: Python diff --git a/.github/workflows/nightly-v2.yml b/.github/workflows/nightly-v2.yml index a971ca7c4dd..3a04772a1de 100644 --- a/.github/workflows/nightly-v2.yml +++ b/.github/workflows/nightly-v2.yml @@ -39,10 +39,10 @@ jobs: python-version: ['3.9', '3.10', '3.11'] steps: - name: Check out code - uses: actions/checkout@v2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Python - uses: actions/setup-python@v2 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ matrix.python-version }} @@ -57,7 +57,7 @@ jobs: - name: Setup database and engine id: setup - uses: firebolt-db/integration-testing-setup@v2 + uses: firebolt-db/integration-testing-setup@813c4835ef38adcba3f8760e7afc21a3c7248023 # v2.6.2 with: firebolt-client-id: ${{ secrets.FIREBOLT_CLIENT_ID_STG_NEW_IDN }} firebolt-client-secret: ${{ secrets.FIREBOLT_CLIENT_SECRET_STG_NEW_IDN }} @@ -81,7 +81,7 @@ jobs: - name: Slack Notify of failure if: failure() id: slack - uses: firebolt-db/action-slack-nightly-notify@v1 + uses: firebolt-db/action-slack-nightly-notify@1bdd915837fbe0986aeacd2ee63a648ae2dcc6db # v1.0.0 with: os: ${{ matrix.os }} programming-language: Python diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 46f197f14d4..44186b7c165 100644 --- a/.github/workflows/release.yml 
+++ b/.github/workflows/release.yml @@ -22,13 +22,13 @@ jobs: needs: integration-tests steps: - name: Check out code - uses: actions/checkout@v2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 token: ${{ secrets.RELEASE_PAT }} - name: 'Publish action' - uses: firebolt-db/action-python-release@main + uses: firebolt-db/action-python-release@0cb5692fd39a782bce366e9120055d999bc8824b # main with: pre-release-tag: ${{ inputs.pre-release-tag }} major-release: ${{ inputs.major-release }} diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index d12956ccf62..4d12a99ee44 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -19,17 +19,17 @@ jobs: runs-on: ubuntu-latest steps: - name: "Checkout Code" - uses: actions/checkout@v2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ inputs.branch }} - name: "Download coverage report" - uses: actions/download-artifact@v6.0.0 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: pytest-coverage-report - name: "Security Scan" - uses: firebolt-db/action-security-scan@main + uses: firebolt-db/action-security-scan@83d65487985b5e0e967362900c665ced1e8d0dbf # main with: github-key: ${{ secrets.GITHUB_TOKEN }} fossa-key: ${{ secrets.FOSSA_TOKEN }} diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml index bdcbe182e4a..9def0df3568 100644 --- a/.github/workflows/unit-tests.yml +++ b/.github/workflows/unit-tests.yml 
@@ -18,17 +18,17 @@ on: jobs: unit-tests: - runs-on: ubuntu-latest - + permissions: + contents: write steps: - name: Check out code - uses: actions/checkout@v2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ inputs.branch }} - name: Set up Python 3.9 - uses: actions/setup-python@v2 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: 3.9 @@ -42,7 +42,7 @@ jobs: pytest --cov=src/ tests/unit --cov-report=xml --alluredir=allure-results - name: Get Allure history - uses: actions/checkout@v2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 if: always() continue-on-error: true with: @@ -50,14 +50,14 @@ jobs: path: gh-pages - name: Allure Report - uses: firebolt-db/action-allure-report@v1 + uses: firebolt-db/action-allure-report@781b4529b67b4f393c63d7dc1e098cb558e1ab16 # v1.4.1 if: always() continue-on-error: true with: github-key: ${{ secrets.GITHUB_TOKEN }} - name: Upload coverage report - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 continue-on-error: true with: name: pytest-coverage-report @@ -76,7 +76,7 @@ jobs: echo "covered=$percentage_whole" >> $GITHUB_OUTPUT - name: Create Coverage Badge - uses: schneegans/dynamic-badges-action@v1.7.0 + uses: schneegans/dynamic-badges-action@e9a478b16159b4d31420099ba146cdc50f134483 # v1.7.0 if: github.event_name == 'push' continue-on-error: true with:
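Review bot: As far as the collapsed diff shows, the `unit-tests` job loses `runs-on: ubuntu-latest` in this hunk and only the new `permissions:` block is added in its place, so unless `runs-on` is set elsewhere in the job the workflow will be rejected as invalid. Restoring `runs-on: ubuntu-latest` above `permissions:` fixes that. In addition, `contents: write` now applies to every step, including the `pytest` run against `ref: ${{ inputs.branch }}`. If only the Allure report step needs to push, and it already receives `github-key` explicitly, setting `persist-credentials: false` on the first checkout keeps the write token out of the test run.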