authorStepSecurity Bot <bot@stepsecurity.io>2023-03-05 18:34:24 +0000
committerStepSecurity Bot <bot@stepsecurity.io>2023-03-05 18:34:24 +0000
commita0dd10309d14a56d786985bccdbb39654df8953d (patch)
tree6c927cb3f9cbcb195a79cb649c17eed0f4c80ced /.github
parentab49883b328ee17e415a70390cc6e42d6621fcfc (diff)
downloadnumpy-a0dd10309d14a56d786985bccdbb39654df8953d.tar.gz
[StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Diffstat (limited to '.github')
-rw-r--r--.github/dependabot.yml11
-rw-r--r--.github/workflows/build_test.yml72
-rw-r--r--.github/workflows/circleci.yml2
-rw-r--r--.github/workflows/codeql.yml73
-rw-r--r--.github/workflows/cygwin.yml8
-rw-r--r--.github/workflows/dependency-review.yml20
-rw-r--r--.github/workflows/docker.yml12
-rw-r--r--.github/workflows/emscripten.yml8
-rw-r--r--.github/workflows/gitpod.yml12
-rw-r--r--.github/workflows/labeler.yml2
-rw-r--r--.github/workflows/linux_meson.yml4
-rw-r--r--.github/workflows/wheels.yml20
-rw-r--r--.github/workflows/windows_meson.yml4
13 files changed, 176 insertions, 72 deletions
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..6bcbdbfcb
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: daily
+
+ - package-ecosystem: docker
+ directory: /tools/gitpod
+ schedule:
+ interval: daily
diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml
index ff74cdf61..eb5ca0d16 100644
--- a/.github/workflows/build_test.yml
+++ b/.github/workflows/build_test.yml
@@ -27,11 +27,11 @@ jobs:
runs-on: ubuntu-latest
continue-on-error: true
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
submodules: recursive
fetch-depth: 0
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Install linter requirements
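Review bot: The pinned `actions/checkout` steps still run with the action's default `persist-credentials: true`, so the job token stays in the checkout's git config for every later step, including the local `./.github/actions` step that follows in most hunks of this file. Unless a later step has to push with that token (not visible here; each job starts and continues outside its hunk), add `persist-credentials: false` under the existing `with:` next to `fetch-depth: 0`. The same applies to every other checkout step this commit touches or adds, including those in cygwin.yml, docker.yml, emscripten.yml, gitpod.yml, linux_meson.yml, wheels.yml and windows_meson.yml, and in the new codeql.yml and dependency-review.yml.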
@@ -47,11 +47,11 @@ jobs:
env:
WITHOUT_SIMD: 1
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
submodules: recursive
fetch-depth: 0
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
with:
python-version: ${{ env.PYTHON_VERSION }}
- uses: ./.github/actions
@@ -65,11 +65,11 @@ jobs:
env:
EXPECT_CPU_FEATURES: "SSE SSE2 SSE3 SSSE3 SSE41 POPCNT SSE42 AVX F16C FMA3 AVX2 AVX512F AVX512CD AVX512_KNL AVX512_KNM AVX512_SKX AVX512_CLX AVX512_CNL AVX512_ICL"
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
submodules: recursive
fetch-depth: 0
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
with:
python-version: ${{ matrix.python-version }}
- uses: ./.github/actions
@@ -79,7 +79,7 @@ jobs:
# provides GCC 7, 8
runs-on: ubuntu-20.04
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
submodules: recursive
fetch-depth: 0
@@ -117,11 +117,11 @@ jobs:
env:
WITHOUT_OPTIMIZATIONS: 1
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
submodules: recursive
fetch-depth: 0
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
with:
python-version: ${{ env.PYTHON_VERSION }}
- uses: ./.github/actions
@@ -132,11 +132,11 @@ jobs:
env:
CPU_DISPATCH: "none"
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
submodules: recursive
fetch-depth: 0
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
with:
python-version: ${{ env.PYTHON_VERSION }}
- uses: ./.github/actions
@@ -147,11 +147,11 @@ jobs:
env:
CPU_DISPATCH: "max -xop -fma4 -avx512f -avx512cd -avx512_knl -avx512_knm -avx512_skx -avx512_clx -avx512_cnl -avx512_icl"
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
submodules: recursive
fetch-depth: 0
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
with:
python-version: ${{ env.PYTHON_VERSION }}
- uses: ./.github/actions
@@ -162,11 +162,11 @@ jobs:
env:
CPU_DISPATCH: "SSSE3 SSE41 POPCNT SSE42 AVX F16C"
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
submodules: recursive
fetch-depth: 0
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
with:
python-version: ${{ env.PYTHON_VERSION }}
- uses: ./.github/actions
@@ -177,11 +177,11 @@ jobs:
env:
USE_DEBUG: 1
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
submodules: recursive
fetch-depth: 0
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
with:
python-version: ${{ env.PYTHON_VERSION }}
- uses: ./.github/actions
@@ -192,11 +192,11 @@ jobs:
env:
NPY_USE_BLAS_ILP64: 1
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
submodules: recursive
fetch-depth: 0
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
with:
python-version: ${{ env.PYTHON_VERSION }}
- uses: ./.github/actions
@@ -210,11 +210,11 @@ jobs:
RUN_COVERAGE: 1
INSTALL_PICKLE5: 1
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
submodules: recursive
fetch-depth: 0
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
with:
python-version: ${{ env.PYTHON_VERSION }}
- uses: ./.github/actions
@@ -231,11 +231,11 @@ jobs:
NPY_LAPACK_ORDER: MKL,OPENBLAS,ATLAS,LAPACK
USE_ASV: 1
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
submodules: recursive
fetch-depth: 0
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
with:
python-version: ${{ env.PYTHON_VERSION }}
- uses: ./.github/actions
@@ -248,11 +248,11 @@ jobs:
NPY_USE_BLAS_ILP64: 1
NPY_RELAXED_STRIDES_DEBUG: 1
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
submodules: recursive
fetch-depth: 0
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
with:
python-version: ${{ env.PYTHON_VERSION }}
- uses: ./.github/actions
@@ -263,11 +263,11 @@ jobs:
env:
USE_WHEEL: 1
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
submodules: recursive
fetch-depth: 0
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
with:
python-version: ${{ env.PYTHON_VERSION }}
- uses: ./.github/actions
@@ -284,11 +284,11 @@ jobs:
# currently unfortunately
NPY_PROMOTION_STATE: legacy
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
submodules: recursive
fetch-depth: 0
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
with:
python-version: ${{ env.PYTHON_VERSION }}
- uses: ./.github/actions
@@ -302,11 +302,11 @@ jobs:
ATLAS: None
DOWNLOAD_OPENBLAS: ''
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
submodules: recursive
fetch-depth: 0
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
with:
python-version: ${{ env.PYTHON_VERSION }}
- uses: ./.github/actions
@@ -317,11 +317,11 @@ jobs:
env:
USE_SDIST: 1
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
submodules: recursive
fetch-depth: 0
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
with:
python-version: ${{ env.PYTHON_VERSION }}
- uses: ./.github/actions
@@ -331,7 +331,7 @@ jobs:
# make sure this matches the base docker image below
runs-on: ubuntu-22.04
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
submodules: recursive
fetch-depth: 0
@@ -386,11 +386,11 @@ jobs:
needs: [smoke_test]
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
submodules: recursive
fetch-depth: 0
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Install Intel SDE
diff --git a/.github/workflows/circleci.yml b/.github/workflows/circleci.yml
index c43dc4fdb..b38f9a352 100644
--- a/.github/workflows/circleci.yml
+++ b/.github/workflows/circleci.yml
@@ -18,7 +18,7 @@ jobs:
statuses: write
steps:
- name: GitHub Action step
- uses: larsoner/circleci-artifacts-redirector-action@master
+ uses: larsoner/circleci-artifacts-redirector-action@590e7142d7dc855dabe2e9225fa4a5694b76b7cb # master
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
artifact-path: 0/doc/build/html/index.html
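Review bot: The trailing comment `# master` on the pinned `uses:` line names a moving branch, so it records neither which revision was reviewed nor when, and gives update tooling no release to compare the pin against (whether upstream publishes tags is not visible here). The context lines show `statuses: write` and a `repo-token` input for this step, so the pin should stay auditable: write the comment as `# master as of <date-pinned>`, or pin to a tagged release if one exists. The major-only comments `# v2` and `# v1` in cygwin.yml, `# v12` in emscripten.yml and `# v3` in labeler.yml have the same weakness in a milder form; naming the exact release the SHA belongs to would be more useful.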
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 000000000..090d1b844
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,73 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: ["main"]
+ schedule:
+ - cron: "0 0 * * 1"
+
+permissions:
+ contents: read
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: ["python"]
+ # CodeQL supports [ $supported-codeql-languages ]
+ # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+ # If this step fails, then you should remove it and run the build manually (see below)
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5
+
+ # â„šī¸ Command-line programs to run using the OS shell.
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+ # If the Autobuild fails above, remove it and uncomment the following three lines.
+ # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+ # - run: |
+ # echo "Run, Build Application using script"
+ # ./location_of_script_within_repo/buildscript.sh
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5
+ with:
+ category: "/language:${{matrix.language}}"
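Review bot: The `language` matrix is `["python"]` only, so the compiled sources this repository builds (build_test.yml in the same commit exercises GCC and SIMD options) are not analyzed. The Autobuild step, which the template's own comment describes as being for C/C++, C# or Java, therefore likely has nothing to do. Either add `cpp` to the matrix with an explicit build step in place of Autobuild, or drop the Autobuild step and say in the header comment that only Python is scanned. The unrendered template placeholder `[ $supported-codeql-languages ]` and the mis-encoded characters in the comments above the commented-out `run` example should also be cleaned up.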
diff --git a/.github/workflows/cygwin.yml b/.github/workflows/cygwin.yml
index 1345883ff..73c607d29 100644
--- a/.github/workflows/cygwin.yml
+++ b/.github/workflows/cygwin.yml
@@ -20,12 +20,12 @@ jobs:
runs-on: windows-latest
if: "github.repository == 'numpy/numpy'"
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
submodules: recursive
fetch-depth: 0
- name: Install Cygwin
- uses: cygwin/cygwin-install-action@v2
+ uses: cygwin/cygwin-install-action@49f298a7ebb00d4b3ddf58000c3e78eff5fbd6b9 # v2
with:
platform: x86_64
install-dir: 'C:\tools\cygwin'
@@ -36,7 +36,7 @@ jobs:
python39-hypothesis liblapack-devel
gcc-fortran gcc-g++ git dash
- name: Set Windows PATH
- uses: egor-tensin/cleanup-path@v1
+ uses: egor-tensin/cleanup-path@39324b3c13fae7f8237b32d446b474ba9f135531 # v1
with:
dirs: 'C:\tools\cygwin\bin;C:\tools\cygwin\lib\lapack'
- name: Verify that bash is Cygwin bash
@@ -66,7 +66,7 @@ jobs:
run: |
/usr/bin/python3.9 runtests.py -n
- name: Upload wheel if tests fail
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
if: failure()
with:
name: numpy-cygwin-wheel
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 000000000..9ea7ef9c7
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,20 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Checkout Repository'
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 94f8e84ef..211778784 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -18,9 +18,9 @@ jobs:
if: "github.repository_owner == 'numpy'"
steps:
- name: Clone repository
- uses: actions/checkout@v3
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Lint Docker
- uses: hadolint/hadolint-action@v3.1.0
+ uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
with:
dockerfile: ./tools/gitpod/Dockerfile
ignore: DL3059
@@ -33,21 +33,21 @@ jobs:
echo "sha8=$(echo ${GITHUB_SHA} | cut -c1-8)" >> $GITHUB_OUTPUT
id: getrefs
- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2
+ uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
- name: Cache Docker layers
- uses: actions/cache@v3
+ uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: ${{ runner.os }}-buildx-
- name: Login to Docker Hub
- uses: docker/login-action@v2
+ uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Build and push
id: docker_build
- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
with:
context: "."
file: "./tools/gitpod/Dockerfile"
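Review bot: The `# v2.4.1`, `# v3.2.6`, `# v2.1.0` and `# v4.0.0` comments are free text that nothing checks, and they sit on the steps that run around the Docker Hub login with `DOCKERHUB_USERNAME` and `DOCKERHUB_TOKEN` and the image push. Before merging a bot-generated pin, confirm that each SHA is the commit the upstream tag points to, for example by comparing it with `git ls-remote --tags` output for the action's repository. A full SHA can also resolve to a commit that exists only in a fork of that repository. gitpod.yml carries the identical pins and needs the same check; the job continues outside this hunk.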
diff --git a/.github/workflows/emscripten.yml b/.github/workflows/emscripten.yml
index b60a77f1b..bb67bf52a 100644
--- a/.github/workflows/emscripten.yml
+++ b/.github/workflows/emscripten.yml
@@ -31,7 +31,7 @@ jobs:
NODE_VERSION: 18
steps:
- name: Checkout numpy
- uses: actions/checkout@v3
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
submodules: true
# versioneer.py requires the latest tag to be reachable. Here we
@@ -42,11 +42,11 @@ jobs:
- name: set up python
id: setup-python
- uses: actions/setup-python@v4
+ uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
with:
python-version: ${{ env.PYTHON_VERSION }}
- - uses: mymindstorm/setup-emsdk@v12
+ - uses: mymindstorm/setup-emsdk@ab889da2abbcbb280f91ec4c215d3bb4f3a8f775 # v12
with:
version: ${{ env.EMSCRIPTEN_VERSION }}
actions-cache-folder: emsdk-cache
@@ -58,7 +58,7 @@ jobs:
run: CFLAGS=-g2 LDFLAGS=-g2 pyodide build
- name: set up node
- uses: actions/setup-node@v3
+ uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
with:
node-version: ${{ env.NODE_VERSION }}
diff --git a/.github/workflows/gitpod.yml b/.github/workflows/gitpod.yml
index f20a37675..305403e1f 100644
--- a/.github/workflows/gitpod.yml
+++ b/.github/workflows/gitpod.yml
@@ -16,11 +16,11 @@ jobs:
if: "github.repository_owner == 'numpy'"
steps:
- name: Clone repository
- uses: actions/checkout@v3
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
fetch-depth: 0
- name: Lint Docker
- uses: hadolint/hadolint-action@v3.1.0
+ uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
with:
dockerfile: ./tools/gitpod/gitpod.Dockerfile
ignore: DL3059
@@ -33,21 +33,21 @@ jobs:
echo "sha8=$(echo ${GITHUB_SHA} | cut -c1-8)" >> $GITHUB_OUTPUT
id: getrefs
- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2
+ uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
- name: Cache Docker layers
- uses: actions/cache@v3
+ uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: ${{ runner.os }}-buildx-
- name: Login to Docker Hub
- uses: docker/login-action@v2
+ uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Build and push
id: docker_build
- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
with:
context: "."
file: "./tools/gitpod/gitpod.Dockerfile"
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index e2d47a0df..9ceafebb7 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -12,7 +12,7 @@ jobs:
pull-requests: write # to add labels
steps:
- name: Label the PR
- uses: gerrymanoim/pr-prefix-labeler@v3
+ uses: gerrymanoim/pr-prefix-labeler@c8062327f6de59a9ae1c19f7f07cacd0b976b6fa # v3
continue-on-error: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/linux_meson.yml b/.github/workflows/linux_meson.yml
index b03144a12..a92298e26 100644
--- a/.github/workflows/linux_meson.yml
+++ b/.github/workflows/linux_meson.yml
@@ -25,11 +25,11 @@ jobs:
if: "github.repository == 'numpy/numpy'"
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
submodules: recursive
fetch-depth: 0
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Install dependencies
diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml
index 681981e8e..b25192f02 100644
--- a/.github/workflows/wheels.yml
+++ b/.github/workflows/wheels.yml
@@ -43,7 +43,7 @@ jobs:
message: ${{ steps.commit_message.outputs.message }}
steps:
- name: Checkout numpy
- uses: actions/checkout@v3
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
# Gets the correct commit message for pull request
with:
ref: ${{ github.event.pull_request.head.sha }}
@@ -92,7 +92,7 @@ jobs:
IS_SCHEDULE_DISPATCH: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
steps:
- name: Checkout numpy
- uses: actions/checkout@v3
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
submodules: true
# versioneer.py requires the latest tag to be reachable. Here we
@@ -102,7 +102,7 @@ jobs:
fetch-depth: 0
# Used to push the built wheels
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
with:
python-version: "3.x"
@@ -114,16 +114,16 @@ jobs:
if: ${{ matrix.buildplat[1] == 'win32' }}
- name: Build wheels
- uses: pypa/cibuildwheel@v2.12.0
+ uses: pypa/cibuildwheel@a808017c3962f4d678fe685239668aad8c150932 # v2.12.0
env:
CIBW_BUILD: ${{ matrix.python }}-${{ matrix.buildplat[1] }}
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: ${{ matrix.python }}-${{ startsWith(matrix.buildplat[1], 'macosx') && 'macosx' || matrix.buildplat[1] }}
path: ./wheelhouse/*.whl
- - uses: conda-incubator/setup-miniconda@v2
+ - uses: conda-incubator/setup-miniconda@3b0f2504dd76ef23b6d31f291f4913fb60ab5ff3 # v2.2.0
with:
# for installation of anaconda-client, required for upload to
# anaconda.org
@@ -171,7 +171,7 @@ jobs:
# IS_SCHEDULE_DISPATCH: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
steps:
- name: Checkout numpy
- uses: actions/checkout@v3
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
submodules: true
# versioneer.py requires the latest tag to be reachable. Here we
@@ -180,7 +180,7 @@ jobs:
# https://github.com/actions/checkout/issues/338
fetch-depth: 0
# Used to push the built wheels
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
with:
# Build sdist on lowest supported Python
python-version: "3.9"
@@ -201,12 +201,12 @@ jobs:
python -mpip install twine
twine check dist/*
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: sdist
path: ./dist/*
- - uses: conda-incubator/setup-miniconda@v2
+ - uses: conda-incubator/setup-miniconda@3b0f2504dd76ef23b6d31f291f4913fb60ab5ff3 # v2.2.0
with:
# for installation of anaconda-client, required for upload to
# anaconda.org
diff --git a/.github/workflows/windows_meson.yml b/.github/workflows/windows_meson.yml
index 9e82d8fce..e33271b0f 100644
--- a/.github/workflows/windows_meson.yml
+++ b/.github/workflows/windows_meson.yml
@@ -23,12 +23,12 @@ jobs:
# if: "github.repository == 'numpy/numpy'"
steps:
- name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
submodules: recursive
fetch-depth: 0
- name: Setup Python
- uses: actions/setup-python@v4
+ uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
with:
python-version: ${{ env.PYTHON_VERSION }}