diff options
| author | Roberto Bertó <463349+robertoberto@users.noreply.github.com> | 2026-05-19 06:14:08 +0000 |
|---|---|---|
| committer | Roberto Bertó <463349+robertoberto@users.noreply.github.com> | 2026-05-19 06:14:08 +0000 |
| commit | 6071528289e4a8b11a772433c33851136d30f133 (patch) | |
| tree | 25e03a160fb1dc05a27a9118a7a6f573f0ffd123 | |
| parent | 4080faf81dcfe248394643cfce14112f3346b62f (diff) | |
| download | pyvyos-release/v0.4.0-cleanup.tar.gz pyvyos-release/v0.4.0-cleanup.zip | |
ci: pin actions by full commit SHArelease/v0.4.0-cleanup
Per OpenSSF Scorecard 'Pinned-Dependencies' guidance, third-party
GitHub Actions should be referenced by full commit SHA, not by tag.
Tags are mutable; a SHA is not.
Each pin keeps a '# vX.Y.Z' trailing comment so Dependabot can read
the current version and propose updates while still pinning by SHA.
- actions/checkout de0fac2 # v6.0.2
- actions/setup-python a309ff8 # v6.2.0
- astral-sh/setup-uv 0880764 # v8.1.0
- pypa/gh-action-pypi-publish cef2210 # v1.14.0
This commit does not change pyvyos HTTP payloads, request handling, or
response parsing.
| -rw-r--r-- | .github/workflows/python-pr-validation.yml | 6 | ||||
| -rw-r--r-- | .github/workflows/python-publish.yml | 6 | ||||
| -rw-r--r-- | CHANGELOG.md | 13 |
3 files changed, 14 insertions, 11 deletions
diff --git a/.github/workflows/python-pr-validation.yml b/.github/workflows/python-pr-validation.yml index d4e55de..5defe21 100644 --- a/.github/workflows/python-pr-validation.yml +++ b/.github/workflows/python-pr-validation.yml @@ -16,15 +16,15 @@ jobs: python-version: ["3.11", "3.12", "3.13"] steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ matrix.python-version }} - name: Install uv - uses: astral-sh/setup-uv@v8.1.0 + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: enable-cache: true cache-dependency-glob: "pyproject.toml" diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 2ebf94e..9ab4867 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -19,10 +19,10 @@ jobs: deploy: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Python 3.13 - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.13" @@ -35,7 +35,7 @@ jobs: run: uv build - name: Publish package - uses: pypa/gh-action-pypi-publish@v1.14.0 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 with: user: __token__ password: ${{ secrets.PYPI_API_TOKEN }} diff --git a/CHANGELOG.md b/CHANGELOG.md index e0a915d..28c5e82 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -51,11 +51,14 @@ behavior**. - removed duplicated dependency blocks, - dropped the unused `validation` extra, - raised the pytest floor for Python 3.13. -- PR validation workflow upgraded to `actions/checkout@v6`, - `actions/setup-python@v6`, and `astral-sh/setup-uv@v8.1.0`. Publish - workflow upgraded to `actions/checkout@v6`, `actions/setup-python@v6`, - and `pypa/gh-action-pypi-publish@v1.14.0`. Pre-commit hooks bumped to - `pre-commit/pre-commit-hooks@v6.0.0`. All move off Node.js 20. +- GitHub Actions bumped off Node.js 20 and pinned by full commit SHA + (per [OpenSSF Scorecard guidance][1]) with a `# vX.Y.Z` comment so + Dependabot can keep them current: + `actions/checkout@v6.0.2`, `actions/setup-python@v6.2.0`, + `astral-sh/setup-uv@v8.1.0`, `pypa/gh-action-pypi-publish@v1.14.0`. + Pre-commit hooks bumped to `pre-commit/pre-commit-hooks@v6.0.0`. + +[1]: https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies - `.env.example` default flipped to `VYDEVICE_VERIFY_SSL=true`; commented with field descriptions. |
