summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRoberto Bertó <463349+robertoberto@users.noreply.github.com>2026-05-19 06:14:08 +0000
committerRoberto Bertó <463349+robertoberto@users.noreply.github.com>2026-05-19 06:14:08 +0000
commit6071528289e4a8b11a772433c33851136d30f133 (patch)
tree25e03a160fb1dc05a27a9118a7a6f573f0ffd123
parent4080faf81dcfe248394643cfce14112f3346b62f (diff)
downloadpyvyos-release/v0.4.0-cleanup.tar.gz
pyvyos-release/v0.4.0-cleanup.zip
ci: pin actions by full commit SHArelease/v0.4.0-cleanup
Per OpenSSF Scorecard 'Pinned-Dependencies' guidance, third-party GitHub Actions should be referenced by full commit SHA, not by tag. Tags are mutable; a SHA is not. Each pin keeps a '# vX.Y.Z' trailing comment so Dependabot can read the current version and propose updates while still pinning by SHA. - actions/checkout de0fac2 # v6.0.2 - actions/setup-python a309ff8 # v6.2.0 - astral-sh/setup-uv 0880764 # v8.1.0 - pypa/gh-action-pypi-publish cef2210 # v1.14.0 This commit does not change pyvyos HTTP payloads, request handling, or response parsing.
-rw-r--r--.github/workflows/python-pr-validation.yml6
-rw-r--r--.github/workflows/python-publish.yml6
-rw-r--r--CHANGELOG.md13
3 files changed, 14 insertions, 11 deletions
diff --git a/.github/workflows/python-pr-validation.yml b/.github/workflows/python-pr-validation.yml
index d4e55de..5defe21 100644
--- a/.github/workflows/python-pr-validation.yml
+++ b/.github/workflows/python-pr-validation.yml
@@ -16,15 +16,15 @@ jobs:
python-version: ["3.11", "3.12", "3.13"]
steps:
- name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: ${{ matrix.python-version }}
- name: Install uv
- uses: astral-sh/setup-uv@v8.1.0
+ uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
enable-cache: true
cache-dependency-glob: "pyproject.toml"
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
index 2ebf94e..9ab4867 100644
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
@@ -19,10 +19,10 @@ jobs:
deploy:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Python 3.13
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: "3.13"
@@ -35,7 +35,7 @@ jobs:
run: uv build
- name: Publish package
- uses: pypa/gh-action-pypi-publish@v1.14.0
+ uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
with:
user: __token__
password: ${{ secrets.PYPI_API_TOKEN }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e0a915d..28c5e82 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -51,11 +51,14 @@ behavior**.
- removed duplicated dependency blocks,
- dropped the unused `validation` extra,
- raised the pytest floor for Python 3.13.
-- PR validation workflow upgraded to `actions/checkout@v6`,
- `actions/setup-python@v6`, and `astral-sh/setup-uv@v8.1.0`. Publish
- workflow upgraded to `actions/checkout@v6`, `actions/setup-python@v6`,
- and `pypa/gh-action-pypi-publish@v1.14.0`. Pre-commit hooks bumped to
- `pre-commit/pre-commit-hooks@v6.0.0`. All move off Node.js 20.
+- GitHub Actions bumped off Node.js 20 and pinned by full commit SHA
+ (per [OpenSSF Scorecard guidance][1]) with a `# vX.Y.Z` comment so
+ Dependabot can keep them current:
+ `actions/checkout@v6.0.2`, `actions/setup-python@v6.2.0`,
+ `astral-sh/setup-uv@v8.1.0`, `pypa/gh-action-pypi-publish@v1.14.0`.
+ Pre-commit hooks bumped to `pre-commit/pre-commit-hooks@v6.0.0`.
+
+[1]: https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies
- `.env.example` default flipped to `VYDEVICE_VERIFY_SSL=true`; commented
with field descriptions.