From 62aa8b885e45ad9cd8f8ce5d2a48b4aeff82e502 Mon Sep 17 00:00:00 2001 From: Roberto Bertó <463349+robertoberto@users.noreply.github.com> Date: Tue, 19 May 2026 06:08:52 +0000 Subject: ci: bump actions off Node.js 20 GitHub deprecation notice: Node.js 20 will be removed from runners in September 2026 and forced to Node 24 in June 2026. Pin to current majors that already run on Node 24. - actions/checkout@v4 -> v6 - actions/setup-python@v5 -> v6 - astral-sh/setup-uv@v3 -> v8 - pypa/gh-action-pypi-publish@v1.13.0 -> v1.14.0 - pre-commit/pre-commit-hooks@v5.0.0 -> v6.0.0 This commit does not change pyvyos HTTP payloads, request handling, or response parsing. --- .github/workflows/python-publish.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to '.github/workflows/python-publish.yml') diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 57189af..2ebf94e 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -19,10 +19,10 @@ jobs: deploy: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4.1.1 + - uses: actions/checkout@v6 - name: Set up Python 3.13 - uses: actions/setup-python@v5.0.0 + uses: actions/setup-python@v6 with: python-version: "3.13" @@ -35,7 +35,7 @@ jobs: run: uv build - name: Publish package - uses: pypa/gh-action-pypi-publish@v1.13.0 + uses: pypa/gh-action-pypi-publish@v1.14.0 with: user: __token__ password: ${{ secrets.PYPI_API_TOKEN }} -- cgit v1.2.3 From 6071528289e4a8b11a772433c33851136d30f133 Mon Sep 17 00:00:00 2001 From: Roberto Bertó <463349+robertoberto@users.noreply.github.com> Date: Tue, 19 May 2026 06:14:08 +0000 Subject: ci: pin actions by full commit SHA Per OpenSSF Scorecard 'Pinned-Dependencies' guidance, third-party GitHub Actions should be referenced by full commit SHA, not by tag. Tags are mutable; a SHA is not. Each pin keeps a '# vX.Y.Z' trailing comment so Dependabot can read the current version and propose updates while still pinning by SHA. - actions/checkout de0fac2 # v6.0.2 - actions/setup-python a309ff8 # v6.2.0 - astral-sh/setup-uv 0880764 # v8.1.0 - pypa/gh-action-pypi-publish cef2210 # v1.14.0 This commit does not change pyvyos HTTP payloads, request handling, or response parsing. --- .github/workflows/python-pr-validation.yml | 6 +++--- .github/workflows/python-publish.yml | 6 +++--- CHANGELOG.md | 13 ++++++++----- 3 files changed, 14 insertions(+), 11 deletions(-) (limited to '.github/workflows/python-publish.yml') diff --git a/.github/workflows/python-pr-validation.yml b/.github/workflows/python-pr-validation.yml index d4e55de..5defe21 100644 --- a/.github/workflows/python-pr-validation.yml +++ b/.github/workflows/python-pr-validation.yml @@ -16,15 +16,15 @@ jobs: python-version: ["3.11", "3.12", "3.13"] steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ matrix.python-version }} - name: Install uv - uses: astral-sh/setup-uv@v8.1.0 + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: enable-cache: true cache-dependency-glob: "pyproject.toml" diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 2ebf94e..9ab4867 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -19,10 +19,10 @@ jobs: deploy: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Python 3.13 - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.13" @@ -35,7 +35,7 @@ jobs: run: uv build - name: Publish package - uses: pypa/gh-action-pypi-publish@v1.14.0 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 with: user: __token__ password: ${{ secrets.PYPI_API_TOKEN }} diff --git a/CHANGELOG.md b/CHANGELOG.md index e0a915d..28c5e82 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -51,11 +51,14 @@ behavior**. - removed duplicated dependency blocks, - dropped the unused `validation` extra, - raised the pytest floor for Python 3.13. -- PR validation workflow upgraded to `actions/checkout@v6`, - `actions/setup-python@v6`, and `astral-sh/setup-uv@v8.1.0`. Publish - workflow upgraded to `actions/checkout@v6`, `actions/setup-python@v6`, - and `pypa/gh-action-pypi-publish@v1.14.0`. Pre-commit hooks bumped to - `pre-commit/pre-commit-hooks@v6.0.0`. All move off Node.js 20. +- GitHub Actions bumped off Node.js 20 and pinned by full commit SHA + (per [OpenSSF Scorecard guidance][1]) with a `# vX.Y.Z` comment so + Dependabot can keep them current: + `actions/checkout@v6.0.2`, `actions/setup-python@v6.2.0`, + `astral-sh/setup-uv@v8.1.0`, `pypa/gh-action-pypi-publish@v1.14.0`. + Pre-commit hooks bumped to `pre-commit/pre-commit-hooks@v6.0.0`. + +[1]: https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies - `.env.example` default flipped to `VYDEVICE_VERIFY_SSL=true`; commented with field descriptions. -- cgit v1.2.3