diff --git a/.github/workflows/anneal-release.yml b/.github/workflows/anneal-release.yml index 3dc652f436..0349df17e3 100644 --- a/.github/workflows/anneal-release.yml +++ b/.github/workflows/anneal-release.yml @@ -275,7 +275,7 @@ jobs: - name: Submit PR id: submit-pr - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 # zizmor: ignore[superfluous-actions] + uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.0 # zizmor: ignore[superfluous-actions] with: commit-message: "Release Anneal ${{ github.event.inputs.version }}" author: Google PR Creation Bot diff --git a/.github/workflows/anneal.yml b/.github/workflows/anneal.yml index 5ca215628b..9009c97824 100644 --- a/.github/workflows/anneal.yml +++ b/.github/workflows/anneal.yml @@ -44,7 +44,7 @@ jobs: uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Log in to the Container registry - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -70,7 +70,7 @@ jobs: - name: Build Docker image (Dry Run) id: build_dry - uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 with: context: anneal file: anneal/Dockerfile @@ -138,7 +138,7 @@ jobs: # dry-run build above. - name: Build and push Docker image if: steps.check_remote.outputs.match != 'true' - uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 # NOTE: All arguments here must match the dry-run step above exactly # in order to ensure we hit the cache for the local build! with: 
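Review bot: On the `uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1` line of the Submit PR step, the trailing comment still reads `# v8.1.0` although the pinned commit changed from `c0f553fe…`, so the comment no longer identifies which release is pinned. The diff alone cannot show whether the comment is stale or the upstream tag was re-pointed; a moved tag deserves a closer look, because this step pushes commits and opens PRs with a repository token. Resolve the new SHA against the upstream tags (for example `git ls-remote --tags https://github.com/peter-evans/create-pull-request`) and update the comment to match: `@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # <tag that resolves to this commit>`. The same line recurs in the `backport-pr.yml`, `release-crate-version.yml` and both `roll-pinned-toolchain-versions.yml` hunks; every other bump in this patch changes the SHA and the version comment together.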
@@ -177,7 +177,7 @@ jobs: uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Log in to the Container registry - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -246,7 +246,7 @@ jobs: uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Log in to the Container registry - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -390,7 +390,7 @@ jobs: uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Log in to the Container registry - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ghcr.io username: ${{ github.actor }} diff --git a/.github/workflows/backport-pr.yml b/.github/workflows/backport-pr.yml index 23aae08b26..03a1d7136d 100644 --- a/.github/workflows/backport-pr.yml +++ b/.github/workflows/backport-pr.yml @@ -62,7 +62,7 @@ jobs: echo "AUTHOR=$AUTHOR" >> $GITHUB_ENV - name: Submit PR - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 # zizmor: ignore[superfluous-actions] + uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.0 # zizmor: ignore[superfluous-actions] with: author: "${{ env.AUTHOR }}" committer: "${{ env.AUTHOR }}" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f502cd0e41..0c2d30a7ee 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -307,7 +307,7 @@ jobs: uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Log in to the Container registry - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -322,7 +322,7 @@ jobs: echo "tag=${REF_NAME//\//-}" >> "$GITHUB_OUTPUT" - name: Load image from cache - uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 with: context: . file: .github/workflows/Dockerfile @@ -989,7 +989,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 + - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 with: # Only scan the .github directory to avoid scanning vendored dependencies inputs: .github @@ -1015,7 +1015,7 @@ jobs: uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Log in to the Container registry - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -1030,7 +1030,7 @@ jobs: echo "tag=${REF_NAME//\//-}" >> "$GITHUB_OUTPUT" - name: Build and cache layers - uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 with: context: . file: .github/workflows/Dockerfile diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 96a9863754..f94f9975c7 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml 
@@ -31,7 +31,7 @@ jobs: contents: read steps: - name: Harden Runner - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index a178b7aefe..4e2e9f843d 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -93,7 +93,7 @@ jobs: fi - name: Upload Cargo doc output to GitHub Pages - uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4 + uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0 with: path: target/doc deploy: diff --git a/.github/workflows/release-crate-version.yml b/.github/workflows/release-crate-version.yml index 1c04f28fdf..0e04b3f9f1 100644 --- a/.github/workflows/release-crate-version.yml +++ b/.github/workflows/release-crate-version.yml @@ -44,7 +44,7 @@ jobs: - name: Submit PR id: submit-pr - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 # zizmor: ignore[superfluous-actions] + uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.0 # zizmor: ignore[superfluous-actions] with: commit-message: "Release ${{ github.event.inputs.version }}" author: Google PR Creation Bot diff --git a/.github/workflows/roll-pinned-toolchain-versions.yml b/.github/workflows/roll-pinned-toolchain-versions.yml index c99d94821e..2c39331049 100644 --- a/.github/workflows/roll-pinned-toolchain-versions.yml +++ b/.github/workflows/roll-pinned-toolchain-versions.yml 
@@ -118,7 +118,7 @@ jobs: - name: Submit PR id: submit-pr - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 # zizmor: ignore[superfluous-actions] + uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.0 # zizmor: ignore[superfluous-actions] with: commit-message: "[ci] Roll pinned ${{ matrix.toolchain }} toolchain" author: Google PR Creation Bot @@ -164,7 +164,7 @@ jobs: sed -i -E -e "s/^( *kani-version:)( [0-9]+\.[0-9]+\.[0-9]+)/\1 $KANI_LATEST/" .github/workflows/ci.yml - name: Submit PR id: submit-pr - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 # zizmor: ignore[superfluous-actions] + uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.0 # zizmor: ignore[superfluous-actions] with: commit-message: "[ci] Roll pinned Kani version" author: Google PR Creation Bot diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 25180c752a..3c2187fd09 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -64,7 +64,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: SARIF file path: results.sarif @@ -72,6 +72,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: sarif_file: results.sarif