diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
index cf6961ebad..f0156f3f0e 100644
--- a/.github/workflows/auto-merge.yml
+++ b/.github/workflows/auto-merge.yml
@@ -18,6 +18,7 @@ jobs:
 if: | contains(github.event.pull_request.labels.*.name, 'automerge') && !contains(github.event.pull_request.labels.*.name, 'do-not-merge') - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3with: + uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3 + with: github-token: ${{ secrets.GITHUB_TOKEN }} merge-method: squash
diff --git a/.github/workflows/ci-rerun-flaky.yml b/.github/workflows/ci-rerun-flaky.yml
index ed785ac7b8..ae1dbf8c2d 100644
--- a/.github/workflows/ci-rerun-flaky.yml
+++ b/.github/workflows/ci-rerun-flaky.yml
@@ -15,7 +15,8 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Rerun failed CI jobs and remove rerun label - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7with: + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 + with: script: | const label = 'ci:rerun-flaky'; const { owner, repo } = context.repo;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b50ef95b39..6f6c8a0bfe 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,24 +12,28 @@ permissions:
 jobs: test: runs-on: ubuntu-latest - + strategy: matrix: go-version: ['1.21', '1.22'] - + steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Refresh models catalog + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + + - name: Refresh models catalog run: | git fetch --depth 1 https://github.com/router-for-me/models.git main mkdir -p pkg/llmproxy/registry/models git show FETCH_HEAD:models.json > pkg/llmproxy/registry/models/models.json - name: Setup Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version: ${{ matrix.go-version }} - name: Cache Go modules - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4with: + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 + with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: |
@@ -45,10 +49,6 @@ jobs:
 run: go test ./... -v -race -coverprofile=coverage.out - name: Upload coverage - uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3with: + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3 + with: files: ./coverage.out - - - phenotype-validate: - runs-on: ubuntu-latest - uses: KooshaPari/phenotypeActions/.github/workflows/validate-governance.yml@main
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 64704c9d27..a2f4ca1a76 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
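Review bot: The Refresh models catalog step, now the second step of the `test` job in the first hunk, fetches the unpinned `main` branch of `https://github.com/router-for-me/models.git` on every run and copies its `models.json` into the tree, so what gets tested is whatever that branch holds at that moment: not reproducible, and a bad or malicious push to that branch reaches every build with no review on this side. Suggest fetching a fixed commit instead, e.g. `git fetch --depth 1 https://github.com/router-for-me/models.git <models-commit-sha placeholder>`, and bumping it deliberately, or at least comparing the fetched file against a checked-in digest before it is used. The same step appears in the docker-image.yml (three jobs), pr-test-build.yml and release.yaml hunks, where it feeds published images and release binaries rather than a test run. The `test` job's `go-version: ['1.21', '1.22']` matrix is also worth checking against go.mod's go directive, since release-batch.yaml asks for `>=1.26.0`.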
@@ -19,18 +19,23 @@ jobs:
 language: [go] steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Initialize CodeQL - uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4with: + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Initialize CodeQL + uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + with: languages: ${{ matrix.language }} config-file: .github/codeql/codeql-config.yml - name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version-file: go.mod cache: true - name: Build run: go build ./... - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4analyze-skip-for-migrated-router-fix: + uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + + analyze-skip-for-migrated-router-fix: name: Analyze (Go) if: ${{ startsWith(github.head_ref, 'ci/fix-migrated-router-20260225060000-feature_ampcode-alias') }} runs-on: ubuntu-latest
diff --git a/.github/workflows/coderabbit-rate-limit-retry.yml b/.github/workflows/coderabbit-rate-limit-retry.yml
index 376840ff6e..d70b3706f3 100644
--- a/.github/workflows/coderabbit-rate-limit-retry.yml
+++ b/.github/workflows/coderabbit-rate-limit-retry.yml
@@ -15,7 +15,8 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Re-request CodeRabbit when backlog is high and check is stale - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7with: + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 + with: script: | const owner = context.repo.owner; const repo = context.repo.repo;
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 4e118ad0dc..9cce9bb934 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -15,13 +15,16 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Refresh models catalog + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Refresh models catalog run: | git fetch --depth 1 https://github.com/router-for-me/models.git main git show FETCH_HEAD:models.json > internal/registry/models/models.json - name: Set up Docker Buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3- name: Login to DockerHub - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3with: + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 + - name: Login to DockerHub + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 + with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Generate Build Metadata
@@ -30,7 +33,8 @@ jobs:
 echo COMMIT=`git rev-parse --short HEAD` >> $GITHUB_ENV echo BUILD_DATE=`date -u +%Y-%m-%dT%H:%M:%SZ` >> $GITHUB_ENV - name: Build and push (amd64) - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6with: + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 + with: context: . platforms: linux/amd64 push: true
@@ -46,13 +50,16 @@ jobs:
 runs-on: ubuntu-24.04-arm steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Refresh models catalog + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Refresh models catalog run: | git fetch --depth 1 https://github.com/router-for-me/models.git main git show FETCH_HEAD:models.json > internal/registry/models/models.json - name: Set up Docker Buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3- name: Login to DockerHub - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3with: + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 + - name: Login to DockerHub + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 + with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Generate Build Metadata
@@ -61,7 +68,8 @@ jobs:
 echo COMMIT=`git rev-parse --short HEAD` >> $GITHUB_ENV echo BUILD_DATE=`date -u +%Y-%m-%dT%H:%M:%SZ` >> $GITHUB_ENV - name: Build and push (arm64) - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6with: + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 + with: context: . platforms: linux/arm64 push: true
@@ -80,9 +88,12 @@ jobs:
 - docker_arm64 steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Docker Buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3- name: Login to DockerHub - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3with: + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 + - name: Login to DockerHub + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 + with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Generate Build Metadata
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index b05492eccf..faa02e7345 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -19,14 +19,17 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Setup Node - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4with: + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Setup Node + uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4 + with: node-version: "20" cache: "npm" cache-dependency-path: docs/package.json - name: Setup Bun - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2with: + uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 + with: bun-version: latest - name: Install OXC dependencies
@@ -50,7 +53,8 @@ jobs:
 run: test -f docs/.vitepress/dist/index.html - name: Upload pages artifact - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3with: + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 + with: path: docs/.vitepress/dist/ build-skip-branch-ci-unblock:
@@ -71,6 +75,7 @@ jobs:
 url: ${{ steps.deployment.outputs.page_url }} steps: - name: Configure Pages - uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5- name: Deploy + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 + - name: Deploy id: deployment uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4
\ No newline at end of file
diff --git a/.github/workflows/generate-sdks.yaml b/.github/workflows/generate-sdks.yaml
index af9012880c..69126ba79c 100644
--- a/.github/workflows/generate-sdks.yaml
+++ b/.github/workflows/generate-sdks.yaml
@@ -11,8 +11,10 @@ jobs:
 generate-python-sdk: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Setup Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5with: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - name: Setup Python + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 + with: python-version: '3.14' - name: Install OpenAPI Generator
@@ -29,7 +31,8 @@ jobs:
 --additional-properties=pythonVersion==3.12,generateSourceCodeOnly=true - name: Create Pull Request - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6with: + uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6 + with: commit-message: 'chore: generate Python SDK' title: 'chore: generate Python SDK' body: |
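Review bot: The generate-python-sdk hunk keeps `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4`, and the generate-typescript-sdk hunk that follows keeps `actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4`, while the files whose doubled `@sha@sha` pins this commit repairs settle on `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4` and `actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4`, so the repository ends up with two different commits per action both labelled v4; release-batch.yaml and release.yaml keep the older checkout SHA as well. The doubled pins look like the output of a refresh tool that rewrote the SHA after the `# v4` comment without removing the previous one, and two divergent pins under the same label hand the next refresh the same opportunity. Suggest choosing one SHA per action, checking it against the upstream tag, and using it in every workflow, with the comment recording which tag it was checked against.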
@@ -40,8 +43,10 @@ jobs:
 generate-typescript-sdk: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Setup Node - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4with: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - name: Setup Node + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 + with: node-version: '20' - name: Install OpenAPI Generator
@@ -57,7 +62,8 @@ jobs:
 --additional-properties=typescriptVersion=5.0,npmName=@cliproxy/api - name: Create Pull Request - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6with: + uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6 + with: commit-message: 'chore: generate TypeScript SDK' title: 'chore: generate TypeScript SDK' body: |
diff --git a/.github/workflows/journey-gate.yml b/.github/workflows/journey-gate.yml
index c26f5838da..d35ab03570 100644
--- a/.github/workflows/journey-gate.yml
+++ b/.github/workflows/journey-gate.yml
@@ -55,7 +55,7 @@ jobs:
 steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 # --------------------------------------------------------------------- # 1. Install runtime dependencies
diff --git a/.github/workflows/lint-test.yml b/.github/workflows/lint-test.yml
index 27f8d9f68f..0e49697ae4 100644
--- a/.github/workflows/lint-test.yml
+++ b/.github/workflows/lint-test.yml
@@ -12,4 +12,20 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- uses: KooshaPari/phenotypeActions/actions/lint-test@main + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + + # The previous step was corrupted: a double `@sha@sha` checkout pin mashed + # onto a `KooshaPari/phenotypeActions/actions/lint-test` reference (a + # reusable-actions repo that does not exist). Replaced with real inline Go + # lint+test, matching ci.yml's setup. Trigger left as workflow_dispatch to + # preserve the existing behavior. - name: Setup Go + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: + go-version: "1.22" + + - name: go vet + run: go vet ./... + + - name: go test + run: go test ./...
diff --git a/.github/workflows/pages-deploy.yml b/.github/workflows/pages-deploy.yml
index b1f69e17ea..e3f2730e28 100644
--- a/.github/workflows/pages-deploy.yml
+++ b/.github/workflows/pages-deploy.yml
@@ -12,7 +12,10 @@ jobs:
 url: ${{ steps.deployment.outputs.page_url }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4- uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3with: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4 + - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 + with: path: '.' - id: deployment uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4
\ No newline at end of file
diff --git a/.github/workflows/policy-gate.yml b/.github/workflows/policy-gate.yml
index fe8fc69368..3bbf0f6e86 100644
--- a/.github/workflows/policy-gate.yml
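Review bot: The new Setup Go step in the lint-test.yml hunk hard-codes `go-version: "1.22"`, while the Go jobs this commit repairs in pr-test-build.yml and codeql.yml take the toolchain from `go-version-file: go.mod` and release-batch.yaml asks for `>=1.26.0`; if go.mod declares a go directive newer than 1.22, the `go vet` and `go test` steps here will either pull a different toolchain on the fly or fail, so this job does not check the module with the toolchain it declares. Suggest replacing the literal with `go-version-file: go.mod` and adding `cache: true`, matching the other workflows. The five-line comment above the step is history that belongs in the commit message; in the workflow a single line such as `# Inline go vet/test; toolchain setup mirrors pr-test-build.yml` is enough, and its assertion that the phenotypeActions repository does not exist cannot be verified from this diff and should be dropped or softened. The job's trigger and permissions are defined above the hunk and are not visible here.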
+++ b/.github/workflows/policy-gate.yml
@@ -7,5 +7,6 @@ jobs:
 enforce: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Enforce engineering policies + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Enforce engineering policies run: ./scripts/policy-gate.sh
diff --git a/.github/workflows/pr-path-guard.yml b/.github/workflows/pr-path-guard.yml
index 4da1648f16..2ec7343638 100644
--- a/.github/workflows/pr-path-guard.yml
+++ b/.github/workflows/pr-path-guard.yml
@@ -11,11 +11,13 @@ jobs:
 name: ensure-no-translator-changes runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: fetch-depth: 0 - name: Detect pkg/llmproxy/translator changes id: changed-files - uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c # v45with: + uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c # v45 + with: files: | pkg/llmproxy/translator/** - name: Fail when restricted paths change
diff --git a/.github/workflows/pr-test-build.yml b/.github/workflows/pr-test-build.yml
index 12c512a895..53a52b03fc 100644
--- a/.github/workflows/pr-test-build.yml
+++ b/.github/workflows/pr-test-build.yml
@@ -13,12 +13,14 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Refresh models catalog + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Refresh models catalog run: | git fetch --depth 1 https://github.com/router-for-me/models.git main git show FETCH_HEAD:models.json > internal/registry/models/models.json - name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version-file: go.mod cache: true - name: Build
@@ -39,8 +41,10 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Set up Go + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version-file: go.mod cache: true - name: Run full tests with baseline
@@ -54,7 +58,8 @@ jobs:
 exit "${test_exit}" - name: Upload baseline artifact if: always() - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4with: + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4 + with: name: go-test-baseline path: target/test-baseline.json if-no-files-found: warn
@@ -64,8 +69,10 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Set up Go + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version-file: go.mod cache: true - name: Install golangci-lint
@@ -79,7 +86,8 @@ jobs:
 go install honnef.co/go/tools/cmd/staticcheck@latest fi - name: Install Task - uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2with: + uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2.0.0 + with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Run CI quality gates
@@ -93,8 +101,10 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Set up Go + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version-file: go.mod cache: true - name: Install golangci-lint
@@ -103,7 +113,8 @@ jobs:
 go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.1.6 fi - name: Install Task - uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2with: + uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2.0.0 + with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Check staged/diff files in PR range
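Review bot: In the `@@ -79,7 +86,8 @@` hunk the old `arduino/setup-task` pin was a literal GitHub API 404 body (`{"message":"Not Found",...}`), which suggests the tool that pinned these workflows could not resolve the ref it was given, so the replacement `arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2.0.0` deserves an explicit check that the SHA exists in that repository and is the commit its `v2.0.0` tag points at — the same step hands `repo-token: ${{ secrets.GITHUB_TOKEN }}` to whatever code that SHA resolves to. The identical replacement appears in the `@@ -103,7 +113,8 @@`, `@@ -116,12 +127,15 @@`, `@@ -228,12 +250,15 @@` and `@@ -244,12 +269,15 @@` hunks of this file and only needs checking once. The hunk's first context line, `go install honnef.co/go/tools/cmd/staticcheck@latest`, installs an unpinned tool on every run; a fixed version like the `@v2.1.6` used for golangci-lint in the next hunk keeps the lint result reproducible.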
@@ -116,12 +127,15 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Set up Go + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version-file: go.mod cache: true - name: Install Task - uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2with: + uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2.0.0 + with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Verify formatting
@@ -132,8 +146,10 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Set up Go + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version-file: go.mod cache: true - name: Install golangci-lint
@@ -150,8 +166,10 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Set up Go + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version-file: go.mod cache: true - name: Run route lifecycle tests
@@ -169,8 +187,10 @@ jobs:
 CLIPROXY_BASE_URL: "http://127.0.0.1:8317" steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Set up Go + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version-file: go.mod cache: true - name: Build cliproxy proxy
@@ -202,8 +222,10 @@ jobs:
 CLIPROXY_BASE_URL: "http://127.0.0.1:8317" steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Set up Go + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version-file: go.mod cache: true - name: Build cliproxy proxy
@@ -228,12 +250,15 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Set up Go + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version-file: go.mod cache: true - name: Install Task - uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2with: + uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2.0.0 + with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Run startup and control-plane smoke tests
@@ -244,12 +269,15 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Set up Go + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version-file: go.mod cache: true - name: Install Task - uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2with: + uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2.0.0 + with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Validate config compatibility path
@@ -261,8 +289,10 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Set up Go + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version-file: go.mod cache: true - name: Run targeted critical-path checks
@@ -273,7 +303,8 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with: + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: fetch-depth: 0 - name: Detect change scopes run: |
@@ -314,7 +345,8 @@ jobs:
 echo "scope=${scope}" >> "$GITHUB_ENV" echo "scope=${scope}" > target/changelog-scope.txt - name: Upload changelog scope artifact - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4with: + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4 + with: name: changelog-scope path: target/changelog-scope.txt
@@ -323,8 +355,10 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Setup Node - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4with: + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Setup Node + uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4 + with: node-version: "20" cache: "npm" cache-dependency-path: docs/package.json
diff --git a/.github/workflows/quality-gate.yml b/.github/workflows/quality-gate.yml
index 76484b963c..0ead1628c8 100644
--- a/.github/workflows/quality-gate.yml
+++ b/.github/workflows/quality-gate.yml
@@ -7,5 +7,6 @@ jobs:
 verify: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Run quality checks + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Run quality checks run: ./scripts/quality-gate.sh verify
diff --git a/.github/workflows/release-batch.yaml b/.github/workflows/release-batch.yaml
index 67b65bd463..a6daa64fe5 100644
--- a/.github/workflows/release-batch.yaml
+++ b/.github/workflows/release-batch.yaml
@@ -14,10 +14,12 @@ jobs:
 release-batch: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4with: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: fetch-depth: 0 - run: git fetch --force --tags - - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: go-version: ">=1.26.0" cache: true - name: Configure git
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 9892c91949..dd03966438 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -9,5 +9,6 @@ jobs:
 update_release_draft: runs-on: ubuntu-latest steps: - - uses: release-drafter/release-drafter@6a93d829887aa2e0748befe2e808c66c0ec6e4c7 # v6env: + - uses: release-drafter/release-drafter@6a93d829887aa2e0748befe2e808c66c0ec6e4c7 # v6 + env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 56227dede8..e269226b1f 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -10,14 +10,16 @@ jobs:
 goreleaser: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4with: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: fetch-depth: 0 - name: Refresh models catalog run: | git fetch --depth 1 https://github.com/router-for-me/models.git main git show FETCH_HEAD:models.json > internal/registry/models/models.json - run: git fetch --force --tags - - uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4with: + - uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4 + with: go-version: '>=1.26.0' cache: true - name: Generate Build Metadata
@@ -25,7 +27,8 @@ jobs:
 echo "VERSION=${GITHUB_REF_NAME}" >> $GITHUB_ENV echo COMMIT=`git rev-parse --short HEAD` >> $GITHUB_ENV echo BUILD_DATE=`date -u +%Y-%m-%dT%H:%M:%SZ` >> $GITHUB_ENV - - uses: goreleaser/goreleaser-action@5fdedb94abba051217030cc86d4523cf3f02243d # v4with: + - uses: goreleaser/goreleaser-action@5fdedb94abba051217030cc86d4523cf3f02243d # v4 + with: distribution: goreleaser version: latest args: release --clean --skip=validate
@@ -40,7 +43,8 @@ jobs:
 runs-on: ubuntu-24.04-arm steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: fetch-depth: 0 - name: Build in Termux Container run: |
@@ -62,7 +66,8 @@ jobs:
 tar -czf cli-proxy-api-termux-aarch64.tar.gz cli-proxy-api LICENSE README.md README_CN.md config.example.yaml " - name: Upload to Release - uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2if: startsWith(github.ref, 'refs/tags/') + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2 + if: startsWith(github.ref, 'refs/tags/') with: files: cli-proxy-api-termux-aarch64.tar.gz env:
diff --git a/.github/workflows/required-check-names-guard.yml b/.github/workflows/required-check-names-guard.yml
index fe56573f89..d19ca00885 100644
--- a/.github/workflows/required-check-names-guard.yml
+++ b/.github/workflows/required-check-names-guard.yml
@@ -12,7 +12,8 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Verify required check names exist + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Verify required check names exist run: | set -euo pipefail manifest=".github/required-checks.txt"
diff --git a/.github/workflows/sast-full.yml b/.github/workflows/sast-full.yml
index a00e2a128d..bdf371d2e0 100644
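Review bot: The goreleaser step in the `@@ -25,7 +27,8 @@` hunk of release.yaml keeps `version: latest`, so each tagged release is built by whichever goreleaser version is current that day, which makes release artifacts unreproducible and lets an upstream goreleaser change land in a release without a reviewed bump; an exact pinned version, `version: "<goreleaser-version placeholder>"`, is the usual fix. The same step's `args: release --clean --skip=validate` turns off goreleaser's check that the tree is clean and at the tag, presumably because the Refresh models catalog step in the previous hunk writes into the tree; a one-line comment saying so, `# --skip=validate: tree is dirtied by the models.json refresh above`, would keep a future reader from re-enabling it blindly or, worse, leaving it off for no reason. The previous hunk also pins `actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4` while every other workflow in this change uses `actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5`; worth aligning while the pins are being touched.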
--- a/.github/workflows/sast-full.yml
+++ b/.github/workflows/sast-full.yml
@@ -18,23 +18,30 @@ jobs:
 matrix: language: [go, javascript] steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Initialize CodeQL - uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4with: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Initialize CodeQL + uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + with: languages: ${{ matrix.language }} - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4trivy-repo: + uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + + trivy-repo: name: Trivy Repository Scan runs-on: ubuntu-latest timeout-minutes: 15 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0with: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + with: scan-type: fs scan-ref: . format: sarif output: trivy-results.sarif - name: Upload Trivy SARIF - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4if: always() + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + if: always() with: sarif_file: trivy-results.sarif category: trivy
@@ -44,7 +51,9 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 20 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5with: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 + with: python-version: "3.12" - name: Install Semgrep run: python -m pip install --disable-pip-version-check semgrep==1.157.0 @@ -61,7 +70,8 @@ jobs: . - name: Upload SARIF - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4if: always() + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + if: always() with: sarif_file: semgrep.sarif category: semgrep-full @@ -71,9 +81,11 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 15 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: fetch-depth: 0 - - uses: trufflesecurity/trufflehog@6bd2d14f7a4bc1e569fa3550efa7ec632a4fa67b # v3.94.2with: + - uses: trufflesecurity/trufflehog@6bd2d14f7a4bc1e569fa3550efa7ec632a4fa67b # v3.94.2 + with: path: ./ extra_args: --only-verified diff --git a/.github/workflows/sast-quick.yml b/.github/workflows/sast-quick.yml index 3e7df455c4..2d5035999e 100644 --- a/.github/workflows/sast-quick.yml +++ b/.github/workflows/sast-quick.yml 
@@ -17,9 +17,11 @@ jobs: # Tier 3: Advisory - security enrichment only continue-on-error: true steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: fetch-depth: 0 - - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5with: + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 + with: python-version: "3.12" - name: Install Semgrep run: python -m pip install --disable-pip-version-check semgrep==1.157.0 @@ -29,7 +31,8 @@ jobs: run: | semgrep scan --sarif --sarif-output=semgrep.sarif --max-target-bytes 1000000 --quiet --config=auto || true - name: Upload SARIF - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4if: always() + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + if: always() with: sarif_file: semgrep.sarif 
@@ -41,14 +44,17 @@ jobs: # Tier 3: Advisory - security enrichment only continue-on-error: true steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Analyze licenses - uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4continue-on-error: true # Allow findings but don't fail + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Analyze licenses + uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4 + continue-on-error: true # Allow findings but don't fail - name: Check for non-reusable licenses run: | # Check for problematic licenses grep -r "GPL\|AGPL" --include="*.toml" --include="*.json" . || true - name: Check license compliance - uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4continue-on-error: true + uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4 + continue-on-error: true # Secret Scanning - Tier 2: Important (runs in parallel) secrets: @@ -56,10 +62,12 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 5 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: fetch-depth: 0 - name: Run Gitleaks - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2env: + uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2 + env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: args: --verbose --redact @@ -72,6 +80,7 @@ jobs: output: trivy-results.sarif continue-on-error: true - name: Upload Trivy results - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4if: always() + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + if: always() with: sarif_file: 'trivy-results.sarif' 
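Review bot: After the split, `Analyze licenses` and `Check license compliance` both run `fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4` with `continue-on-error: true` and no differing inputs, so the job performs the same lint twice and neither invocation can fail the job. Drop one of the two, or give the second a distinct purpose via `with:` inputs and say so in its step name. The `grep -r "GPL\|AGPL" … || true` step between them only prints matches; if it is meant to gate anything rather than inform, the `|| true` should go and the condition be inverted, `! grep -rq "GPL\|AGPL" --include="*.toml" --include="*.json" .`.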
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index ccd2add8b9..d1b3f97670 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -24,18 +24,22 @@ jobs: actions: read steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: persist-credentials: false - - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2with: + - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 + with: results_file: results.sarif results_format: sarif publish_results: true - - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4with: + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4 + with: name: SARIF file path: results.sarif retention-days: 5 - - uses: github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3with: + - uses: github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3 + with: sarif_file: results.sarif diff --git a/.github/workflows/security-guard-hook-audit.yml b/.github/workflows/security-guard-hook-audit.yml index 8b6cdaafee..89addc6055 100644 --- a/.github/workflows/security-guard-hook-audit.yml +++ b/.github/workflows/security-guard-hook-audit.yml @@ -11,7 +11,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with: + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: fetch-depth: 0 - name: Wire Git hook path and verify guard hook diff --git a/.github/workflows/tag-automation.yml b/.github/workflows/tag-automation.yml index 98cf804b23..149a03f192 100644 --- a/.github/workflows/tag-automation.yml +++ b/.github/workflows/tag-automation.yml 
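Review bot: The scorecard job's SARIF upload stays on `github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3`, while every other upload-sarif step in this commit (sast-full, sast-quick) is pinned at `github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4`. Unless the v3 pin is deliberate, moving this line to the same v4 SHA leaves a single codeql-action revision to track and update. `persist-credentials: false` on the checkout is the right setting for a job that publishes results externally.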
@@ -8,5 +8,6 @@ jobs: tag: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Create release tag + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Create release tag run: echo "Creating release for ${{ github.ref_name }}" diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml index 2b440b2f78..fc6a1e93b0 100644 --- a/.github/workflows/trufflehog.yml +++ b/.github/workflows/trufflehog.yml @@ -11,7 +11,10 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - - uses: trufflehog/actions/setup@main - - run: trufflehog github --only-verified --no-update - env: - GH_TOKEN: \${{ secrets.GITHUB_TOKEN }} + # Canonical TruffleHog action (the previous `trufflehog/actions/setup` + # reference pointed at a repo that does not exist, and the GH_TOKEN + # interpolation was escaped as `\${{ ... }}` so it never expanded). + - name: TruffleHog secret scan + uses: trufflesecurity/trufflehog@main + with: + extra_args: --only-verified
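Review bot: The `run: echo "Creating release for ${{ github.ref_name }}"` line in the tag-automation hunk interpolates the ref name straight into the shell script, the pattern GitHub's Actions hardening guidance warns against. For a tag push the ref name comes from someone with push access, so exposure here is limited, but the same habit in a pull_request-triggered job is a script-injection vector. Pass it through the environment instead: `env:` / `REF_NAME: ${{ github.ref_name }}` on the step and `run: echo "Creating release for $REF_NAME"`.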
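Review bot: The replacement step in trufflehog.yml uses `trufflesecurity/trufflehog@main`, a floating ref, whereas every other action in this commit is pinned to a commit SHA — and sast-full.yml already pins this same action at `trufflesecurity/trufflehog@6bd2d14f7a4bc1e569fa3550efa7ec632a4fa67b # v3.94.2`. A secret scanner that runs against the full checkout (`fetch-depth: 0`) is exactly the dependency to pin; use the same SHA here so both workflows track one revision and get bumped together. The new step also omits the `path: ./` input that the sast-full step passes; confirm the action's default scan path matches, otherwise the scan scope silently differs between the two workflows.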