diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 315fc28a7..7d358a8b3 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -42,7 +42,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@v7 - name: Setup Go uses: actions/setup-go@v6 @@ -53,7 +53,7 @@ jobs: # `uv run --python ` and fails loudly if uv is missing # (see internal/eval_harness/python.go). Must match ci.yml. - name: Set up uv - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 - name: Get dependencies run: go mod download diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b1d020e1e..3a572455f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v7 with: # SonarCloud needs full history to attribute blame and compute # "new code" metrics correctly. Shallow clones break both. @@ -36,7 +36,7 @@ jobs: # Python is installed. Update PinnedPythonVersion in # internal/eval_harness/python.go if the target moves. - name: Set up uv - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 - name: Install dependencies run: make deps @@ -155,7 +155,7 @@ jobs: # continue-on-error keeps CI green if the secret is missing or the scan # service has a hiccup — Sonar is a reporting layer, not a gate. - name: SonarCloud scan - uses: SonarSource/sonarqube-scan-action@59db25f34e16620e48ab4bb9e4a5dce155cb5432 # v7 + uses: SonarSource/sonarqube-scan-action@713881670b6b3676cda39549040e2d88c70d582e # v7 continue-on-error: true env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} @@ -191,7 +191,7 @@ jobs: runs-on: windows-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v7 with: # Avoid CRLF rewrites on test fixtures and golden files. # PowerShell + git autocrlf can otherwise mutate bytes between @@ -209,7 +209,7 @@ jobs: cache: true - name: Set up uv (provides Python for eval-harness Python runner tests) - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 - name: Install ailang to PATH (mirrors `make install`) shell: pwsh @@ -256,7 +256,7 @@ jobs: needs: test steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v7 - name: Set up Go uses: actions/setup-go@v6 @@ -278,7 +278,7 @@ jobs: if: github.event_name == 'push' && github.ref == 'refs/heads/dev' steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v7 - name: Sync prompts/ to docs/prompts/ run: ./docs/scripts/sync-prompts.sh @@ -300,7 +300,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v7 - name: Set up Go uses: actions/setup-go@v6 @@ -326,7 +326,7 @@ jobs: # allowlist entry past its expires date — forces re-review rather # than letting suppressions float forever. steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v7 - name: Set up Go uses: actions/setup-go@v6 @@ -355,7 +355,7 @@ jobs: if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev') steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v7 - name: Set up Go uses: actions/setup-go@v6 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b7b185208..1bb399fc3 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -44,7 +44,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@v7 - name: Initialize CodeQL uses: github/codeql-action/init@v4 diff --git a/.github/workflows/dashboard-ui-build.yml b/.github/workflows/dashboard-ui-build.yml index 2c8375d87..3268770b9 100644 --- a/.github/workflows/dashboard-ui-build.yml +++ b/.github/workflows/dashboard-ui-build.yml @@ -23,13 +23,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@v7 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Build ui-builder stage - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 with: context: . file: docker/Dockerfile.dashboard diff --git a/.github/workflows/docusaurus-deploy.yml b/.github/workflows/docusaurus-deploy.yml index d639f5654..b2b0e8e6d 100644 --- a/.github/workflows/docusaurus-deploy.yml +++ b/.github/workflows/docusaurus-deploy.yml @@ -61,7 +61,7 @@ jobs: if: ${{ !contains(github.event.head_commit.message, '[skip ci]') || github.actor == 'github-actions[bot]' }} steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@v7 with: fetch-depth: 0 # Fetch all history and tags for version generation diff --git a/.github/workflows/eval-weekly.yml b/.github/workflows/eval-weekly.yml index 99cba2104..032b9a39b 100644 --- a/.github/workflows/eval-weekly.yml +++ b/.github/workflows/eval-weekly.yml @@ -24,7 +24,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v7 - name: Set up Go uses: actions/setup-go@v6 @@ -37,7 +37,7 @@ jobs: # rather than a system `python3`. Update PinnedPythonVersion in # internal/eval_harness/python.go if the target moves. - name: Set up uv - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 - name: Install dependencies run: make deps diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c8f194609..5da2c2b42 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@v7 - name: Setup Go uses: actions/setup-go@v6 @@ -106,7 +106,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@v7 - name: Setup Go uses: actions/setup-go@v6 @@ -130,7 +130,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@v7 - name: Create examples.zip run: | @@ -178,7 +178,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@v7 - name: Setup Go uses: actions/setup-go@v6 @@ -232,7 +232,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@v7 - name: Setup Go uses: actions/setup-go@v6 @@ -272,7 +272,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@v7 - name: Download all artifacts uses: actions/download-artifact@v8 @@ -397,7 +397,7 @@ jobs: # with "Cannot upload assets to an immutable release". The # finalize-release job below flips draft=false after provenance # uploads its attestation. - uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3 + uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3 with: name: AILANG ${{ steps.get_version.outputs.VERSION }} body_path: changelog.md diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 1d7e7e705..c36a46c91 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -27,7 +27,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@v7 with: persist-credentials: false diff --git a/.github/workflows/test-game-codegen.yml b/.github/workflows/test-game-codegen.yml index 8d0b982a8..5b31f5339 100644 --- a/.github/workflows/test-game-codegen.yml +++ b/.github/workflows/test-game-codegen.yml @@ -30,7 +30,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@v7 - name: Set up Go uses: actions/setup-go@v6