From 1507d006e0bb67288918003552a141fb59f411cc Mon Sep 17 00:00:00 2001 From: Cristian Le Date: Thu, 7 May 2026 13:45:06 +0200 Subject: [PATCH] Move mutable tags to "more immutable" ones Signed-off-by: Cristian Le --- .github/workflows/build-and-publish-renovate.yml | 6 +++--- .github/workflows/ci.yml | 2 +- .github/workflows/publish-images.yml | 10 +++++----- .github/workflows/release.yml | 6 +++--- .github/workflows/renovate.yml | 4 ++-- .github/workflows/step-build-wheel.yml | 4 ++-- .github/workflows/step-doc-tests.yml | 8 ++++---- .github/workflows/step-pre-commit.yml | 4 ++-- .github/workflows/step-shellcheck.yml | 10 +++++----- 9 files changed, 27 insertions(+), 27 deletions(-) diff --git a/.github/workflows/build-and-publish-renovate.yml b/.github/workflows/build-and-publish-renovate.yml index 02607ede89..2968d91b6f 100644 --- a/.github/workflows/build-and-publish-renovate.yml +++ b/.github/workflows/build-and-publish-renovate.yml @@ -18,14 +18,14 @@ jobs: permissions: packages: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v6.0.2 with: ref: ${{ inputs.ref }} - - uses: redhat-actions/buildah-build@v2 + - uses: redhat-actions/buildah-build@v2.12 with: image: renovate-tmt containerfiles: ./containers/Containerfile.renovate - - uses: redhat-actions/push-to-registry@v2 + - uses: redhat-actions/push-to-registry@v2.8 with: image: renovate-tmt tags: latest diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 048f4f62bf..be284ab7fe 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -51,6 +51,6 @@ jobs: needs: [ pre-commit, build-wheel, shellcheck, doc-tests ] runs-on: ubuntu-slim steps: - - uses: re-actors/alls-green@release/v1 + - uses: re-actors/alls-green@v1.2.2 with: jobs: ${{ toJSON(needs) }} diff --git a/.github/workflows/publish-images.yml b/.github/workflows/publish-images.yml index 8e83729cc0..da810f4d69 100644 --- a/.github/workflows/publish-images.yml +++ b/.github/workflows/publish-images.yml @@ -8,22 +8,22 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v6.0.2 - name: Build - tmt - uses: redhat-actions/buildah-build@v2 + uses: redhat-actions/buildah-build@v2.12 id: build-image-tmt with: image: tmt containerfiles: ./containers/Containerfile.mini - name: Build - tmt-all - uses: redhat-actions/buildah-build@v2 + uses: redhat-actions/buildah-build@v2.12 id: build-image-tmt-all with: image: tmt-all containerfiles: ./containers/Containerfile.full - name: Push To quay.io - tmt id: push-to-quay-tmt - uses: redhat-actions/push-to-registry@v2 + uses: redhat-actions/push-to-registry@v2.8 with: image: ${{ steps.build-image-tmt.outputs.image }} tags: ${{ steps.build-image-tmt.outputs.tags }} @@ -32,7 +32,7 @@ jobs: password: ${{ secrets.QUAY_TEEMTEE_SECRET }} - name: Push To quay.io - tmt-all id: push-to-quay-tmt-all - uses: redhat-actions/push-to-registry@v2 + uses: redhat-actions/push-to-registry@v2.8 with: image: ${{ steps.build-image-tmt-all.outputs.image }} tags: ${{ steps.build-image-tmt-all.outputs.tags }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 59a89a9b66..78bd7c29e8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -30,15 +30,15 @@ jobs: attestations: write steps: - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@v8.0.1 with: name: Packages path: dist - name: Generate artifact attestation for sdist and wheel - uses: actions/attest-build-provenance@v4 + uses: actions/attest-build-provenance@v4.1.0 with: subject-path: "dist/*" - name: Publish to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@v1.14.0 diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index b45d84e785..b302a9e68c 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -20,10 +20,10 @@ jobs: environment: renovate runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v6.0.2 - name: Get GitHub App token id: token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@v3.1.1 with: client-id: ${{ secrets.RENOVATE_BOT_CLIENT_ID }} private-key: ${{ secrets.RENOVATE_BOT_PRIVATE_KEY }} diff --git a/.github/workflows/step-build-wheel.yml b/.github/workflows/step-build-wheel.yml index 1ca76e1833..5737afdece 100644 --- a/.github/workflows/step-build-wheel.yml +++ b/.github/workflows/step-build-wheel.yml @@ -13,8 +13,8 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v6.0.2 with: ref: ${{ inputs.ref }} persist-credentials: false - - uses: hynek/build-and-inspect-python-package@v2 + - uses: hynek/build-and-inspect-python-package@v2.17.0 diff --git a/.github/workflows/step-doc-tests.yml b/.github/workflows/step-doc-tests.yml index 6e68b53870..408439953a 100644 --- a/.github/workflows/step-doc-tests.yml +++ b/.github/workflows/step-doc-tests.yml @@ -26,14 +26,14 @@ jobs: sphinx_builder: html steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v6.0.2 with: persist-credentials: false ref: ${{ inputs.ref }} - - uses: actions/setup-python@v6 + - uses: actions/setup-python@v6.2.0 with: python-version: 3.x - - uses: astral-sh/setup-uv@v7 + - uses: astral-sh/setup-uv@v7.6.0 with: activate-environment: true - name: Install tmt[docs] @@ -45,7 +45,7 @@ jobs: if: ${{ matrix.builder == 'lint' }} - name: Cache linkcheck results - uses: actions/cache@v5 + uses: actions/cache@v5.0.5 with: path: docs/_build/linkcheck_cache.json key: linkcheck diff --git a/.github/workflows/step-pre-commit.yml b/.github/workflows/step-pre-commit.yml index 1a226b7526..7f1991cce5 100644 --- a/.github/workflows/step-pre-commit.yml +++ b/.github/workflows/step-pre-commit.yml @@ -19,11 +19,11 @@ jobs: - run: | wget -O /usr/local/bin/hadolint https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64 chmod +x /usr/local/bin/hadolint - - uses: actions/checkout@v6 + - uses: actions/checkout@v6.0.2 with: persist-credentials: false ref: ${{ inputs.ref }} - - uses: actions/setup-python@v6 + - uses: actions/setup-python@v6.2.0 with: # Python 3.9 is for mypy testing the lowest python version # Python 3.13 is for ansible-lint hard-coding the python requirement diff --git a/.github/workflows/step-shellcheck.yml b/.github/workflows/step-shellcheck.yml index 1f2238527a..29cdbb9cc2 100644 --- a/.github/workflows/step-shellcheck.yml +++ b/.github/workflows/step-shellcheck.yml @@ -19,7 +19,7 @@ jobs: steps: - name: Repository checkout - uses: actions/checkout@v6 + uses: actions/checkout@v6.0.2 with: fetch-depth: 0 persist-credentials: false @@ -27,7 +27,7 @@ jobs: - id: ShellCheck name: Differential ShellCheck - uses: redhat-plumbers-in-action/differential-shellcheck@v5 + uses: redhat-plumbers-in-action/differential-shellcheck@v5.5.6 # Note: we do not use token here to have more control of when to upload the sarif. # It might be incorrect to upload them for PRs. # https://github.com/github/codeql-action/issues/3578 @@ -41,7 +41,7 @@ jobs: - if: ${{ always() }} name: Upload artifact with ShellCheck defects in SARIF format - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@v7.0.1 with: name: Differential ShellCheck SARIF path: ${{ steps.ShellCheck.outputs.sarif }} @@ -53,10 +53,10 @@ jobs: permissions: security-events: write steps: - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@v8.0.1 with: name: Differential ShellCheck SARIF - - uses: github/codeql-action/upload-sarif@v4 + - uses: github/codeql-action/upload-sarif@v4.35.3 with: sarif_file: ${{ needs.lint.outputs.sarif }} if: ${{ inputs.upload_sarif }}