diff --git a/.github/workflows/auto-merge-sync.yml b/.github/workflows/auto-merge-sync.yml
index 8a1c6c0a1..423941d31 100644
--- a/.github/workflows/auto-merge-sync.yml
+++ b/.github/workflows/auto-merge-sync.yml
@@ -14,7 +14,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Wait for all required checks to pass
- uses: lewagon/wait-on-check-action@v1.4.1
+ uses: lewagon/wait-on-check-action@3603e826ee561ea102b58accb5ea55a1a7482343 # v1.4.1
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 repo-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
index 8f89f1efd..ec2245387 100644
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -16,9 +16,10 @@ jobs:
 new_version: ${{ steps.check.outputs.new_version }}
 previous_version: ${{ steps.check.outputs.previous_version }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 2
+ persist-credentials: false
 - name: Check if version changed
 id: check
 run: |
@@ -51,9 +52,10 @@ jobs:
 contents: write
 steps:
 - name: Check out Git repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Generate release notes
 id: release_notes
 run: |
@@ -84,7 +86,7 @@ jobs:
 echo "Release notes generated"
 cat release_notes.md
 - name: Create GitHub Release
- uses: softprops/action-gh-release@v2
+ uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
 with:
 tag_name: v${{ needs.check-version-change.outputs.new_version }}
 name: Release v${{ needs.check-version-change.outputs.new_version }}
diff --git a/.github/workflows/build-docker-image.yml b/.github/workflows/build-docker-image.yml
index 351c6e4fe..33ceb2441 100644
--- a/.github/workflows/build-docker-image.yml
+++ b/.github/workflows/build-docker-image.yml
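Review bot: The `# v4` and `# v2` comments on the actions/checkout and softprops/action-gh-release pins in the auto-release hunks record only a floating major tag, so a reader cannot tell which release a SHA was resolved from without looking it up; the wait-on-check-action pin in the first hunk does this right with `# v1.4.1`. Prefer the exact tag in the comment, e.g. `# v4.x.y` (placeholder — use the tag the SHA was actually resolved from), which is also the form Dependabot/Renovate rewrite when they bump a pinned SHA. The same applies to every `# vN` comment elsewhere in this commit. It is also worth confirming, as part of the same pass, that each SHA is reachable from a tag in the upstream repository rather than only from a fork's pull request, since the `owner/repo@sha` syntax accepts any commit object the repository can reach.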
@@ -22,28 +22,30 @@ jobs:
 needs: [run-ci]
 steps:
 - name: Check out Git repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
 with:
 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
 aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 aws-region: ${{ env.AWS_REGION }}
 - name: Login to Amazon ECR Public
 id: login-ecr-public
- uses: aws-actions/amazon-ecr-login@v2
+ uses: aws-actions/amazon-ecr-login@183a1442edf41672e66566b7fc560e297a290896 # v2
 with:
 registry-type: public
 - name: Login to Docker Hub
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 username: ${{ env.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 - name: Build, tag, and push backend image to Amazon Public ECR and Docker Hub
 id: build-image
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
 env:
 ECR_REGISTRY: ${{ steps.login-ecr-public.outputs.registry }}
 with:
@@ -63,7 +65,7 @@ jobs:
 ${{ env.DOCKERHUB_USERNAME }}/${{ env.ECR_BACKEND_REPOSITORY }}:latest
 - name: Build, tag, and push ui image to Amazon Public ECR and Docker Hub
 id: build-ui-image
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
 env:
 ECR_REGISTRY: ${{ steps.login-ecr-public.outputs.registry }}
 with:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5c5179f4f..81d4d313e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
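Review bot: The `Configure AWS credentials` step in the first hunk still authenticates with long-lived static keys (`aws-access-key-id` / `aws-secret-access-key` from secrets), which the new SHA pin and `persist-credentials: false` do nothing to reduce; a leaked key stays valid until someone rotates it. configure-aws-credentials supports short-lived OIDC credentials via `role-to-assume` (the job would then need `id-token: write`, which is not visible in this hunk), and that is the mitigation a hardening pass like this one usually ends with. A follow-up rather than a blocker for this commit.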
@@ -29,10 +29,12 @@ jobs:
 # Maps tcp port 5432 on service container to the host
 - 5432:5432
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+ with:
+ persist-credentials: false
 # If you wanted to use multiple Python versions, you'd have specify a matrix in the job and
 # reference the matrixe python version here.
- - uses: actions/setup-python@v6
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.11"
 # Install uv (fast, single-file binary)
@@ -42,14 +44,14 @@ jobs:
 echo "$HOME/.local/bin" >> $GITHUB_PATH
 # Cache uv's download/resolve cache to speed up CI (optional but nice)
 - name: Cache uv global cache
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ~/.cache/uv
 key: uv-cache-${{ runner.os }}-${{ hashFiles('**/pyproject.toml', '**/uv.lock') }}
 # Cache the project virtualenv (keyed by Python version + lockfile)
 - name: Cache venv
 id: cache-venv
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: .venv
 key: venv-${{ runner.os }}-py${{ steps.setup-python.outputs.python-version || '3.11' }}-${{ hashFiles('**/uv.lock') }}
@@ -65,7 +67,7 @@ jobs:
 run: |
 uv sync --group dev
 - name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version-file: .nvmrc
 cache: npm
@@ -113,9 +115,11 @@ jobs:
 working-directory: ./skyvern-frontend
 steps:
 - name: Check out Git repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version-file: .nvmrc
 - name: Install Node.js dependencies
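Review bot: The first hunk of ci.yml pins actions/checkout to `f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3`, while every other checkout in this commit, including the frontend job in the last hunk of this same file, is pinned to the v4 SHA `34e114876b0b11c390a56381ad16ebd13914f8d5`. Pinning has frozen the older major here instead of aligning it; unless the v3 behaviour is needed for the Postgres service job, use the same v4 SHA (and change the comment to match) so the two jobs in this file move together and an update bot sees a single pin to track.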
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index 42ed76a6d..ef4b7ce80 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -18,12 +18,13 @@ jobs:
 id-token: write
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 1
+ persist-credentials: false
 - name: Run Claude Code Review
 id: claude-review
- uses: anthropics/claude-code-action@v1
+ uses: anthropics/claude-code-action@0ee1beea589a67d33340072691a5d42abec7ae6b # v1
 with:
 claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
 plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index f97d6f820..7db32a7b1 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -32,12 +32,13 @@ jobs:
 actions: read # Required for Claude to read CI results on PRs
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 1
+ persist-credentials: false
 - name: Run Claude Code
 id: claude
- uses: anthropics/claude-code-action@v1
+ uses: anthropics/claude-code-action@0ee1beea589a67d33340072691a5d42abec7ae6b # v1
 with:
 claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
 # This is an optional setting that allows Claude to read CI results on PRs
diff --git a/.github/workflows/inactive-issues-and-prs.yml b/.github/workflows/inactive-issues-and-prs.yml
index 1951b1d18..7514e8754 100644
--- a/.github/workflows/inactive-issues-and-prs.yml
+++ b/.github/workflows/inactive-issues-and-prs.yml
@@ -8,7 +8,7 @@ jobs:
 issues: write
 pull-requests: write
 steps:
- - uses: actions/stale@v5
+ - uses: actions/stale@f7176fd3007623b69d27091f9b9d4ab7995f0a06 # v5
 with:
 days-before-issue-stale: 30
 days-before-issue-close: 14
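Review bot: In the claude-code-review hunk, `plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'` remains an unpinned git URL, so if the action fetches plugin code from that repository at run time (not confirmable from the hunk) the new SHA pin on claude-code-action covers the action itself but not that code path. If the action accepts a ref or commit for the marketplace, pin it the same way; otherwise record the decision next to the line, e.g. `# marketplace contents are fetched unpinned at run time`, so the next audit does not re-litigate it. The `id-token: write` context line and the OAuth token input show this is a fairly privileged job, which is why the one remaining floating dependency is worth a note.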
diff --git a/.github/workflows/preview-fern-docs b/.github/workflows/preview-fern-docs
index 3dcc00d67..fd98e22f8 100644
--- a/.github/workflows/preview-fern-docs
+++ b/.github/workflows/preview-fern-docs
@@ -9,7 +9,9 @@ jobs:
 permissions: write-all
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Install Fern
 run: npm install -g fern-api
@@ -26,6 +28,6 @@ jobs:
 echo "🌿 Preview your docs: $URL" > preview_url.txt
 - name: Comment URL in PR
- uses: thollander/actions-comment-pull-request@v2.4.3
+ uses: thollander/actions-comment-pull-request@1d3973dc4b8e1399c0620d3f2b1aa5e795465308 # v2.4.3
 with:
 filePath: preview_url.txt
diff --git a/.github/workflows/publish-fern-docs.yml b/.github/workflows/publish-fern-docs.yml
index 2ede16a36..0b24aeb07 100644
--- a/.github/workflows/publish-fern-docs.yml
+++ b/.github/workflows/publish-fern-docs.yml
@@ -9,7 +9,9 @@ jobs:
 if: ${{ github.event_name == 'push' }}
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Install Fern
 run: npm install -g fern-api
 - name: Publish Docs
diff --git a/.github/workflows/sdk-release.yml b/.github/workflows/sdk-release.yml
index 726566094..02c140250 100644
--- a/.github/workflows/sdk-release.yml
+++ b/.github/workflows/sdk-release.yml
@@ -12,9 +12,10 @@ jobs:
 outputs:
 version_changed: ${{ steps.check.outputs.version_changed }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 2
+ persist-credentials: false
 - name: Check if version changed
 id: check
 run: |
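Review bot: `permissions: write-all` on the preview-fern-docs job (context line of its first hunk) grants GITHUB_TOKEN every scope, which is the one exposure this commit's pins and `persist-credentials: false` do not reduce, and the new zizmor workflow will report it as excessive permissions on its first run. From what the two hunks show the job checks out, builds a preview and comments on the PR, so `contents: read` plus `pull-requests: write` looks sufficient; confirm against the steps between the hunks. Separately, the file is named `preview-fern-docs` with no `.yml`/`.yaml` extension; as far as I know GitHub only loads workflow files with one of those extensions, so this workflow may not be running at all — worth checking in the Actions tab before hardening it further.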
@@ -42,12 +43,14 @@ jobs:
 if: needs.check-version-change.outputs.version_changed == 'true'
 steps:
 - name: Check out Git repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 # If you wanted to use multiple Python versions, you'd have specify a matrix in the job and
 # reference the matrixe python version here.
 - name: Setup Python
 id: setup-python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.11"
 # Cache the installation of `uv` itself, e.g. the next step. This prevents the workflow
@@ -58,14 +61,14 @@ jobs:
 echo "$HOME/.local/bin" >> $GITHUB_PATH
 # Cache uv's global cache (resolver/downloads) for speed
 - name: Cache uv cache
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ~/.cache/uv
 key: uv-cache-${{ runner.os }}-${{ hashFiles('**/pyproject.toml', '**/uv.lock') }}
 # Cache the project venv (keyed by lockfile + Python)
 - name: Cache venv
 id: cache-venv
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: .venv
 key: venv-${{ runner.os }}-py${{ steps.setup-python.outputs.python-version || '3.11' }}-${{ hashFiles('**/uv.lock') }}
diff --git a/.github/workflows/sync-skyvern-cloud.yml b/.github/workflows/sync-skyvern-cloud.yml
index ff0c49ea5..9ae355b01 100644
--- a/.github/workflows/sync-skyvern-cloud.yml
+++ b/.github/workflows/sync-skyvern-cloud.yml
@@ -23,7 +23,9 @@ jobs:
 steps:
 - name: Checkout Repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Determine Git credentials
 id: git-creds
 run: |
@@ -123,7 +125,7 @@ jobs:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Run GitHub File Sync
 id: file-sync
- uses: Skyvern-AI/repo-file-sync-action@main
+ uses: Skyvern-AI/repo-file-sync-action@590c4ddbe1d7b5c4ca1e4b4edc85c7f919b6c26a # main
 with:
 GH_PAT: ${{ steps.git-creds.outputs.GH_PAT }}
 GIT_EMAIL: ${{ steps.git-creds.outputs.GIT_EMAIL }}
@@ -139,7 +141,7 @@ jobs:
 if: >
 steps.check-migrations.outputs.has_migrations == 'true' && steps.file-sync.outputs.pull_request_urls
- uses: actions/github-script@v6
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
 env:
 PR_URLS_RAW: ${{ steps.file-sync.outputs.pull_request_urls }}
 SOURCE_PR_URL: ${{ steps.pr_details.outputs.PR_URL }}
diff --git a/.github/workflows/ts-sdk-release.yml b/.github/workflows/ts-sdk-release.yml
index 600c3bdbb..1d49ac185 100644
--- a/.github/workflows/ts-sdk-release.yml
+++ b/.github/workflows/ts-sdk-release.yml
@@ -13,9 +13,10 @@ jobs:
 version_changed: ${{ steps.check.outputs.version_changed }}
 current_version: ${{ steps.check.outputs.current_version }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 2
+ persist-credentials: false
 - name: Check if version changed
 id: check
 run: |
@@ -48,9 +49,11 @@ jobs:
 working-directory: ./skyvern-ts/client
 steps:
 - name: Check out Git repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: '20'
 registry-url: 'https://registry.npmjs.org'
diff --git a/.github/workflows/update-openapi.yml b/.github/workflows/update-openapi.yml
index a334d4b98..a9d8a5b96 100644
--- a/.github/workflows/update-openapi.yml
+++ b/.github/workflows/update-openapi.yml
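Review bot: The `# main` comment on the repo-file-sync-action pin in the first hunk is misleading: `main` is a branch, so it neither says what `590c4ddbe1d7b5c4ca1e4b4edc85c7f919b6c26a` corresponds to nor gives an update bot a tag to track, and a later automated bump could re-float the reference back to the branch. Since Skyvern-AI owns that action, tag the pinned commit (a `v1.0.0`-style release — constructed example) and put that tag in the comment. This step also receives a PAT through `GH_PAT`, which makes a verifiable pin on this action more important than on the read-only ones in this commit. The github-script pin in the second hunk freezes the v6 major; v7 exists, so if this pass is also meant to catch up on majors, that is a further candidate.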
@@ -10,11 +10,11 @@ jobs:
 contents: write
 pull-requests: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 token: ${{ secrets.SKYVERN_OSS_GITHUB_TOKEN }}
 - name: Update OpenAPI Spec
- uses: fern-api/sync-openapi@v2
+ uses: fern-api/sync-openapi@8e936a4bac8ad11d698d7114f3074fa3397398ea # v2
 with:
 token: ${{ secrets.SKYVERN_OSS_GITHUB_TOKEN }}
 branch: 'update-openapi-spec'
diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml
index 1db5a5cc9..ee82f9058 100644
--- a/.github/workflows/version-bump.yml
+++ b/.github/workflows/version-bump.yml
@@ -9,7 +9,9 @@ jobs:
 contents: write
 pull-requests: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Extract version from release
 id: get_version
 run: |
@@ -20,7 +22,7 @@ jobs:
 sed -i "s/version = \".*\"/version = \"${{ steps.get_version.outputs.version }}\"/" pyproject.toml
 - name: Create Pull Request
 id: create-pr
- uses: peter-evans/create-pull-request@v6
+ uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6
 with:
 commit-message: "chore: bump version to ${{ steps.get_version.outputs.version }}"
 title: "chore: bump version to ${{ steps.get_version.outputs.version }}"
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 000000000..14d450607
--- /dev/null
+++ b/.github/workflows/zizmor.yml
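Review bot: The checkout in update-openapi.yml is the only checkout in this commit that does not get `persist-credentials: false`, and it is the one whose credential is a PAT (`token: ${{ secrets.SKYVERN_OSS_GITHUB_TOKEN }}`) rather than the job-scoped GITHUB_TOKEN, so that PAT is written into `.git/config` and stays readable for the rest of the job. The sync-openapi step receives the same token through its own `token` input, so the persisted copy looks unnecessary; add `persist-credentials: false` under the checkout's `with:` unless sync-openapi is known to push via git's stored credentials. In version-bump.yml's second hunk, `sed -i "... ${{ steps.get_version.outputs.version }} ..."` expands an expression straight into a shell script, which zizmor's template-injection audit will flag; the usual fix is an `env:` entry `VERSION: ${{ steps.get_version.outputs.version }}` on the step and `"$VERSION"` in the script. Whether that value is actually attacker-influenced depends on how get_version derives it from the release event, which is outside the hunk.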
@@ -0,0 +1,27 @@
+name: zizmor
+on:
+ push:
+ branches: [main]
+ paths:
+ - '.github/workflows/**'
+ pull_request:
+ branches: [main]
+ paths:
+ - '.github/workflows/**'
+jobs:
+ zizmor:
+ name: Audit GitHub Actions
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ contents: read
+ actions: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
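Review bot: On `pull_request` runs from forks GITHUB_TOKEN is read-only regardless of the `security-events: write` declared here, so if zizmor-action uploads SARIF by default (not confirmable from the hunk) the step will fail on exactly the PRs where auditing a workflow change matters most; check the action's inputs for a way to skip or tolerate the upload, or keep SARIF upload to `push` runs and treat the PR run as a plain pass/fail. The `paths` filter means the job only runs when something under `.github/workflows/` changes, so it cannot be made a required status check without a skip-safe arrangement, and composite actions elsewhere in the repository (if any) are not audited. Consider `timeout-minutes` on the job as well so a hung audit does not hold a runner.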