diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 9fc0d6d0..d300818f 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -20,10 +20,10 @@ jobs:
 if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: "20"
@@ -38,7 +38,7 @@ jobs:
 run: |
 echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
- - uses: actions/cache@v4
+ - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 name: Setup pnpm cache
 with:
 path: ${{ env.STORE_PATH }}
@@ -57,7 +57,7 @@ jobs:
 - name: Deploy to Canary Worker
 id: deploy_canary
- uses: cloudflare/wrangler-action@v3
+ uses: cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3
 with:
 apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
 accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
@@ -94,7 +94,7 @@ jobs:
 - name: Deploy to Production Worker
 id: deploy_production
 if: steps.canary_smoke_tests.outcome == 'success'
- uses: cloudflare/wrangler-action@v3
+ uses: cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3
 with:
 apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
 accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
@@ -130,7 +130,7 @@ jobs:
 # === ROLLBACK IF PRODUCTION SMOKE TESTS FAIL ===
 - name: Rollback Production on Smoke Test Failure
 if: steps.production_smoke_tests.outcome == 'failure'
- uses: cloudflare/wrangler-action@v3
+ uses: cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3
 with:
 apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
 accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml
index 78a14e4c..295bc8b8 100644
--- a/.github/workflows/eval.yml
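Review bot: The trailing `# v4` comments on the new `uses:` lines name only the moving major tag, so a later reader cannot tell which release each commit SHA was resolved from without looking it up. Recording the exact release in the comment, e.g. `uses: actions/checkout@<commit-sha> # vX.Y.Z` (placeholders), keeps the pin auditable and gives update tooling a precise version to bump. The same applies to every pin in this commit, including the `# v3`, `# v7`, `# v6`, `# v1` and `# v0` comments in the other workflow files.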
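Review bot: The step that provides `pnpm` for `pnpm store path --silent` lies between the first and second hunks of deploy.yml and is not touched by this commit. merge-jobs.yml gets `pnpm/action-setup` pinned in the same commit, so if deploy.yml installs pnpm through that action (or any other `uses:` reference by tag), it is still on a mutable ref in a job that later passes `CLOUDFLARE_API_TOKEN` to the deploy steps. It is worth searching the workflows for remaining tag-based `uses:` references; the same unseen gap between setup-node and the cache step exists in eval.yml, smoke-tests.yml, test.yml and token-cost.yml.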
+++ b/.github/workflows/eval.yml
@@ -24,10 +24,10 @@ jobs:
 checks: write
 contents: read
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: "20"
@@ -42,7 +42,7 @@ jobs:
 run: |
 echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
- - uses: actions/cache@v4
+ - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 name: Setup pnpm cache
 with:
 path: ${{ env.STORE_PATH }}
@@ -63,7 +63,7 @@ jobs:
 OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
 - name: Create eval status check
- uses: actions/github-script@v7
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 # Skip for fork PRs (no write permissions) but still run for pushes, workflow_dispatch, and same-repo PRs
 if: ${{ !cancelled() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
 continue-on-error: true # Don't fail workflow if check creation fails
diff --git a/.github/workflows/merge-jobs.yml b/.github/workflows/merge-jobs.yml
index 19afd1de..5066656c 100644
--- a/.github/workflows/merge-jobs.yml
+++ b/.github/workflows/merge-jobs.yml
@@ -11,13 +11,13 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup pnpm
- uses: pnpm/action-setup@v4
+ uses: pnpm/action-setup@02f6c237bd2518259fed6c71566509edfb3f2b74 # v4
 - name: Set up Node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version-file: 'package.json'
 cache: 'pnpm'
@@ -39,7 +39,7 @@ jobs:
 run: pnpm pack --pack-destination dist
 - name: Archive artifacts
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: ${{ github.sha }}
 path: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 807f1417..be08e195 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -31,13 +31,13 @@ jobs:
 private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 token: ${{ steps.token.outputs.token }}
 fetch-depth: 0
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: "20"
@@ -56,7 +56,7 @@ jobs:
 echo "version=$NEW" >> "$GITHUB_OUTPUT"
 - name: Prepare release
- uses: getsentry/action-prepare-release@v1
+ uses: getsentry/action-prepare-release@c8e1c2009ab08259029170132c384f03c1064c0e # v1
 env:
 GITHUB_TOKEN: ${{ steps.token.outputs.token }}
 with:
diff --git a/.github/workflows/smoke-tests.yml b/.github/workflows/smoke-tests.yml
index 35c79436..a568dbe7 100644
--- a/.github/workflows/smoke-tests.yml
+++ b/.github/workflows/smoke-tests.yml
@@ -15,10 +15,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: "20"
@@ -33,7 +33,7 @@ jobs:
 run: |
 echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
- - uses: actions/cache@v4
+ - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 name: Setup pnpm cache
 with:
 path: ${{ env.STORE_PATH }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 9f05ccf9..e75fe126 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
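Review bot: The step that consumes `SENTRY_RELEASE_BOT_PRIVATE_KEY` and produces `steps.token` begins above the first release.yml hunk, and its `uses:` line is not changed by this commit. warden.yml gets `actions/create-github-app-token` pinned in the same commit, so if the release workflow mints its token with that action by tag, the step holding the most sensitive secret in this file is still on a mutable ref and should get the same full-SHA pin. If it is already pinned, or is not an action at all, nothing further is needed.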
@@ -9,10 +9,10 @@ jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: "20"
@@ -27,7 +27,7 @@ jobs:
 run: |
 echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
- - uses: actions/cache@v4
+ - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 name: Setup pnpm cache
 with:
 path: ${{ env.STORE_PATH }}
diff --git a/.github/workflows/token-cost.yml b/.github/workflows/token-cost.yml
index 46053b2c..e7bed972 100644
--- a/.github/workflows/token-cost.yml
+++ b/.github/workflows/token-cost.yml
@@ -14,10 +14,10 @@ jobs:
 measure-tokens:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: "20"
@@ -32,7 +32,7 @@ jobs:
 run: |
 echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
- - uses: actions/cache@v4
+ - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 name: Setup pnpm cache
 with:
 path: ${{ env.STORE_PATH }}
@@ -100,7 +100,7 @@ jobs:
 - name: Download main branch token stats
 if: github.event_name == 'pull_request'
- uses: dawidd6/action-download-artifact@v6
+ uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6
 continue-on-error: true
 with:
 workflow: token-cost.yml
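Review bot: Pinning `dawidd6/action-download-artifact` fixes the action's code but not what the step fetches. The upload step later in token-cost.yml publishes `token-stats-${{ github.sha }}` with `if: always()`, presumably on pull-request runs as well, so the download needs to be restricted to runs of the default branch. The `with:` block continues past the hunk, so confirm it carries a filter such as `branch: main`, and that the comparison step treats the downloaded file as untrusted input.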
@@ -162,7 +162,7 @@ jobs:
 cat token-report.md >> $GITHUB_STEP_SUMMARY
 - name: Create check run
- uses: actions/github-script@v7
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 # Skip for fork PRs (no write permissions) but still run for pushes and same-repo PRs
 if: ${{ always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
 continue-on-error: true # Don't fail workflow if check creation fails
@@ -219,7 +219,7 @@ jobs:
 });
 - name: Comment on PR if token count changed
- uses: actions/github-script@v7
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 # Skip for fork PRs (no write permissions)
 if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && steps.compare.outputs.has_comparison == 'true' && steps.compare.outputs.delta != '0'
 continue-on-error: true # Don't fail workflow if comment creation fails
@@ -258,7 +258,7 @@ jobs:
 }
 - name: Upload token stats artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 if: always()
 with:
 name: token-stats-${{ github.sha }}
diff --git a/.github/workflows/warden.yml b/.github/workflows/warden.yml
index a21741b9..edaa2055 100644
--- a/.github/workflows/warden.yml
+++ b/.github/workflows/warden.yml
@@ -15,14 +15,14 @@ jobs:
 WARDEN_MODEL: ${{ secrets.WARDEN_MODEL }}
 WARDEN_SENTRY_DSN: ${{ secrets.WARDEN_SENTRY_DSN }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- - uses: actions/create-github-app-token@v1
+ - uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1
 id: app-token
 with:
 app-id: ${{ secrets.WARDEN_APP_ID }}
 private-key: ${{ secrets.WARDEN_PRIVATE_KEY }}
- - uses: getsentry/warden@v0
+ - uses: getsentry/warden@34257abaeda3b030eb45a0971060d509ce0fea51 # v0
 with:
 github-token: ${{ steps.app-token.outputs.token }}
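Review bot: `WARDEN_MODEL` and `WARDEN_SENTRY_DSN` sit directly above `steps:`, which suggests a job-level `env:` (the key itself is outside the hunk), so both secrets are exported to every step, including checkout and the token-minting action. Only the `getsentry/warden` step looks like their consumer. Moving the two entries into an `env:` block on that step keeps them out of the environment of the other two actions, which complements the SHA pins added here.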