diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 6945426981e5..33039f9e6a96 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,6 +9,8 @@ updates: ignore: - dependency-name: "*" update-types: ["version-update:semver-patch"] + cooldown: + default-days: 7 - package-ecosystem: "github-actions" directory: "/"
@@ -19,6 +21,8 @@ updates: ignore: - dependency-name: "*" update-types: ["version-update:semver-patch"] + cooldown: + default-days: 7 - package-ecosystem: "pip" directory: "/"
@@ -44,6 +48,8 @@ updates: - dependency-name: "jmespath" - dependency-name: "urllib3" - dependency-name: "wheel" + cooldown: + default-days: 7 - package-ecosystem: "pip" directory: "/"
@@ -61,6 +67,8 @@ updates: - dependency-name: "pyyaml" - dependency-name: "wheel" - dependency-name: "rsa" + cooldown: + default-days: 7 - package-ecosystem: "pip" directory: "/"
@@ -79,3 +87,5 @@ updates: - dependency-name: "sphinx-lint" - dependency-name: "sphinx-copybutton" - dependency-name: "sphinx-inline-tabs" + cooldown: + default-days: 7
diff --git a/.github/workflows/closed-issue-update.yml b/.github/workflows/closed-issue-update.yml
index d282858932b0..5fd2f4d46076 100644
--- a/.github/workflows/closed-issue-update.yml
+++ b/.github/workflows/closed-issue-update.yml
@@ -3,15 +3,16 @@ name: Closed Issue Update on: issues: types: [closed] -permissions: - issues: write +permissions: {} jobs: unlabel: runs-on: ubuntu-latest + permissions: + issues: write if: contains(toJson(github.event.issue.labels), 'needs-triage') steps: - - uses: actions/github-script@v8 + - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | github.rest.issues.removeLabel({
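Review bot: The new `cooldown` stanza is pasted verbatim into all five `updates` entries (this hunk and the four that follow) with no explanation of why 7 days was chosen, so a reader cannot tell whether the delay is a supply-chain precaution or just noise reduction. The first two entries already ignore semver-patch updates, so a week-long cooldown on top of that could noticeably delay picking up a release that fixes a vulnerability if Dependabot security updates turn out not to be exempt from the cooldown; worth confirming against the Dependabot documentation before merging. A one-line comment above the first occurrence would capture the intent, e.g. `# Hold new releases for a week so compromised or yanked versions are caught upstream before they are proposed here`.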
@@ -22,8 +23,10 @@ jobs: }) auto_comment: runs-on: ubuntu-latest + permissions: + issues: write steps: - - uses: aws-actions/closed-issue-message@v2 + - uses: aws-actions/closed-issue-message@10aaf6366131b673a7c8b7742f8b3849f1d44f18 # v2 with: # These inputs are both required repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/doc-pr-cherry-pick.yml b/.github/workflows/doc-pr-cherry-pick.yml
index 6093bd994eea..a5961e19109f 100644
--- a/.github/workflows/doc-pr-cherry-pick.yml
+++ b/.github/workflows/doc-pr-cherry-pick.yml
@@ -20,6 +20,7 @@ jobs: uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 4.2.2 with: fetch-depth: 0 + persist-credentials: false - name: Configure Git run: |
diff --git a/.github/workflows/handle-stale-discussions.yml b/.github/workflows/handle-stale-discussions.yml
index c842e1174a83..a1fbb2e842f9 100644
--- a/.github/workflows/handle-stale-discussions.yml
+++ b/.github/workflows/handle-stale-discussions.yml
@@ -14,7 +14,7 @@ jobs: discussions: write steps: - name: Stale discussions action - uses: aws-github-ops/handle-stale-discussions@v1 + uses: aws-github-ops/handle-stale-discussions@711a9813957be17629fc6933afcd8bd132c57254 # v1 with: # This will close stale-discussions as outdated instead of answered close-stale-as-answered: false
diff --git a/.github/workflows/issue-regression-labeler.yml b/.github/workflows/issue-regression-labeler.yml
index fc66cb86afb6..fc2bc6dbaca6 100644
--- a/.github/workflows/issue-regression-labeler.yml
+++ b/.github/workflows/issue-regression-labeler.yml
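Review bot: The version comment on the new `aws-actions/closed-issue-message@10aaf636…` pin is the moving major tag `# v2`, which a reviewer cannot check against the SHA because `v2` is re-pointed on every release; the same applies to `# v1` on handle-stale-discussions in the next file, `# v6` on setup-python (run-bundle-test, run-tests, update-lockfiles), codecov-action (run-tests) and stale-issue-cleanup (stale_issue). Elsewhere in this commit the annotation is an exact release (`# v8.0.0`, `# v6.0.1`, `# v6.0.2`), so the mixed style is also inconsistent. Annotate each SHA with the exact tag it resolves to, e.g. `# v2.<minor>.<patch>` (placeholder — look up the release the commit belongs to), so the comment is verifiable and version-update tooling has an unambiguous baseline.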
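Review bot: With `persist-credentials: false` now set on this checkout, nothing in the hunk restores git authentication, yet the next step is named `Configure Git` and the workflow's name suggests it cherry-picks and pushes; if a step outside this hunk pushes over HTTPS it will now fail with an authentication error unless that step supplies a token itself. The same situation is visible in update-lockfiles.yml further down, where the `git commit and push` step still ends in a bare `git push`. Either keep credentials persisted for those two workflows, or make the push step authenticate explicitly (pass the token through `env` and push to an authenticated remote, or run `gh auth setup-git` first), and record the choice in a comment next to `persist-credentials: false`, e.g. `# push step authenticates on its own; do not leave the token in .git/config`.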
@@ -25,8 +25,9 @@ jobs: - name: Manage regression label env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + STEPS_CHECK_REGRESSION_OUTPUTS_IS_REGRESSION: ${{ steps.check_regression.outputs.is_regression }} run: | - if [ "${{ steps.check_regression.outputs.is_regression }}" == "true" ]; then + if [ "${STEPS_CHECK_REGRESSION_OUTPUTS_IS_REGRESSION}" == "true" ]; then gh issue edit ${{ github.event.issue.number }} --add-label "potential-regression" -R ${{ github.repository }} else gh issue edit ${{ github.event.issue.number }} --remove-label "potential-regression" -R ${{ github.repository }}
diff --git a/.github/workflows/run-bundle-test.yml b/.github/workflows/run-bundle-test.yml
index 4cf47408ade8..6d8212fee8cd 100644
--- a/.github/workflows/run-bundle-test.yml
+++ b/.github/workflows/run-bundle-test.yml
@@ -20,9 +20,11 @@ jobs: python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"] os: [ubuntu-latest, macOS-latest] steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ matrix.python-version }} - name: Install dependencies
diff --git a/.github/workflows/run-dep-tests.yml b/.github/workflows/run-dep-tests.yml
index 54a1b6c0d156..97914594c2d1 100644
--- a/.github/workflows/run-dep-tests.yml
+++ b/.github/workflows/run-dep-tests.yml
@@ -20,6 +20,8 @@ jobs: steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c with:
diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
index 5999c6d71e95..2e12f41eed13 100644
--- a/.github/workflows/run-tests.yml
+++ b/.github/workflows/run-tests.yml
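Review bot: Only the `is_regression` output was moved into `env`; the two `gh issue edit` lines in the same `run:` script still interpolate `${{ github.event.issue.number }}` and `${{ github.repository }}` straight into the shell. Both are GitHub-controlled values (an integer and an `owner/repo` slug), so this is a consistency point rather than an injection path, but hoisting them as well leaves the script free of `${{ }}` and matches the pattern this commit is introducing. The closing `fi` of the script lies outside the hunk.

```yaml
        # … unchanged: GITHUB_TOKEN and STEPS_CHECK_REGRESSION_OUTPUTS_IS_REGRESSION env entries …
        ISSUE_NUMBER: ${{ github.event.issue.number }}
        REPO: ${{ github.repository }}
      run: |
        if [ "${STEPS_CHECK_REGRESSION_OUTPUTS_IS_REGRESSION}" == "true" ]; then
          gh issue edit "${ISSUE_NUMBER}" --add-label "potential-regression" -R "${REPO}"
        else
          gh issue edit "${ISSUE_NUMBER}" --remove-label "potential-regression" -R "${REPO}"
```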
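Review bot: The checkout SHA `8e8c483db84b4bee98b60c0593521ed34d9990e8` is annotated `# v6.0.1` here (and in run-tests.yml and update-lockfiles.yml), but the untouched context line in doc-pr-cherry-pick.yml annotates the identical SHA as `# 4.2.2`; one of the two comments is wrong, and any tooling or reviewer that trusts the annotation will be misled by whichever it is. Please check which tag that commit belongs to in actions/checkout and correct the stale annotation, even though that means touching a line this commit otherwise leaves alone. Relatedly, run-dep-tests.yml (next hunk) keeps setup-python at `e797f83b…` while this commit pins it to `a309ff8b… # v6` everywhere else; aligning them avoids two separately tracked versions of the same action.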
@@ -19,9 +19,11 @@ jobs: os: [ubuntu-latest, macOS-latest, windows-latest] steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ matrix.python-version }} - name: Install dependencies
@@ -33,6 +35,6 @@ jobs: - name: Run checks run: python scripts/ci/run-check - name: codecov - uses: codecov/codecov-action@v6 + uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6 with: directory: tests
diff --git a/.github/workflows/stale_community_prs.yml b/.github/workflows/stale_community_prs.yml
index 6ffeb62a29d6..93b037a0ef76 100644
--- a/.github/workflows/stale_community_prs.yml
+++ b/.github/workflows/stale_community_prs.yml
@@ -1,12 +1,13 @@ name: 'Check stale community PRs.' on: workflow_dispatch -permissions: - pull-requests: write +permissions: {} jobs: stale-implementation-stage: runs-on: ubuntu-latest + permissions: + pull-requests: write steps: - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f with:
@@ -27,6 +28,8 @@ jobs: close-pr-label: closed-for-staleness stale-review-stage: runs-on: ubuntu-latest + permissions: + pull-requests: write steps: - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f with:
@@ -61,4 +64,4 @@ jobs: days-before-issue-stale: -1 only-pr-labels: community,review,response-requested,stale close-pr-label: DONTUSE - ignore-updates: true # Even if there are comments added, maintainers will need to reset labels to resume processing. \ No newline at end of file + ignore-updates: true # Even if there are comments added, maintainers will need to reset labels to resume processing.
diff --git a/.github/workflows/stale_issue.yml b/.github/workflows/stale_issue.yml
index f4df9766a0aa..66e31f68e84e 100644
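Review bot: The `actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f` pin next to the new job-level `permissions` block (and again in `stale-review-stage` in the following hunk) carries no version comment, unlike every other SHA pin this commit touches or introduces in stale_community_prs.yml's sibling workflows. Adding `# vX.Y.Z` (placeholder — the tag that commit resolves to) after the SHA keeps the pinning style uniform and lets a reviewer check the pin without resolving the commit by hand.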
--- a/.github/workflows/stale_issue.yml
+++ b/.github/workflows/stale_issue.yml
@@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest name: Stale issue job steps: - - uses: aws-actions/stale-issue-cleanup@v6 + - uses: aws-actions/stale-issue-cleanup@7de35968489e4142233d2a6812519a82e68b5c38 # v6 with: issue-types: issues stale-issue-message: Greetings! It looks like this issue hasn’t been active in longer than five days. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.
diff --git a/.github/workflows/update-lockfiles.yml b/.github/workflows/update-lockfiles.yml
index 337f753ffab4..d5c9d51b3451 100644
--- a/.github/workflows/update-lockfiles.yml
+++ b/.github/workflows/update-lockfiles.yml
@@ -34,11 +34,12 @@ jobs: os: [macOS-latest, windows-latest] steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: ref: ${{ github.event.inputs.ref }} + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ matrix.python-version }}
@@ -78,11 +79,12 @@ jobs: echo "PLATFORMS=macOS and Linux" >> $GITHUB_ENV - name: git commit and push updated lock files if: github.event.inputs.dry-run == 'no' && env.CHANGES + shell: bash run: | git config --global user.name "Github Actions" git config --global user.email "<>" git fetch git add requirements - git commit -m "Regenerate lock files for ${{ env.PLATFORMS }}" + git commit -m "Regenerate lock files for ${PLATFORMS}" git pull --rebase git push
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 000000000000..adba84a1c713
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,23 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ branches: ["develop"]
+ pull_request:
+ branches: ["develop"]
+
+permissions: {}
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
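Review bot: The `zizmor` job grants only `security-events: write`, so under the top-level `permissions: {}` the token has no `contents` scope; that is sufficient for a public repository, but if this repository is (or becomes) private the checkout and the results upload also need `contents: read` and `actions: read`, which the zizmor documentation calls out. On `pull_request` runs from forks the token is read-only regardless, so `security-events: write` is not actually granted there; confirm that the action tolerates a failed upload in that case (or limit the upload to same-repository events) so fork PRs do not fail the check. A short comment under `permissions:` recording which of these cases was considered would save the next reader the same investigation, e.g. `# security-events: write suffices for a public repo; add contents/actions: read if the repo goes private`.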