From 040da67d920c24e9206a9162c36dcda4032f4424 Mon Sep 17 00:00:00 2001 From: jonathan343 Date: Tue, 7 Apr 2026 23:25:53 -0400 Subject: [PATCH 1/3] Address auto-fixes and pin to SHAs --- .github/dependabot.yml | 10 ++++++++++ .github/workflows/closed-issue-update.yml | 4 ++-- .github/workflows/doc-pr-cherry-pick.yml | 1 + .github/workflows/handle-stale-discussions.yml | 2 +- .github/workflows/issue-regression-labeler.yml | 3 ++- .github/workflows/run-bundle-test.yml | 6 ++++-- .github/workflows/run-dep-tests.yml | 2 ++ .github/workflows/run-tests.yml | 8 +++++--- .github/workflows/stale_community_prs.yml | 2 +- .github/workflows/stale_issue.yml | 2 +- .github/workflows/update-lockfiles.yml | 5 +++-- 11 files changed, 32 insertions(+), 13 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 6945426981e5..33039f9e6a96 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,6 +9,8 @@ updates: ignore: - dependency-name: "*" update-types: ["version-update:semver-patch"] + cooldown: + default-days: 7 - package-ecosystem: "github-actions" directory: "/" @@ -19,6 +21,8 @@ updates: ignore: - dependency-name: "*" update-types: ["version-update:semver-patch"] + cooldown: + default-days: 7 - package-ecosystem: "pip" directory: "/" @@ -44,6 +48,8 @@ updates: - dependency-name: "jmespath" - dependency-name: "urllib3" - dependency-name: "wheel" + cooldown: + default-days: 7 - package-ecosystem: "pip" directory: "/" @@ -61,6 +67,8 @@ updates: - dependency-name: "pyyaml" - dependency-name: "wheel" - dependency-name: "rsa" + cooldown: + default-days: 7 - package-ecosystem: "pip" directory: "/" @@ -79,3 +87,5 @@ updates: - dependency-name: "sphinx-lint" - dependency-name: "sphinx-copybutton" - dependency-name: "sphinx-inline-tabs" + cooldown: + default-days: 7 diff --git a/.github/workflows/closed-issue-update.yml b/.github/workflows/closed-issue-update.yml index d282858932b0..6817b3b41b95 100644 --- a/.github/workflows/closed-issue-update.yml 
+++ b/.github/workflows/closed-issue-update.yml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest if: contains(toJson(github.event.issue.labels), 'needs-triage') steps: - - uses: actions/github-script@v8 + - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | github.rest.issues.removeLabel({ @@ -23,7 +23,7 @@ jobs: auto_comment: runs-on: ubuntu-latest steps: - - uses: aws-actions/closed-issue-message@v2 + - uses: aws-actions/closed-issue-message@10aaf6366131b673a7c8b7742f8b3849f1d44f18 # v2 with: # These inputs are both required repo-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/doc-pr-cherry-pick.yml b/.github/workflows/doc-pr-cherry-pick.yml index 6093bd994eea..a5961e19109f 100644 --- a/.github/workflows/doc-pr-cherry-pick.yml +++ b/.github/workflows/doc-pr-cherry-pick.yml @@ -20,6 +20,7 @@ jobs: uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 4.2.2 with: fetch-depth: 0 + persist-credentials: false - name: Configure Git run: | diff --git a/.github/workflows/handle-stale-discussions.yml b/.github/workflows/handle-stale-discussions.yml index c842e1174a83..a1fbb2e842f9 100644 --- a/.github/workflows/handle-stale-discussions.yml +++ b/.github/workflows/handle-stale-discussions.yml @@ -14,7 +14,7 @@ jobs: discussions: write steps: - name: Stale discussions action - uses: aws-github-ops/handle-stale-discussions@v1 + uses: aws-github-ops/handle-stale-discussions@711a9813957be17629fc6933afcd8bd132c57254 # v1 with: # This will close stale-discussions as outdated instead of answered close-stale-as-answered: false diff --git a/.github/workflows/issue-regression-labeler.yml b/.github/workflows/issue-regression-labeler.yml index fc66cb86afb6..fc2bc6dbaca6 100644 --- a/.github/workflows/issue-regression-labeler.yml +++ b/.github/workflows/issue-regression-labeler.yml 
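Review bot: The `# v2` trailer on the `aws-actions/closed-issue-message` pin names a moving major tag rather than the release the SHA resolves to, so the comment no longer tells a reader which version is actually pinned, which defeats part of the point of pinning. Replace it with the exact tag that `10aaf6366131b673a7c8b7742f8b3849f1d44f18` corresponds to, e.g. `# v2.<minor>.<patch>` filled in from the upstream release list. The same applies to `# v1` on handle-stale-discussions, `# v6` on setup-python in run-bundle-test, run-tests and update-lockfiles, `# v6` on codecov-action in run-tests, and `# v6` on stale-issue-cleanup in stale_issue.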
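Review bot: Setting `persist-credentials: false` on this checkout removes the token from the repository's git config, so if the "Configure Git" step or anything after it pushes the cherry-picked commits (the hunk ends before that, and the workflow name suggests it does), the push will run with no credentials and fail; confirm that a later step supplies authentication explicitly, for example via a token-bearing remote URL or a push action that accepts a token input, rather than relying on the persisted header. Separately, the context line pins `actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 4.2.2` while this same SHA is labelled `# v6.0.1` in run-bundle-test, run-tests and update-lockfiles in this commit; one of those labels is wrong and should be reconciled so the comment reflects what the SHA actually is.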
@@ -25,8 +25,9 @@ jobs: - name: Manage regression label env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + STEPS_CHECK_REGRESSION_OUTPUTS_IS_REGRESSION: ${{ steps.check_regression.outputs.is_regression }} run: | - if [ "${{ steps.check_regression.outputs.is_regression }}" == "true" ]; then + if [ "${STEPS_CHECK_REGRESSION_OUTPUTS_IS_REGRESSION}" == "true" ]; then gh issue edit ${{ github.event.issue.number }} --add-label "potential-regression" -R ${{ github.repository }} else gh issue edit ${{ github.event.issue.number }} --remove-label "potential-regression" -R ${{ github.repository }} diff --git a/.github/workflows/run-bundle-test.yml b/.github/workflows/run-bundle-test.yml index 4cf47408ade8..6d8212fee8cd 100644 --- a/.github/workflows/run-bundle-test.yml +++ b/.github/workflows/run-bundle-test.yml @@ -20,9 +20,11 @@ jobs: python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"] os: [ubuntu-latest, macOS-latest] steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ matrix.python-version }} - name: Install dependencies diff --git a/.github/workflows/run-dep-tests.yml b/.github/workflows/run-dep-tests.yml index 54a1b6c0d156..97914594c2d1 100644 --- a/.github/workflows/run-dep-tests.yml +++ b/.github/workflows/run-dep-tests.yml @@ -20,6 +20,8 @@ jobs: steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c with: diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index 5999c6d71e95..2e12f41eed13 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml 
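Review bot: The auto-generated env name `STEPS_CHECK_REGRESSION_OUTPUTS_IS_REGRESSION` is unwieldy; since the value is just a step output, `IS_REGRESSION: ${{ steps.check_regression.outputs.is_regression }}` with `if [ "${IS_REGRESSION}" == "true" ]; then` reads better and is what a maintainer would expect. The remaining inline `${{ github.event.issue.number }}` and `${{ github.repository }}` expansions are an integer and an owner/name slug set by GitHub rather than user-controlled text, so leaving them inline is acceptable, though moving them into `env` as well would make the step uniformly template-free. The step's `else` branch continues past the end of the hunk.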
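Review bot: The `actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8` and `actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c` pins in run-dep-tests carry no version comment, unlike the pins added elsewhere in this commit, so a reader cannot tell which releases they are without resolving the SHAs; add the same `# vX.Y.Z` trailer used in run-tests. The same applies to the two `actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f` pins in stale_community_prs. Note also that the setup-python SHA here differs from the `a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6` used in the other workflows; confirm that is intended rather than an older release left behind.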
@@ -19,9 +19,11 @@ jobs: os: [ubuntu-latest, macOS-latest, windows-latest] steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ matrix.python-version }} - name: Install dependencies @@ -33,6 +35,6 @@ jobs: - name: Run checks run: python scripts/ci/run-check - name: codecov - uses: codecov/codecov-action@v6 + uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6 with: directory: tests diff --git a/.github/workflows/stale_community_prs.yml b/.github/workflows/stale_community_prs.yml index 6ffeb62a29d6..8c1fe1bbe2d5 100644 --- a/.github/workflows/stale_community_prs.yml +++ b/.github/workflows/stale_community_prs.yml @@ -61,4 +61,4 @@ jobs: days-before-issue-stale: -1 only-pr-labels: community,review,response-requested,stale close-pr-label: DONTUSE - ignore-updates: true # Even if there are comments added, maintainers will need to reset labels to resume processing. \ No newline at end of file + ignore-updates: true # Even if there are comments added, maintainers will need to reset labels to resume processing. diff --git a/.github/workflows/stale_issue.yml b/.github/workflows/stale_issue.yml index f4df9766a0aa..66e31f68e84e 100644 --- a/.github/workflows/stale_issue.yml +++ b/.github/workflows/stale_issue.yml 
@@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest name: Stale issue job steps: - - uses: aws-actions/stale-issue-cleanup@v6 + - uses: aws-actions/stale-issue-cleanup@7de35968489e4142233d2a6812519a82e68b5c38 # v6 with: issue-types: issues stale-issue-message: Greetings! It looks like this issue hasn’t been active in longer than five days. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one. diff --git a/.github/workflows/update-lockfiles.yml b/.github/workflows/update-lockfiles.yml index 337f753ffab4..1630213341a7 100644 --- a/.github/workflows/update-lockfiles.yml +++ b/.github/workflows/update-lockfiles.yml @@ -34,11 +34,12 @@ jobs: os: [macOS-latest, windows-latest] steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: ref: ${{ github.event.inputs.ref }} + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ matrix.python-version }} From 675c191adc69c52c0470b9a26765b8ab396d8c72 Mon Sep 17 00:00:00 2001 From: jonathan343 Date: Tue, 7 Apr 2026 23:55:39 -0400 Subject: [PATCH 2/3] Manual fixes --- .github/workflows/closed-issue-update.yml | 7 +++++-- .github/workflows/stale_community_prs.yml | 7 +++++-- .github/workflows/update-lockfiles.yml | 3 ++- 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/.github/workflows/closed-issue-update.yml b/.github/workflows/closed-issue-update.yml index 6817b3b41b95..5fd2f4d46076 100644 --- a/.github/workflows/closed-issue-update.yml +++ b/.github/workflows/closed-issue-update.yml 
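Review bot: `persist-credentials: false` on this update-lockfiles checkout means that if the later "git commit and push updated lock files" step (visible in the second commit of this series, where it runs `git fetch`, `git pull --rebase` and `git push` with no token of its own) runs in this same job, it will no longer find credentials in the repository's git config and the push is likely to fail unless a step outside these hunks configures authentication; the file has more than one `steps:` region, so verify which job that step belongs to. Either keep the persisted token for the job that pushes, or have the push step authenticate explicitly, e.g. `git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}"` with `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` in that step's `env`. Since the job checks out `ref: ${{ github.event.inputs.ref }}` and pushes back to it, the job-level `permissions` (outside this hunk) should grant only `contents: write`.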
@@ -3,12 +3,13 @@ name: Closed Issue Update on: issues: types: [closed] -permissions: - issues: write +permissions: {} jobs: unlabel: runs-on: ubuntu-latest + permissions: + issues: write if: contains(toJson(github.event.issue.labels), 'needs-triage') steps: - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -22,6 +23,8 @@ jobs: }) auto_comment: runs-on: ubuntu-latest + permissions: + issues: write steps: - uses: aws-actions/closed-issue-message@10aaf6366131b673a7c8b7742f8b3849f1d44f18 # v2 with: diff --git a/.github/workflows/stale_community_prs.yml b/.github/workflows/stale_community_prs.yml index 8c1fe1bbe2d5..93b037a0ef76 100644 --- a/.github/workflows/stale_community_prs.yml +++ b/.github/workflows/stale_community_prs.yml @@ -1,12 +1,13 @@ name: 'Check stale community PRs.' on: workflow_dispatch -permissions: - pull-requests: write +permissions: {} jobs: stale-implementation-stage: runs-on: ubuntu-latest + permissions: + pull-requests: write steps: - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f with: @@ -27,6 +28,8 @@ jobs: close-pr-label: closed-for-staleness stale-review-stage: runs-on: ubuntu-latest + permissions: + pull-requests: write steps: - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f with: diff --git a/.github/workflows/update-lockfiles.yml b/.github/workflows/update-lockfiles.yml index 1630213341a7..d5c9d51b3451 100644 --- a/.github/workflows/update-lockfiles.yml +++ b/.github/workflows/update-lockfiles.yml @@ -79,11 +79,12 @@ jobs: echo "PLATFORMS=macOS and Linux" >> $GITHUB_ENV - name: git commit and push updated lock files if: github.event.inputs.dry-run == 'no' && env.CHANGES + shell: bash run: | git config --global user.name "Github Actions" git config --global user.email "<>" git fetch git add requirements - git commit -m "Regenerate lock files for ${{ env.PLATFORMS }}" + git commit -m "Regenerate lock files for ${PLATFORMS}" git pull --rebase git push 
From 7f31632762de769bc74f8591ec109a95b4d9b222 Mon Sep 17 00:00:00 2001
From: jonathan343
Date: Wed, 8 Apr 2026 17:07:20 -0400
Subject: [PATCH 3/3] Add zizmor action

---
 .github/workflows/zizmor.yml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 .github/workflows/zizmor.yml

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 000000000000..adba84a1c713
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,23 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+  push:
+    branches: ["develop"]
+  pull_request:
+    branches: ["develop"]
+
+permissions: {}
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
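Review bot: The job requests `security-events: write` and runs on `pull_request`, but for pull requests opened from forks the `GITHUB_TOKEN` is read-only regardless of the `permissions` block, so the SARIF upload that zizmor-action performs is likely to fail on those runs; confirm the action tolerates that, or guard the upload with a condition such as `if: github.event.pull_request.head.repo.fork == false`, otherwise external contributors will see a red check they cannot fix. Also, with `permissions: {}` at the top and only `security-events: write` in the job, the token has no `contents: read`; that is fine for a public repository, but if this repository is private, `contents: read` and `actions: read` are likely needed for the checkout and the code-scanning upload. Consider adding a `schedule:` trigger as well so the audit also runs when zizmor's rules change, not only when the workflow files do.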