diff --git a/.github/workflows/backport-fixes.yml b/.github/workflows/backport-fixes.yml index d5b4c62..66f89ee 100644 --- a/.github/workflows/backport-fixes.yml +++ b/.github/workflows/backport-fixes.yml @@ -53,7 +53,7 @@ jobs: echo "to=$to" >> "$GITHUB_OUTPUT" - name: Check out repo with full history - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e5d1adf..1946863 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -26,7 +26,7 @@ jobs: - mark3labs steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # AuthPlane/conformance is the public sibling repo carrying the shared # oauth-sdk-conformance-catalog.yaml. Cloned to $RUNNER_TEMP — outside @@ -44,7 +44,7 @@ jobs: "$RUNNER_TEMP/conformance" - name: Setup Go - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: # v6 reads both the `go` and `toolchain` directives from the file; # if `toolchain` is present, that version is installed. @@ -63,7 +63,7 @@ jobs: # repo-root .golangci.yml is picked up automatically via config # walk-up from each module directory. - name: Lint - uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0 + uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1 with: version: v2.11.4 working-directory: ${{ matrix.module }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 460807a..feb451e 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -40,16 +40,16 @@ jobs: actions: read steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup Go - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: go-version: "1.25.x" check-latest: true - name: Initialize CodeQL - uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 + uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: languages: go # This repo is a Go workspace of four independent modules; the @@ -70,6 +70,6 @@ jobs: done - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 + uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: category: "/language:go" diff --git a/.github/workflows/cut-release.yml b/.github/workflows/cut-release.yml index 36e8a63..e9f611f 100644 --- a/.github/workflows/cut-release.yml +++ b/.github/workflows/cut-release.yml @@ -94,7 +94,7 @@ jobs: } >> "$GITHUB_OUTPUT" - name: Check out default branch with full history and tags - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: ref: ${{ github.event.repository.default_branch }} fetch-depth: 0 diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index f1a7a42..690163d 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -15,10 +15,10 @@ jobs: pull-requests: write steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Dependency review continue-on-error: true - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0 + uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0 with: license-check: true # MPL-2.0 is safe only as a transitive dependency — do not vendor or diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c9721bf..6cd8a7c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -95,21 +95,21 @@ jobs: private-key: ${{ secrets.RELEASE_BOT_PRIVATE_KEY }} - name: Check out repo with full history and all tags - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 ref: ${{ github.ref }} token: ${{ steps.app_token.outputs.token }} - name: Check out shared conformance catalog - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: repository: AuthPlane/conformance path: conformance fetch-depth: 1 - name: Set up Go 1.25 - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: go-version: '1.25' @@ -191,7 +191,7 @@ jobs: # state-mutating steps. A linting failure here leaves the workspace # clean (no partial go.mod edits to roll back). - name: Install golangci-lint - uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0 + uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1 with: version: v2.11.4 install-only: true diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 6298d35..333a1dc 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -34,7 +34,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false @@ -53,6 +53,6 @@ jobs: retention-days: 5 - name: Upload to code-scanning - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: sarif_file: results.sarif diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 8b93675..1163b13 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -42,10 +42,10 @@ jobs: - mark3labs steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup Go - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: go-version: "1.25.x" # Force fetching the latest patch matching 1.25.x even when an older diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 30baf78..589c0a9 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Mark stale issues and PRs - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0 + uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10.3.0 with: days-before-issue-stale: 60 days-before-issue-close: 30 diff --git a/.github/workflows/workflows-lint.yml b/.github/workflows/workflows-lint.yml index dfadf36..8c7fbcd 100644 --- a/.github/workflows/workflows-lint.yml +++ b/.github/workflows/workflows-lint.yml @@ -23,7 +23,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # Pulls the matching actionlint binary release from GitHub Releases # via the upstream download script. The script is fetched by commit