diff --git a/.github/workflows/actions-cpu-e2e-test.yaml b/.github/workflows/actions-cpu-e2e-test.yaml index 79a69924..26b55023 100644 --- a/.github/workflows/actions-cpu-e2e-test.yaml +++ b/.github/workflows/actions-cpu-e2e-test.yaml @@ -21,7 +21,7 @@ jobs: (contains(matrix.runner, 'linux-arm64') && 'us-docker.pkg.dev/ml-oss-artifacts-published/ml-public-container/ml-build-arm64:latest') || (contains(matrix.runner, 'windows-x86') && null) }} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v4 with: persist-credentials: false - name: Simulate running a job on ${{ matrix.runner }} diff --git a/.github/workflows/actions-lint.yaml b/.github/workflows/actions-lint.yaml index 05d1a340..f2854026 100644 --- a/.github/workflows/actions-lint.yaml +++ b/.github/workflows/actions-lint.yaml @@ -9,7 +9,7 @@ jobs: actionlint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v4 with: persist-credentials: false - name: Check workflow files diff --git a/.github/workflows/benchmarking-tests.yaml b/.github/workflows/benchmarking-tests.yaml index 5be7aaf2..c2a43383 100644 --- a/.github/workflows/benchmarking-tests.yaml +++ b/.github/workflows/benchmarking-tests.yaml @@ -28,7 +28,7 @@ jobs: image: us-docker.pkg.dev/ml-oss-artifacts-published/ml-public-container/ml-build:latest@sha256:e1461af32bf27640ddbcde7c3e7a10f194142779e9ed3bba962040812e626a1c # ratchet:us-docker.pkg.dev/ml-oss-artifacts-published/ml-public-container/ml-build:latest steps: - name: Checkout Repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # ratchet:actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v5 with: persist-credentials: false - name: Run benchmarking Bazel tests diff --git a/.github/workflows/check-clang-format-on-error.yaml b/.github/workflows/check-clang-format-on-error.yaml index ec1836bc..6e1af073 100644 --- a/.github/workflows/check-clang-format-on-error.yaml +++ b/.github/workflows/check-clang-format-on-error.yaml @@ -29,7 +29,7 @@ jobs: container: "us-central1-docker.pkg.dev/tensorflow-sigs/tensorflow/ml-build:latest" timeout-minutes: 10 steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: "Run clang-format on error action" diff --git a/.github/workflows/check-clang-format.yaml b/.github/workflows/check-clang-format.yaml index b18a7927..1f8fb26c 100644 --- a/.github/workflows/check-clang-format.yaml +++ b/.github/workflows/check-clang-format.yaml @@ -29,7 +29,7 @@ jobs: container: "us-central1-docker.pkg.dev/tensorflow-sigs/tensorflow/ml-build:latest" timeout-minutes: 10 steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: "Run clang-format action" diff --git a/.github/workflows/generate-dashboard-data.yaml b/.github/workflows/generate-dashboard-data.yaml index 5c35578f..92a7ee97 100644 --- a/.github/workflows/generate-dashboard-data.yaml +++ b/.github/workflows/generate-dashboard-data.yaml @@ -15,10 +15,10 @@ jobs: generate-json: runs-on: ubuntu-latest steps: - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: 1.24.0 - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false # Get values for cache paths t∏o be used in later steps @@ -27,7 +27,7 @@ jobs: echo "go-cache=$(go env GOCACHE)" >> "$GITHUB_OUTPUT" echo "go-mod-cache=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT" - name: Cache go modules - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: | ${{ steps.cache-paths.outputs.go-cache }} @@ -46,10 +46,10 @@ jobs: generate-angular: runs-on: ubuntu-latest steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # ratchet:actions/setup-node@v6.4.0 with: node-version: 20 cache: 'npm' @@ -69,7 +69,7 @@ jobs: mv dist/ci-dashboard/3rdpartylicenses.txt dist/ci-dashboard/browser ls -la dist/ci-dashboard - name: Upload Pages - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # ratchet:actions/upload-artifact@v4 + uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # ratchet:actions/upload-artifact@v4 with: id: deployment path: ci_dashboard/frontend/dist/ci-dashboard/browser @@ -89,7 +89,7 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # ratchet:actions/deploy-pages@v4 + uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # ratchet:actions/deploy-pages@v5.0.0 diff --git a/.github/workflows/python-lint.yml b/.github/workflows/python-lint.yml index 97df8ba1..76ba2082 100644 --- a/.github/workflows/python-lint.yml +++ b/.github/workflows/python-lint.yml @@ -16,17 +16,17 @@ jobs: name: Ruff Lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v4 with: persist-credentials: false - - uses: astral-sh/ruff-action@84f83ecf9e1e15d26b7984c7ec9cf73d39ffc946 # ratchet:astral-sh/ruff-action@v3.3.1 + - uses: astral-sh/ruff-action@0ce1b0bf8b818ef400413f810f8a11cdbda0034b # ratchet:astral-sh/ruff-action@v4.0.0 format: name: Ruff Format runs-on: ubuntu-latest steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v4 with: persist-credentials: false - - uses: astral-sh/ruff-action@84f83ecf9e1e15d26b7984c7ec9cf73d39ffc946 # ratchet:astral-sh/ruff-action@v3.3.1 + - uses: astral-sh/ruff-action@0ce1b0bf8b818ef400413f810f8a11cdbda0034b # ratchet:astral-sh/ruff-action@v4.0.0 with: args: "format --check --diff" diff --git a/.github/workflows/run-benchmarks.yaml b/.github/workflows/run-benchmarks.yaml index 7cba3402..faebc4e5 100644 --- a/.github/workflows/run-benchmarks.yaml +++ b/.github/workflows/run-benchmarks.yaml @@ -115,7 +115,7 @@ jobs: job_id: ${{ steps.gen_job_id.outputs.job_id }} steps: - name: Check out user repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # ratchet:actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6.0.2 with: repository: ${{ github.repository }} ref: ${{ github.sha }} @@ -189,7 +189,7 @@ jobs: echo "::endgroup::" - name: Check out ML actions repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # ratchet:actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6.0.2 with: repository: "google-ml-infra/actions" ref: ${{ steps.resolve_refs.outputs.ml_actions_ref }} @@ -247,7 +247,7 @@ jobs: echo "::endgroup::" - name: Upload matrix JSON artifact - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # ratchet:actions/upload-artifact@v7.0.1 with: name: shard-matrix-${{ steps.gen_job_id.outputs.job_id }} path: ${{ steps.generate.outputs.matrix_json_path }} @@ -275,7 +275,7 @@ jobs: steps: - name: Check out user repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # ratchet:actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6.0.2 with: repository: ${{ github.repository }} # For A/B mode, use the checkout ref. Otherwise fall back to SHA. @@ -298,7 +298,7 @@ jobs: echo "::endgroup::" - name: Check out ML actions repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # ratchet:actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6.0.2 with: repository: "google-ml-infra/actions" ref: ${{ needs.generate_matrix.outputs.ml_actions_ref }} @@ -335,7 +335,7 @@ jobs: - name: Upload workload artifacts if: always() # Uploads even if the workload fails - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # ratchet:actions/upload-artifact@v7.0.1 with: # Format: shard-workload-artifacts-{CONFIG}[-{AB_MODE}]-{JOB_ID}.json name: shard-workload-artifacts-${{ matrix.config_id }}${{ matrix.ab_test_group && format('-{0}', matrix.ab_test_group) || '' }}-${{ needs.generate_matrix.outputs.job_id }} @@ -390,7 +390,7 @@ jobs: echo "::endgroup::" - name: Upload benchmark result - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # ratchet:actions/upload-artifact@v7.0.1 with: # Format: shard-benchmark-result-{CONFIG}[-{AB_MODE}]-{JOB_ID} name: shard-benchmark-result-${{ matrix.config_id }}${{ matrix.ab_test_group && format('-{0}', matrix.ab_test_group) || '' }}-${{ needs.generate_matrix.outputs.job_id }} @@ -454,7 +454,7 @@ jobs: if: inputs.ab_mode == true && !cancelled() steps: - name: Check out ML actions repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # ratchet:actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6.0.2 with: repository: "google-ml-infra/actions" ref: ${{ needs.generate_matrix.outputs.ml_actions_ref }} @@ -462,7 +462,7 @@ jobs: persist-credentials: false - name: Download benchmark results - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # ratchet:actions/download-artifact@v8.0.1 with: # Only download artifacts created in this specific job pattern: shard-benchmark-result-*-${{ needs.generate_matrix.outputs.job_id }} @@ -505,7 +505,7 @@ jobs: echo "::endgroup::" - name: Upload A/B report - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # ratchet:actions/upload-artifact@v7.0.1 with: name: shard-ab-report-${{ needs.generate_matrix.outputs.job_id }} path: ${{ github.workspace }}/ab_report.md @@ -513,7 +513,7 @@ jobs: - name: Post PR comment if: inputs.post_pr_comment == true && github.event_name == 'pull_request' && !cancelled() - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # ratchet:actions/github-script@v7 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # ratchet:actions/github-script@v9.0.0 with: script: | const scriptPath = require('path').resolve('./ml_actions/benchmarking/post_pr_comment/post_pr_comment.js'); @@ -545,7 +545,7 @@ jobs: steps: - name: Check out ML actions repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # ratchet:actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6.0.2 with: repository: "google-ml-infra/actions" ref: ${{ needs.generate_matrix.outputs.ml_actions_ref }} @@ -553,7 +553,7 @@ jobs: persist-credentials: false - name: Download all job artifacts - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # ratchet:actions/download-artifact@v8.0.1 with: pattern: shard-*-${{ needs.generate_matrix.outputs.job_id }} path: raw_artifacts @@ -583,13 +583,13 @@ jobs: echo "::endgroup::" - name: Upload bundled artifacts - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # ratchet:actions/upload-artifact@v7.0.1 with: name: artifacts-${{ needs.generate_matrix.outputs.job_id }} path: final_artifacts/ - name: Delete temporary artifacts - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # ratchet:geekyeggo/delete-artifact@v5 + uses: geekyeggo/delete-artifact@176a747ab7e287e3ff4787bf8a148716375ca118 # ratchet:geekyeggo/delete-artifact@v6.0.0 with: name: shard-*-${{ needs.generate_matrix.outputs.job_id }} useGlob: true diff --git a/.github/workflows/setup-uv-python-test.yaml b/.github/workflows/setup-uv-python-test.yaml index 88bd179c..0c0677fd 100644 --- a/.github/workflows/setup-uv-python-test.yaml +++ b/.github/workflows/setup-uv-python-test.yaml @@ -95,7 +95,7 @@ jobs: runs-on: ${{ matrix.scenario.runner }} steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # ratchet:actions/checkout@v5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v5 with: persist-credentials: false @@ -170,7 +170,7 @@ jobs: FIRST_PYTHON_VERSION: '3.13' SECOND_PYTHON_VERSION: '3.14' steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # ratchet:actions/checkout@v5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v5 with: persist-credentials: false diff --git a/.github/workflows/test-ci-buildifier-on-error.yaml b/.github/workflows/test-ci-buildifier-on-error.yaml index 8e0cd290..fe810af3 100644 --- a/.github/workflows/test-ci-buildifier-on-error.yaml +++ b/.github/workflows/test-ci-buildifier-on-error.yaml @@ -30,7 +30,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/test-ci-buildifier.yaml b/.github/workflows/test-ci-buildifier.yaml index 864f3d22..c7058160 100644 --- a/.github/workflows/test-ci-buildifier.yaml +++ b/.github/workflows/test-ci-buildifier.yaml @@ -30,7 +30,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/wait-for-connection-no-python.yaml b/.github/workflows/wait-for-connection-no-python.yaml index b98c98bb..d1ccfab3 100644 --- a/.github/workflows/wait-for-connection-no-python.yaml +++ b/.github/workflows/wait-for-connection-no-python.yaml @@ -30,7 +30,7 @@ jobs: container: image: ${{ startsWith(matrix.runner, 'linux') && 'us-central1-docker.pkg.dev/tensorflow-sigs/tensorflow/ml-build@sha256:cec01011e627c0fd101c521a8af7c09ce4557ab6dcc9f8678aeb67a3182ed821' || (startsWith(matrix.runner, 'windows') && null) }} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v4 with: persist-credentials: false - name: Echo diff --git a/.github/workflows/wait-for-connection-on-error-test.yaml b/.github/workflows/wait-for-connection-on-error-test.yaml index 32d225dd..4cad30c9 100644 --- a/.github/workflows/wait-for-connection-on-error-test.yaml +++ b/.github/workflows/wait-for-connection-on-error-test.yaml @@ -24,7 +24,7 @@ jobs: container: image: us-central1-docker.pkg.dev/tensorflow-sigs/tensorflow/ml-build:latest@sha256:ca6fff944073ad89676de696f503c1a758bed96c3ce1a258e1d6e545cad37afb # ratchet:us-central1-docker.pkg.dev/tensorflow-sigs/tensorflow/ml-build:latest steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v4 with: persist-credentials: false - name: Fail on purpose diff --git a/.github/workflows/wait-for-connection-test.yaml b/.github/workflows/wait-for-connection-test.yaml index d3d0404c..beb04d27 100644 --- a/.github/workflows/wait-for-connection-test.yaml +++ b/.github/workflows/wait-for-connection-test.yaml @@ -38,7 +38,7 @@ jobs: container: image: ${{ startsWith(matrix.runner, 'linux') && 'us-central1-docker.pkg.dev/tensorflow-sigs/tensorflow/ml-build@sha256:cec01011e627c0fd101c521a8af7c09ce4557ab6dcc9f8678aeb67a3182ed821' || (startsWith(matrix.runner, 'windows') && null) }} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v4 with: persist-credentials: false - name: Echo diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml index 4e50eafb..d87f8a45 100644 --- a/.github/workflows/zizmor.yaml +++ b/.github/workflows/zizmor.yaml @@ -14,17 +14,17 @@ jobs: security-events: write steps: - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Install the latest version of uv - uses: astral-sh/setup-uv@f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb # v6.1.0 + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 - name: Run zizmor run: uvx zizmor --format=sarif . > results.sarif env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: sarif_file: results.sarif category: zizmor