feat: pin all actions

artyom-morozov · artyom-morozov · commit 42824333bf46 · 2025-12-02T16:36:01.000-05:00
diff --git a/.github/actions/hatch-lint-test/action.yml b/.github/actions/hatch-lint-test/action.yml
@@ -55,21 +55,21 @@ runs:
         hatch test --python ${{ inputs.max-python-version }}  --cover --parallel --junitxml=junit-${{ inputs.max-python-version }}.xml
 
     - name: Status Check - Unit Tests on default python version
-      uses: mikepenz/action-junit-report@v5
+      uses: mikepenz/action-junit-report@3585e9575db828022551b4231f165eb59a0e74e3 # v5.6.2
       if: hashFiles('junit-default.xml') != ''
       with:
         check_name: Unit Tests on default python version
         report_paths: junit-default.xml
 
     - name: Status Check - Unit Tests on Python ${{ inputs.min-python-version }}
-      uses: mikepenz/action-junit-report@v5
+      uses: mikepenz/action-junit-report@3585e9575db828022551b4231f165eb59a0e74e3 # v5.6.2
       if: hashFiles('junit-${{ inputs.min-python-version }}.xml') != ''
       with:
         check_name: Unit Tests on Python ${{ inputs.min-python-version }}
         report_paths: junit-${{ inputs.min-python-version }}.xml
 
     - name: Status Check - Unit Tests on Python ${{ inputs.max-python-version }}
-      uses: mikepenz/action-junit-report@v5
+      uses: mikepenz/action-junit-report@3585e9575db828022551b4231f165eb59a0e74e3 # v5.6.2
       if: hashFiles('junit-${{ inputs.max-python-version }}.xml') != ''
       with:
         check_name: Unit Tests on Python ${{ inputs.max-python-version }}
diff --git a/.github/actions/hatch-release-pypi/action.yml b/.github/actions/hatch-release-pypi/action.yml
@@ -101,12 +101,43 @@ runs:
       shell: bash
       run: hatch build
 
-    # Publish using Trusted Publishing - no password required
+    # Publish using Trusted Publishing - manual approach for composite action compatibility
     # See: https://docs.pypi.org/trusted-publishers/using-a-publisher/
+    - name: Mint PyPI API token via OIDC
+      id: mint-token
+      shell: bash
+      run: |
+        # Retrieve the ambient OIDC token
+        resp=$(curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+          "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi")
+        oidc_token=$(jq -r '.value' <<< "${resp}")
+
+        if [ -z "$oidc_token" ] || [ "$oidc_token" = "null" ]; then
+          echo "::error::Failed to retrieve OIDC token"
+          exit 1
+        fi
+
+        # Exchange the OIDC token for a PyPI API token
+        resp=$(curl -sS -X POST https://pypi.org/_/oidc/mint-token -d "{\"token\": \"${oidc_token}\"}")
+        api_token=$(jq -r '.token' <<< "${resp}")
+
+        if [ -z "$api_token" ] || [ "$api_token" = "null" ]; then
+          echo "::error::Failed to mint PyPI API token. Response: $resp"
+          exit 1
+        fi
+
+        # Mask the token to prevent leaking
+        echo "::add-mask::${api_token}"
+        echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"
+
     - name: Publish package distributions to PyPI
-      uses: pypa/gh-action-pypi-publish@release/v1
-      with:
-        verbose: true
+      shell: bash
+      env:
+        TWINE_USERNAME: __token__
+        TWINE_PASSWORD: ${{ steps.mint-token.outputs.api-token }}
+      run: |
+        pip install --quiet twine
+        twine upload --verbose dist/*
 
     - name: Push version bump commit to main
       if: ${{ env.SKIP_BUMP == '0' }}
@@ -115,7 +146,7 @@ runs:
         git push
 
     - name: Create Release
-      uses: ncipollo/release-action@v1
+      uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0
       env:
         NEW_VERSION: ${{ env.NEW_VERSION }}
         GITHUB_TOKEN: ${{ inputs.github_token }}
diff --git a/.github/actions/hatch-setup/action.yml b/.github/actions/hatch-setup/action.yml
@@ -59,7 +59,7 @@ runs:
         echo "matrix-present=$MATRIX_PRESENT" >> $GITHUB_OUTPUT
 
     - name: Restore Hatch Directory
-      uses: actions/cache@v4
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       id: cache
       with:
         path: |
@@ -70,7 +70,7 @@ runs:
     - name: Install Python Versions for Hatch Test Matrix
       id: setup-python
       if: steps.test-matrix-present.outputs.matrix-present == 'true'
-      uses: actions/setup-python@v5.5.0
+      uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
       with:
         python-version: |
           ${{ inputs.min-python-version }}
@@ -81,7 +81,7 @@ runs:
     - name: Install Python Version from pyproject.toml
       id: setup-python-default
       if: steps.test-matrix-present.outputs.matrix-present == 'false'
-      uses: actions/setup-python@v5.5.0
+      uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
       with:
         python-version-file: "pyproject.toml"
         cache: "pip"
diff --git a/.github/actions/validate-dependency-conflicts/action.yml b/.github/actions/validate-dependency-conflicts/action.yml
@@ -89,7 +89,7 @@ runs:
 
     - name: Comment on PR with Conflicts
       if: steps.validate.outputs.conflicts-found == 'true' && github.event_name == 'pull_request'
-      uses: actions/github-script@v7
+      uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
       with:
         script: |
           const fs = require('fs');
@@ -147,7 +147,7 @@ runs:
 
     - name: Upload Conflict Report
       if: always()
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: dependency-conflict-report
         path: dependency_conflicts.txt
diff --git a/.github/workflows/hatch_ci.yml b/.github/workflows/hatch_ci.yml
@@ -137,12 +137,12 @@ jobs:
           path: workflows-repo
 
       - name: Setup Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v5.5.0
+        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         with:
           python-version: ${{ matrix.python-version }}
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v4
+        uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4.2.0
         with:
           enable-cache: true
 
@@ -188,7 +188,7 @@ jobs:
         shell: bash
 
       - name: Upload Coverage and Test Results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: coverage-${{ matrix.python-version }}
           path: |
@@ -230,12 +230,12 @@ jobs:
           npm run build
 
       - name: Setup Python for Build
-        uses: actions/setup-python@v5.5.0
+        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         with:
           python-version: ${{ inputs.max-python-version }}
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v4
+        uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4.2.0
         with:
           enable-cache: true
 
@@ -285,7 +285,7 @@ jobs:
           fetch-depth: 0
 
       - name: Download Coverage Artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           pattern: coverage-${{ inputs.max-python-version }}
           path: coverage-data-${{ inputs.max-python-version }}
@@ -353,7 +353,7 @@ jobs:
           path: workflows-repo
 
       - name: Setup Python for Whitesource Scan
-        uses: actions/setup-python@v5.5.0
+        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         with:
           python-version: ${{ inputs.max-python-version }}
           cache: "pip"
diff --git a/.github/workflows/hatch_release_pypi.yml b/.github/workflows/hatch_release_pypi.yml
@@ -117,7 +117,7 @@ jobs:
       commit_hash: ${{ steps.set_commit_hash.outputs.commit_hash }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           fetch-depth: 0
           ssh-key: ${{ secrets.COMMIT_KEY }}
@@ -218,7 +218,7 @@ jobs:
 
       - name: Setup Node.js
         if: inputs.npm_package_path != ''
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: ${{ inputs.node_version }}
           cache: "npm"
@@ -293,7 +293,7 @@ jobs:
         run: hatch build
 
       - name: Publish package distributions to PyPI
-        uses: pypa/gh-action-pypi-publish@v1.13.0
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
         with:
           verbose: true
           password: ${{ secrets.PYPI_TOKEN }}
@@ -304,7 +304,7 @@ jobs:
           git push
 
       - name: Create Release
-        uses: ncipollo/release-action@v1
+        uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0
         env:
           NEW_VERSION: ${{ env.NEW_VERSION }}
         with:
diff --git a/.github/workflows/hatch_release_security_checks.yml b/.github/workflows/hatch_release_security_checks.yml
@@ -70,7 +70,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           fetch-depth: 0
 
