upgrade github actions

fsbraun · fsbraun · commit 285f04f88938 · 2025-10-31T21:02:17.000+01:00
diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
@@ -26,19 +26,27 @@ jobs:
         ]
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         fetch-depth: '2'
 
     - name: Setup Python
-      uses: actions/setup-python@master
+      uses: actions/setup-python@v5
       with:
         python-version: ${{ matrix.python-version }}
     - name: Generate Report
       run: |
         pip install -r tests/requirements/${{ matrix.requirements-file }}
         pip install -e .
         coverage run ./run_tests.py
-    - name: Upload Coverage to Codecov
-      uses: codecov/codecov-action@v3
+    - name: Generate XML report
+      run: |
+        coverage xml
+    - name: Upload coverage artifact (for CI consumption)
+      uses: actions/upload-artifact@v4
+      with:
+        name: coverage-xml-${{ matrix.python-version }}-${{ matrix.requirements-file }}
+        path: coverage.xml
+    # If you need to upload to Codecov, prefer their minimal uploader binary or pin the action by SHA.
+    # Upload to Codecov is intentionally omitted here to avoid unpinned third-party actions.
 
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -38,11 +38,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -53,7 +53,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -67,4 +67,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -12,14 +12,14 @@ jobs:
     name: build
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: '3.9'
           cache: 'pip'
       - name: Cache dependencies
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/.cache/pip
           key: ${{ runner.os }}-pip-${{ hashFiles('docs/requirements.txt') }}
@@ -38,14 +38,14 @@ jobs:
     needs: build
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: '3.9'
           cache: 'pip'
       - name: Cache dependencies
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/.cache/pip
           key: ${{ runner.os }}-pip-${{ hashFiles('docs/requirements.txt') }}
diff --git a/.github/workflows/lint-pr.yml b/.github/workflows/lint-pr.yml
@@ -15,6 +15,16 @@ jobs:
     name: Validate PR title
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@v4
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Validate PR title (Conventional Commits)
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const title = context.payload.pull_request && context.payload.pull_request.title;
+            if (!title) {
+              core.setFailed('No pull request title found.');
+            }
+            // Conventional commit regex (type(scope)?: subject)
+            const re = /^(build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test)(\([\w\-\.]+\))?!?:\s.+/;
+            if (!re.test(title)) {
+              core.setFailed(`PR title is not a valid Conventional Commit: "${title}"`);
+            }
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -13,13 +13,13 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-      - name: Ruff check
-        uses: astral-sh/ruff-action@v3
+      - name: Set up Python
+        uses: actions/setup-python@v5
         with:
-          version: latest
-          args: check .
+          python-version: '3.x'
+      - name: Install Ruff
+        run: python -m pip install --upgrade ruff
+      - name: Ruff check
+        run: ruff check .
       - name: Ruff format (check only)
-        uses: astral-sh/ruff-action@v3
-        with:
-          version: latest
-          args: format --check
+        run: ruff format --check
diff --git a/.github/workflows/publish-to-live-pypi.yml b/.github/workflows/publish-to-live-pypi.yml
@@ -10,9 +10,9 @@ jobs:
     name: Build and publish Python 🐍 distributions 📦 to pypi
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@v4
     - name: Set up Python 3.10
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v5
       with:
         python-version: '3.10'
 
@@ -31,9 +31,12 @@ jobs:
         --outdir dist/
         .
 
+    - name: Install twine
+      run: python -m pip install --upgrade twine
     - name: Publish distribution 📦 to PyPI
       if: startsWith(github.ref, 'refs/tags')
-      uses: pypa/gh-action-pypi-publish@release/v1
-      with:
-        user: __token__
-        password: ${{ secrets.PYPI_API_TOKEN }}
+      env:
+        TWINE_USERNAME: __token__
+        TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+      run: >-
+        python -m twine upload dist/*
diff --git a/.github/workflows/publish-to-test-pypi.yml b/.github/workflows/publish-to-test-pypi.yml
@@ -13,9 +13,9 @@ jobs:
     name: Build and publish Python 🐍 distributions 📦 to TestPyPI
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@v4
     - name: Set up Python 3.10
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v5
       with:
         python-version: '3.10'
 
@@ -34,11 +34,11 @@ jobs:
         --outdir dist/
         .
 
+    - name: Install twine
+      run: python -m pip install --upgrade twine
     - name: Publish distribution 📦 to Test PyPI
-      uses: pypa/gh-action-pypi-publish@release/v1
-      with:
-        user: __token__
-        password: ${{ secrets.TEST_PYPI_API_TOKEN }}
-        repository_url: https://test.pypi.org/legacy/
-        skip_existing: true
-        verbose: true
+      env:
+        TWINE_USERNAME: __token__
+        TWINE_PASSWORD: ${{ secrets.TEST_PYPI_API_TOKEN }}
+      run: >-
+        python -m twine upload --repository-url https://test.pypi.org/legacy/ --skip-existing dist/*
