Bump the github-actions group, remove composite action, pin actions to full length commit SHA (#710)

dependabot[bot] · weiji14 · web-flow · commit e9b050a479b0 · 2025-10-20T14:01:06.000-04:00
Remove composite action, inline into workflows directly: Dependabot did not update the actions/setup-python version in the composite action Pin actions to full length commit SHA version (more secure): Xref [https://docs.zizmor.sh/audits/#unpinned-uses](https://docs.zizmor.sh/audits/#unpinned-uses) and [https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions](https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Wei Ji <23487320+weiji14@users.noreply.github.com>
diff --git a/.github/actions/install-icepyx/action.yml b/.github/actions/install-icepyx/action.yml
diff --git a/.github/workflows/get_pypi_stats.yml b/.github/workflows/get_pypi_stats.yml
@@ -16,7 +16,7 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
     # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         ref: "traffic"
 
@@ -29,7 +29,7 @@ jobs:
 
     # Commits files to repository
     - name: Commit changes
-      uses: EndBug/add-and-commit@v9
+      uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4
       with:
         author_name: learn2phoenix
         message: "Pypi stats auto-update"
diff --git a/.github/workflows/integration_test.yml b/.github/workflows/integration_test.yml
@@ -28,7 +28,7 @@ jobs:
     steps:
       - name: "Fetch user permission"
         id: "permission"
-        uses: "actions-cool/check-user-permission@v2"
+        uses: "actions-cool/check-user-permission@7b90a27f92f3961b368376107661682c441f6103" # v2.3.0
         with:
           require: "write"
           username: "${{ github.triggering_actor }}"
@@ -47,14 +47,20 @@ jobs:
           exit 1
 
       - name: "Checkout source"
-        uses: "actions/checkout@v5"
+        uses: "actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8" # v5.0.0
         with:
           fetch-depth: 0
 
-      - uses: "./.github/actions/install-icepyx"
+      - name: Set up Python
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: "3.12"
 
+      - name: "Install package and test dependencies"
+        run: |
+          python -m pip install .
+          python -m pip install -r requirements-dev.txt
+
       - name: "Run integration tests"
         env:
           EARTHDATA_USERNAME: "icepyx_devteam"
@@ -66,6 +72,6 @@ jobs:
         # pytest icepyx/tests/integration --verbose --cov app -m "[not] downloads_data"
 
       - name: "Upload coverage report"
-        uses: "codecov/codecov-action@v5.5.0"
+        uses: "codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7" # v5.5.1
         with:
           token: "${{ secrets.CODECOV_TOKEN }}"
diff --git a/.github/workflows/linter_actions.yml b/.github/workflows/linter_actions.yml
@@ -9,9 +9,9 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       # Use the Ruff linter to annotate code style / best-practice issues
       # NOTE: More config provided in pyproject.toml
       - name: Lint and annotate PR
-        uses: astral-sh/ruff-action@v3
+        uses: astral-sh/ruff-action@57714a7c8a2e59f32539362ba31877a1957dded1 # v3.5.1
diff --git a/.github/workflows/publish_to_pypi.yml b/.github/workflows/publish_to_pypi.yml
@@ -21,14 +21,14 @@ jobs:
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v5
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         # fetch all history so that setuptools-scm works
         fetch-depth: 0
         persist-credentials: false
 
     - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: '3.11'
 
@@ -52,7 +52,7 @@ jobs:
         ls -lh dist/
 
     - name: Store the distribution packages
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: python-package-distributions
         path: dist/
@@ -72,13 +72,13 @@ jobs:
 
     steps:
     - name: Download all the dists
-      uses: actions/download-artifact@v5
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
       with:
         name: python-package-distributions
         path: dist/
 
     - name: Publish distribution 📦 to TestPyPI
-      uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
+      uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
       with:
         repository-url: https://test.pypi.org/legacy/
 
@@ -96,10 +96,10 @@ jobs:
 
     steps:
     - name: Download all the dists
-      uses: actions/download-artifact@v5
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
       with:
         name: python-package-distributions
         path: dist/
 
     - name: Publish distribution 📦 to PyPI
-      uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
+      uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
diff --git a/.github/workflows/traffic_action.yml b/.github/workflows/traffic_action.yml
@@ -17,7 +17,7 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
     # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         ref: "traffic"
 
@@ -35,7 +35,7 @@ jobs:
 
     # Commits files to repository
     - name: Commit changes
-      uses: EndBug/add-and-commit@v9
+      uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4
       with:
         author_name: Jessica Scheick
         message: "GitHub traffic auto-update"
diff --git a/.github/workflows/typecheck.yml b/.github/workflows/typecheck.yml
@@ -13,11 +13,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: "3.11"
 
@@ -26,4 +26,4 @@ jobs:
           python -m pip install .[complete]
           python -m pip install -r requirements-dev.txt
 
-      - uses: jakebailey/pyright-action@v2
+      - uses: jakebailey/pyright-action@6cabc0f01c4994be48fd45cd9dbacdd6e1ee6e5e # v2.3.3
diff --git a/.github/workflows/uml_action.yml b/.github/workflows/uml_action.yml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           ref: ${{ github.event.pull_request.head.ref }}
       - name: set up environment
@@ -29,7 +29,7 @@ jobs:
           rm ./packages_dev_uml.svg
           mv ./*.svg ./doc/source/user_guide/documentation/
       - name: Commit changes
-        uses: EndBug/add-and-commit@v9
+        uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4
         with:
           author_name: GitHub Action
           message: "GitHub action UML generation auto-update"
diff --git a/.github/workflows/unit_test.yml b/.github/workflows/unit_test.yml
@@ -30,19 +30,25 @@ jobs:
       matrix:
         python-version: ["3.11", "3.13"] #NOTE: min and max Python versions supported by icepyx
     steps:
-      - uses: "actions/checkout@v5"
+      - uses: "actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8" # v5.0.0
         with:
           fetch-depth: 0
 
-      - uses: "./.github/actions/install-icepyx"
+      - name: Set up Python
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: "${{ matrix.python-version }}"
 
+      - name: "Install package and test dependencies"
+        run: |
+          python -m pip install .
+          python -m pip install -r requirements-dev.txt
+
       - name: "Run tests"
         run: |
           pytest icepyx/tests/unit --verbose --cov app
 
       - name: "Upload coverage report"
-        uses: "codecov/codecov-action@v5.5.0"
+        uses: "codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7" # v5.5.1
         with:
           token: "${{ secrets.CODECOV_TOKEN }}"
