Merge branch 'main' into dependabot/pip/importlib-metadata-8.7.0

Author: eleanorjboyd

.github/actions/build-vsix/action.yml

@@ -54,8 +54,10 @@ runs:
       shell: bash
 
     - name: Add Rustup target
-      run: rustup target add ${{ inputs.cargo_target }}
+      run: rustup target add "${CARGO_TARGET}"
       shell: bash
+      env:
+        CARGO_TARGET: ${{ inputs.cargo_target }}
 
     - name: Build Native Binaries
       run: nox --session native_build
@@ -68,8 +70,15 @@ runs:
       shell: bash
 
     - name: Update optional extension dependencies
-      run: npm run addExtensionPackDependencies
+      run: |
+        if [[ "${VSIX_NAME}" == *"insiders"* ]]; then
+        npm run addExtensionPackDependenciesPreRelease
+        else
+        npm run addExtensionPackDependencies
+        fi
       shell: bash
+      env:
+        VSIX_NAME: ${{ inputs.vsix_name }}
 
     - name: Build Webpack
       run: |
@@ -78,13 +87,17 @@ runs:
       shell: bash
 
     - name: Build VSIX
-      run: npx vsce package --target ${{ inputs.vsix_target }} --out ms-python-insiders.vsix --pre-release
+      run: npx vsce package --target "${VSIX_TARGET}" --out ms-python-insiders.vsix --pre-release
       shell: bash
+      env:
+        VSIX_TARGET: ${{ inputs.vsix_target }}
 
     - name: Rename VSIX
       # Move to a temp name in case the specified name happens to match the default name.
-      run: mv ms-python-insiders.vsix ms-python-temp.vsix && mv ms-python-temp.vsix ${{ inputs.vsix_name }}
+      run: mv ms-python-insiders.vsix ms-python-temp.vsix && mv ms-python-temp.vsix "${VSIX_NAME}"
       shell: bash
+      env:
+        VSIX_NAME: ${{ inputs.vsix_name }}
 
     - name: Upload VSIX
       uses: actions/upload-artifact@v4

.github/actions/smoke-tests/action.yml

@@ -32,7 +32,7 @@ runs:
       shell: bash
 
     - name: Install Python requirements
-      uses: brettcannon/pip-secure-install@v1
+      uses: brettcannon/pip-secure-install@92f400e3191171c1858cc0e0d9ac6320173fdb0c # v1.0.0
       with:
         options: '-t ./python_files/lib/python --implementation py'
 
@@ -61,6 +61,6 @@ runs:
       env:
         DISPLAY: 10
         INSTALL_JUPYTER_EXTENSION: true
-      uses: GabrielBB/[email protected]
+      uses: GabrielBB/xvfb-action@b706e4e27b14669b486812790492dc50ca16b465 # v1.7
       with:
         run: node --no-force-async-hooks-checks ./out/test/smokeTest.js

.github/release_plan.md

@@ -40,7 +40,7 @@ NOTE: the number of this release is in the issue title and can be substituted in
 -   [ ] Update `pet`:
     -  [ ] Go to the [pet](https://github.com/microsoft/python-environment-tools) repo and check `main` and latest `release/*` branch. If there are new changes in `main` then create a branch called `release/YYYY.minor` (matching python extension release `major.minor`).
     -  [ ] Update `build\azure-pipeline.stable.yml` to point to the latest `release/YYYY.minor` for `python-environment-tools`.
--   [ ] Change the version in `package.json` to the next **even** number and switch the `-dev` to `-rc`. (🤖)
+-   [ ] Change the version in `package.json` to the next **even** number. (🤖)
 -   [ ] Run `npm install` to make sure `package-lock.json` is up-to-date _(you should now see changes to the `package.json` and `package-lock.json` at this point which update the version number **only**)_. (🤖)
 -   [ ] Update `ThirdPartyNotices-Repository.txt` as appropriate. You can check by looking at the [commit history](https://github.com/microsoft/vscode-python/commits/main) and scrolling through to see if there's anything listed there which might have pulled in some code directly into the repository from somewhere else. If you are still unsure you can check with the team.
 -   [ ] Create a PR from your branch  **`bump-release-[YYYY.minor]`** to `main`. Add the `"no change-log"` tag to the PR so it does not show up on the release notes before merging it.
@@ -64,7 +64,7 @@ NOTE: If there are release branches that are two versions old you can delete the
 ### Step 4: Return `main` to dev and unfreeze (❄️ ➡ 💧)
 NOTE: The purpose of this step is ensuring that main always is on a dev version number for every night's 🌃 pre-release. Therefore it is imperative that you do this directly after the previous steps to reset the version in main to a dev version **before** a pre-release goes out.
 -   [ ] Create a branch called **`bump-dev-version-YYYY.[minor+1]`**.
--   [ ] Bump the minor version number in the `package.json` to the next `YYYY.[minor+1]` which will be an odd number, and switch the `-rc` to `-dev`.(🤖)
+-   [ ] Bump the minor version number in the `package.json` to the next `YYYY.[minor+1]` which will be an odd number, and add `-dev`.(🤖)
 -   [ ] Run `npm install` to make sure `package-lock.json` is up-to-date _(you should now see changes to the `package.json` and `package-lock.json` only relating to the new version number)_ . (🤖)
 -   [ ] Create a PR from this branch against `main` and merge it.
 
@@ -83,12 +83,6 @@ NOTE: this PR should make all CI relating to `main` be passing again (such as th
 ### Step 6: Take the release branch from a candidate to the finalized release
 -   [ ] Make sure the [appropriate pull requests](https://github.com/microsoft/vscode-docs/pulls) for the [documentation](https://code.visualstudio.com/docs/python/python-tutorial) -- including the [WOW](https://code.visualstudio.com/docs/languages/python) page -- are ready.
 -   [ ] Check to make sure any final updates to the **`release/YYYY.minor`** branch have been merged.
--   [ ] Create a branch against  **`release/YYYY.minor`** called **`finalized-release-[YYYY.minor]`**.
--   [ ] Update the version in `package.json` to remove the `-rc` (🤖) from the version.
--   [ ] Run `npm install` to make sure `package-lock.json` is up-to-date _(the only update should be the version number if `package-lock.json` has been kept up-to-date)_. (🤖)
--   [ ] Update `ThirdPartyNotices-Repository.txt` manually if necessary.
--   [ ] Create a PR from **`finalized-release-[YYYY.minor]`** against `release/YYYY.minor` and merge it.
-
 
 ### Step 7: Execute the Release
 -   [ ] Make sure CI is passing for **`release/YYYY.minor`** release branch (🤖).

.github/workflows/build.yml

@@ -8,8 +8,10 @@ on:
       - 'release/*'
       - 'release-*'
 
+permissions: {}
+
 env:
-  NODE_VERSION: 20.18.0
+  NODE_VERSION: 20.18.1
   PYTHON_VERSION: '3.10' # YML treats 3.10 the number as 3.1, so quotes around 3.10
   # Force a path with spaces and to test extension works in these scenarios
   # Unicode characters are causing 2.7 failures so skip that for now.
@@ -83,12 +85,15 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Checkout Python Environment Tools
         uses: actions/checkout@v4
         with:
           repository: 'microsoft/python-environment-tools'
           path: 'python-env-tools'
+          persist-credentials: false
           sparse-checkout: |
             crates
             Cargo.toml
@@ -111,6 +116,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Lint
         uses: ./.github/actions/lint
@@ -129,14 +136,16 @@ jobs:
 
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install core Python requirements
-        uses: brettcannon/pip-secure-install@v1
+        uses: brettcannon/pip-secure-install@92f400e3191171c1858cc0e0d9ac6320173fdb0c # v1.0.0
         with:
           options: '-t ./python_files/lib/python --no-cache-dir --implementation py'
 
       - name: Install Jedi requirements
-        uses: brettcannon/pip-secure-install@v1
+        uses: brettcannon/pip-secure-install@92f400e3191171c1858cc0e0d9ac6320173fdb0c # v1.0.0
         with:
           requirements-file: './python_files/jedilsp_requirements/requirements.txt'
           options: '-t ./python_files/lib/jedilsp --no-cache-dir --implementation py'
@@ -146,7 +155,7 @@ jobs:
           python -m pip install --upgrade -r build/test-requirements.txt
 
       - name: Run Pyright
-        uses: jakebailey/pyright-action@v2
+        uses: jakebailey/pyright-action@b5d50e5cde6547546a5c4ac92e416a8c2c1a1dfe # v2.3.2
         with:
           version: 1.1.308
           working-directory: 'python_files'
@@ -172,14 +181,15 @@ jobs:
         uses: actions/checkout@v4
         with:
           path: ${{ env.special-working-directory-relative }}
+          persist-credentials: false
 
       - name: Use Python ${{ matrix.python }}
         uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python }}
 
       - name: Install base Python requirements
-        uses: brettcannon/pip-secure-install@v1
+        uses: brettcannon/pip-secure-install@92f400e3191171c1858cc0e0d9ac6320173fdb0c # v1.0.0
         with:
           requirements-file: '"${{ env.special-working-directory-relative }}/requirements.txt"'
           options: '-t "${{ env.special-working-directory-relative }}/python_files/lib/python" --no-cache-dir --implementation py'
@@ -211,12 +221,14 @@ jobs:
         uses: actions/checkout@v4
         with:
           path: ${{ env.special-working-directory-relative }}
+          persist-credentials: false
 
       - name: Checkout Python Environment Tools
         uses: actions/checkout@v4
         with:
           repository: 'microsoft/python-environment-tools'
           path: ${{ env.special-working-directory-relative }}/python-env-tools
+          persist-credentials: false
           sparse-checkout: |
             crates
             Cargo.toml
@@ -358,7 +370,7 @@ jobs:
         env:
           TEST_FILES_SUFFIX: testvirtualenvs
           CI_PYTHON_VERSION: ${{ matrix.python }}
-        uses: GabrielBB/[email protected]
+        uses: GabrielBB/xvfb-action@b706e4e27b14669b486812790492dc50ca16b465 # v1.7
         with:
           run: npm run testSingleWorkspace
           working-directory: ${{ env.special-working-directory }}
@@ -367,7 +379,7 @@ jobs:
       - name: Run single-workspace tests
         env:
           CI_PYTHON_VERSION: ${{ matrix.python }}
-        uses: GabrielBB/[email protected]
+        uses: GabrielBB/xvfb-action@b706e4e27b14669b486812790492dc50ca16b465 # v1.7
         with:
           run: npm run testSingleWorkspace
           working-directory: ${{ env.special-working-directory }}
@@ -376,7 +388,7 @@ jobs:
       - name: Run multi-workspace tests
         env:
           CI_PYTHON_VERSION: ${{ matrix.python }}
-        uses: GabrielBB/[email protected]
+        uses: GabrielBB/xvfb-action@b706e4e27b14669b486812790492dc50ca16b465 # v1.7
         with:
           run: npm run testMultiWorkspace
           working-directory: ${{ env.special-working-directory }}
@@ -385,7 +397,7 @@ jobs:
       - name: Run debugger tests
         env:
           CI_PYTHON_VERSION: ${{ matrix.python }}
-        uses: GabrielBB/[email protected]
+        uses: GabrielBB/xvfb-action@b706e4e27b14669b486812790492dc50ca16b465 # v1.7
         with:
           run: npm run testDebugger
           working-directory: ${{ env.special-working-directory }}
@@ -415,12 +427,15 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Checkout Python Environment Tools
         uses: actions/checkout@v4
         with:
           repository: 'microsoft/python-environment-tools'
           path: ${{ env.special-working-directory-relative }}/python-env-tools
+          persist-credentials: false
           sparse-checkout: |
             crates
             Cargo.toml

.github/workflows/codeql-analysis.yml

@@ -37,6 +37,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

.github/workflows/community-feedback-auto-comment.yml

@@ -12,7 +12,7 @@ jobs:
       issues: write
     steps:
       - name: Check For Existing Comment
-        uses: peter-evans/find-comment@v3
+        uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
         id: finder
         with:
           issue-number: ${{ github.event.issue.number }}
@@ -21,7 +21,7 @@ jobs:
 
       - name: Add Community Feedback Comment
         if: steps.finder.outputs.comment-id == ''
-        uses: peter-evans/create-or-update-comment@v4
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
         with:
           issue-number: ${{ github.event.issue.number }}
           body: |

.github/workflows/gen-issue-velocity.yml

@@ -5,13 +5,18 @@ on:
     - cron: '0 0 * * 2' # Runs every Tuesday at midnight
   workflow_dispatch:
 
+permissions:
+  issues: read
+
 jobs:
   generate-summary:
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Python
         uses: actions/setup-python@v5

.github/workflows/info-needed-closer.yml

@@ -18,6 +18,7 @@ jobs:
         with:
           repository: 'microsoft/vscode-github-triage-actions'
           path: ./actions
+          persist-credentials: false
           ref: stable
       - name: Install Actions
         run: npm install --production --prefix ./actions

.github/workflows/issue-labels.yml

@@ -22,6 +22,7 @@ jobs:
           repository: 'microsoft/vscode-github-triage-actions'
           ref: stable
           path: ./actions
+          persist-credentials: false
 
       - name: Install Actions
         run: npm install --production --prefix ./actions

.github/workflows/lock-issues.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Lock Issues'
-        uses: dessant/lock-threads@v5
+        uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1
         with:
           github-token: ${{ github.token }}
           issue-inactive-days: '30'