Lingering CI/CD pins, add cooldowns, remove template injections (psf#4906)

Signed-off-by: William Woodruff <[email protected]>

Author: woodruffw

.github/dependabot.yml

@@ -8,9 +8,13 @@ updates:
     schedule:
       interval: "weekly"
     labels: ["skip news", "C: dependencies"]
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "pip"
     directory: "docs/"
     schedule:
       interval: "weekly"
     labels: ["skip news", "C: dependencies", "T: documentation"]
+    cooldown:
+      default-days: 7

.github/workflows/docker.yml

@@ -68,4 +68,6 @@ jobs:
           tags: pyfound/black:latest_prerelease
 
       - name: Image digest
-        run: echo ${{ steps.docker_build.outputs.digest }}
+        run: echo ${STEPS_DOCKER_BUILD_OUTPUTS_DIGEST}
+        env:
+          STEPS_DOCKER_BUILD_OUTPUTS_DIGEST: ${{ steps.docker_build.outputs.digest }}

.github/workflows/pypi_upload.yml

@@ -8,9 +8,7 @@ on:
     branches:
       - main
 
-permissions:
-  contents: read
-  id-token: write # Required for PyPI trusted publishing
+permissions: {}
 
 jobs:
   main:
@@ -21,6 +19,9 @@ jobs:
       name: release
       url: https://pypi.org/p/black
 
+    permissions:
+      id-token: write # Required for PyPI trusted publishing
+
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
@@ -42,7 +43,7 @@ jobs:
 
       - if: github.event_name == 'release'
         name: Publish package distributions to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
         with:
           verbose: true
 
@@ -99,6 +100,8 @@ jobs:
     environment:
       name: release
       url: https://pypi.org/p/black
+    permissions:
+      id-token: write # Required for PyPI trusted publishing
     strategy:
       fail-fast: false
       matrix:
@@ -121,7 +124,7 @@ jobs:
 
       - if: github.event_name == 'release'
         name: Publish package distributions to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
         with:
           packages-dir: wheelhouse/
           verbose: true
@@ -145,5 +148,7 @@ jobs:
       - if: github.event_name == 'release'
         name: Update stable branch to release tag & push
         run: |
-          git reset --hard ${{ github.event.release.tag_name }}
+          git reset --hard "${TAG_NAME}"
           git push
+        env:
+          TAG_NAME: ${{ github.event.release.tag_name }}

action.yml

@@ -64,7 +64,7 @@ runs:
         # Display the raw output in the step
         echo "${out}"
 
-        if [ "${{ inputs.summary }}" == "true" ]; then
+        if [ "${INPUT_SUMMARY}" == "true" ]; then
           # Display the Markdown output in the job summary
           echo "\`\`\`python" >> $GITHUB_STEP_SUMMARY
           echo "${out}" >> $GITHUB_STEP_SUMMARY
@@ -81,6 +81,7 @@ runs:
         INPUT_BLACK_ARGS: ${{ inputs.black_args }}
         INPUT_VERSION: ${{ inputs.version }}
         INPUT_USE_PYPROJECT: ${{ inputs.use_pyproject }}
+        INPUT_SUMMARY: ${{ inputs.summary }}
         OUTPUT_FILE: ${{ inputs.output-file }}
         pythonioencoding: utf-8
       shell: bash