diff --git a/.github/dependabot.yml b/.github/dependabot.yml deleted file mode 100644 index b44c39967..000000000 --- a/.github/dependabot.yml +++ /dev/null @@ -1,9 +0,0 @@ -version: 2 -updates: - - - package-ecosystem: "github-actions" - directory: "/" - schedule: - # Check for updates to GitHub Actions every weekday - interval: "daily" - diff --git a/.github/workflows/patch-test.yaml b/.github/workflows/patch-test.yaml index d04289d07..6bbd80637 100644 --- a/.github/workflows/patch-test.yaml +++ b/.github/workflows/patch-test.yaml @@ -17,7 +17,7 @@ jobs: outputs: ghc-matrix: ${{ steps.set-ghc-versions.outputs.ghc-matrix }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - id: set-ghc-versions name: Extract from gen_ghc_bindist run: python .github/extract_from_ghc_bindist.py @@ -34,9 +34,9 @@ jobs: ghc-version: ${{ fromJSON(needs.find-ghc-version.outputs.ghc-matrix) }} runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Mount Bazel cache - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: ~/repo-cache key: repo-cache-${{ runner.os }}-bindist-${{ env.cache-version }} diff --git a/.github/workflows/prepare-release.yaml b/.github/workflows/prepare-release.yaml index 82d92b709..f96cf603c 100644 --- a/.github/workflows/prepare-release.yaml +++ b/.github/workflows/prepare-release.yaml @@ -24,12 +24,12 @@ jobs: exit 1 fi - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: ref: master # only create releases from main branch - name: Read section from CHANGELOG.md id: extract-changelog - uses: sean0x42/markdown-extract@v2 + uses: sean0x42/markdown-extract@4178293dd16a52514b6cb2c01f4d309d264b2736 # v2 with: file: CHANGELOG.md pattern: ${{ inputs.version }} diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index d8cf96237..7db67a00b 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 ref: release diff --git a/.github/workflows/update-ghc.yaml b/.github/workflows/update-ghc.yaml index 73f7ac1d2..a9ea02988 100644 --- a/.github/workflows/update-ghc.yaml +++ b/.github/workflows/update-ghc.yaml @@ -19,10 +19,10 @@ jobs: - '9.10' - '9.12' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: ref: master - - uses: cachix/install-nix-action@v31 + - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31.5.2 with: nix_path: nixpkgs=nixpkgs/default.nix - name: Fetch updates @@ -32,7 +32,7 @@ jobs: 'python .github/update-ghc.py ${{ matrix.ghc }}' - name: Create Pull Request if: steps.ghc_update.outputs.latest != '' - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 with: commit-message: "Add GHC bindist version ${{ steps.ghc_update.outputs.latest }}" title: "[update] GHC ${{ matrix.ghc }}" diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml index bd8bed62b..4eb3c5765 100644 --- a/.github/workflows/workflow.yaml +++ b/.github/workflows/workflow.yaml @@ -20,13 +20,13 @@ jobs: name: Format & Lint runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 - - uses: tweag/configure-bazel-remote-cache-auth@v0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: tweag/configure-bazel-remote-cache-auth@144b0b915f13a418f5eafe2f68d19564ec136c62 # v0.1.1 with: buildbuddy_api_key: ${{ secrets.BUILDBUDDY_API_KEY }} bazelrc_path: .bazelrc.auth - uses: ./.github/actions/set_tcp_keepalive_time - - uses: extractions/netrc@v2 + - uses: extractions/netrc@f6f1722d05ce2890aa86fd9654565b1214ac53a4 # v2 with: machine: api.github.com password: ${{ secrets.GITHUB_TOKEN }} @@ -64,25 +64,25 @@ jobs: env: NIX_SHELL_ARGS: --arg docTools false --argstr ghcVersion ${{ matrix.ghc }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: ./.github/actions/free_disk_space_on_linux - name: Mount Bazel cache - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: ~/repo-cache key: repo-cache-${{ runner.os }}-nixpkgs-${{ env.cache-version }} - - uses: cachix/install-nix-action@v31 + - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31.5.2 with: nix_path: nixpkgs=./nixpkgs/default.nix extra_nix_config: | trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= extra-substituters = https://cache.iog.io - - uses: tweag/configure-bazel-remote-cache-auth@v0 + - uses: tweag/configure-bazel-remote-cache-auth@144b0b915f13a418f5eafe2f68d19564ec136c62 # v0.1.1 with: buildbuddy_api_key: ${{ secrets.BUILDBUDDY_API_KEY }} bazelrc_path: .bazelrc.auth - uses: ./.github/actions/set_tcp_keepalive_time - - uses: extractions/netrc@v2 + - uses: extractions/netrc@f6f1722d05ce2890aa86fd9654565b1214ac53a4 # v2 with: machine: api.github.com password: ${{ secrets.GITHUB_TOKEN }} @@ -101,7 +101,7 @@ jobs: cp .bazelrc.local rules_haskell_tests - name: Build & test - rules_haskell if: matrix.module == 'rules_haskell' - uses: tweag/run-nix-shell@v0 + uses: tweag/run-nix-shell@0d73770bd05096508387d191649e5e858a3c2654 # v0.2.1 with: options: ${{ env.NIX_SHELL_ARGS }} run: | @@ -110,14 +110,14 @@ jobs: bazel build //docs:guide_html - name: Build & test - rules_haskell_nix if: matrix.module == 'rules_haskell_nix' - uses: tweag/run-nix-shell@v0 + uses: tweag/run-nix-shell@0d73770bd05096508387d191649e5e858a3c2654 # v0.2.1 with: options: ${{ env.NIX_SHELL_ARGS }} working-directory: rules_haskell_nix run: bazel test //... - name: Build & test - rules_haskell_tests if: matrix.module == 'rules_haskell_tests' - uses: tweag/run-nix-shell@v0 + uses: tweag/run-nix-shell@0d73770bd05096508387d191649e5e858a3c2654 # v0.2.1 with: options: ${{ env.NIX_SHELL_ARGS }} working-directory: rules_haskell_tests @@ -162,19 +162,19 @@ jobs: GHC_VERSION: ${{ matrix.ghc }} runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: ./.github/actions/free_disk_space_on_linux - name: Mount Bazel cache - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: ~/repo-cache key: repo-cache-${{ runner.os }}-bindist-${{ env.cache-version }} - - uses: tweag/configure-bazel-remote-cache-auth@v0 + - uses: tweag/configure-bazel-remote-cache-auth@144b0b915f13a418f5eafe2f68d19564ec136c62 # v0.1.1 with: buildbuddy_api_key: ${{ secrets.BUILDBUDDY_API_KEY }} bazelrc_path: .bazelrc.auth - uses: ./.github/actions/set_tcp_keepalive_time - - uses: extractions/netrc@v2 + - uses: extractions/netrc@f6f1722d05ce2890aa86fd9654565b1214ac53a4 # v2 with: machine: api.github.com password: ${{ secrets.GITHUB_TOKEN }} @@ -244,7 +244,7 @@ jobs: - name: Upload Logs if: ${{ failure() && steps.collect_logs.conclusion == 'success' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: Logs ${{ matrix.os }} ${{ matrix.module }} ${{ matrix.bzlmod }} path: logs @@ -267,19 +267,19 @@ jobs: USE_BAZEL_VERSION: ${{ matrix.bazel }} runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: ./.github/actions/free_disk_space_on_linux - name: Mount Bazel cache - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: ~/repo-cache key: repo-cache-${{ runner.os }}-bindist-${{ env.cache-version }} - - uses: tweag/configure-bazel-remote-cache-auth@v0 + - uses: tweag/configure-bazel-remote-cache-auth@144b0b915f13a418f5eafe2f68d19564ec136c62 # v0.1.1 with: buildbuddy_api_key: ${{ secrets.BUILDBUDDY_API_KEY }} bazelrc_path: .bazelrc.auth - uses: ./.github/actions/set_tcp_keepalive_time - - uses: extractions/netrc@v2 + - uses: extractions/netrc@f6f1722d05ce2890aa86fd9654565b1214ac53a4 # v2 with: machine: api.github.com password: ${{ secrets.GITHUB_TOKEN }}