diff --git a/.github/workflows/ci-backend.yml b/.github/workflows/ci-backend.yml index 3203d7291..82c4bb9bd 100644 --- a/.github/workflows/ci-backend.yml +++ b/.github/workflows/ci-backend.yml @@ -21,7 +21,7 @@ jobs: backend_changed: ${{ steps.force.outputs.run_all == 'true' || steps.filter.outputs.backend == 'true' }} steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Decide run mode @@ -49,7 +49,7 @@ jobs: - name: Detect changes id: filter if: steps.force.outputs.run_all != 'true' - uses: dorny/paths-filter@v3.0.2 + uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 with: base: ${{ steps.range.outputs.base }} ref: ${{ steps.range.outputs.ref }} @@ -71,18 +71,18 @@ jobs: fail-fast: false steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Start containers run: | docker compose --file docker/compose/docker-compose.ci-test.yml pull --quiet docker compose --file docker/compose/docker-compose.ci-test.yml up --detach - name: Set up Python id: setup-python - uses: actions/setup-python@v6.2.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "${{ matrix.python-version }}" - name: Install uv - uses: astral-sh/setup-uv@v7.3.1 + uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1 with: version: ${{ env.DEFAULT_UV_VERSION }} enable-cache: true 
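Review bot: Nothing in this change ties each 40-character SHA to the tag named in its trailing comment, starting with `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` in the first Checkout step and continuing through every pin in these workflow files. A SHA that does not match the tag, or one that resolves through the action's repository but belongs to a fork of it, would look the same in review. Confirm each pin against the upstream tag before merging. Consider also letting an update tool, for example Dependabot's `github-actions` ecosystem, maintain both the SHA and the comment so they do not drift apart.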
@@ -119,13 +119,13 @@ jobs: pytest - name: Upload test results to Codecov if: always() - uses: codecov/codecov-action@v5.5.2 + uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2 with: flags: backend-python-${{ matrix.python-version }} files: junit.xml report_type: test_results - name: Upload coverage to Codecov - uses: codecov/codecov-action@v5.5.2 + uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2 with: flags: backend-python-${{ matrix.python-version }} files: coverage.xml @@ -144,14 +144,14 @@ jobs: DEFAULT_PYTHON: "3.12" steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Python id: setup-python - uses: actions/setup-python@v6.2.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "${{ env.DEFAULT_PYTHON }}" - name: Install uv - uses: astral-sh/setup-uv@v7.3.1 + uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1 with: version: ${{ env.DEFAULT_UV_VERSION }} enable-cache: true @@ -173,7 +173,7 @@ jobs: check \ src/ - name: Cache Mypy - uses: actions/cache@v5.0.3 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: path: .mypy_cache # Keyed by OS, Python version, and dependency hashes diff --git a/.github/workflows/ci-docker.yml b/.github/workflows/ci-docker.yml index 2d6da2da9..cc02b48bf 100644 --- a/.github/workflows/ci-docker.yml +++ b/.github/workflows/ci-docker.yml @@ -41,7 +41,7 @@ jobs: ref-name: ${{ steps.ref.outputs.name }} steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Determine ref name id: ref run: | 
@@ -104,9 +104,9 @@ jobs: echo "repository=${repo_name}" echo "name=${repo_name}" >> $GITHUB_OUTPUT - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4.0.0 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Login to GitHub Container Registry - uses: docker/login-action@v4.0.0 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -119,7 +119,7 @@ jobs: sudo rm -rf "$AGENT_TOOLSDIRECTORY" - name: Docker metadata id: docker-meta - uses: docker/metadata-action@v6.0.0 + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 with: images: | ${{ env.REGISTRY }}/${{ steps.repo.outputs.name }} @@ -130,7 +130,7 @@ jobs: type=semver,pattern={{major}}.{{minor}} - name: Build and push by digest id: build - uses: docker/build-push-action@v7.0.0 + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 with: context: . file: ./Dockerfile @@ -152,7 +152,7 @@ jobs: echo "${digest}" > "/tmp/digests/digest-${{ matrix.arch }}.txt" - name: Upload digest if: steps.check-push.outputs.should-push == 'true' - uses: actions/upload-artifact@v7.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: digests-${{ matrix.arch }} path: /tmp/digests/digest-${{ matrix.arch }}.txt @@ -169,7 +169,7 @@ jobs: packages: write steps: - name: Download digests - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: path: /tmp/digests pattern: digest-*.txt 
@@ -179,29 +179,29 @@ jobs: echo "Downloaded digests:" ls -la /tmp/digests/ - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4.0.0 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Login to GitHub Container Registry - uses: docker/login-action@v4.0.0 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Login to Docker Hub if: needs.build-arch.outputs.push-external == 'true' - uses: docker/login-action@v4.0.0 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to Quay.io if: needs.build-arch.outputs.push-external == 'true' - uses: docker/login-action@v4.0.0 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_ROBOT_TOKEN }} - name: Docker metadata id: docker-meta - uses: docker/metadata-action@v6.0.0 + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 with: images: | ${{ env.REGISTRY }}/${{ needs.build-arch.outputs.repository }} diff --git a/.github/workflows/ci-docs.yml b/.github/workflows/ci-docs.yml index 81d31dffe..b14de9627 100644 --- a/.github/workflows/ci-docs.yml +++ b/.github/workflows/ci-docs.yml @@ -23,7 +23,7 @@ jobs: docs_changed: ${{ steps.force.outputs.run_all == 'true' || steps.filter.outputs.docs == 'true' }} steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Decide run mode 
@@ -51,7 +51,7 @@ jobs: - name: Detect changes id: filter if: steps.force.outputs.run_all != 'true' - uses: dorny/paths-filter@v3.0.2 + uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 with: base: ${{ steps.range.outputs.base }} ref: ${{ steps.range.outputs.ref }} @@ -68,16 +68,16 @@ jobs: name: Build Documentation runs-on: ubuntu-24.04 steps: - - uses: actions/configure-pages@v5.0.0 + - uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0 - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Python id: setup-python - uses: actions/setup-python@v6.2.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.DEFAULT_PYTHON_VERSION }} - name: Install uv - uses: astral-sh/setup-uv@v7.3.1 + uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1 with: version: ${{ env.DEFAULT_UV_VERSION }} enable-cache: true @@ -93,7 +93,7 @@ jobs: --frozen \ zensical build --clean - name: Upload GitHub Pages artifact - uses: actions/upload-pages-artifact@v4.0.0 + uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0 with: path: site name: github-pages-${{ github.run_id }}-${{ github.run_attempt }} @@ -107,7 +107,7 @@ jobs: url: ${{ steps.deployment.outputs.page_url }} steps: - name: Deploy GitHub Pages - uses: actions/deploy-pages@v4.0.5 + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5 id: deployment with: artifact_name: github-pages-${{ github.run_id }}-${{ github.run_attempt }} diff --git a/.github/workflows/ci-frontend.yml b/.github/workflows/ci-frontend.yml index bfd2ee5e4..19600b512 100644 --- a/.github/workflows/ci-frontend.yml +++ b/.github/workflows/ci-frontend.yml 
@@ -18,7 +18,7 @@ jobs: frontend_changed: ${{ steps.force.outputs.run_all == 'true' || steps.filter.outputs.frontend == 'true' }} steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Decide run mode @@ -46,7 +46,7 @@ jobs: - name: Detect changes id: filter if: steps.force.outputs.run_all != 'true' - uses: dorny/paths-filter@v3.0.2 + uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 with: base: ${{ steps.range.outputs.base }} ref: ${{ steps.range.outputs.ref }} @@ -61,20 +61,20 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install pnpm - uses: pnpm/action-setup@v4.2.0 + uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 with: version: 10 - name: Use Node.js 24 - uses: actions/setup-node@v6.3.0 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 24.x cache: 'pnpm' cache-dependency-path: 'src-ui/pnpm-lock.yaml' - name: Cache frontend dependencies id: cache-frontend-deps - uses: actions/cache@v5.0.3 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: path: | ~/.pnpm-store 
@@ -89,19 +89,19 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install pnpm - uses: pnpm/action-setup@v4.2.0 + uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 with: version: 10 - name: Use Node.js 24 - uses: actions/setup-node@v6.3.0 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 24.x cache: 'pnpm' cache-dependency-path: 'src-ui/pnpm-lock.yaml' - name: Cache frontend dependencies - uses: actions/cache@v5.0.3 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: path: | ~/.pnpm-store @@ -124,19 +124,19 @@ jobs: shard-count: [4] steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install pnpm - uses: pnpm/action-setup@v4.2.0 + uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 with: version: 10 - name: Use Node.js 24 - uses: actions/setup-node@v6.3.0 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 24.x cache: 'pnpm' cache-dependency-path: 'src-ui/pnpm-lock.yaml' - name: Cache frontend dependencies - uses: actions/cache@v5.0.3 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: path: | ~/.pnpm-store 
@@ -148,13 +148,13 @@ jobs: run: cd src-ui && pnpm run test --max-workers=2 --shard=${{ matrix.shard-index }}/${{ matrix.shard-count }} - name: Upload test results to Codecov if: always() - uses: codecov/codecov-action@v5.5.2 + uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2 with: flags: frontend-node-${{ matrix.node-version }} directory: src-ui/ report_type: test_results - name: Upload coverage to Codecov - uses: codecov/codecov-action@v5.5.2 + uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2 with: flags: frontend-node-${{ matrix.node-version }} directory: src-ui/coverage/ @@ -175,19 +175,19 @@ jobs: shard-count: [2] steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install pnpm - uses: pnpm/action-setup@v4.2.0 + uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 with: version: 10 - name: Use Node.js 24 - uses: actions/setup-node@v6.3.0 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 24.x cache: 'pnpm' cache-dependency-path: 'src-ui/pnpm-lock.yaml' - name: Cache frontend dependencies - uses: actions/cache@v5.0.3 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: path: | ~/.pnpm-store 
@@ -206,21 +206,21 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 2 - name: Install pnpm - uses: pnpm/action-setup@v4.2.0 + uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 with: version: 10 - name: Use Node.js 24 - uses: actions/setup-node@v6.3.0 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 24.x cache: 'pnpm' cache-dependency-path: 'src-ui/pnpm-lock.yaml' - name: Cache frontend dependencies - uses: actions/cache@v5.0.3 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: path: | ~/.pnpm-store diff --git a/.github/workflows/ci-lint.yml b/.github/workflows/ci-lint.yml index c4df7d893..3d37579da 100644 --- a/.github/workflows/ci-lint.yml +++ b/.github/workflows/ci-lint.yml @@ -15,10 +15,10 @@ jobs: runs-on: ubuntu-slim steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install Python - uses: actions/setup-python@v6.2.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.14" - name: Run prek - uses: j178/prek-action@v1.1.1 + uses: j178/prek-action@0bb87d7f00b0c99306c8bcb8b8beba1eb581c037 # v1.1.1 diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml index bbd9e6b09..0eef7eb23 100644 --- a/.github/workflows/ci-release.yml +++ b/.github/workflows/ci-release.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Wait for Docker build - uses: lewagon/wait-on-check-action@v1.5.0 + uses: lewagon/wait-on-check-action@74049309dfeff245fe8009a0137eacf28136cb3c # v1.5.0 with: ref: ${{ github.sha }} check-name: 'Build Docker Image' 
@@ -28,14 +28,14 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # ---- Frontend Build ---- - name: Install pnpm - uses: pnpm/action-setup@v4.2.0 + uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 with: version: 10 - name: Use Node.js 24 - uses: actions/setup-node@v6.3.0 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 24.x cache: 'pnpm' @@ -47,11 +47,11 @@ jobs: # ---- Backend Setup ---- - name: Set up Python id: setup-python - uses: actions/setup-python@v6.2.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.DEFAULT_PYTHON_VERSION }} - name: Install uv - uses: astral-sh/setup-uv@v7.3.1 + uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1 with: version: ${{ env.DEFAULT_UV_VERSION }} enable-cache: true @@ -118,7 +118,7 @@ jobs: sudo chown -R 1000:1000 paperless-ngx/ tar -cJf paperless-ngx.tar.xz paperless-ngx/ - name: Upload release artifact - uses: actions/upload-artifact@v7.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: release path: dist/paperless-ngx.tar.xz @@ -133,7 +133,7 @@ jobs: version: ${{ steps.get-version.outputs.version }} steps: - name: Download release artifact - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: release path: ./ @@ -148,7 +148,7 @@ jobs: fi - name: Create release and changelog id: create-release - uses: release-drafter/release-drafter@v6.2.0 + uses: release-drafter/release-drafter@6db134d15f3909ccc9eefd369f02bd1e9cffdf97 # v6.2.0 with: name: Paperless-ngx ${{ steps.get-version.outputs.version }} tag: ${{ steps.get-version.outputs.version }} 
@@ -159,7 +159,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload release archive - uses: shogo82148/actions-upload-release-asset@v1.9.2 + uses: shogo82148/actions-upload-release-asset@8f6863c6c894ba46f9e676ef5cccec4752723c1e # v1.9.2 with: github_token: ${{ secrets.GITHUB_TOKEN }} upload_url: ${{ steps.create-release.outputs.upload_url }} @@ -176,16 +176,16 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: main - name: Set up Python id: setup-python - uses: actions/setup-python@v6.2.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.DEFAULT_PYTHON_VERSION }} - name: Install uv - uses: astral-sh/setup-uv@v7.3.1 + uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1 with: version: ${{ env.DEFAULT_UV_VERSION }} enable-cache: true @@ -218,7 +218,7 @@ jobs: git commit -am "Changelog ${{ needs.publish-release.outputs.version }} - GHA" git push origin ${{ needs.publish-release.outputs.version }}-changelog - name: Create pull request - uses: actions/github-script@v8.0.0 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const { repo, owner } = context.repo; diff --git a/.github/workflows/cleanup-tags.yml b/.github/workflows/cleanup-tags.yml index bc2ae655f..426554777 100644 --- a/.github/workflows/cleanup-tags.yml +++ b/.github/workflows/cleanup-tags.yml @@ -27,7 +27,7 @@ jobs: steps: - name: Clean temporary images if: "${{ env.TOKEN != '' }}" - uses: stumpylog/image-cleaner-action/ephemeral@v0.12.0 + uses: stumpylog/image-cleaner-action/ephemeral@4fe057d991d63b8f6d5d22c40f17c1bca2226537 # v0.12.0 with: token: "${{ env.TOKEN }}" owner: "${{ github.repository_owner }}" 
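Review bot: The run step at the top of the last ci-release.yml hunk expands `${{ needs.publish-release.outputs.version }}` directly into the shell text of `git commit` and `git push`, so the value is parsed as script rather than passed as data. translate-strings.yml, later in this same change, already routes `github.ref` through `env:` with a comment citing injection avoidance. Where the version value originates is not visible here. If it derives from a tag or branch name, set `env: VERSION: ${{ needs.publish-release.outputs.version }}` on the step and use `"${VERSION}"` in both commands. The step begins above the hunk.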
@@ -53,7 +53,7 @@ jobs: steps: - name: Clean untagged images if: "${{ env.TOKEN != '' }}" - uses: stumpylog/image-cleaner-action/untagged@v0.12.0 + uses: stumpylog/image-cleaner-action/untagged@4fe057d991d63b8f6d5d22c40f17c1bca2226537 # v0.12.0 with: token: "${{ env.TOKEN }}" owner: "${{ github.repository_owner }}" diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 32b1fc638..08c2bc1a2 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -34,10 +34,10 @@ jobs: # Learn more about CodeQL language support at https://git.io/codeql-language-support steps: - name: Checkout repository - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v4.32.5 + uses: github/codeql-action/init@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -45,4 +45,4 @@ jobs: # Prefix the list here with "+" to use these queries and those in the config file. # queries: ./path/to/local/query, your-org/your-repo/queries@main - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4.32.5 + uses: github/codeql-action/analyze@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5 diff --git a/.github/workflows/crowdin.yml b/.github/workflows/crowdin.yml index 63853f6c5..38e73bbb5 100644 --- a/.github/workflows/crowdin.yml +++ b/.github/workflows/crowdin.yml 
@@ -13,11 +13,11 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: token: ${{ secrets.PNGX_BOT_PAT }} - name: crowdin action - uses: crowdin/github-action@v2.15.0 + uses: crowdin/github-action@8818ff65bfc4322384f983ea37e3926948c11745 # v2.15.0 with: upload_translations: false download_translations: true diff --git a/.github/workflows/pr-bot.yml b/.github/workflows/pr-bot.yml index f36e9cd9f..e9f976608 100644 --- a/.github/workflows/pr-bot.yml +++ b/.github/workflows/pr-bot.yml @@ -10,7 +10,7 @@ jobs: issues: read pull-requests: write steps: - - uses: peakoss/anti-slop@v0.2.1 + - uses: peakoss/anti-slop@85daca1880e9e1af197fc06ea03349daf08f4202 # v0.2.1 with: max-failures: 4 failure-add-pr-labels: 'ai' @@ -23,11 +23,11 @@ jobs: steps: - name: Label PR by file path or branch name # see .github/labeler.yml for the labeler config - uses: actions/labeler@v6.0.1 + uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Label by size - uses: Gascon1/pr-size-labeler@v1.3.0 + uses: Gascon1/pr-size-labeler@deff8ed00a76639a7c0f197525bafa3350ba4c36 # v1.3.0 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} xs_label: 'small-change' @@ -37,7 +37,7 @@ jobs: fail_if_xl: 'false' excluded_files: /\.lock$/ /\.txt$/ ^src-ui/pnpm-lock\.yaml$ ^src-ui/messages\.xlf$ ^src/locale/en_US/LC_MESSAGES/django\.po$ - name: Label by PR title - uses: actions/github-script@v8.0.0 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const pr = context.payload.pull_request; 
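Review bot: The Checkout step in crowdin.yml passes `token: ${{ secrets.PNGX_BOT_PAT }}`, and actions/checkout by default keeps that credential available to git for the rest of the job, where the following `crowdin/github-action` step can reach it. Pinning both actions to a SHA narrows who can change the code that runs, but it leaves the PAT's exposure unchanged. If no later step needs to push through git with the PAT, add `persist-credentials: false` under the Checkout step's `with:`. Otherwise a short comment stating why the credential must persist would help the next reviewer. The remainder of the job lies outside the hunk.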
@@ -63,7 +63,7 @@ jobs: } - name: Label bot-generated PRs if: ${{ contains(github.actor, 'dependabot') || contains(github.actor, 'crowdin-bot') }} - uses: actions/github-script@v8.0.0 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const pr = context.payload.pull_request; @@ -88,7 +88,7 @@ jobs: } - name: Welcome comment if: ${{ !contains(github.actor, 'bot') }} - uses: actions/github-script@v8.0.0 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const pr = context.payload.pull_request; diff --git a/.github/workflows/project-actions.yml b/.github/workflows/project-actions.yml index 289a83115..519a1f562 100644 --- a/.github/workflows/project-actions.yml +++ b/.github/workflows/project-actions.yml @@ -19,6 +19,6 @@ jobs: if: github.event_name == 'pull_request_target' && (github.event.action == 'opened' || github.event.action == 'reopened') && github.event.pull_request.user.login != 'dependabot' steps: - name: Label PR with release-drafter - uses: release-drafter/release-drafter@v6.2.0 + uses: release-drafter/release-drafter@6db134d15f3909ccc9eefd369f02bd1e9cffdf97 # v6.2.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/repo-maintenance.yml b/.github/workflows/repo-maintenance.yml index 93d41f5a6..1d4903193 100644 --- a/.github/workflows/repo-maintenance.yml +++ b/.github/workflows/repo-maintenance.yml @@ -15,7 +15,7 @@ jobs: if: github.repository_owner == 'paperless-ngx' runs-on: ubuntu-24.04 steps: - - uses: actions/stale@v10.2.0 + - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0 with: days-before-stale: 7 days-before-close: 14 @@ -37,7 +37,7 @@ jobs: if: github.repository_owner == 'paperless-ngx' runs-on: ubuntu-24.04 steps: - - uses: dessant/lock-threads@v6.0.0 + - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # v6.0.0 with: issue-inactive-days: '30' pr-inactive-days: '30' 
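Review bot: The job condition in project-actions.yml tests `github.event.pull_request.user.login != 'dependabot'`, but Dependabot pull requests are normally authored by `dependabot[bot]`, so the exclusion probably never matches. The `pull_request_target` job, which runs in the base repository's context, would then still run for them. The pr-bot.yml steps on this page use the looser `contains(github.actor, 'dependabot')` and `contains(github.actor, 'bot')`, which accept any login containing that substring. An exact comparison such as `github.event.pull_request.user.login != 'dependabot[bot]'` would state the intent precisely in both files. These conditions are context lines, and the jobs they belong to start outside the hunks.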
@@ -57,7 +57,7 @@ jobs: if: github.repository_owner == 'paperless-ngx' runs-on: ubuntu-24.04 steps: - - uses: actions/github-script@v8.0.0 + - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | function sleep(ms) { @@ -114,7 +114,7 @@ jobs: if: github.repository_owner == 'paperless-ngx' runs-on: ubuntu-24.04 steps: - - uses: actions/github-script@v8.0.0 + - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | function sleep(ms) { @@ -206,7 +206,7 @@ jobs: if: github.repository_owner == 'paperless-ngx' runs-on: ubuntu-24.04 steps: - - uses: actions/github-script@v8.0.0 + - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | function sleep(ms) { diff --git a/.github/workflows/translate-strings.yml b/.github/workflows/translate-strings.yml index 220aee9cc..bfd6cd84e 100644 --- a/.github/workflows/translate-strings.yml +++ b/.github/workflows/translate-strings.yml @@ -11,7 +11,7 @@ jobs: contents: write steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 env: GH_REF: ${{ github.ref }} # sonar rule:githubactions:S7630 - avoid injection with: @@ -19,13 +19,13 @@ jobs: ref: ${{ env.GH_REF }} - name: Set up Python id: setup-python - uses: actions/setup-python@v6.2.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 - name: Install system dependencies run: | sudo apt-get update -qq sudo apt-get install -qq --no-install-recommends gettext - name: Install uv - uses: astral-sh/setup-uv@v7.3.1 + uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1 with: enable-cache: true - name: Install backend python dependencies 
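Review bot: In translate-strings.yml the `Install uv` step passes only `enable-cache: true`, and `Set up Python` has no `with:` block. The actions are now pinned, but the uv and Python versions they install still float unless the repository fixes them elsewhere. The other workflows in this change pass `version: ${{ env.DEFAULT_UV_VERSION }}` and an explicit `python-version`. This job has `contents: write` and later commits generated files, so the same pinning is worth applying here. Add `version: ${{ env.DEFAULT_UV_VERSION }}` under the step's `with:` if this workflow defines that variable, or a literal version otherwise, and set `python-version` likewise.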
@@ -36,18 +36,18 @@ jobs: - name: Generate backend translation strings run: cd src/ && uv run manage.py makemessages -l en_US -i "samples*" - name: Install pnpm - uses: pnpm/action-setup@v4.2.0 + uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 with: version: 10 - name: Use Node.js 24 - uses: actions/setup-node@v6.3.0 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 24.x cache: 'pnpm' cache-dependency-path: 'src-ui/pnpm-lock.yaml' - name: Cache frontend dependencies id: cache-frontend-deps - uses: actions/cache@v5.0.3 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: path: | ~/.pnpm-store @@ -63,7 +63,7 @@ jobs: cd src-ui pnpm run ng extract-i18n - name: Commit changes - uses: stefanzweifel/git-auto-commit-action@v7.1.0 + uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0 with: file_pattern: 'src-ui/messages.xlf src/locale/en_US/LC_MESSAGES/django.po' commit_message: "Auto translate strings"