From 35ad5959b57be078a2d7df486e996f97d0b106ee Mon Sep 17 00:00:00 2001 From: Luca Martini Date: Mon, 25 May 2026 18:39:19 +0200 Subject: [PATCH] ci: pin action SHAs to latest and fix devportal docs publishing --- .../actions/build-documentation/action.yml | 8 +++---- .github/workflows/cd.yaml | 23 +++++++++++-------- .github/workflows/ci.yaml | 17 ++++++++------ .github/workflows/gh-pages.yaml | 7 ++++-- .github/workflows/publish-devportal-docs.yml | 13 ++++++----- pyproject.toml | 2 +- 6 files changed, 41 insertions(+), 29 deletions(-) diff --git a/.github/actions/build-documentation/action.yml b/.github/actions/build-documentation/action.yml index 357049c..bc7e17b 100644 --- a/.github/actions/build-documentation/action.yml +++ b/.github/actions/build-documentation/action.yml @@ -14,7 +14,7 @@ runs: using: "composite" steps: - name: Set up Python 3.12 - uses: actions/setup-python@v5 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: "3.12" cache: "pip" @@ -24,12 +24,12 @@ runs: run: pip install hatch - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: ${{ inputs.node-version }} - name: Setup pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 with: package_json_file: docs/package.json @@ -43,6 +43,6 @@ runs: - name: Upload Pages artifact if: inputs.upload-pages-artifact == 'true' - uses: actions/upload-pages-artifact@v3 + uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5 with: path: docs/dist diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml index 3a1e9a6..a1a4490 100644 --- a/.github/workflows/cd.yaml +++ b/.github/workflows/cd.yaml @@ -26,8 +26,7 @@ on: concurrency: release permissions: - contents: write - packages: read + contents: read jobs: release: 
@@ -42,10 +41,16 @@ jobs: DRY_RUN: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.dry_run == 'true' && '--noop' || '' }} PRERELEASE: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.prerelease || 'true' }} steps: - - uses: actions/checkout@v4 + - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3 + id: app-token + with: + app-id: ${{ secrets.BOT_ID }} + private-key: ${{ secrets.BOT_SK }} + + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 - token: ${{ secrets.GITHUB_TOKEN }} + token: ${{ steps.app-token.outputs.token }} - name: Verify production puyapy and algorand-python dependencies if: ${{ env.PRERELEASE == 'false' }} @@ -75,7 +80,7 @@ jobs: run: pipx install hatch - name: Set up Python 3.12 - uses: actions/setup-python@v5 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: "3.12" cache: "pip" @@ -101,18 +106,18 @@ jobs: - name: Python Semantic Release id: semantic-release if: ${{ github.ref == 'refs/heads/main' }} - uses: python-semantic-release/python-semantic-release@master + uses: python-semantic-release/python-semantic-release@350c48fcb3ffcdfd2e0a235206bc2ecea6b69df0 # v10.5.3 with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.app-token.outputs.token }} prerelease: ${{ env.PRERELEASE == 'true' }} root_options: $DRY_RUN - name: Publish to PyPI if: ${{ !inputs.dry_run && steps.semantic-release.outputs.released == 'true' }} - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 with: packages-dir: dist - - uses: actions/upload-artifact@v4 # upload artifacts so they are retained on the job + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: path: dist diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 58ae855..27fdb4c 100644 
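Review bot: The installation token minted by `create-github-app-token` is passed to `actions/checkout` as `token` without `persist-credentials: false`, so checkout's default keeps it in the clone's git config for the rest of the job, where every later step — the pinned third-party actions included — can read a credential that can push to this repository. The semantic-release step already gets the same token through its own `github_token` input (next hunk), so the persisted copy is only needed if python-semantic-release pushes with the remote's stored credentials rather than that input; verify which, and if the input is enough add `persist-credentials: false` under `with:` on the checkout step. Independently, the token can be narrowed when it is minted with `permission-contents: write` on the `create-github-app-token` step so it carries only what the release push needs instead of the app's full grant. The `release` job's header and its own `permissions` block, if any, are outside this hunk.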
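Review bot: The explanatory comment on the `upload-artifact` step (`# upload artifacts so they are retained on the job`) was dropped when the tag was replaced with the SHA and only `# v7` survives; keep it as a line above the step, `# upload artifacts so they are retained on the job`, since the SHA comment now occupies the inline slot. The pins in this hunk are also inconsistent in what they record: `# v10.5.3` and `# v1.14.0` name the exact tag, while the `actions/*` pins in this and the other workflows give only `# v6` / `# v7`. Writing the exact tag next to every SHA makes it clear what each pinned commit corresponds to and lets update tooling match the comment to the ref.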
--- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -6,15 +6,18 @@ on: schedule: - cron: "0 8 * * 1" # Each monday 8 AM UTC +permissions: + contents: read + jobs: check-python: runs-on: "ubuntu-latest" steps: - name: Checkout source code - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Python 3.12 - uses: actions/setup-python@v5 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: "3.12" cache: "pip" @@ -23,12 +26,12 @@ jobs: run: pip install hatch - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: "22.x" - name: Setup pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 with: package_json_file: docs/package.json @@ -63,10 +66,10 @@ jobs: python-version: ["3.12", "3.13"] steps: - name: Checkout source code - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ matrix.python-version }} cache: "pip" @@ -84,7 +87,7 @@ jobs: run: hatch run examples.py${{ matrix.python-version }}:tests - name: Upload coverage artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: ${{ matrix.python-version == '3.13' }} with: name: coverage-reports diff --git a/.github/workflows/gh-pages.yaml b/.github/workflows/gh-pages.yaml index 56f1a8e..c6d74e9 100644 --- a/.github/workflows/gh-pages.yaml +++ b/.github/workflows/gh-pages.yaml @@ -4,6 +4,9 @@ on: workflow_call: workflow_dispatch: +permissions: + contents: read + jobs: build-and-publish-docs: runs-on: ubuntu-latest 
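Review bot: The new workflow-level `permissions: contents: read` in gh-pages.yaml does not reach `build-and-publish-docs`, because that job declares its own `permissions` block (the `id-token: write` context in the next hunk), and a job-level block replaces the workflow-level one entirely rather than merging with it. The addition is still harmless as a default for any job added later, but if the intent was to tighten the deploy job, the per-job block is the only place that takes effect. A one-line comment above the new block, `# default for jobs that do not declare their own permissions`, would record that the deploy job is governed by its own block.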
@@ -13,7 +16,7 @@ jobs: id-token: write steps: - name: Checkout source code - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Build and upload docs artifact uses: ./.github/actions/build-documentation @@ -22,4 +25,4 @@ jobs: upload-pages-artifact: 'true' - name: Deploy to GitHub Pages - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5 diff --git a/.github/workflows/publish-devportal-docs.yml b/.github/workflows/publish-devportal-docs.yml index 21142f4..e58d58a 100644 --- a/.github/workflows/publish-devportal-docs.yml +++ b/.github/workflows/publish-devportal-docs.yml @@ -3,6 +3,7 @@ name: Publish DevPortal Docs on: workflow_dispatch: push: + branches: [main] tags: ['v*'] permissions: @@ -12,17 +13,17 @@ jobs: publish-docs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: actions/setup-node@v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: - node-version: 22 + node-version: 24.x - - uses: pnpm/action-setup@v4 + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 with: package_json_file: docs/package.json - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: '3.12' cache: pip @@ -34,6 +35,6 @@ jobs: run: hatch run docs:api - name: Publish DevPortal Docs - uses: algorandfoundation/devportal/.github/actions/publish-devportal-docs@ci/update-publish-devportal-docs-workflow + uses: algorandfoundation/devportal/.github/actions/publish-devportal-docs@release/ak-v4 with: docs-dir: docs diff --git a/pyproject.toml b/pyproject.toml index fc54a1b..967b86f 100644 --- a/pyproject.toml +++ b/pyproject.toml 
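Review bot: Adding `branches: [main]` beside `tags: ['v*']` under `push` makes the workflow run for pushes to main as well as for version tags, so a release that pushes a version commit to main and a `v*` tag together can start two publish runs in parallel. No `concurrency` key is visible in this hunk (the workflow header continues outside it); unless the devportal publish action is known to be safe to run concurrently, a `concurrency: publish-devportal-docs` entry at the workflow level would serialize them. Whether the release commit itself triggers this run at all also depends on the skip trailer introduced in the pyproject.toml hunk.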
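Review bot: `node-version` moves to `24.x` here while ci.yaml's `check-python` job still sets up `22.x` for the same `docs/package.json`, so CI no longer exercises the Node major that the publish job builds with. Either bump ci.yaml (and whatever passes `node-version` to the build-documentation action) to match, or keep both on one version so a docs build failure is caught before publishing. The step also uses `python-version: '3.12'` and bare `cache: pip` where the other workflows write `"3.12"` and `"pip"`; the values parse the same, but one quoting style across the workflows is easier to grep and diff.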
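Review bot: `publish-devportal-docs@release/ak-v4` is still a mutable branch reference, the only `uses:` in this commit not moved to a full commit SHA, and it is the step that receives the checked-out docs and whatever credential it publishes with; a branch can be moved or force-pushed without any change in this repository. Pin it like the rest, `uses: algorandfoundation/devportal/.github/actions/publish-devportal-docs@<COMMIT_SHA_PLACEHOLDER> # release/ak-v4`, keeping the branch name in the comment so the intended line of development stays visible, and advance the SHA deliberately when the upstream action changes.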
@@ -335,7 +335,7 @@ pythonpath = ['src'] [tool.semantic_release] version_toml = ["pyproject.toml:project.version"] build_command = "pip install hatch && hatch build" -commit_message = "{version}\n\n[skip ci]" +commit_message = "{version}\n\nskip-checks: true" tag_format = "v{version}" major_on_zero = true
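Review bot: GitHub treats both `[skip ci]` and the `skip-checks: true` trailer as markers that suppress push-triggered workflows, so if this swap is meant to let the devportal docs workflow (now also triggered on pushes to main) run on the version commit, that should be confirmed with a dry run rather than assumed. As I read GitHub's skipping-workflow-runs documentation, the trailer form is described as the commit message ending with two empty lines before `skip-checks: true`, while `{version}\n\nskip-checks: true` leaves one; worth checking that the trailer is recognized in this shape. If the goal is only to keep the version bump from re-running CI, a comment above the key, `# skip-checks trailer keeps the release commit from triggering push workflows`, would record why this form was chosen over `[skip ci]`.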