https://github.com/python/cpython/commit/45c92206ebc984228d89e98d690090c8b7565fd8
commit: 45c92206ebc984228d89e98d690090c8b7565fd8
branch: 3.13
author: William Woodruff <[email protected]>
committer: hugovk <[email protected]>
date: 2026-04-02T08:49:07+03:00
summary:
[3.13] gh-146488: hash-pin all action references (gh-146489) (#147981)
files:
M .github/workflows/add-issue-header.yml
M .github/workflows/build.yml
M .github/workflows/documentation-links.yml
M .github/workflows/jit.yml
M .github/workflows/lint.yml
M .github/workflows/mypy.yml
M .github/workflows/new-bugs-announce-notifier.yml
M .github/workflows/project-updater.yml
M .github/workflows/require-pr-label.yml
M .github/workflows/reusable-cifuzz.yml
M .github/workflows/reusable-context.yml
M .github/workflows/reusable-docs.yml
M .github/workflows/reusable-macos.yml
M .github/workflows/reusable-san.yml
M .github/workflows/reusable-ubuntu.yml
M .github/workflows/reusable-wasi.yml
M .github/workflows/reusable-windows-msi.yml
M .github/workflows/reusable-windows.yml
M .github/workflows/stale.yml
M .github/workflows/verify-ensurepip-wheels.yml
M .github/workflows/verify-expat.yml
M .github/zizmor.yml
diff --git a/.github/workflows/add-issue-header.yml
b/.github/workflows/add-issue-header.yml
index c404bc519300e2..8a8571eedd1c77 100644
--- a/.github/workflows/add-issue-header.yml
+++ b/.github/workflows/add-issue-header.yml
@@ -20,7 +20,7 @@ jobs:
issues: write
timeout-minutes: 5
steps:
- - uses: actions/github-script@v8
+ - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #
v8.0.0
with:
# language=JavaScript
script: |
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a95a1f233c4af0..96d41bb7218269 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -55,10 +55,10 @@ jobs:
needs: build-context
if: needs.build-context.outputs.run-tests == 'true'
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
with:
persist-credentials: false
- - uses: actions/setup-python@v6
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #
v6.2.0
- name: Install dependencies
run: |
sudo ./.github/workflows/posix-deps-apt.sh
@@ -87,7 +87,7 @@ jobs:
if: ${{ failure() && steps.check.conclusion == 'failure' }}
run: |
make regen-abidump
- - uses: actions/upload-artifact@v6
+ - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
# v6.0.0
name: Publish updated ABI files
if: ${{ failure() && steps.check.conclusion == 'failure' }}
with:
@@ -109,7 +109,7 @@ jobs:
run: |
apt update && apt install git -yq
git config --global --add safe.directory "$GITHUB_WORKSPACE"
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
with:
fetch-depth: 1
persist-credentials: false
@@ -146,10 +146,10 @@ jobs:
needs: build-context
if: needs.build-context.outputs.run-tests == 'true'
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
with:
persist-credentials: false
- - uses: actions/setup-python@v6
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #
v6.2.0
with:
python-version: '3.x'
- name: Runner image version
@@ -299,7 +299,7 @@ jobs:
OPENSSL_DIR: ${{ github.workspace }}/multissl/openssl/${{
matrix.openssl_ver }}
LD_LIBRARY_PATH: ${{ github.workspace }}/multissl/openssl/${{
matrix.openssl_ver }}/lib
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Runner image version
@@ -315,7 +315,7 @@ jobs:
echo
"LD_LIBRARY_PATH=${GITHUB_WORKSPACE}/multissl/openssl/${OPENSSL_VER}/lib" >>
"$GITHUB_ENV"
- name: 'Restore OpenSSL build'
id: cache-openssl
- uses: actions/cache@v5
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: ./multissl/openssl/${{ env.OPENSSL_VER }}
key: ${{ matrix.os }}-multissl-openssl-${{ env.OPENSSL_VER }}
@@ -347,7 +347,7 @@ jobs:
runs-on: ${{ matrix.runs-on }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
with:
persist-credentials: false
- name: Build and test
@@ -369,7 +369,7 @@ jobs:
OPENSSL_VER: 3.0.18
PYTHONSTRICTEXTENSIONBUILD: 1
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Register gcc problem matcher
@@ -383,7 +383,7 @@ jobs:
echo
"LD_LIBRARY_PATH=${GITHUB_WORKSPACE}/multissl/openssl/${OPENSSL_VER}/lib" >>
"$GITHUB_ENV"
- name: 'Restore OpenSSL build'
id: cache-openssl
- uses: actions/cache@v5
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: ./multissl/openssl/${{ env.OPENSSL_VER }}
key: ${{ runner.os }}-multissl-openssl-${{ env.OPENSSL_VER }}
@@ -429,7 +429,7 @@ jobs:
./python -m venv "$VENV_LOC" && "$VENV_PYTHON" -m pip install -r
"${GITHUB_WORKSPACE}/Tools/requirements-hypothesis.txt"
- name: 'Restore Hypothesis database'
id: cache-hypothesis-database
- uses: actions/cache@v5
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: ${{ env.CPYTHON_BUILDDIR }}/.hypothesis/
key: hypothesis-database-${{ github.head_ref || github.run_id }}
@@ -456,7 +456,7 @@ jobs:
-x test_subprocess \
-x test_signal \
-x test_sysconfig
- - uses: actions/upload-artifact@v6
+ - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f #
v6.0.0
if: always()
with:
name: hypothesis-example-db
@@ -477,7 +477,7 @@ jobs:
PYTHONSTRICTEXTENSIONBUILD: 1
ASAN_OPTIONS: detect_leaks=0:allocator_may_return_null=1:handle_segv=0
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Runner image version
@@ -487,7 +487,7 @@ jobs:
- name: Install dependencies
run: sudo ./.github/workflows/posix-deps-apt.sh
- name: Set up GCC-10 for ASAN
- uses: egor-tensin/setup-gcc@v2
+ uses: egor-tensin/setup-gcc@a2861a8b8538f49cf2850980acccf6b05a1b2ae4 #
v2.0
with:
version: 10
- name: Configure OpenSSL env vars
@@ -497,7 +497,7 @@ jobs:
echo
"LD_LIBRARY_PATH=${GITHUB_WORKSPACE}/multissl/openssl/${OPENSSL_VER}/lib" >>
"$GITHUB_ENV"
- name: 'Restore OpenSSL build'
id: cache-openssl
- uses: actions/cache@v5
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: ./multissl/openssl/${{ env.OPENSSL_VER }}
key: ${{ matrix.os }}-multissl-openssl-${{ env.OPENSSL_VER }}
diff --git a/.github/workflows/documentation-links.yml
b/.github/workflows/documentation-links.yml
index a09a30587b35eb..19314dd0c889b0 100644
--- a/.github/workflows/documentation-links.yml
+++ b/.github/workflows/documentation-links.yml
@@ -22,7 +22,7 @@ jobs:
timeout-minutes: 5
steps:
- - uses: readthedocs/actions/preview@v1
+ - uses:
readthedocs/actions/preview@b8bba1484329bda1a3abe986df7ebc80a8950333 # v1.5
with:
project-slug: "cpython-previews"
single-version: "true"
diff --git a/.github/workflows/jit.yml b/.github/workflows/jit.yml
index ffd49ca2834ee4..ba26379bc8cb1e 100644
--- a/.github/workflows/jit.yml
+++ b/.github/workflows/jit.yml
@@ -34,7 +34,7 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 90
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
with:
persist-credentials: false
- name: Build tier two interpreter
@@ -107,10 +107,10 @@ jobs:
env:
CC: ${{ matrix.compiler }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
with:
persist-credentials: false
- - uses: actions/setup-python@v6
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #
v6.2.0
with:
python-version: '3.11'
@@ -174,10 +174,10 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 90
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
with:
persist-credentials: false
- - uses: actions/setup-python@v6
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #
v6.2.0
with:
python-version: '3.11'
- name: Build with JIT enabled and GIL disabled
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 0ded53b00da0ef..e9a4eb2b0808cb 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -19,7 +19,7 @@ jobs:
timeout-minutes: 10
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
with:
persist-credentials: false
- - uses: j178/prek-action@v1
+ - uses: j178/prek-action@0bb87d7f00b0c99306c8bcb8b8beba1eb581c037 #
v1.1.1
diff --git a/.github/workflows/mypy.yml b/.github/workflows/mypy.yml
index 1c156356824c78..0c97ba4861dbc2 100644
--- a/.github/workflows/mypy.yml
+++ b/.github/workflows/mypy.yml
@@ -62,10 +62,10 @@ jobs:
"Tools/peg_generator",
]
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
with:
persist-credentials: false
- - uses: actions/setup-python@v6
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #
v6.2.0
with:
python-version: "3.13"
cache: pip
diff --git a/.github/workflows/new-bugs-announce-notifier.yml
b/.github/workflows/new-bugs-announce-notifier.yml
index b25750f0897de2..13e1fdb9c0b985 100644
--- a/.github/workflows/new-bugs-announce-notifier.yml
+++ b/.github/workflows/new-bugs-announce-notifier.yml
@@ -13,12 +13,12 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- - uses: actions/setup-node@v6
+ - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f #
v6.3.0
with:
node-version: 20
- run: npm install mailgun.js form-data
- name: Send notification
- uses: actions/github-script@v8
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #
v8.0.0
env:
MAILGUN_API_KEY: ${{ secrets.MAILGUN_PYTHON_ORG_MAILGUN_KEY }}
with:
diff --git a/.github/workflows/project-updater.yml
b/.github/workflows/project-updater.yml
index 82b23019cb3d96..710424a28f2824 100644
--- a/.github/workflows/project-updater.yml
+++ b/.github/workflows/project-updater.yml
@@ -24,7 +24,7 @@ jobs:
- { project: 32, label: sprint }
steps:
- - uses: actions/[email protected]
+ - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e
# v1.0.2
with:
project-url: https://github.com/orgs/python/projects/${{
matrix.project }}
github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}
diff --git a/.github/workflows/require-pr-label.yml
b/.github/workflows/require-pr-label.yml
index d7c2580d4e0808..a41782da0e4a55 100644
--- a/.github/workflows/require-pr-label.yml
+++ b/.github/workflows/require-pr-label.yml
@@ -14,7 +14,7 @@ jobs:
timeout-minutes: 10
steps:
- - uses: mheap/github-action-required-labels@v5
+ - uses:
mheap/github-action-required-labels@0ac283b4e65c1fb28ce6079dea5546ceca98ccbe #
v5.5.2
with:
mode: exactly
count: 0
diff --git a/.github/workflows/reusable-cifuzz.yml
b/.github/workflows/reusable-cifuzz.yml
index 1986f5fb2cc640..ecb5000ee6bb8c 100644
--- a/.github/workflows/reusable-cifuzz.yml
+++ b/.github/workflows/reusable-cifuzz.yml
@@ -21,12 +21,12 @@ jobs:
steps:
- name: Build fuzzers (${{ inputs.sanitizer }})
id: build
- uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+ uses:
google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@ed23f8af80ff82b25ca67cd9b101e690b8897b3f
# master
with:
oss-fuzz-project-name: ${{ inputs.oss-fuzz-project-name }}
sanitizer: ${{ inputs.sanitizer }}
- name: Run fuzzers (${{ inputs.sanitizer }})
- uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+ uses:
google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@ed23f8af80ff82b25ca67cd9b101e690b8897b3f
# master
with:
fuzz-seconds: 600
oss-fuzz-project-name: ${{ inputs.oss-fuzz-project-name }}
@@ -34,13 +34,13 @@ jobs:
sanitizer: ${{ inputs.sanitizer }}
- name: Upload crash
if: failure() && steps.build.outcome == 'success'
- uses: actions/upload-artifact@v6
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
# v6.0.0
with:
name: ${{ inputs.sanitizer }}-artifacts
path: ./out/artifacts
- name: Upload SARIF
if: always() && steps.build.outcome == 'success'
- uses: github/codeql-action/upload-sarif@v4
+ uses:
github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 #
v4.35.1
with:
sarif_file: cifuzz-sarif/results.sarif
checkout_path: cifuzz-sarif
diff --git a/.github/workflows/reusable-context.yml
b/.github/workflows/reusable-context.yml
index ee4d811fdf7ea3..79638845bb99ae 100644
--- a/.github/workflows/reusable-context.yml
+++ b/.github/workflows/reusable-context.yml
@@ -66,14 +66,14 @@ jobs:
run-windows-tests: ${{ steps.changes.outputs.run-windows-tests }}
steps:
- name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #
v6.2.0
with:
python-version: "3"
- run: >-
echo '${{ github.event_name }}'
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
ref: >-
diff --git a/.github/workflows/reusable-docs.yml
b/.github/workflows/reusable-docs.yml
index c1e58fd44d3790..bee44e8df27663 100644
--- a/.github/workflows/reusable-docs.yml
+++ b/.github/workflows/reusable-docs.yml
@@ -27,7 +27,7 @@ jobs:
refspec_pr: '+${{ github.event.pull_request.head.sha
}}:remotes/origin/${{ github.event.pull_request.head.ref }}'
steps:
- name: 'Check out latest PR branch commit'
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
ref: >-
@@ -52,7 +52,7 @@ jobs:
git fetch origin "${refspec_base}" --shallow-since="${DATE}" \
--no-tags --prune --no-recurse-submodules
- name: 'Set up Python'
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #
v6.2.0
with:
python-version: '3'
cache: 'pip'
@@ -82,10 +82,10 @@ jobs:
runs-on: ubuntu-24.04
timeout-minutes: 60
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- - uses: actions/cache@v5
+ - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: ~/.cache/pip
key: ubuntu-doc-${{ hashFiles('Doc/requirements.txt') }}
@@ -108,11 +108,11 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: 'Set up Python'
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #
v6.2.0
with:
python-version: '3'
cache: 'pip'
diff --git a/.github/workflows/reusable-macos.yml
b/.github/workflows/reusable-macos.yml
index 134a9c17a0f0c9..eb5d2e19bd4b09 100644
--- a/.github/workflows/reusable-macos.yml
+++ b/.github/workflows/reusable-macos.yml
@@ -28,7 +28,7 @@ jobs:
PYTHONSTRICTEXTENSIONBUILD: 1
TERM: linux
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Runner image version
diff --git a/.github/workflows/reusable-san.yml
b/.github/workflows/reusable-san.yml
index ac8b7b3fa3c64d..752f27cbe55c00 100644
--- a/.github/workflows/reusable-san.yml
+++ b/.github/workflows/reusable-san.yml
@@ -26,7 +26,7 @@ jobs:
runs-on: ubuntu-24.04
timeout-minutes: 60
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Runner image version
@@ -91,7 +91,7 @@ jobs:
run: find "${GITHUB_WORKSPACE}" -name 'san_log.*' | xargs head -n 1000
- name: Archive logs
if: always()
- uses: actions/upload-artifact@v6
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f #
v6.0.0
with:
name: >-
${{ inputs.sanitizer }}-logs-${{
diff --git a/.github/workflows/reusable-ubuntu.yml
b/.github/workflows/reusable-ubuntu.yml
index 5f16b992f6fdef..6335102d855261 100644
--- a/.github/workflows/reusable-ubuntu.yml
+++ b/.github/workflows/reusable-ubuntu.yml
@@ -26,7 +26,7 @@ jobs:
PYTHONSTRICTEXTENSIONBUILD: 1
TERM: linux
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Register gcc problem matcher
@@ -40,7 +40,7 @@ jobs:
echo
"LD_LIBRARY_PATH=${GITHUB_WORKSPACE}/multissl/openssl/${OPENSSL_VER}/lib" >>
"$GITHUB_ENV"
- name: 'Restore OpenSSL build'
id: cache-openssl
- uses: actions/cache@v5
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: ./multissl/openssl/${{ env.OPENSSL_VER }}
key: ${{ matrix.os }}-multissl-openssl-${{ env.OPENSSL_VER }}
diff --git a/.github/workflows/reusable-wasi.yml
b/.github/workflows/reusable-wasi.yml
index a8ac2db046e96c..5895c01f7ac3a3 100644
--- a/.github/workflows/reusable-wasi.yml
+++ b/.github/workflows/reusable-wasi.yml
@@ -18,17 +18,17 @@ jobs:
CROSS_BUILD_PYTHON: cross-build/build
CROSS_BUILD_WASI: cross-build/wasm32-wasip1
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
# No problem resolver registered as one doesn't currently exist for Clang.
- name: "Install wasmtime"
- uses: bytecodealliance/actions/wasmtime/setup@v1
+ uses:
bytecodealliance/actions/wasmtime/setup@9152e710e9f7182e4c29ad218e4f335a7b203613
# v1.1.3
with:
version: ${{ env.WASMTIME_VERSION }}
- name: "Restore WASI SDK"
id: cache-wasi-sdk
- uses: actions/cache@v5
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: ${{ env.WASI_SDK_PATH }}
key: ${{ runner.os }}-wasi-sdk-${{ env.WASI_SDK_VERSION }}
@@ -39,7 +39,7 @@ jobs:
curl -s -S --location
"https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-${WASI_SDK_VERSION}/wasi-sdk-${WASI_SDK_VERSION}.0-x86_64-linux.tar.gz";
| \
tar --strip-components 1 --directory "${WASI_SDK_PATH}" --extract
--gunzip
- name: "Install Python"
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #
v6.2.0
with:
python-version: '3.x'
- name: "Runner image version"
diff --git a/.github/workflows/reusable-windows-msi.yml
b/.github/workflows/reusable-windows-msi.yml
index b5bacabb392262..e690224f35537b 100644
--- a/.github/workflows/reusable-windows-msi.yml
+++ b/.github/workflows/reusable-windows-msi.yml
@@ -23,7 +23,7 @@ jobs:
ARCH: ${{ inputs.arch }}
IncludeFreethreaded: true
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Build CPython installer
diff --git a/.github/workflows/reusable-windows.yml
b/.github/workflows/reusable-windows.yml
index fabe55f5554943..8bed897bd3de22 100644
--- a/.github/workflows/reusable-windows.yml
+++ b/.github/workflows/reusable-windows.yml
@@ -30,7 +30,7 @@ jobs:
env:
ARCH: ${{ inputs.arch }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Register MSVC problem matcher
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index febb2dd823a8fe..845f75bafd8a41 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -14,7 +14,7 @@ jobs:
steps:
- name: "Check PRs"
- uses: actions/stale@v9
+ uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-pr-message: 'This PR is stale because it has been open for 30
days with no activity.'
diff --git a/.github/workflows/verify-ensurepip-wheels.yml
b/.github/workflows/verify-ensurepip-wheels.yml
index 135979078710cc..cb40f6abc0b3b7 100644
--- a/.github/workflows/verify-ensurepip-wheels.yml
+++ b/.github/workflows/verify-ensurepip-wheels.yml
@@ -25,10 +25,10 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
with:
persist-credentials: false
- - uses: actions/setup-python@v6
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #
v6.2.0
with:
python-version: '3'
- name: Compare checksum of bundled wheels to the ones published on PyPI
diff --git a/.github/workflows/verify-expat.yml
b/.github/workflows/verify-expat.yml
index 6b12b95cb11ff2..472a11db2da5fb 100644
--- a/.github/workflows/verify-expat.yml
+++ b/.github/workflows/verify-expat.yml
@@ -23,7 +23,7 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
with:
persist-credentials: false
- name: Download and verify bundled libexpat files
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index 8b7b4de0fc8f31..7c776d5ea1f941 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -4,7 +4,3 @@ rules:
dangerous-triggers:
ignore:
- documentation-links.yml
- unpinned-uses:
- config:
- policies:
- "*": ref-pin
_______________________________________________
Python-checkins mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3//lists/python-checkins.python.org
Member address: [email protected]
