From 27c8de8f1920067d5169eb8595939baf44ca9a66 Mon Sep 17 00:00:00 2001
From: Ariel Schulz
Date: Thu, 11 Jun 2026 10:02:01 +0200
Subject: [PATCH 01/21] Add cooldown to dependency updater
---
.github/dependabot.yml | 6 +++++-
exasol/toolbox/templates/github/dependabot.yml | 4 ++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 2fc896980..d3693f0dc 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,6 +8,8 @@ updates: interval: "weekly" day: "monday" open-pull-requests-limit: 4 + cooldown: + default-days: 7 # Maintain dependencies for poetry - package-ecosystem: "pip"
@@ -15,4 +17,6 @@ updates: schedule: interval: "weekly" day: "monday" - open-pull-requests-limit: 4 \ No newline at end of file + open-pull-requests-limit: 4 + cooldown: + default-days: 7
diff --git a/exasol/toolbox/templates/github/dependabot.yml b/exasol/toolbox/templates/github/dependabot.yml
index e9373b46e..d3693f0dc 100644
--- a/exasol/toolbox/templates/github/dependabot.yml
+++ b/exasol/toolbox/templates/github/dependabot.yml
@@ -8,6 +8,8 @@ updates: interval: "weekly" day: "monday" open-pull-requests-limit: 4 + cooldown: + default-days: 7 # Maintain dependencies for poetry - package-ecosystem: "pip"
@@ -16,3 +18,5 @@ updates: interval: "weekly" day: "monday" open-pull-requests-limit: 4 + cooldown: + default-days: 7
From 7f6d4d9dcc92eb153f33006684b430ab4cc0d145 Mon Sep 17 00:00:00 2001
From: Ariel Schulz
Date: Thu, 11 Jun 2026 10:11:51 +0200
Subject: [PATCH 02/21] Create ignore file and fill with everything so we can gradually remove the issues
---
.github/zizmor.yml | 13 +++++++++++++
1 file changed, 13 insertions(+)
create mode 100644 .github/zizmor.yml
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 000000000..3f151f61c
--- /dev/null
+++ b/.github/zizmor.yml
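Review bot: The new `cooldown:` block in both dependabot.yml hunks records the number of days but not the reason, so the next maintainer has nothing to weigh against the week of delay it adds to every proposed update. Holding back freshly published releases is a supply-chain control (a compromised or broken release is often withdrawn within days), and that intent belongs next to the value: `cooldown:  # hold new releases for a week before proposing them, so short-lived bad releases are never picked up`. The same comment fits the template copy under exasol/toolbox/templates/github/dependabot.yml. Whether the cooldown also delays security updates is not visible here; confirm that before relying on it for those.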
@@ -0,0 +1,13 @@
+rules:
+ artipacked:
+ disable: true
+ github-env:
+ disable: true
+ secrets-inherit:
+ disable: true
+ template-injection:
+ disable: true
+ unpinned-uses:
+ disable: true
+ use-trusted-publishing:
+ disable: true
From 1df7291930359b9aaf2e3a52f7e78c5a4fa563f2 Mon Sep 17 00:00:00 2001
From: Ariel Schulz
Date: Thu, 11 Jun 2026 10:19:26 +0200
Subject: [PATCH 03/21] Fix credential persistence from actions/checkout
---
.github/workflows/fast-tests-extension.yml | 2 ++
.github/workflows/slow-checks.yml | 2 ++
.github/zizmor.yml | 2 --
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/fast-tests-extension.yml b/.github/workflows/fast-tests-extension.yml
index b99aaeeb3..c4f10064a 100644
--- a/.github/workflows/fast-tests-extension.yml
+++ b/.github/workflows/fast-tests-extension.yml
@@ -13,6 +13,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment
diff --git a/.github/workflows/slow-checks.yml b/.github/workflows/slow-checks.yml
index 8c4cd585f..b1d7f905e 100644
--- a/.github/workflows/slow-checks.yml
+++ b/.github/workflows/slow-checks.yml
@@ -26,6 +26,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index 3f151f61c..174952c5b 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -1,6 +1,4 @@ rules: - artipacked: - disable: true github-env: disable: true secrets-inherit:
From a0974e4b7fef123877406a074747f15b1ed66687 Mon Sep 17 00:00:00 2001
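Review bot: The new .github/zizmor.yml silences six audits with no comment saying these are baseline suppressions meant to be removed one by one; that intent lives only in the commit message, which nobody reads from the file. A header such as `# Temporary baseline: each rule below is a known finding; delete its entry once the workflows are fixed` keeps the file from being mistaken for policy. Of the six, `template-injection` is the one that should not linger, since it hides a whole class of findings while the other entries are pinning and hygiene issues; consider noting that next to its entry so it is the first to go.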
From: Ariel Schulz
Date: Thu, 11 Jun 2026 10:30:59 +0200
Subject: [PATCH 04/21] Switch checkout@v6 to the v6.0.3 SHA; even in documentation
---
.github/workflows/build-and-publish.yml | 2 +-
.github/workflows/check-release-tag.yml | 2 +-
.github/workflows/checks.yml | 16 ++++++++--------
.github/workflows/dependency-update.yml | 2 +-
.github/workflows/fast-tests-extension.yml | 2 +-
.github/workflows/fast-tests.yml | 2 +-
.github/workflows/gh-pages.yml | 2 +-
.github/workflows/matrix-all.yml | 2 +-
.github/workflows/matrix-exasol.yml | 2 +-
.github/workflows/matrix-python.yml | 2 +-
.github/workflows/report.yml | 2 +-
.github/workflows/slow-checks.yml | 2 +-
.github/workflows/test-python-environment.yml | 4 ++--
.github/zizmor.yml | 13 ++++++++++++-
doc/github_actions/python_environment.rst | 2 +-
doc/github_actions/security_issues.rst | 2 +-
.../github_workflows/workflow_patcher.rst | 2 +-
.../github/workflows/build-and-publish.yml | 2 +-
.../github/workflows/check-release-tag.yml | 2 +-
.../templates/github/workflows/checks.yml | 16 ++++++++--------
.../github/workflows/dependency-update.yml | 2 +-
.../templates/github/workflows/fast-tests.yml | 2 +-
.../templates/github/workflows/gh-pages.yml | 2 +-
.../templates/github/workflows/matrix-all.yml | 2 +-
.../templates/github/workflows/matrix-exasol.yml | 2 +-
.../templates/github/workflows/matrix-python.yml | 2 +-
.../templates/github/workflows/report.yml | 2 +-
.../templates/github/workflows/slow-checks.yml | 2 +-
28 files changed, 54 insertions(+), 43 deletions(-)
diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml
index 4b6befafa..01087bfba 100644
--- a/.github/workflows/build-and-publish.yml
+++ b/.github/workflows/build-and-publish.yml
@@ -17,7 +17,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
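Review bot: The trailing `# v6.0.3` after the checkout SHA is free text that nothing in this series checks against the commit it annotates, so the pin is only as trustworthy as the tag lookup that produced it; the same line recurs in every other hunk of this patch (checks.yml alone has eight copies, plus the template copies under exasol/toolbox/templates). The SHA and the comment stay in sync only if Dependabot's github-actions ecosystem is enabled for this repository, which the first `updates` entry in PATCH 01 does not show, so that is worth confirming. The three .rst examples that also receive the SHA will not be refreshed by Dependabot at all, so readers will copy a stale pin unless the docs reference a tag or are regenerated from the templates.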
diff --git a/.github/workflows/check-release-tag.yml b/.github/workflows/check-release-tag.yml
index b22a73290..aa09cf3b1 100644
--- a/.github/workflows/check-release-tag.yml
+++ b/.github/workflows/check-release-tag.yml
@@ -15,7 +15,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 89a4bf141..44f1852a3 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -14,7 +14,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
@@ -42,7 +42,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
@@ -69,7 +69,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
@@ -107,7 +107,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
@@ -135,7 +135,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
@@ -167,7 +167,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
@@ -190,7 +190,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
@@ -213,7 +213,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml
index 157e32fb5..25df03545 100644
--- a/.github/workflows/dependency-update.yml
+++ b/.github/workflows/dependency-update.yml
@@ -19,7 +19,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: true fetch-depth: 0
diff --git a/.github/workflows/fast-tests-extension.yml b/.github/workflows/fast-tests-extension.yml
index c4f10064a..a786b6a00 100644
--- a/.github/workflows/fast-tests-extension.yml
+++ b/.github/workflows/fast-tests-extension.yml
@@ -12,7 +12,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
diff --git a/.github/workflows/fast-tests.yml b/.github/workflows/fast-tests.yml
index b692b8e38..de5715055 100644
--- a/.github/workflows/fast-tests.yml
+++ b/.github/workflows/fast-tests.yml
@@ -19,7 +19,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false fetch-depth: 0
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
index dceb9c487..cd8ce4c64 100644
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
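Review bot: dependency-update.yml is the one checkout in this patch that keeps `persist-credentials: true` next to `fetch-depth: 0`, and nothing on the line says why the token has to stay in the working tree after the step. Presumably a later step in that workflow pushes the update branch with it; if so, say so in place, `persist-credentials: true  # needed: a later step pushes the update branch with this token`, so the next hardening pass does not flip it blindly. The same context appears in the template copy under exasol/toolbox/templates later in this patch.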
@@ -15,7 +15,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 persist-credentials: false
diff --git a/.github/workflows/matrix-all.yml b/.github/workflows/matrix-all.yml
index cc8e849b0..a960a991f 100644
--- a/.github/workflows/matrix-all.yml
+++ b/.github/workflows/matrix-all.yml
@@ -17,7 +17,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
diff --git a/.github/workflows/matrix-exasol.yml b/.github/workflows/matrix-exasol.yml
index bab0ffb02..d7dbad6ae 100644
--- a/.github/workflows/matrix-exasol.yml
+++ b/.github/workflows/matrix-exasol.yml
@@ -17,7 +17,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
diff --git a/.github/workflows/matrix-python.yml b/.github/workflows/matrix-python.yml
index c671c36f3..eb94dbc5c 100644
--- a/.github/workflows/matrix-python.yml
+++ b/.github/workflows/matrix-python.yml
@@ -17,7 +17,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml
index 8e2bc1d91..b2dfcff04 100644
--- a/.github/workflows/report.yml
+++ b/.github/workflows/report.yml
@@ -17,7 +17,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 persist-credentials: false
diff --git a/.github/workflows/slow-checks.yml b/.github/workflows/slow-checks.yml
index b1d7f905e..a28ee5214 100644
--- a/.github/workflows/slow-checks.yml
+++ b/.github/workflows/slow-checks.yml
@@ -25,7 +25,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
diff --git a/.github/workflows/test-python-environment.yml b/.github/workflows/test-python-environment.yml
index f05267e9a..f17ebd15a 100644
--- a/.github/workflows/test-python-environment.yml
+++ b/.github/workflows/test-python-environment.yml
@@ -12,7 +12,7 @@ jobs: outputs: should_run: ${{ steps.diff.outputs.should_run }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 persist-credentials: false
@@ -67,7 +67,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index 174952c5b..5391b15b0 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -6,6 +6,17 @@ rules: template-injection: disable: true unpinned-uses: - disable: true + config: + policies: + actions/checkout: hash-pin + actions/cache: ref-pin + actions/deploy-pages: ref-pin + actions/download-artifact: ref-pin + actions/setup-python: ref-pin + actions/upload-artifact: ref-pin + actions/upload-pages-artifact: ref-pin + exasol/python-toolbox/.github/actions/python-environment: ref-pin + ravsamhq/notify-slack-action: ref-pin + zizmorcore/zizmor-action: ref-pin use-trusted-publishing: disable: true
diff --git a/doc/github_actions/python_environment.rst b/doc/github_actions/python_environment.rst
index f400b02b4..aa31f89eb 100644
--- a/doc/github_actions/python_environment.rst
+++ b/doc/github_actions/python_environment.rst
@@ -49,7 +49,7 @@ Example Usage steps: - name: SCM Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Setup Python & Poetry Environment uses: exasol/python-toolbox/.github/actions/python-environment@v4
diff --git a/doc/github_actions/security_issues.rst b/doc/github_actions/security_issues.rst
index d85f8ed33..ecb4558fc 100644
--- a/doc/github_actions/security_issues.rst
+++ b/doc/github_actions/security_issues.rst
@@ -26,7 +26,7 @@ Example Usage steps: - name: SCM Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Report Security Issues uses: exasol/python-toolbox/.github/actions/security-issues@v1
diff --git a/doc/user_guide/features/github_workflows/workflow_patcher.rst b/doc/user_guide/features/github_workflows/workflow_patcher.rst
index d73adeca4..c0a3fc609 100644
--- a/doc/user_guide/features/github_workflows/workflow_patcher.rst
+++ b/doc/user_guide/features/github_workflows/workflow_patcher.rst
@@ -30,7 +30,7 @@ Model content: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0
diff --git a/exasol/toolbox/templates/github/workflows/build-and-publish.yml b/exasol/toolbox/templates/github/workflows/build-and-publish.yml
index 6c42834b4..b2ffc3422 100644
--- a/exasol/toolbox/templates/github/workflows/build-and-publish.yml
+++ b/exasol/toolbox/templates/github/workflows/build-and-publish.yml
@@ -16,7 +16,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
diff --git a/exasol/toolbox/templates/github/workflows/check-release-tag.yml b/exasol/toolbox/templates/github/workflows/check-release-tag.yml
index eda38dda8..91f4eb01c 100644
--- a/exasol/toolbox/templates/github/workflows/check-release-tag.yml
+++ b/exasol/toolbox/templates/github/workflows/check-release-tag.yml
@@ -14,7 +14,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
diff --git a/exasol/toolbox/templates/github/workflows/checks.yml b/exasol/toolbox/templates/github/workflows/checks.yml
index 9d88c6c87..8a91efbf8 100644
--- a/exasol/toolbox/templates/github/workflows/checks.yml
+++ b/exasol/toolbox/templates/github/workflows/checks.yml
@@ -13,7 +13,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
@@ -41,7 +41,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
@@ -68,7 +68,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
@@ -106,7 +106,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
@@ -134,7 +134,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
@@ -166,7 +166,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
@@ -189,7 +189,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
@@ -212,7 +212,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml
index f24573f54..ea722d61e 100644
--- a/exasol/toolbox/templates/github/workflows/dependency-update.yml
+++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml
@@ -18,7 +18,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: true fetch-depth: 0
diff --git a/exasol/toolbox/templates/github/workflows/fast-tests.yml b/exasol/toolbox/templates/github/workflows/fast-tests.yml
index c6f03c94f..265243ae9 100644
--- a/exasol/toolbox/templates/github/workflows/fast-tests.yml
+++ b/exasol/toolbox/templates/github/workflows/fast-tests.yml
@@ -18,7 +18,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
diff --git a/exasol/toolbox/templates/github/workflows/gh-pages.yml b/exasol/toolbox/templates/github/workflows/gh-pages.yml
index e7ef3210a..ba4fa3b47 100644
--- a/exasol/toolbox/templates/github/workflows/gh-pages.yml
+++ b/exasol/toolbox/templates/github/workflows/gh-pages.yml
@@ -14,7 +14,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 persist-credentials: false
diff --git a/exasol/toolbox/templates/github/workflows/matrix-all.yml b/exasol/toolbox/templates/github/workflows/matrix-all.yml
index c24c2f2db..743900cf4 100644
--- a/exasol/toolbox/templates/github/workflows/matrix-all.yml
+++ b/exasol/toolbox/templates/github/workflows/matrix-all.yml
@@ -16,7 +16,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
diff --git a/exasol/toolbox/templates/github/workflows/matrix-exasol.yml b/exasol/toolbox/templates/github/workflows/matrix-exasol.yml
index 18b3b851b..b74c8f1f4 100644
--- a/exasol/toolbox/templates/github/workflows/matrix-exasol.yml
+++ b/exasol/toolbox/templates/github/workflows/matrix-exasol.yml
@@ -16,7 +16,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
diff --git a/exasol/toolbox/templates/github/workflows/matrix-python.yml b/exasol/toolbox/templates/github/workflows/matrix-python.yml
index 062426ff1..f56ea13ff 100644
--- a/exasol/toolbox/templates/github/workflows/matrix-python.yml
+++ b/exasol/toolbox/templates/github/workflows/matrix-python.yml
@@ -16,7 +16,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
diff --git a/exasol/toolbox/templates/github/workflows/report.yml b/exasol/toolbox/templates/github/workflows/report.yml
index 21dd0e086..e632ffdaa 100644
--- a/exasol/toolbox/templates/github/workflows/report.yml
+++ b/exasol/toolbox/templates/github/workflows/report.yml
@@ -16,7 +16,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 persist-credentials: false
diff --git a/exasol/toolbox/templates/github/workflows/slow-checks.yml b/exasol/toolbox/templates/github/workflows/slow-checks.yml
index 618e1790a..bdad474c1 100644
--- a/exasol/toolbox/templates/github/workflows/slow-checks.yml
+++ b/exasol/toolbox/templates/github/workflows/slow-checks.yml
@@ -27,7 +27,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false
From b128c6afe35db5d157e4ab905a0d98ba91669bdf Mon Sep 17 00:00:00 2001
From: Ariel Schulz
Date: Thu, 11 Jun 2026 10:42:35 +0200
Subject: [PATCH 05/21] Switch upload-pages-artifact@v5 to the v5.0.0 SHA
---
.github/workflows/gh-pages.yml | 2 +-
.github/zizmor.yml | 2 +-
exasol/toolbox/templates/github/workflows/gh-pages.yml | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
index cd8ce4c64..244a09d59 100644
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
@@ -35,7 +35,7 @@ jobs: - name: Upload Artifact id: upload-artifact - uses: actions/upload-pages-artifact@v5.0.0 + uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0 with: path: html-documentation
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index 5391b15b0..715a65b36 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -14,7 +14,7 @@ rules: actions/download-artifact: ref-pin actions/setup-python: ref-pin actions/upload-artifact: ref-pin - actions/upload-pages-artifact: ref-pin + actions/upload-pages-artifact: hash-pin exasol/python-toolbox/.github/actions/python-environment: ref-pin ravsamhq/notify-slack-action: ref-pin zizmorcore/zizmor-action: ref-pin
diff --git a/exasol/toolbox/templates/github/workflows/gh-pages.yml b/exasol/toolbox/templates/github/workflows/gh-pages.yml
index ba4fa3b47..db6f5e582 100644
--- a/exasol/toolbox/templates/github/workflows/gh-pages.yml
+++ b/exasol/toolbox/templates/github/workflows/gh-pages.yml
@@ -34,7 +34,7 @@ jobs: - name: Upload Artifact id: upload-artifact - uses: actions/upload-pages-artifact@v5.0.0 + uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0 with: path: html-documentation
From 8ea6221c4f3f7c8c637eeafae155304871134712 Mon Sep 17 00:00:00 2001
From: Ariel Schulz
Date: Thu, 11 Jun 2026 10:52:13 +0200
Subject: [PATCH 06/21] Switch ravsamhq/notify-slack-action action from v2 to its SHA for v2.5.0
---
.github/workflows/dependency-update.yml | 2 +-
.github/zizmor.yml | 3 +--
.../toolbox/templates/github/workflows/dependency-update.yml | 2 +-
3 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml
index 25df03545..ef16a7878 100644
--- a/.github/workflows/dependency-update.yml
+++ b/.github/workflows/dependency-update.yml
@@ -120,7 +120,7 @@ jobs: - name: Report New Pull Request to Slack Channel id: report-pr-slack if: ${{ steps.create-pr.outputs.pr_url }} - uses: ravsamhq/notify-slack-action@v2 + uses: ravsamhq/notify-slack-action@be814b201e233b2dc673608aa46e5447c8ab13f2 # v2.5.0 with: status: '${{ job.status }}' token: '${{ secrets.GITHUB_TOKEN }}'
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index 715a65b36..8907a69de 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -16,7 +16,6 @@ rules: actions/upload-artifact: ref-pin actions/upload-pages-artifact: hash-pin exasol/python-toolbox/.github/actions/python-environment: ref-pin - ravsamhq/notify-slack-action: ref-pin - zizmorcore/zizmor-action: ref-pin + ravsamhq/notify-slack-action: hash-pin use-trusted-publishing: disable: true
diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml
index ea722d61e..8363d6e38 100644
--- a/exasol/toolbox/templates/github/workflows/dependency-update.yml
+++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml
@@ -119,7 +119,7 @@ jobs: - name: Report New Pull Request to Slack Channel id: report-pr-slack if: ${{ steps.create-pr.outputs.pr_url }} - uses: ravsamhq/notify-slack-action@v2 + uses: ravsamhq/notify-slack-action@be814b201e233b2dc673608aa46e5447c8ab13f2 # v2.5.0 with: status: '${{ job.status }}' token: '${{ secrets.GITHUB_TOKEN }}'
From a526b82e84afda385289909a5774969b82a25d2b Mon Sep 17 00:00:00 2001
From: Ariel Schulz
Date: Thu, 11 Jun 2026 10:55:14 +0200
Subject: [PATCH 07/21] Switch actions/upload-artifact action from v7.0.0 to its SHA
---
.github/workflows/checks.yml | 4 ++--
.github/workflows/fast-tests.yml | 2 +-
.github/workflows/slow-checks.yml | 2 +-
.github/zizmor.yml | 2 +-
exasol/toolbox/templates/github/workflows/checks.yml | 4 ++--
exasol/toolbox/templates/github/workflows/fast-tests.yml | 2 +-
exasol/toolbox/templates/github/workflows/slow-checks.yml | 2 +-
7 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 44f1852a3..4e475d10f 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -86,7 +86,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: lint-python${{ matrix.python-versions }} path: |
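Review bot: The zizmor hunk drops `zizmorcore/zizmor-action: ref-pin` entirely instead of switching it to `hash-pin`, which is not what the commit title describes and leaves that action covered only by whatever default policy zizmor applies to actions not listed under `policies`. If the intent is to keep it ref-pinned for now, restore the line; if it was hash-pinned somewhere else in the series, the entry should read `zizmorcore/zizmor-action: hash-pin` so the file still names every action the workflows use. Either way the reason belongs in the commit message, since the diffstat's `3 +--` is the only hint that two lines went and one came back.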
@@ -152,7 +152,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: security-python${{ matrix.python-versions }} path: .security.json
diff --git a/.github/workflows/fast-tests.yml b/.github/workflows/fast-tests.yml
index de5715055..2bafe1107 100644
--- a/.github/workflows/fast-tests.yml
+++ b/.github/workflows/fast-tests.yml
@@ -36,7 +36,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: coverage-python${{ matrix.python-versions }}-fast path: .coverage
diff --git a/.github/workflows/slow-checks.yml b/.github/workflows/slow-checks.yml
index a28ee5214..c387a8965 100644
--- a/.github/workflows/slow-checks.yml
+++ b/.github/workflows/slow-checks.yml
@@ -42,7 +42,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: coverage-python${{ matrix.python-version }}-slow path: .coverage
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index 8907a69de..a488779fa 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -13,7 +13,7 @@ rules: actions/deploy-pages: ref-pin actions/download-artifact: ref-pin actions/setup-python: ref-pin - actions/upload-artifact: ref-pin + actions/upload-artifact: hash-pin actions/upload-pages-artifact: hash-pin exasol/python-toolbox/.github/actions/python-environment: ref-pin ravsamhq/notify-slack-action: hash-pin
diff --git a/exasol/toolbox/templates/github/workflows/checks.yml b/exasol/toolbox/templates/github/workflows/checks.yml
index 8a91efbf8..1d0dda31b 100644
--- a/exasol/toolbox/templates/github/workflows/checks.yml
+++ b/exasol/toolbox/templates/github/workflows/checks.yml
@@ -85,7 +85,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: lint-python${{ matrix.python-versions }} path: | @@ -151,7 +151,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: security-python${{ matrix.python-versions }} path: .security.json diff --git a/exasol/toolbox/templates/github/workflows/fast-tests.yml b/exasol/toolbox/templates/github/workflows/fast-tests.yml index 265243ae9..6575b8860 100644 --- a/exasol/toolbox/templates/github/workflows/fast-tests.yml +++ b/exasol/toolbox/templates/github/workflows/fast-tests.yml @@ -35,7 +35,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: coverage-python${{ matrix.python-versions }}-fast path: .coverage diff --git a/exasol/toolbox/templates/github/workflows/slow-checks.yml b/exasol/toolbox/templates/github/workflows/slow-checks.yml index bdad474c1..3bfe05dfc 100644 --- a/exasol/toolbox/templates/github/workflows/slow-checks.yml +++ b/exasol/toolbox/templates/github/workflows/slow-checks.yml @@ -44,7 +44,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: coverage-python${{ matrix.python-version }}-exasol${{ matrix.exasol-version }}-slow path: .coverage From 1e998f19c1c0592a9e6e00bba580457781f2017d Mon Sep 17 00:00:00 2001 
From: Ariel Schulz Date: Thu, 11 Jun 2026 11:19:34 +0200 Subject: [PATCH 08/21] Switch actions/setup-python action from v6 to its v6.2.0 SHA --- .github/actions/python-environment/action.yml | 2 +- .github/actions/security-issues/action.yml | 2 +- .github/zizmor.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/actions/python-environment/action.yml b/.github/actions/python-environment/action.yml index 2e0ba3559..2978703eb 100644 --- a/.github/actions/python-environment/action.yml +++ b/.github/actions/python-environment/action.yml @@ -34,7 +34,7 @@ runs: - name: Set up Python (${{ inputs.python-version}}) - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ inputs.python-version }} diff --git a/.github/actions/security-issues/action.yml b/.github/actions/security-issues/action.yml index 58c969d4b..65047483b 100644 --- a/.github/actions/security-issues/action.yml +++ b/.github/actions/security-issues/action.yml @@ -32,7 +32,7 @@ runs: steps: - name: Setup Python (${{ inputs.python-version}}) - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: 3.11 diff --git a/.github/zizmor.yml b/.github/zizmor.yml index a488779fa..a3e4cfcbe 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -12,7 +12,7 @@ rules: actions/cache: ref-pin actions/deploy-pages: ref-pin actions/download-artifact: ref-pin - actions/setup-python: ref-pin + actions/setup-python: hash-pin actions/upload-artifact: hash-pin actions/upload-pages-artifact: hash-pin exasol/python-toolbox/.github/actions/python-environment: ref-pin From e38283ccde5ae5537221b64cf8838c2727aeccf2 Mon Sep 17 00:00:00 2001 
From: Ariel Schulz Date: Thu, 11 Jun 2026 11:24:50 +0200 Subject: [PATCH 09/21] Switch actions/download-artifact action from v8 to its v8.0.1 SHA --- .github/workflows/report.yml | 2 +- .github/zizmor.yml | 2 +- exasol/toolbox/templates/github/workflows/report.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml index b2dfcff04..a9254b989 100644 --- a/.github/workflows/report.yml +++ b/.github/workflows/report.yml @@ -31,7 +31,7 @@ jobs: - name: Download Artifacts id: download-artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: ./artifacts diff --git a/.github/zizmor.yml b/.github/zizmor.yml index a3e4cfcbe..49a2406ea 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -11,7 +11,7 @@ rules: actions/checkout: hash-pin actions/cache: ref-pin actions/deploy-pages: ref-pin - actions/download-artifact: ref-pin + actions/download-artifact: hash-pin actions/setup-python: hash-pin actions/upload-artifact: hash-pin actions/upload-pages-artifact: hash-pin diff --git a/exasol/toolbox/templates/github/workflows/report.yml b/exasol/toolbox/templates/github/workflows/report.yml index e632ffdaa..bc7e1fd33 100644 --- a/exasol/toolbox/templates/github/workflows/report.yml +++ b/exasol/toolbox/templates/github/workflows/report.yml @@ -30,7 +30,7 @@ jobs: - name: Download Artifacts id: download-artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: ./artifacts From c7e46e51c12a763ad5d7063c4b40441a55e7b4b7 Mon Sep 17 00:00:00 2001 
From: Ariel Schulz Date: Thu, 11 Jun 2026 11:28:18 +0200 Subject: [PATCH 10/21] Switch actions/deploy-pages action from v5 to its v5.0.0 SHA --- .github/workflows/gh-pages.yml | 2 +- .github/zizmor.yml | 2 +- exasol/toolbox/templates/github/workflows/gh-pages.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 244a09d59..ea2f5b88f 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -53,4 +53,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deploy-to-github-pages - uses: actions/deploy-pages@v5 + uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0 diff --git a/.github/zizmor.yml b/.github/zizmor.yml index 49a2406ea..90fa47872 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -10,7 +10,7 @@ rules: policies: actions/checkout: hash-pin actions/cache: ref-pin - actions/deploy-pages: ref-pin + actions/deploy-pages: hash-pin actions/download-artifact: hash-pin actions/setup-python: hash-pin actions/upload-artifact: hash-pin diff --git a/exasol/toolbox/templates/github/workflows/gh-pages.yml b/exasol/toolbox/templates/github/workflows/gh-pages.yml index db6f5e582..3f8edbd3b 100644 --- a/exasol/toolbox/templates/github/workflows/gh-pages.yml +++ b/exasol/toolbox/templates/github/workflows/gh-pages.yml @@ -52,4 +52,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deploy-to-github-pages - uses: actions/deploy-pages@v5 + uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0 From a0136122eb079a804b5dfc1803783b6569be65b7 Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Thu, 11 Jun 2026 11:28:27 +0200 Subject: [PATCH 11/21] Add zizmor as a dependency --- poetry.lock | 27 ++++++++++++++++++++++++--- pyproject.toml | 1 + 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/poetry.lock b/poetry.lock index fc191d526..2e052025a 100644 --- a/poetry.lock +++ b/poetry.lock 
@@ -1,4 +1,4 @@ -# This file is automatically @generated by Poetry 2.3.0 and should not be changed by hand. +# This file is automatically @generated by Poetry 2.4.1 and should not be changed by hand. [[package]] name = "accessible-pygments" @@ -2649,8 +2649,8 @@ astroid = ">=4.0.2,<=4.1.dev0" colorama = {version = ">=0.4.5", markers = "sys_platform == \"win32\""} dill = [ {version = ">=0.2", markers = "python_version < \"3.11\""}, - {version = ">=0.3.7", markers = "python_version >= \"3.12\""}, {version = ">=0.3.6", markers = "python_version == \"3.11\""}, + {version = ">=0.3.7", markers = "python_version >= \"3.12\""}, ] isort = ">=5,<5.13 || >5.13,<9" mccabe = ">=0.6,<0.8" 
@@ -4062,7 +4062,28 @@ enabler = ["pytest-enabler (>=3.4)"] test = ["big-O", "jaraco.functools", "jaraco.itertools", "jaraco.test", "more_itertools", "pytest (>=6,!=8.1.*)", "pytest-ignore-flaky"] type = ["pytest-mypy (>=1.0.1) ; platform_python_implementation != \"PyPy\""] +[[package]] +name = "zizmor" +version = "1.25.2" +description = "Static analysis for GitHub Actions" +optional = false +python-versions = ">=3.10" +groups = ["main"] +files = [ + {file = "zizmor-1.25.2-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:17cc8cfd9d472e8b11945a869c198d25cfdf4a33f36fa7a1f9674099f5fb509d"}, + {file = "zizmor-1.25.2-py3-none-macosx_11_0_arm64.whl", hash = "sha256:d3e301eb4465e2da77857cf01ab4ef0184cf3818e826800b270ab01ae7338977"}, + {file = "zizmor-1.25.2-py3-none-manylinux_2_24_aarch64.whl", hash = "sha256:cf64374149b567c9373228b76c8e77a389b4071899f84b82c36ee50fab894e79"}, + {file = "zizmor-1.25.2-py3-none-manylinux_2_28_armv7l.whl", hash = "sha256:0beba1601be08bd00c9277e6ed4b026e125b26b379d86d6d98eb708409b3050d"}, + {file = "zizmor-1.25.2-py3-none-manylinux_2_28_x86_64.whl", hash = "sha256:c4246f1344d8dbeffc044d7bb11b131773a7db7eb57d9073c45942dfd3543a1f"}, + {file = "zizmor-1.25.2-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:dbb1b5c85b8de8eaa0227c6620f06c8e4fbd0a4da2086e218bc225c0bef0923d"}, + {file = "zizmor-1.25.2-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:d670a1e2f00b3cd56febd145bc1a0b2c4caf1cbe5dad8128721843fa877e2d2e"}, + {file = "zizmor-1.25.2-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:b75c84d7387389f95edadbe859fb2aaf0a360c5b080932cc53e92ae1db6f09ef"}, + {file = "zizmor-1.25.2-py3-none-win32.whl", hash = "sha256:aa9f4c43b499c55339c3ef2e885133c5017cd9a18d76d9335541203cfa5ae1e7"}, + {file = "zizmor-1.25.2-py3-none-win_amd64.whl", hash = "sha256:af55bd9bd119ea8cbce2a7addc3922503019de32c1fe31106d70b3dc77d77908"}, + {file = "zizmor-1.25.2.tar.gz", hash = "sha256:f26ffeb16659c8922c7b08203ca5a4f8bf5e1a7e8d190734961c40877cf778ea"}, +] + 
[metadata] lock-version = "2.1" python-versions = ">=3.10,<4.0" -content-hash = "3d5c07aeaab839a92ec06e66addd20d634864518ef66d76623d08d5eaae6817b" +content-hash = "a0c2776376a043679e656b301d640e4b13835be4910ee122da54fd8ef37ed85f" diff --git a/pyproject.toml b/pyproject.toml index 4dbc06d44..569c72ee3 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -59,6 +59,7 @@ dependencies = [ "structlog (>=25.5.0,<26.0.0)", "typer[all]>=0.7.0", "twine>=6.1.0,<7", + "zizmor (>=1.25.2,<2.0.0)", ] [project.scripts] From 693e0c5e7972b82c7960be65a4fbef374b25f213 Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Thu, 11 Jun 2026 11:32:41 +0200 Subject: [PATCH 12/21] Switch actions/cache action from v5 to its v5.0.5 SHA --- .github/actions/python-environment/action.yml | 2 +- .github/zizmor.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/python-environment/action.yml b/.github/actions/python-environment/action.yml index 2978703eb..7abfd448a 100644 --- a/.github/actions/python-environment/action.yml +++ b/.github/actions/python-environment/action.yml @@ -69,7 +69,7 @@ runs: - name: Cache Poetry environment if: inputs.use-cache == 'true' id: cache-poetry-env - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ${{ steps.setup-cache-variables.outputs.POETRY_ENV_PATH }} key: poetry-env-${{ steps.setup-cache-variables.outputs.POETRY_SHA }}-${{ steps.setup-cache-variables.outputs.IMAGE_OS }}-${{ steps.setup-cache-variables.outputs.IMAGE_VERSION }}-${{ runner.arch }}-${{ inputs.poetry-version }}-${{ inputs.python-version }}-${{ inputs.extras }} diff --git a/.github/zizmor.yml b/.github/zizmor.yml index 90fa47872..f589bed3b 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -9,7 +9,7 @@ rules: config: policies: actions/checkout: hash-pin - actions/cache: ref-pin + actions/cache: hash-pin actions/deploy-pages: hash-pin actions/download-artifact: hash-pin actions/setup-python: hash-pin 
From 392b4d938b6fb0d63ec0ac7617e6c9e9e19cce85 Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Thu, 11 Jun 2026 11:34:47 +0200 Subject: [PATCH 13/21] Make it the default that all except the PTB ones use hashes --- .github/zizmor.yml | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/.github/zizmor.yml b/.github/zizmor.yml index f589bed3b..a8f107c49 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -8,14 +8,7 @@ rules: unpinned-uses: config: policies: - actions/checkout: hash-pin - actions/cache: hash-pin - actions/deploy-pages: hash-pin - actions/download-artifact: hash-pin - actions/setup-python: hash-pin - actions/upload-artifact: hash-pin - actions/upload-pages-artifact: hash-pin + "*": hash-pin exasol/python-toolbox/.github/actions/python-environment: ref-pin - ravsamhq/notify-slack-action: hash-pin use-trusted-publishing: disable: true From e3bdd9e770f624897170745faca21741eabd6734 Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Thu, 11 Jun 2026 11:40:45 +0200 Subject: [PATCH 14/21] Fix overrides --- .github/workflows/fast-tests.yml | 2 +- .workflow-patcher.yml | 2 +- test/unit/util/workflows/conftest.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/fast-tests.yml b/.github/workflows/fast-tests.yml index 2bafe1107..06f20755f 100644 --- a/.github/workflows/fast-tests.yml +++ b/.github/workflows/fast-tests.yml @@ -19,7 +19,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false fetch-depth: 0 diff --git a/.workflow-patcher.yml b/.workflow-patcher.yml index bdf6d52fe..f5e1c0e7b 100644 --- a/.workflow-patcher.yml +++ b/.workflow-patcher.yml 
@@ -8,7 +8,7 @@ workflows: # The PTB has unit tests which require the fetch-depth to be 0. - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false fetch-depth: 0 diff --git a/test/unit/util/workflows/conftest.py b/test/unit/util/workflows/conftest.py index c1e763f23..beec18e31 100644 --- a/test/unit/util/workflows/conftest.py +++ b/test/unit/util/workflows/conftest.py @@ -27,7 +27,7 @@ class ExamplePatcherYaml: content: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 """ From 992d65c910e4411563d8a614274b4246c2846c3c Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Thu, 11 Jun 2026 11:42:48 +0200 Subject: [PATCH 15/21] Fix as not with v --- .github/workflows/dependency-update.yml | 2 +- exasol/toolbox/templates/github/workflows/dependency-update.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml index ef16a7878..4c1ae042a 100644 --- a/.github/workflows/dependency-update.yml +++ b/.github/workflows/dependency-update.yml @@ -120,7 +120,7 @@ jobs: - name: Report New Pull Request to Slack Channel id: report-pr-slack if: ${{ steps.create-pr.outputs.pr_url }} - uses: ravsamhq/notify-slack-action@be814b201e233b2dc673608aa46e5447c8ab13f2 # v2.5.0 + uses: ravsamhq/notify-slack-action@be814b201e233b2dc673608aa46e5447c8ab13f2 # 2.5.0 with: status: '${{ job.status }}' token: '${{ secrets.GITHUB_TOKEN }}' diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml index 8363d6e38..72d51d0fd 100644 --- a/exasol/toolbox/templates/github/workflows/dependency-update.yml +++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml 
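Review bot: The `actions/checkout` commit SHA now also lives in `.workflow-patcher.yml` at the repository root, which Dependabot's github-actions ecosystem does not scan as far as I know; when the template's pin is bumped, this override will keep the old SHA and the two pins will silently diverge. Consider either deriving the override's `uses:` value from the template, or a unit check that the override's pin equals the template's (the `conftest.py` fixture in this commit already carries the same string, so a comparison is cheap), or at least a comment such as `# Keep in sync with the checkout pin in the workflow templates; not tracked by Dependabot` on that line. The `workflows:` list this override belongs to starts outside the hunk.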
@@ -119,7 +119,7 @@ jobs: - name: Report New Pull Request to Slack Channel id: report-pr-slack if: ${{ steps.create-pr.outputs.pr_url }} - uses: ravsamhq/notify-slack-action@be814b201e233b2dc673608aa46e5447c8ab13f2 # v2.5.0 + uses: ravsamhq/notify-slack-action@be814b201e233b2dc673608aa46e5447c8ab13f2 # 2.5.0 with: status: '${{ job.status }}' token: '${{ secrets.GITHUB_TOKEN }}' From c6f957304a459f7829d7b44a2fdcbec47c3df5c4 Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Thu, 11 Jun 2026 11:51:35 +0200 Subject: [PATCH 16/21] Add changelog entry --- doc/changes/unreleased.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/changes/unreleased.md b/doc/changes/unreleased.md index fb4737052..810730617 100644 --- a/doc/changes/unreleased.md +++ b/doc/changes/unreleased.md @@ -1,3 +1,7 @@ # Unreleased ## Summary + +## Feature + +* #864: Modified PTB workflow templates to not persist-credentials and to use pinned SHAs \ No newline at end of file From f45cd60f75a2286a920419e731c0aaf46190c531 Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Thu, 11 Jun 2026 11:54:54 +0200 Subject: [PATCH 17/21] Fix tests --- test/unit/util/workflows/process_template_test.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/unit/util/workflows/process_template_test.py b/test/unit/util/workflows/process_template_test.py index 935cbc78a..a864fe21f 100644 --- a/test/unit/util/workflows/process_template_test.py +++ b/test/unit/util/workflows/process_template_test.py @@ -24,7 +24,7 @@ steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 run-unit-tests: name: Run Unit Tests (Python-${{ matrix.python-versions }}) @@ -39,7 +39,7 @@ steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 fast-report: name: Fast Report 
From c04760003e921d59e4b55658cb851c0a54cbbd38 Mon Sep 17 00:00:00 2001
From: Ariel Schulz
Date: Thu, 11 Jun 2026 12:10:10 +0200
Subject: [PATCH 18/21] Allow actions/ to use a ref-pin

---
 .github/zizmor.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index a8f107c49..6a6e5fd3c 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -8,7 +8,8 @@ rules:
   unpinned-uses:
     config:
       policies:
-        "*": hash-pin
+        "actions/*": ref-pin
         exasol/python-toolbox/.github/actions/python-environment: ref-pin
+        "*": hash-pin
   use-trusted-publishing:
     disable: true

From 9b4119c3cdd9adce75e2c6cc2b485f330151ca48 Mon Sep 17 00:00:00 2001
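Review bot: The policy block now encodes a deliberate trust decision — GitHub-owned `actions/*` and the toolbox's own composite action may float on a tag while every other action must be commit-SHA pinned — but nothing in the file records why, and the next reader will see `"actions/*": ref-pin` as a weakening of the `"*": hash-pin` rule. A short comment above `policies:` such as `# GitHub-owned actions and the PTB's own composite action may be tag-pinned; every other action must be pinned to a commit SHA` would capture the rationale. As far as I recall zizmor picks the most specific matching pattern rather than the first in file order, so placing `"*"` last is cosmetic; the comment can say so to pre-empt a future reordering. The `rules:` mapping this hunk belongs to starts outside the hunk.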
From: Ariel Schulz Date: Thu, 11 Jun 2026 12:12:48 +0200 Subject: [PATCH 19/21] Revert SHA needed for actions from GitHub actions --- .github/actions/python-environment/action.yml | 4 ++-- .github/actions/security-issues/action.yml | 2 +- .github/workflows/build-and-publish.yml | 2 +- .github/workflows/check-release-tag.yml | 2 +- .github/workflows/checks.yml | 20 +++++++++---------- .github/workflows/dependency-update.yml | 2 +- .github/workflows/fast-tests-extension.yml | 2 +- .github/workflows/fast-tests.yml | 4 ++-- .github/workflows/gh-pages.yml | 6 +++--- .github/workflows/matrix-all.yml | 2 +- .github/workflows/matrix-exasol.yml | 2 +- .github/workflows/matrix-python.yml | 2 +- .github/workflows/report.yml | 4 ++-- .github/workflows/slow-checks.yml | 4 ++-- .github/workflows/test-python-environment.yml | 4 ++-- .workflow-patcher.yml | 2 +- doc/github_actions/python_environment.rst | 2 +- doc/github_actions/security_issues.rst | 2 +- .../github_workflows/workflow_patcher.rst | 2 +- .../github/workflows/build-and-publish.yml | 2 +- .../github/workflows/check-release-tag.yml | 2 +- .../templates/github/workflows/checks.yml | 20 +++++++++---------- .../github/workflows/dependency-update.yml | 2 +- .../templates/github/workflows/fast-tests.yml | 4 ++-- .../templates/github/workflows/gh-pages.yml | 6 +++--- .../templates/github/workflows/matrix-all.yml | 2 +- .../github/workflows/matrix-exasol.yml | 2 +- .../github/workflows/matrix-python.yml | 2 +- .../templates/github/workflows/report.yml | 4 ++-- .../github/workflows/slow-checks.yml | 4 ++-- test/unit/util/workflows/conftest.py | 2 +- .../util/workflows/process_template_test.py | 4 ++-- 32 files changed, 63 insertions(+), 63 deletions(-) diff --git a/.github/actions/python-environment/action.yml b/.github/actions/python-environment/action.yml index 7abfd448a..2e0ba3559 100644 --- a/.github/actions/python-environment/action.yml +++ b/.github/actions/python-environment/action.yml 
@@ -34,7 +34,7 @@ runs: - name: Set up Python (${{ inputs.python-version}}) - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 + uses: actions/setup-python@v6 with: python-version: ${{ inputs.python-version }} @@ -69,7 +69,7 @@ runs: - name: Cache Poetry environment if: inputs.use-cache == 'true' id: cache-poetry-env - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + uses: actions/cache@v5 with: path: ${{ steps.setup-cache-variables.outputs.POETRY_ENV_PATH }} key: poetry-env-${{ steps.setup-cache-variables.outputs.POETRY_SHA }}-${{ steps.setup-cache-variables.outputs.IMAGE_OS }}-${{ steps.setup-cache-variables.outputs.IMAGE_VERSION }}-${{ runner.arch }}-${{ inputs.poetry-version }}-${{ inputs.python-version }}-${{ inputs.extras }} diff --git a/.github/actions/security-issues/action.yml b/.github/actions/security-issues/action.yml index 65047483b..58c969d4b 100644 --- a/.github/actions/security-issues/action.yml +++ b/.github/actions/security-issues/action.yml @@ -32,7 +32,7 @@ runs: steps: - name: Setup Python (${{ inputs.python-version}}) - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 + uses: actions/setup-python@v6 with: python-version: 3.11 diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml index 01087bfba..4b6befafa 100644 --- a/.github/workflows/build-and-publish.yml +++ b/.github/workflows/build-and-publish.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@v6 with: persist-credentials: false diff --git a/.github/workflows/check-release-tag.yml b/.github/workflows/check-release-tag.yml index aa09cf3b1..b22a73290 100644 --- a/.github/workflows/check-release-tag.yml +++ b/.github/workflows/check-release-tag.yml 
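Review bot: Reverting `actions/setup-python` (and, in the other hunks of this commit, `actions/cache`, `actions/checkout`, `actions/upload-artifact`, `actions/download-artifact`, `actions/upload-pages-artifact` and `actions/deploy-pages`) from a commit SHA back to a major tag trades an immutable reference for one the action owner can move, which is a defensible choice for GitHub-owned actions but should be stated as such in the commit message or the zizmor policy. The changelog line added in PATCH 16, `#864: Modified PTB workflow templates to not persist-credentials and to use pinned SHAs`, overstates the result after this commit; wording such as `... to use commit-SHA pins for third-party actions and major-version tags for GitHub-owned actions` would match what ships. The `.rst` examples and test fixtures reverted alongside stay consistent with the templates, which is good; the `runs:` block of this composite action starts outside the hunk.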
@@ -15,7 +15,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@v6 with: persist-credentials: false diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 4e475d10f..89a4bf141 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -14,7 +14,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@v6 with: persist-credentials: false @@ -42,7 +42,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@v6 with: persist-credentials: false @@ -69,7 +69,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@v6 with: persist-credentials: false @@ -86,7 +86,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + uses: actions/upload-artifact@v7 with: name: lint-python${{ matrix.python-versions }} path: | @@ -107,7 +107,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@v6 with: persist-credentials: false @@ -135,7 +135,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@v6 with: persist-credentials: false 
@@ -152,7 +152,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + uses: actions/upload-artifact@v7 with: name: security-python${{ matrix.python-versions }} path: .security.json @@ -167,7 +167,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@v6 with: persist-credentials: false @@ -190,7 +190,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@v6 with: persist-credentials: false @@ -213,7 +213,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@v6 with: persist-credentials: false diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml index 4c1ae042a..daf803866 100644 --- a/.github/workflows/dependency-update.yml +++ b/.github/workflows/dependency-update.yml @@ -19,7 +19,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@v6 with: persist-credentials: true fetch-depth: 0 diff --git a/.github/workflows/fast-tests-extension.yml b/.github/workflows/fast-tests-extension.yml index a786b6a00..c4f10064a 100644 --- a/.github/workflows/fast-tests-extension.yml +++ b/.github/workflows/fast-tests-extension.yml @@ -12,7 +12,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@v6 with: persist-credentials: false diff --git a/.github/workflows/fast-tests.yml b/.github/workflows/fast-tests.yml index 06f20755f..b692b8e38 100644 --- a/.github/workflows/fast-tests.yml 
+++ b/.github/workflows/fast-tests.yml @@ -19,7 +19,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@v6 with: persist-credentials: false fetch-depth: 0 @@ -36,7 +36,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + uses: actions/upload-artifact@v7 with: name: coverage-python${{ matrix.python-versions }}-fast path: .coverage diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index ea2f5b88f..2c0c465ca 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -15,7 +15,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@v6 with: fetch-depth: 0 persist-credentials: false @@ -35,7 +35,7 @@ jobs: - name: Upload Artifact id: upload-artifact - uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0 + uses: actions/upload-pages-artifact@v5 with: path: html-documentation @@ -53,4 +53,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deploy-to-github-pages - uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0 + uses: actions/deploy-pages@v5 diff --git a/.github/workflows/matrix-all.yml b/.github/workflows/matrix-all.yml index a960a991f..cc8e849b0 100644 --- a/.github/workflows/matrix-all.yml +++ b/.github/workflows/matrix-all.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@v6 with: persist-credentials: false diff --git a/.github/workflows/matrix-exasol.yml b/.github/workflows/matrix-exasol.yml index d7dbad6ae..bab0ffb02 100644 --- a/.github/workflows/matrix-exasol.yml 
+++ b/.github/workflows/matrix-exasol.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@v6 with: persist-credentials: false diff --git a/.github/workflows/matrix-python.yml b/.github/workflows/matrix-python.yml index eb94dbc5c..c671c36f3 100644 --- a/.github/workflows/matrix-python.yml +++ b/.github/workflows/matrix-python.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@v6 with: persist-credentials: false diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml index a9254b989..8e2bc1d91 100644 --- a/.github/workflows/report.yml +++ b/.github/workflows/report.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@v6 with: fetch-depth: 0 persist-credentials: false @@ -31,7 +31,7 @@ jobs: - name: Download Artifacts id: download-artifacts - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + uses: actions/download-artifact@v8 with: path: ./artifacts diff --git a/.github/workflows/slow-checks.yml b/.github/workflows/slow-checks.yml index c387a8965..b1d7f905e 100644 --- a/.github/workflows/slow-checks.yml +++ b/.github/workflows/slow-checks.yml @@ -25,7 +25,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@v6 with: persist-credentials: false 
@@ -42,7 +42,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + uses: actions/upload-artifact@v7 with: name: coverage-python${{ matrix.python-version }}-slow path: .coverage diff --git a/.github/workflows/test-python-environment.yml b/.github/workflows/test-python-environment.yml index f17ebd15a..f05267e9a 100644 --- a/.github/workflows/test-python-environment.yml +++ b/.github/workflows/test-python-environment.yml @@ -12,7 +12,7 @@ jobs: outputs: should_run: ${{ steps.diff.outputs.should_run }} steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/checkout@v6 with: fetch-depth: 0 persist-credentials: false @@ -67,7 +67,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@v6 with: persist-credentials: false diff --git a/.workflow-patcher.yml b/.workflow-patcher.yml index f5e1c0e7b..bdf6d52fe 100644 --- a/.workflow-patcher.yml +++ b/.workflow-patcher.yml @@ -8,7 +8,7 @@ workflows: # The PTB has unit tests which require the fetch-depth to be 0. - name: Check out Repository id: check-out-repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@v6 with: persist-credentials: false fetch-depth: 0 diff --git a/doc/github_actions/python_environment.rst b/doc/github_actions/python_environment.rst index aa31f89eb..f400b02b4 100644 --- a/doc/github_actions/python_environment.rst +++ b/doc/github_actions/python_environment.rst @@ -49,7 +49,7 @@ Example Usage steps: - name: SCM Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@v6 - name: Setup Python & Poetry Environment uses: exasol/python-toolbox/.github/actions/python-environment@v4 
diff --git a/doc/github_actions/security_issues.rst b/doc/github_actions/security_issues.rst index ecb4558fc..d85f8ed33 100644 --- a/doc/github_actions/security_issues.rst +++ b/doc/github_actions/security_issues.rst @@ -26,7 +26,7 @@ Example Usage steps: - name: SCM Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@v6 - name: Report Security Issues uses: exasol/python-toolbox/.github/actions/security-issues@v1 diff --git a/doc/user_guide/features/github_workflows/workflow_patcher.rst b/doc/user_guide/features/github_workflows/workflow_patcher.rst index c0a3fc609..d73adeca4 100644 --- a/doc/user_guide/features/github_workflows/workflow_patcher.rst +++ b/doc/user_guide/features/github_workflows/workflow_patcher.rst @@ -30,7 +30,7 @@ Model content: - name: Check out Repository id: check-out-repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@v6 with: fetch-depth: 0 diff --git a/exasol/toolbox/templates/github/workflows/build-and-publish.yml b/exasol/toolbox/templates/github/workflows/build-and-publish.yml index b2ffc3422..6c42834b4 100644 --- a/exasol/toolbox/templates/github/workflows/build-and-publish.yml +++ b/exasol/toolbox/templates/github/workflows/build-and-publish.yml @@ -16,7 +16,7 @@ jobs: steps: - name: Check out Repository id: check-out-repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@v6 with: persist-credentials: false diff --git a/exasol/toolbox/templates/github/workflows/check-release-tag.yml b/exasol/toolbox/templates/github/workflows/check-release-tag.yml index 91f4eb01c..eda38dda8 100644 --- a/exasol/toolbox/templates/github/workflows/check-release-tag.yml +++ b/exasol/toolbox/templates/github/workflows/check-release-tag.yml 
@@ -14,7 +14,7 @@ jobs:
 steps:
 - name: Check out Repository
 id: check-out-repository
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ uses: actions/checkout@v6
 with:
 persist-credentials: false
diff --git a/exasol/toolbox/templates/github/workflows/checks.yml b/exasol/toolbox/templates/github/workflows/checks.yml
index 1d0dda31b..9d88c6c87 100644
--- a/exasol/toolbox/templates/github/workflows/checks.yml
+++ b/exasol/toolbox/templates/github/workflows/checks.yml
@@ -13,7 +13,7 @@ jobs:
 steps:
 - name: Check out Repository
 id: check-out-repository
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ uses: actions/checkout@v6
 with:
 persist-credentials: false
@@ -41,7 +41,7 @@ jobs:
 steps:
 - name: Check out Repository
 id: check-out-repository
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ uses: actions/checkout@v6
 with:
 persist-credentials: false
@@ -68,7 +68,7 @@ jobs:
 steps:
 - name: Check out Repository
 id: check-out-repository
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ uses: actions/checkout@v6
 with:
 persist-credentials: false
@@ -85,7 +85,7 @@ jobs:
 - name: Upload Artifacts
 id: upload-artifacts
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ uses: actions/upload-artifact@v7
 with:
 name: lint-python${{ matrix.python-versions }}
 path: |
@@ -106,7 +106,7 @@ jobs:
 steps:
 - name: Check out Repository
 id: check-out-repository
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ uses: actions/checkout@v6
 with:
 persist-credentials: false
@@ -134,7 +134,7 @@ jobs:
 steps:
 - name: Check out Repository
 id: check-out-repository
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ uses: actions/checkout@v6
 with:
 persist-credentials: false
@@ -151,7 +151,7 @@ jobs:
 - name: Upload Artifacts
 id: upload-artifacts
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ uses: actions/upload-artifact@v7
 with:
 name: security-python${{ matrix.python-versions }}
 path: .security.json
@@ -166,7 +166,7 @@ jobs:
 steps:
 - name: Check out Repository
 id: check-out-repository
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ uses: actions/checkout@v6
 with:
 persist-credentials: false
@@ -189,7 +189,7 @@ jobs:
 steps:
 - name: Check out Repository
 id: check-out-repository
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ uses: actions/checkout@v6
 with:
 persist-credentials: false
@@ -212,7 +212,7 @@ jobs:
 steps:
 - name: Check out Repository
 id: check-out-repository
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ uses: actions/checkout@v6
 with:
 persist-credentials: false
diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml
index 72d51d0fd..a620b9b21 100644
--- a/exasol/toolbox/templates/github/workflows/dependency-update.yml
+++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml
@@ -18,7 +18,7 @@ jobs:
 steps:
 - name: Check out Repository
 id: check-out-repository
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ uses: actions/checkout@v6
 with:
 persist-credentials: true
 fetch-depth: 0
diff --git a/exasol/toolbox/templates/github/workflows/fast-tests.yml b/exasol/toolbox/templates/github/workflows/fast-tests.yml
index 6575b8860..c6f03c94f 100644
--- a/exasol/toolbox/templates/github/workflows/fast-tests.yml
+++ b/exasol/toolbox/templates/github/workflows/fast-tests.yml
@@ -18,7 +18,7 @@ jobs:
 steps:
 - name: Check out Repository
 id: check-out-repository
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ uses: actions/checkout@v6
 with:
 persist-credentials: false
@@ -35,7 +35,7 @@ jobs:
 - name: Upload Artifacts
 id: upload-artifacts
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ uses: actions/upload-artifact@v7
 with:
 name: coverage-python${{ matrix.python-versions }}-fast
 path: .coverage
diff --git a/exasol/toolbox/templates/github/workflows/gh-pages.yml b/exasol/toolbox/templates/github/workflows/gh-pages.yml
index 3f8edbd3b..17fdbdbf3 100644
--- a/exasol/toolbox/templates/github/workflows/gh-pages.yml
+++ b/exasol/toolbox/templates/github/workflows/gh-pages.yml
@@ -14,7 +14,7 @@ jobs:
 steps:
 - name: Check out Repository
 id: check-out-repository
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ uses: actions/checkout@v6
 with:
 fetch-depth: 0
 persist-credentials: false
@@ -34,7 +34,7 @@ jobs:
 - name: Upload Artifact
 id: upload-artifact
- uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
+ uses: actions/upload-pages-artifact@v5
 with:
 path: html-documentation
@@ -52,4 +52,4 @@ jobs:
 steps:
 - name: Deploy to GitHub Pages
 id: deploy-to-github-pages
- uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0
+ uses: actions/deploy-pages@v5
diff --git a/exasol/toolbox/templates/github/workflows/matrix-all.yml b/exasol/toolbox/templates/github/workflows/matrix-all.yml
index 743900cf4..c24c2f2db 100644
--- a/exasol/toolbox/templates/github/workflows/matrix-all.yml
+++ b/exasol/toolbox/templates/github/workflows/matrix-all.yml
@@ -16,7 +16,7 @@ jobs:
 steps:
 - name: Check out Repository
 id: check-out-repository
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ uses: actions/checkout@v6
 with:
 persist-credentials: false
diff --git a/exasol/toolbox/templates/github/workflows/matrix-exasol.yml b/exasol/toolbox/templates/github/workflows/matrix-exasol.yml
index b74c8f1f4..18b3b851b 100644
--- a/exasol/toolbox/templates/github/workflows/matrix-exasol.yml
+++ b/exasol/toolbox/templates/github/workflows/matrix-exasol.yml
@@ -16,7 +16,7 @@ jobs:
 steps:
 - name: Check out Repository
 id: check-out-repository
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ uses: actions/checkout@v6
 with:
 persist-credentials: false
diff --git a/exasol/toolbox/templates/github/workflows/matrix-python.yml b/exasol/toolbox/templates/github/workflows/matrix-python.yml
index f56ea13ff..062426ff1 100644
--- a/exasol/toolbox/templates/github/workflows/matrix-python.yml
+++ b/exasol/toolbox/templates/github/workflows/matrix-python.yml
@@ -16,7 +16,7 @@ jobs:
 steps:
 - name: Check out Repository
 id: check-out-repository
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ uses: actions/checkout@v6
 with:
 persist-credentials: false
diff --git a/exasol/toolbox/templates/github/workflows/report.yml b/exasol/toolbox/templates/github/workflows/report.yml
index bc7e1fd33..21dd0e086 100644
--- a/exasol/toolbox/templates/github/workflows/report.yml
+++ b/exasol/toolbox/templates/github/workflows/report.yml
@@ -16,7 +16,7 @@ jobs:
 steps:
 - name: Check out Repository
 id: check-out-repository
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ uses: actions/checkout@v6
 with:
 fetch-depth: 0
 persist-credentials: false
@@ -30,7 +30,7 @@ jobs:
 - name: Download Artifacts
 id: download-artifacts
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+ uses: actions/download-artifact@v8
 with:
 path: ./artifacts
diff --git a/exasol/toolbox/templates/github/workflows/slow-checks.yml b/exasol/toolbox/templates/github/workflows/slow-checks.yml
index 3bfe05dfc..618e1790a 100644
--- a/exasol/toolbox/templates/github/workflows/slow-checks.yml
+++ b/exasol/toolbox/templates/github/workflows/slow-checks.yml
@@ -27,7 +27,7 @@ jobs:
 steps:
 - name: Check out Repository
 id: check-out-repository
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ uses: actions/checkout@v6
 with:
 persist-credentials: false
@@ -44,7 +44,7 @@ jobs:
 - name: Upload Artifacts
 id: upload-artifacts
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ uses: actions/upload-artifact@v7
 with:
 name: coverage-python${{ matrix.python-version }}-exasol${{ matrix.exasol-version }}-slow
 path: .coverage
diff --git a/test/unit/util/workflows/conftest.py b/test/unit/util/workflows/conftest.py
index beec18e31..c1e763f23 100644
--- a/test/unit/util/workflows/conftest.py
+++ b/test/unit/util/workflows/conftest.py
@@ -27,7 +27,7 @@ class ExamplePatcherYaml:
 content:
 - name: Check out Repository
 id: check-out-repository
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ uses: actions/checkout@v6
 with:
 fetch-depth: 0
 """
diff --git a/test/unit/util/workflows/process_template_test.py b/test/unit/util/workflows/process_template_test.py
index a864fe21f..935cbc78a 100644
--- a/test/unit/util/workflows/process_template_test.py
+++ b/test/unit/util/workflows/process_template_test.py
@@ -24,7 +24,7 @@
 steps:
 - name: Check out Repository
 id: check-out-repository
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ uses: actions/checkout@v6
 run-unit-tests:
 name: Run Unit Tests (Python-${{ matrix.python-versions }})
@@ -39,7 +39,7 @@
 steps:
 - name: Check out Repository
 id: check-out-repository
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ uses: actions/checkout@v6
 fast-report:
 name: Fast Report
From 6b1b64461c7de41113b2d8fb4779e27567d1da47 Mon Sep 17 00:00:00 2001
From: Ariel Schulz
Date: Thu, 11 Jun 2026 12:22:05 +0200
Subject: [PATCH 20/21] Add linting job for PTB only

---
 .github/workflows/fast-tests-extension.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/.github/workflows/fast-tests-extension.yml b/.github/workflows/fast-tests-extension.yml
index c4f10064a..0c8dfca7f 100644
--- a/.github/workflows/fast-tests-extension.yml
+++ b/.github/workflows/fast-tests-extension.yml
@@ -26,3 +26,21 @@ jobs:
 - name: Lint Imports
 id: lint-imports
 run: poetry run -- nox -s lint:import
+
+ # This will be moved to a standard check in the checks.yml in:
+ # https://github.com/exasol/python-toolbox/issues/811
+ lint-github-actions:
+ name: Lint GitHub Actions
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Check out Repository
+ id: check-out-repository
+ uses: actions/checkout@v6
+ with:
+ persist-credentials: false
+
+ - name: Lint GitHub actions with Zizmor
+ id: lint-github-actions
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+ with:
+ advanced-security: false
From 5dc909054ff7c34774f69fb441a1707f2bb9278e Mon Sep 17 00:00:00 2001
From: Ariel Schulz <43442541+ArBridgeman@users.noreply.github.com>
Date: Thu, 11 Jun 2026 12:39:55 +0200
Subject: [PATCH 21/21] Improve description instead of using keyword from GitHub checkout action

Co-authored-by: Steffen Pankratz
---
 doc/changes/unreleased.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/changes/unreleased.md b/doc/changes/unreleased.md
index 1f14650d2..6bc5dd92f 100644
--- a/doc/changes/unreleased.md
+++ b/doc/changes/unreleased.md
@@ -6,4 +6,4 @@
 ## Feature
 * #730: Added support to extend GitHub workflow `cd.yml`
-* #864: Modified PTB workflow templates to not persist-credentials and to use pinned SHAs
\ No newline at end of file
+* #864: Modified PTB workflow templates to not persist credentials and to use pinned SHAs
\ No newline at end of file
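Review bot: In the new `lint-github-actions` job the checkout step is `uses: actions/checkout@v6` while the step directly below it pins `zizmorcore/zizmor-action` to a full commit SHA with a version comment; the job that exists to lint the workflows for supply-chain hygiene should itself be pinned the same way, e.g. `uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3`, which is the pin this series removes elsewhere. The job also declares no `permissions:` block; if the workflow has no top-level `permissions` (that part of the file is outside this hunk), add `permissions:` with `contents: read` under the job so its token carries only what the checkout needs — with `advanced-security: false` the findings are not uploaded to code scanning, so as far as I can tell no write scope is required. The diffstat says this hunk is the whole change, so the job header and steps are complete as shown.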