diff --git a/.github/workflows/_repository-checks.yml b/.github/workflows/_repository-checks.yml index 0251369..fc626d2 100644 --- a/.github/workflows/_repository-checks.yml +++ b/.github/workflows/_repository-checks.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false @@ -28,12 +28,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: Run zizmor - uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa # v0.5.7 with: persona: auditor min-severity: medium @@ -45,7 +45,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false @@ -66,7 +66,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false diff --git a/.github/workflows/assets-build.yml b/.github/workflows/assets-build.yml index 3cb714e..3cd0be8 100644 --- a/.github/workflows/assets-build.yml +++ b/.github/workflows/assets-build.yml @@ -113,7 +113,7 @@ jobs: ALLOW_UNPINNED_NODE_INSTALL: ${{ inputs.allow_unpinned_node_install }} steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false diff --git a/.github/workflows/automatic-release.yml b/.github/workflows/automatic-release.yml index f577661..242efad 100644 --- a/.github/workflows/automatic-release.yml +++ b/.github/workflows/automatic-release.yml @@ -70,7 +70,7 @@ jobs: cancel-in-progress: false steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 persist-credentials: false @@ -136,7 +136,7 @@ jobs: - name: Checkout workflow templates if: ${{ steps.release-config.outputs.has_config == 'false' }} - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: repository: ${{ inputs.workflow_repository }} ref: ${{ inputs.workflow_ref }} diff --git a/.github/workflows/build-and-distribute.yml b/.github/workflows/build-and-distribute.yml index bf611a2..7190ab4 100644 --- a/.github/workflows/build-and-distribute.yml +++ b/.github/workflows/build-and-distribute.yml @@ -222,7 +222,7 @@ jobs: ALLOW_UNPINNED_NODE_INSTALL: ${{ inputs.allow_unpinned_node_install }} steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 persist-credentials: false @@ -860,6 +860,6 @@ jobs: printf 'path=%s\n' "${manifests[0]}" >> "$GITHUB_OUTPUT" - name: Attest artifact manifest - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 + uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1 with: subject-path: ${{ steps.manifest.outputs.path }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 377665f..cf92757 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -32,15 +32,15 @@ jobs: security-events: write steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: Initialize CodeQL - uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 + uses: github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 with: languages: ${{ inputs.languages }} build-mode: ${{ inputs.build_mode }} - name: Perform CodeQL analysis - uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 + uses: github/codeql-action/analyze@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 diff --git a/.github/workflows/composer-validate.yml b/.github/workflows/composer-validate.yml index 470a56f..57472a5 100644 --- a/.github/workflows/composer-validate.yml +++ b/.github/workflows/composer-validate.yml @@ -61,7 +61,7 @@ jobs: timeout-minutes: ${{ inputs.timeout_minutes }} steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false diff --git a/.github/workflows/ddev-playwright.yml b/.github/workflows/ddev-playwright.yml index 55ec642..5489fb1 100644 --- a/.github/workflows/ddev-playwright.yml +++ b/.github/workflows/ddev-playwright.yml @@ -116,7 +116,7 @@ jobs: artifact: ${{ steps.artifact.outputs.name }} steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false diff --git a/.github/workflows/deploy-deployer.yml b/.github/workflows/deploy-deployer.yml index 4d6d0b4..e8e10dd 100644 --- a/.github/workflows/deploy-deployer.yml +++ b/.github/workflows/deploy-deployer.yml @@ -139,7 +139,7 @@ jobs: ALLOW_UNPINNED_NODE_INSTALL: ${{ inputs.allow_unpinned_node_install }} steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 persist-credentials: false diff --git a/.github/workflows/javascript-static-analysis.yml b/.github/workflows/javascript-static-analysis.yml index 34c0a48..e5058c4 100644 --- a/.github/workflows/javascript-static-analysis.yml +++ b/.github/workflows/javascript-static-analysis.yml @@ -79,7 +79,7 @@ jobs: ALLOW_UNPINNED_NODE_INSTALL: ${{ inputs.allow_unpinned_node_install }} steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false diff --git a/.github/workflows/javascript-unit.yml b/.github/workflows/javascript-unit.yml index b21177e..ccd0c08 100644 --- a/.github/workflows/javascript-unit.yml +++ b/.github/workflows/javascript-unit.yml @@ -108,7 +108,7 @@ jobs: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false diff --git a/.github/workflows/lint-workflows.yml b/.github/workflows/lint-workflows.yml index 79724da..50fb310 100644 --- a/.github/workflows/lint-workflows.yml +++ b/.github/workflows/lint-workflows.yml @@ -19,7 +19,7 @@ jobs: timeout-minutes: ${{ inputs.timeout_minutes }} steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false diff --git a/.github/workflows/php-coding-standards.yml b/.github/workflows/php-coding-standards.yml index a4d4a09..49712e4 100644 --- a/.github/workflows/php-coding-standards.yml +++ b/.github/workflows/php-coding-standards.yml @@ -70,7 +70,7 @@ jobs: pull-requests: read steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false diff --git a/.github/workflows/php-static-analysis.yml b/.github/workflows/php-static-analysis.yml index 70f91c0..1635a43 100644 --- a/.github/workflows/php-static-analysis.yml +++ b/.github/workflows/php-static-analysis.yml @@ -66,7 +66,7 @@ jobs: timeout-minutes: ${{ inputs.timeout_minutes }} steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false diff --git a/.github/workflows/php-unit.yml b/.github/workflows/php-unit.yml index df8425c..dc9e868 100644 --- a/.github/workflows/php-unit.yml +++ b/.github/workflows/php-unit.yml @@ -91,7 +91,7 @@ jobs: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false diff --git a/.github/workflows/playwright.yml b/.github/workflows/playwright.yml index 177f853..0e72b1b 100644 --- a/.github/workflows/playwright.yml +++ b/.github/workflows/playwright.yml @@ -140,7 +140,7 @@ jobs: ALLOW_UNPINNED_NODE_INSTALL: ${{ inputs.allow_unpinned_node_install }} steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false @@ -271,7 +271,7 @@ jobs: fi - name: Cache Playwright browsers - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: ~/.cache/ms-playwright key: ${{ runner.os }}-playwright-${{ inputs.node_version }}-${{ hashFiles(format('{0}/package-lock.json', inputs.working_directory), format('{0}/npm-shrinkwrap.json', inputs.working_directory), format('{0}/pnpm-lock.yaml', inputs.working_directory), format('{0}/yarn.lock', inputs.working_directory), format('{0}/package.json', inputs.working_directory)) }} diff --git a/.github/workflows/sympress-qa.yml b/.github/workflows/sympress-qa.yml index 266faff..a6e8768 100644 --- a/.github/workflows/sympress-qa.yml +++ b/.github/workflows/sympress-qa.yml @@ -96,7 +96,7 @@ jobs: has_targets: ${{ steps.targets.outputs.has_targets }} steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false @@ -148,7 +148,7 @@ jobs: ALLOW_UNPINNED_NODE_INSTALL: ${{ inputs.allow_unpinned_node_install }} steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false diff --git a/.github/workflows/text-quality.yml b/.github/workflows/text-quality.yml index 2777c84..2a9de5a 100644 --- a/.github/workflows/text-quality.yml +++ b/.github/workflows/text-quality.yml @@ -72,13 +72,13 @@ jobs: checks: write steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: Run typos if: ${{ inputs.run_typos }} - uses: crate-ci/typos@37bb98842b0d8c4ffebdb75301a13db0267cef89 # v1 + uses: crate-ci/typos@bee27e3a4fd1ea2111cf90ab89cd076c870fce14 # v1.48.0 with: files: ${{ inputs.typos_files }} config: ${{ inputs.typos_config }} @@ -104,7 +104,7 @@ jobs: pull-requests: write steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false diff --git a/.github/workflows/wordpress-archive.yml b/.github/workflows/wordpress-archive.yml index f77124e..2ac7af3 100644 --- a/.github/workflows/wordpress-archive.yml +++ b/.github/workflows/wordpress-archive.yml @@ -139,7 +139,7 @@ jobs: ALLOW_UNPINNED_NODE_INSTALL: ${{ inputs.allow_unpinned_node_install }} steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false @@ -556,6 +556,6 @@ jobs: printf 'path=%s\n' "${manifests[0]}" >> "$GITHUB_OUTPUT" - name: Attest artifact manifest - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 + uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1 with: subject-path: ${{ steps.manifest.outputs.path }} diff --git a/.github/workflows/wp-scripts-lint.yml b/.github/workflows/wp-scripts-lint.yml index b0df5bf..3dd5ce7 100644 --- a/.github/workflows/wp-scripts-lint.yml +++ b/.github/workflows/wp-scripts-lint.yml @@ -89,7 +89,7 @@ jobs: ALLOW_UNPINNED_NODE_INSTALL: ${{ inputs.allow_unpinned_node_install }} steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false diff --git a/scripts/validate-contracts.mjs b/scripts/validate-contracts.mjs index 0c92fde..e1f4f71 100644 --- a/scripts/validate-contracts.mjs +++ b/scripts/validate-contracts.mjs @@ -179,7 +179,7 @@ for (const file of ['.github/workflows/build-and-distribute.yml', '.github/workf 'Artifact content matched a blocked secret pattern', 'artifact-sha256sums.txt', 'artifact-manifest.json', - 'actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32', + 'actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373', 'actions: read', 'attestations: write', 'id-token: write', @@ -234,7 +234,7 @@ assert(qit.includes('QIT_TEST'), 'woo-qit.yml must pass qit_test through env'); assert(qit.includes('args=("run:${QIT_TEST}"'), 'woo-qit.yml must run QIT with an argv array'); const repositoryChecks = read('.github/workflows/_repository-checks.yml'); -assert(repositoryChecks.includes('zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d'), '_repository-checks.yml must pin zizmor'); +assert(repositoryChecks.includes('zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa'), '_repository-checks.yml must pin zizmor'); assert(repositoryChecks.includes('npm run test:contracts'), '_repository-checks.yml must run contract tests'); assert(repositoryChecks.includes('npm run doctor -- --fail-on high fixtures/wp-plugin'), '_repository-checks.yml must run the doctor fixture gate'); assert(repositoryChecks.includes('npm run doctor:repo'), '_repository-checks.yml must run the repository doctor gate'); @@ -306,7 +306,7 @@ for (const file of [ } const playwright = read('.github/workflows/playwright.yml'); -assert(playwright.includes('actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae'), 'playwright.yml must pin the Playwright browser cache action'); +assert(playwright.includes('actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9'), 'playwright.yml must pin the Playwright browser cache action'); assert(!playwright.includes('source .env.ci'), 'playwright.yml must parse .env.ci without sourcing it'); const textQuality = read('.github/workflows/text-quality.yml');