diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml index ed257ff54..4ad5f56c5 100644 --- a/.github/workflows/builder.yml +++ b/.github/workflows/builder.yml @@ -53,7 +53,7 @@ jobs: requirements: ${{ steps.requirements.outputs.changed }} steps: - name: Checkout the repository - uses: actions/checkout@v5.0.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 @@ -70,7 +70,7 @@ jobs: - name: Get changed files id: changed_files if: steps.version.outputs.publish == 'false' - uses: masesgroup/retrieve-changed-files@v3.0.0 + uses: masesgroup/retrieve-changed-files@491e80760c0e28d36ca6240a27b1ccb8e1402c13 # v3.0.0 - name: Check if requirements files changed id: requirements @@ -92,7 +92,7 @@ jobs: arch: ${{ fromJson(needs.init.outputs.architectures) }} steps: - name: Checkout the repository - uses: actions/checkout@v5.0.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 @@ -104,6 +104,7 @@ jobs: echo "CARGO_NET_GIT_FETCH_WITH_CLI=true" ) > .env_file + # home-assistant/wheels doesn't support sha pinning - name: Build wheels if: needs.init.outputs.requirements == 'true' uses: home-assistant/wheels@2025.07.0 @@ -125,13 +126,13 @@ jobs: - name: Set up Python ${{ env.DEFAULT_PYTHON }} if: needs.init.outputs.publish == 'true' - uses: actions/setup-python@v6.0.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ env.DEFAULT_PYTHON }} - name: Install Cosign if: needs.init.outputs.publish == 'true' - uses: sigstore/cosign-installer@v3.9.2 + uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 with: cosign-release: "v2.4.3" 
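Review bot: Nothing in this diff ties `08c6903cd8c0fde910a37f88322edcfb5dd907a8` to the `# v5.0.0` comment beside it on the `actions/checkout` line, and the same holds for every other SHA/comment pair added across these workflow files. Before merge, each SHA should be confirmed as the commit the named tag points at in the upstream repository itself, since GitHub also resolves commits that exist only in a fork of that repository. If Dependabot or Renovate is meant to keep these pins current (its configuration is not part of this diff), check that it covers the `github-actions` ecosystem; otherwise the pinned commits will stop receiving upstream security fixes.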
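Review bot: The added comment `# home-assistant/wheels doesn't support sha pinning` records that this step stays on a mutable tag but not why, so a later reader cannot tell when the exception can be dropped. `home-assistant/wheels@2025.07.0` here and `home-assistant/builder@2025.03.0` in the hunks at -159,6 and -203,8 are the only tag references left among the lines shown. The first builder step appears to run in the job that logs in to ghcr.io and installs Cosign, so whatever commit the tag resolves to would execute with publish credentials in reach. I would expand each comment to give the reason and the residual risk, for example `# home-assistant/wheels cannot be SHA-pinned (<reason or issue link>); tag is mutable, exception limited to first-party actions`. The steps themselves continue outside the hunks.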
@@ -149,7 +150,7 @@ jobs: - name: Login to GitHub Container Registry if: needs.init.outputs.publish == 'true' - uses: docker/login-action@v3.5.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: ghcr.io username: ${{ github.repository_owner }} @@ -159,6 +160,7 @@ jobs: if: needs.init.outputs.publish == 'false' run: echo "BUILD_ARGS=--test" >> $GITHUB_ENV + # home-assistant/builder doesn't support sha pinning - name: Build supervisor uses: home-assistant/builder@2025.03.0 with: @@ -178,7 +180,7 @@ jobs: steps: - name: Checkout the repository if: needs.init.outputs.publish == 'true' - uses: actions/checkout@v5.0.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Initialize git if: needs.init.outputs.publish == 'true' @@ -203,8 +205,9 @@ jobs: timeout-minutes: 60 steps: - name: Checkout the repository - uses: actions/checkout@v5.0.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + # home-assistant/builder doesn't support sha pinning - name: Build the Supervisor if: needs.init.outputs.publish != 'true' uses: home-assistant/builder@2025.03.0 diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index b012e20f5..f5eb55c7c 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -26,15 +26,15 @@ jobs: name: Prepare Python dependencies steps: - name: Check out code from GitHub - uses: actions/checkout@v5.0.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up Python id: python - uses: actions/setup-python@v6.0.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ env.DEFAULT_PYTHON }} - name: Restore Python virtual environment id: cache-venv - uses: actions/cache@v4.2.4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: venv key: | 
@@ -48,7 +48,7 @@ jobs: pip install -r requirements.txt -r requirements_tests.txt - name: Restore pre-commit environment from cache id: cache-precommit - uses: actions/cache@v4.2.4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: ${{ env.PRE_COMMIT_CACHE }} lookup-only: true @@ -68,15 +68,15 @@ jobs: needs: prepare steps: - name: Check out code from GitHub - uses: actions/checkout@v5.0.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up Python ${{ needs.prepare.outputs.python-version }} - uses: actions/setup-python@v6.0.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 id: python with: python-version: ${{ needs.prepare.outputs.python-version }} - name: Restore Python virtual environment id: cache-venv - uses: actions/cache@v4.2.4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: venv key: | @@ -88,7 +88,7 @@ jobs: exit 1 - name: Restore pre-commit environment from cache id: cache-precommit - uses: actions/cache@v4.2.4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: ${{ env.PRE_COMMIT_CACHE }} key: | @@ -111,15 +111,15 @@ jobs: needs: prepare steps: - name: Check out code from GitHub - uses: actions/checkout@v5.0.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up Python ${{ needs.prepare.outputs.python-version }} - uses: actions/setup-python@v6.0.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 id: python with: python-version: ${{ needs.prepare.outputs.python-version }} - name: Restore Python virtual environment id: cache-venv - uses: actions/cache@v4.2.4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: venv key: | 
@@ -131,7 +131,7 @@ jobs: exit 1 - name: Restore pre-commit environment from cache id: cache-precommit - uses: actions/cache@v4.2.4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: ${{ env.PRE_COMMIT_CACHE }} key: | @@ -154,7 +154,7 @@ jobs: needs: prepare steps: - name: Check out code from GitHub - uses: actions/checkout@v5.0.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Register hadolint problem matcher run: | echo "::add-matcher::.github/workflows/matchers/hadolint.json" @@ -169,15 +169,15 @@ jobs: needs: prepare steps: - name: Check out code from GitHub - uses: actions/checkout@v5.0.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up Python ${{ needs.prepare.outputs.python-version }} - uses: actions/setup-python@v6.0.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 id: python with: python-version: ${{ needs.prepare.outputs.python-version }} - name: Restore Python virtual environment id: cache-venv - uses: actions/cache@v4.2.4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: venv key: | @@ -189,7 +189,7 @@ jobs: exit 1 - name: Restore pre-commit environment from cache id: cache-precommit - uses: actions/cache@v4.2.4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: ${{ env.PRE_COMMIT_CACHE }} key: | 
@@ -213,15 +213,15 @@ jobs: needs: prepare steps: - name: Check out code from GitHub - uses: actions/checkout@v5.0.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up Python ${{ needs.prepare.outputs.python-version }} - uses: actions/setup-python@v6.0.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 id: python with: python-version: ${{ needs.prepare.outputs.python-version }} - name: Restore Python virtual environment id: cache-venv - uses: actions/cache@v4.2.4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: venv key: | @@ -233,7 +233,7 @@ jobs: exit 1 - name: Restore pre-commit environment from cache id: cache-precommit - uses: actions/cache@v4.2.4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: ${{ env.PRE_COMMIT_CACHE }} key: | @@ -257,15 +257,15 @@ jobs: needs: prepare steps: - name: Check out code from GitHub - uses: actions/checkout@v5.0.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up Python ${{ needs.prepare.outputs.python-version }} - uses: actions/setup-python@v6.0.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 id: python with: python-version: ${{ needs.prepare.outputs.python-version }} - name: Restore Python virtual environment id: cache-venv - uses: actions/cache@v4.2.4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: venv key: | @@ -293,9 +293,9 @@ jobs: needs: prepare steps: - name: Check out code from GitHub - uses: actions/checkout@v5.0.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up Python ${{ needs.prepare.outputs.python-version }} - uses: actions/setup-python@v6.0.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 id: python with: python-version: ${{ needs.prepare.outputs.python-version }} 
@@ -307,7 +307,7 @@ jobs: echo "key=mypy-${{ env.MYPY_CACHE_VERSION }}-$mypy_version-$(date -u '+%Y-%m-%dT%H:%M:%s')" >> $GITHUB_OUTPUT - name: Restore Python virtual environment id: cache-venv - uses: actions/cache@v4.2.4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: venv key: >- @@ -318,7 +318,7 @@ jobs: echo "Failed to restore Python virtual environment from cache" exit 1 - name: Restore mypy cache - uses: actions/cache@v4.2.4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: .mypy_cache key: >- @@ -339,19 +339,19 @@ jobs: name: Run tests Python ${{ needs.prepare.outputs.python-version }} steps: - name: Check out code from GitHub - uses: actions/checkout@v5.0.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up Python ${{ needs.prepare.outputs.python-version }} - uses: actions/setup-python@v6.0.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 id: python with: python-version: ${{ needs.prepare.outputs.python-version }} - name: Install Cosign - uses: sigstore/cosign-installer@v3.9.2 + uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 with: cosign-release: "v2.4.3" - name: Restore Python virtual environment id: cache-venv - uses: actions/cache@v4.2.4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: venv key: | @@ -386,7 +386,7 @@ jobs: -o console_output_style=count \ tests - name: Upload coverage artifact - uses: actions/upload-artifact@v4.6.2 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: coverage path: .coverage 
@@ -398,15 +398,15 @@ jobs: needs: ["pytest", "prepare"] steps: - name: Check out code from GitHub - uses: actions/checkout@v5.0.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up Python ${{ needs.prepare.outputs.python-version }} - uses: actions/setup-python@v6.0.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 id: python with: python-version: ${{ needs.prepare.outputs.python-version }} - name: Restore Python virtual environment id: cache-venv - uses: actions/cache@v4.2.4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: venv key: | @@ -417,7 +417,7 @@ jobs: echo "Failed to restore Python virtual environment from cache" exit 1 - name: Download all coverage artifacts - uses: actions/download-artifact@v5.0.0 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: coverage path: coverage/ @@ -428,4 +428,4 @@ jobs: coverage report coverage xml - name: Upload coverage to Codecov - uses: codecov/codecov-action@v5.5.1 + uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml index b5a98bfa1..790af5346 100644 --- a/.github/workflows/lock.yml +++ b/.github/workflows/lock.yml @@ -9,7 +9,7 @@ jobs: lock: runs-on: ubuntu-latest steps: - - uses: dessant/lock-threads@v5.0.1 + - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1 with: github-token: ${{ github.token }} issue-inactive-days: "30" diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index b9a1fdcd2..0685033ba 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml @@ -11,7 +11,7 @@ jobs: name: Release Drafter steps: - name: Checkout the repository - uses: actions/checkout@v5.0.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 
@@ -36,7 +36,7 @@ jobs: echo "version=$datepre.$newpost" >> "$GITHUB_OUTPUT" - name: Run Release Drafter - uses: release-drafter/release-drafter@v6.1.0 + uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0 with: tag: ${{ steps.version.outputs.version }} name: ${{ steps.version.outputs.version }} diff --git a/.github/workflows/restrict-task-creation.yml b/.github/workflows/restrict-task-creation.yml index 16f6a6ed7..f30f446a0 100644 --- a/.github/workflows/restrict-task-creation.yml +++ b/.github/workflows/restrict-task-creation.yml @@ -12,7 +12,7 @@ jobs: if: github.event.issue.type.name == 'Task' steps: - name: Check if user is authorized - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const issueAuthor = context.payload.issue.user.login; diff --git a/.github/workflows/sentry.yaml b/.github/workflows/sentry.yaml index 316a9478a..2810b3b5f 100644 --- a/.github/workflows/sentry.yaml +++ b/.github/workflows/sentry.yaml @@ -10,9 +10,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out code from GitHub - uses: actions/checkout@v5.0.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Sentry Release - uses: getsentry/action-release@v3.2.0 + uses: getsentry/action-release@526942b68292201ac6bbb99b9a0747d4abee354c # v3.2.0 env: SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} SENTRY_ORG: ${{ secrets.SENTRY_ORG }} diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index e2baebf90..48db05258 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -9,7 +9,7 @@ jobs: stale: runs-on: ubuntu-latest steps: - - uses: actions/stale@v10.0.0 + - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} days-before-stale: 30 
diff --git a/.github/workflows/update_frontend.yml b/.github/workflows/update_frontend.yml index 26f4713bb..0ce84ac60 100644 --- a/.github/workflows/update_frontend.yml +++ b/.github/workflows/update_frontend.yml @@ -14,10 +14,10 @@ jobs: latest_version: ${{ steps.latest_frontend_version.outputs.latest_tag }} steps: - name: Checkout code - uses: actions/checkout@v5.0.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Get latest frontend release id: latest_frontend_version - uses: abatilo/release-info-action@v1.3.3 + uses: abatilo/release-info-action@32cb932219f1cee3fc4f4a298fd65ead5d35b661 # v1.3.3 with: owner: home-assistant repo: frontend @@ -49,7 +49,7 @@ jobs: if: needs.check-version.outputs.skip != 'true' steps: - name: Checkout code - uses: actions/checkout@v5.0.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Clear www folder run: | rm -rf supervisor/api/panel/* @@ -57,7 +57,7 @@ jobs: run: | echo "${{ needs.check-version.outputs.latest_version }}" > .ha-frontend-version - name: Download release assets - uses: robinraju/release-downloader@v1 + uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12 with: repository: 'home-assistant/frontend' tag: ${{ needs.check-version.outputs.latest_version }} @@ -68,7 +68,7 @@ jobs: run: | rm -f supervisor/api/panel/home_assistant_frontend_supervisor-*.tar.gz - name: Create PR - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 with: commit-message: "Update frontend to version ${{ needs.check-version.outputs.latest_version }}" branch: autoupdate-frontend
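Review bot: The context line `echo "${{ needs.check-version.outputs.latest_version }}" > .ha-frontend-version` at the top of the -57,7 hunk expands a job output directly into the script text, and this hardening pass leaves it as is. The value is the `latest_tag` output of the release lookup in the earlier job, so a tag name containing shell metacharacters would be interpreted by the runner's shell rather than written to the file. The source is the project's own frontend repository, which limits exposure, but passing the value through the environment removes the dependency on that: add `env:` with `LATEST_VERSION: ${{ needs.check-version.outputs.latest_version }}` to the step and write `echo "$LATEST_VERSION" > .ha-frontend-version`. The step's `name:` line is outside the hunk.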