diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml index 4c96ded160..cf6961ebad 100644 --- a/.github/workflows/auto-merge.yml +++ b/.github/workflows/auto-merge.yml @@ -18,7 +18,6 @@ jobs: if: | contains(github.event.pull_request.labels.*.name, 'automerge') && !contains(github.event.pull_request.labels.*.name, 'do-not-merge') - uses: peter-evans/enable-pull-request-automerge@v3 - with: + uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3with: github-token: ${{ secrets.GITHUB_TOKEN }} merge-method: squash diff --git a/.github/workflows/ci-rerun-flaky.yml b/.github/workflows/ci-rerun-flaky.yml index 010e5e6ef0..ed785ac7b8 100644 --- a/.github/workflows/ci-rerun-flaky.yml +++ b/.github/workflows/ci-rerun-flaky.yml @@ -15,8 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Rerun failed CI jobs and remove rerun label - uses: actions/github-script@v7 - with: + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7with: script: | const label = 'ci:rerun-flaky'; const { owner, repo } = context.repo; diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c51be66de5..10c8b01108 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
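Review bot: The re-pinned line in auto-merge.yml swallowed the line that followed it — `uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3with:` puts `with:` inside the trailing comment, so `github-token:` and `merge-method:` become direct keys of the step and GitHub will reject the workflow. The hunk counts (-7/+6, one line fewer on the new side) show this is in the committed file, not a rendering artifact, and ci-rerun-flaky.yml has the same `# v7with:` before `script:`. It looks like the pin script's replacement pattern consumed trailing whitespace including the newline and the next line's indentation; restore `uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3` followed by `with:` on its own line, and re-run the pin with a tool that edits only the ref (pinact/ratchet) or at least a pattern anchored to end-of-line. An `actionlint` step in CI would have caught every file in this commit before merge.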
@@ -18,22 +18,18 @@ jobs: go-version: ['1.21', '1.22'] steps: - - uses: actions/checkout@v4 - - - name: Refresh models catalog + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Refresh models catalog run: | git fetch --depth 1 https://github.com/router-for-me/models.git main mkdir -p pkg/llmproxy/registry/models git show FETCH_HEAD:models.json > pkg/llmproxy/registry/models/models.json - name: Setup Go - uses: actions/setup-go@v5 - with: + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: go-version: ${{ matrix.go-version }} - name: Cache Go modules - uses: actions/cache@v4 - with: + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | @@ -49,8 +45,7 @@ jobs: run: go test ./... -v -race -coverprofile=coverage.out - name: Upload coverage - uses: codecov/codecov-action@v3 - with: + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3with: files: ./coverage.out diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 2a17bda1e4..172cf953b6 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
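Review bot: In ci.yml the checkout step now reads `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Refresh models catalog`, so the step header is inside a comment and the following `run: |` attaches to the checkout step, which then has both `uses` and `run`; the two `with:` lines below are likewise swallowed (`# v5with:`, `# v4with:`), leaving `go-version:` and `path:`/`key:` as bare step keys. The -22/+18 line count confirms four lines were lost on the new side. Separately, a pinning commit is the right moment to notice that this step still fetches a mutable external ref — `git fetch --depth 1 https://github.com/router-for-me/models.git main` — into the test tree; pin it to a commit (`git fetch --depth 1 https://github.com/router-for-me/models.git <commit-sha>`) or at least log the resolved `FETCH_HEAD` hash so a changed catalog is attributable.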
@@ -19,23 +19,18 @@ jobs: language: [go] steps: - name: Checkout - uses: actions/checkout@v4 - - name: Initialize CodeQL - uses: github/codeql-action/init@v4 - with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Initialize CodeQL + uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4with: languages: ${{ matrix.language }} config-file: .github/codeql/codeql-config.yml - name: Set up Go - uses: actions/setup-go@v5 - with: + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: go-version-file: go.mod cache: true - name: Build run: go build ./... - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 - - analyze-skip-for-migrated-router-fix: + uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4analyze-skip-for-migrated-router-fix: name: Analyze (Go) if: ${{ startsWith(github.head_ref, 'ci/fix-migrated-router-20260225060000-feature_ampcode-alias') }} runs-on: ubuntu-latest diff --git a/.github/workflows/coderabbit-rate-limit-retry.yml b/.github/workflows/coderabbit-rate-limit-retry.yml index 63d8801d00..376840ff6e 100644 --- a/.github/workflows/coderabbit-rate-limit-retry.yml +++ b/.github/workflows/coderabbit-rate-limit-retry.yml @@ -15,8 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Re-request CodeRabbit when backlog is high and check is stale - uses: actions/github-script@v7 - with: + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7with: script: | const owner = context.repo.owner; const repo = context.repo.repo; diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index 33b9bf25f9..88bd524d8d 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml 
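Review bot: The `analyze-skip-for-migrated-router-fix` job in codeql.yml has been folded into a comment — `uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4analyze-skip-for-migrated-router-fix:` — so its `name: Analyze (Go)`, `if:` and `runs-on:` lines now sit on the first job as duplicate keys and the job itself no longer exists. That job appears to exist so a check named `Analyze (Go)` is still reported on the `ci/fix-migrated-router-…` branch; silently dropping it changes what a PR has to pass. The CodeQL init step also lost its `with:` (`# v4with:`), which would detach `config-file: .github/codeql/codeql-config.yml` from the action if a lenient parser accepted the file. Restore the line break after `# v4`, the blank line, and `analyze-skip-for-migrated-router-fix:` at job indentation; the coderabbit-rate-limit-retry hunk has the same `# v7with:` defect before `script:`.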
@@ -15,16 +15,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 - - name: Refresh models catalog + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Refresh models catalog run: | git fetch --depth 1 https://github.com/router-for-me/models.git main git show FETCH_HEAD:models.json > internal/registry/models/models.json - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - name: Login to DockerHub - uses: docker/login-action@v3 - with: + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3- name: Login to DockerHub + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Generate Build Metadata @@ -33,8 +30,7 @@ jobs: echo COMMIT=`git rev-parse --short HEAD` >> $GITHUB_ENV echo BUILD_DATE=`date -u +%Y-%m-%dT%H:%M:%SZ` >> $GITHUB_ENV - name: Build and push (amd64) - uses: docker/build-push-action@v6 - with: + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6with: context: . platforms: linux/amd64 push: true @@ -50,16 +46,13 @@ jobs: runs-on: ubuntu-24.04-arm steps: - name: Checkout - uses: actions/checkout@v4 - - name: Refresh models catalog + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Refresh models catalog run: | git fetch --depth 1 https://github.com/router-for-me/models.git main git show FETCH_HEAD:models.json > internal/registry/models/models.json - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - name: Login to DockerHub - uses: docker/login-action@v3 - with: + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3- name: Login to DockerHub + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Generate Build Metadata 
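Review bot: The DockerHub login step in both docker-image.yml jobs lost its `with:` block — `uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3with:` — so `username: ${{ secrets.DOCKERHUB_USERNAME }}` and `password: ${{ secrets.DOCKERHUB_TOKEN }}` are now bare step keys, and the `Set up Docker Buildx` step is entirely inside the checkout line's comment. The same collapse removed `- name: Refresh models catalog`, attaching that `run:` to the checkout step. Restore `uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3` with `with:` on the next line in both places. While here: the image that gets pushed embeds `models.json` fetched from `router-for-me/models.git main` at build time, a mutable input this pinning commit leaves untouched — pin that to a commit as well so the published image is reproducible.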
@@ -68,8 +61,7 @@ jobs: echo COMMIT=`git rev-parse --short HEAD` >> $GITHUB_ENV echo BUILD_DATE=`date -u +%Y-%m-%dT%H:%M:%SZ` >> $GITHUB_ENV - name: Build and push (arm64) - uses: docker/build-push-action@v6 - with: + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6with: context: . platforms: linux/arm64 push: true @@ -88,12 +80,9 @@ jobs: - docker_arm64 steps: - name: Checkout - uses: actions/checkout@v4 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - name: Login to DockerHub - uses: docker/login-action@v3 - with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Set up Docker Buildx + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3- name: Login to DockerHub + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Generate Build Metadata diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 22fcb0ce58..bdbf48a492 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -19,18 +19,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 - - - name: Setup Node - uses: actions/setup-node@v4 - with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Setup Node + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4with: node-version: "20" cache: "npm" cache-dependency-path: docs/package.json - name: Setup Bun - uses: oven-sh/setup-bun@v2 - with: + uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2with: bun-version: latest - name: Install OXC dependencies 
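Review bot: In docs.yml the `Setup Node` step has been absorbed into the checkout step: `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Setup Node` is followed by a second `uses:` (`actions/setup-node@…`) at the same key level, a duplicate mapping key, and its `with:` (`# v4with:`) is gone so `node-version`/`cache`/`cache-dependency-path` dangle. The docker-image.yml arm64 hunk on this line has the same `# v6with:` defect before `context: .`. Restore the line breaks, and note that the Bun step pins the action to `0c5077e51419868618aeaa5fe8019c62421857d6` but still installs `bun-version: latest` — the toolchain that runs the docs build remains unpinned even though the action is, so consider a fixed Bun version.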
@@ -54,8 +50,7 @@ jobs: run: test -f docs/.vitepress/dist/index.html - name: Upload pages artifact - uses: actions/upload-pages-artifact@v3 - with: + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3with: path: docs/.vitepress/dist/ build-skip-branch-ci-unblock: @@ -76,8 +71,6 @@ jobs: url: ${{ steps.deployment.outputs.page_url }} steps: - name: Configure Pages - uses: actions/configure-pages@v5 - - - name: Deploy + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5- name: Deploy id: deployment - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 \ No newline at end of file diff --git a/.github/workflows/generate-sdks.yaml b/.github/workflows/generate-sdks.yaml index 13c4ec8317..af9012880c 100644 --- a/.github/workflows/generate-sdks.yaml +++ b/.github/workflows/generate-sdks.yaml @@ -11,11 +11,8 @@ jobs: generate-python-sdk: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - - name: Setup Python - uses: actions/setup-python@v5 - with: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Setup Python + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5with: python-version: '3.14' - name: Install OpenAPI Generator @@ -32,8 +29,7 @@ jobs: --additional-properties=pythonVersion==3.12,generateSourceCodeOnly=true - name: Create Pull Request - uses: peter-evans/create-pull-request@v6 - with: + uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6with: commit-message: 'chore: generate Python SDK' title: 'chore: generate Python SDK' body: | 
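Review bot: The Pages deploy step in docs.yml no longer exists as a step: `uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5- name: Deploy` comments out the step header, so `id: deployment` and the deploy-pages `uses:` now land on the Configure Pages step (duplicate `uses` key), and `environment.url: ${{ steps.deployment.outputs.page_url }}` references a step that no longer deploys. The upload-pages-artifact step likewise lost its `with:`/`path:`. In generate-sdks.yaml the same collapse makes `python-version: '3.14'` a bare step key and folds `with:` for `peter-evans/create-pull-request` into the comment. Restore the break after `# v5` so `- name: Deploy` heads its own step again, with `id: deployment` and `uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4` under it.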
@@ -44,11 +40,8 @@ jobs: generate-typescript-sdk: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - - name: Setup Node - uses: actions/setup-node@v4 - with: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Setup Node + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4with: node-version: '20' - name: Install OpenAPI Generator @@ -64,8 +57,7 @@ jobs: --additional-properties=typescriptVersion=5.0,npmName=@cliproxy/api - name: Create Pull Request - uses: peter-evans/create-pull-request@v6 - with: + uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6with: commit-message: 'chore: generate TypeScript SDK' title: 'chore: generate TypeScript SDK' body: | diff --git a/.github/workflows/lint-test.yml b/.github/workflows/lint-test.yml index 2a32130193..1323682a3c 100644 --- a/.github/workflows/lint-test.yml +++ b/.github/workflows/lint-test.yml @@ -12,6 +12,4 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 - - - uses: KooshaPari/phenotypeActions/actions/lint-test@main + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- uses: KooshaPari/phenotypeActions/actions/lint-test@main diff --git a/.github/workflows/pages-deploy.yml b/.github/workflows/pages-deploy.yml index b2f32c25bc..d6b1a85972 100644 --- a/.github/workflows/pages-deploy.yml +++ b/.github/workflows/pages-deploy.yml 
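Review bot: lint-test.yml still runs `KooshaPari/phenotypeActions/actions/lint-test@main` — the one third-party action in this commit left on a mutable branch, executing against the checked-out tree with the job's `GITHUB_TOKEN`; after a repo-wide SHA pin that is the remaining hole, so resolve it to a commit (`- uses: KooshaPari/phenotypeActions/actions/lint-test@<commit-sha> # main`) and let Dependabot/Renovate bump it. The checkout line also absorbed the step separator (`# v4- uses: KooshaPari/…`), so the lint action is now a second `uses` on the checkout step. The TypeScript SDK hunk has the same `# v4- name: Setup Node` collapse as the Python one.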
@@ -12,10 +12,7 @@ jobs: url: ${{ steps.deployment.outputs.page_url }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/configure-pages@v4 - - uses: actions/upload-pages-artifact@v3 - with: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4- uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3with: path: '.' - id: deployment - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 \ No newline at end of file diff --git a/.github/workflows/policy-gate.yml b/.github/workflows/policy-gate.yml index 43ffd3e4e4..b11a59e721 100644 --- a/.github/workflows/policy-gate.yml +++ b/.github/workflows/policy-gate.yml @@ -7,6 +7,5 @@ jobs: enforce: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - name: Enforce engineering policies + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Enforce engineering policies run: ./scripts/policy-gate.sh diff --git a/.github/workflows/pr-path-guard.yml b/.github/workflows/pr-path-guard.yml index 9ab235acfc..c82d90bd52 100644 --- a/.github/workflows/pr-path-guard.yml +++ b/.github/workflows/pr-path-guard.yml @@ -11,13 +11,11 @@ jobs: name: ensure-no-translator-changes runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - with: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4with: fetch-depth: 0 - name: Detect pkg/llmproxy/translator changes id: changed-files - uses: tj-actions/changed-files@v45 - with: + uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c # v45with: files: | pkg/llmproxy/translator/** - name: Fail when restricted paths change diff --git a/.github/workflows/pr-test-build.yml b/.github/workflows/pr-test-build.yml index bc1765bbac..8e7b94d1db 100644 --- a/.github/workflows/pr-test-build.yml +++ b/.github/workflows/pr-test-build.yml 
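Review bot: pages-deploy.yml now has a single step where it had four: `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- uses: actions/configure-pages@… # v4- uses: actions/upload-pages-artifact@… # v3with:` puts configure-pages and upload-pages-artifact inside a comment and leaves `path: '.'` as a bare key, so nothing is configured or uploaded before deploy-pages runs. policy-gate.yml has the same problem — `# v4- name: Enforce engineering policies` attaches `run: ./scripts/policy-gate.sh` to the checkout step, so the policy gate never executes — and pr-path-guard.yml loses both `with:` blocks, detaching `fetch-depth: 0` and the `files:` filter for `tj-actions/changed-files`. Pinning tj-actions/changed-files by SHA is the right call given the March 2025 incident in which its release tags were retargeted, but the guard only helps if the workflow parses. Restored steps for pages-deploy.yml:

```yaml
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4
      - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
        with:
          path: '.'
      # … unchanged: deploy-pages step …
```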
@@ -13,14 +13,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 - - name: Refresh models catalog + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Refresh models catalog run: | git fetch --depth 1 https://github.com/router-for-me/models.git main git show FETCH_HEAD:models.json > internal/registry/models/models.json - name: Set up Go - uses: actions/setup-go@v5 - with: + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: go-version-file: go.mod cache: true - name: Build @@ -41,10 +39,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 - - name: Set up Go - uses: actions/setup-go@v5 - with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Set up Go + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: go-version-file: go.mod cache: true - name: Run full tests with baseline @@ -58,8 +54,7 @@ jobs: exit "${test_exit}" - name: Upload baseline artifact if: always() - uses: actions/upload-artifact@v4 - with: + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4with: name: go-test-baseline path: target/test-baseline.json if-no-files-found: warn @@ -69,10 +64,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 - - name: Set up Go - uses: actions/setup-go@v5 - with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Set up Go + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: go-version-file: go.mod cache: true - name: Install golangci-lint 
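Review bot: In pr-test-build.yml every `with:` after a pinned `uses:` has been folded into the trailing comment (`# v4with:`, `# v5with:`), which leaves `go-version-file: go.mod`, `cache: true` and the upload-artifact `name:`/`path:`/`if-no-files-found:` as bare step keys — and `name: go-test-baseline` would, if anything accepted it, rename the step rather than the artifact. `- name: Refresh models catalog` is also gone, attaching its `run:` to checkout. Restore each `with:` on its own line, e.g. `uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5` then `with:`; since this file repeats the block many times, an `actionlint` job would be cheap insurance against the next mass edit.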
@@ -86,8 +79,7 @@ jobs: go install honnef.co/go/tools/cmd/staticcheck@latest fi - name: Install Task - uses: arduino/setup-task@v2 - with: + uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Run CI quality gates @@ -101,10 +93,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 - - name: Set up Go - uses: actions/setup-go@v5 - with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Set up Go + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: go-version-file: go.mod cache: true - name: Install golangci-lint @@ -113,8 +103,7 @@ jobs: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.1.6 fi - name: Install Task - uses: arduino/setup-task@v2 - with: + uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Check staged/diff files in PR range @@ -127,15 +116,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 - - name: Set up Go - uses: actions/setup-go@v5 - with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Set up Go + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: go-version-file: go.mod cache: true - name: Install Task - uses: arduino/setup-task@v2 - with: + uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Verify formatting 
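Review bot: The `Install Task` steps now reference `arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"}` — a GitHub API 404 body written verbatim into the `uses:` ref, so even if the YAML parses the action can never resolve and the quality-gate, diff-check and formatting jobs cannot start. This shows the pin script did not check the status of its `git/ref` lookup (the `v2` ref apparently does not resolve via that endpoint), which is worth fixing in the script before trusting any other SHA it produced. Resolve the commit by hand (`git ls-remote https://github.com/arduino/setup-task 'refs/tags/v2*'`), pin `uses: arduino/setup-task@<commit-sha> # v2`, and restore the swallowed `with:` so `version: 3.x` and `repo-token: ${{ secrets.GITHUB_TOKEN }}` are action inputs again.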
@@ -146,10 +132,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 - - name: Set up Go - uses: actions/setup-go@v5 - with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Set up Go + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: go-version-file: go.mod cache: true - name: Install golangci-lint @@ -166,10 +150,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 - - name: Set up Go - uses: actions/setup-go@v5 - with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Set up Go + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: go-version-file: go.mod cache: true - name: Run route lifecycle tests @@ -187,10 +169,8 @@ jobs: CLIPROXY_BASE_URL: "http://127.0.0.1:8317" steps: - name: Checkout - uses: actions/checkout@v4 - - name: Set up Go - uses: actions/setup-go@v5 - with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Set up Go + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: go-version-file: go.mod cache: true - name: Build cliproxy proxy @@ -222,10 +202,8 @@ jobs: CLIPROXY_BASE_URL: "http://127.0.0.1:8317" steps: - name: Checkout - uses: actions/checkout@v4 - - name: Set up Go - uses: actions/setup-go@v5 - with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Set up Go + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: go-version-file: go.mod cache: true - name: Build cliproxy proxy 
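Review bot: The route-lifecycle and proxy e2e jobs (`CLIPROXY_BASE_URL: "http://127.0.0.1:8317"`) lose their Go toolchain configuration the same way as the rest of this file — `uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with:` turns `go-version-file: go.mod` and `cache: true` into unknown step keys, and `# v4- name: Set up Go` makes the setup-go `uses:` a duplicate key on the checkout step. These are the jobs that actually build and run the proxy, so the file will be rejected before any of them execute. Same one-line fix per step: end the line at `# v5` and put `with:` on the next line.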
@@ -250,15 +228,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 - - name: Set up Go - uses: actions/setup-go@v5 - with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Set up Go + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: go-version-file: go.mod cache: true - name: Install Task - uses: arduino/setup-task@v2 - with: + uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Run startup and control-plane smoke tests @@ -269,15 +244,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 - - name: Set up Go - uses: actions/setup-go@v5 - with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Set up Go + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: go-version-file: go.mod cache: true - name: Install Task - uses: arduino/setup-task@v2 - with: + uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Validate config compatibility path @@ -289,10 +261,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 - - name: Set up Go - uses: actions/setup-go@v5 - with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Set up Go + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: go-version-file: go.mod cache: true - name: Run targeted critical-path checks @@ -303,8 +273,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 - with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4with: fetch-depth: 0 - name: Detect change scopes run: | 
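Review bot: Besides the broken `arduino/setup-task@{"message":"Not Found",…}` refs repeated in the smoke-test and config-compatibility jobs, the change-scope job's checkout lost its `with:` (`# v4with:` before `fetch-depth: 0`), so `fetch-depth: 0` becomes a bare step key. That job's `Detect change scopes` step presumably needs full history to diff the PR range, so a hand repair must put `with:` back rather than just delete the dangling key. Fix: `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4` followed by `with:` and `fetch-depth: 0` on their own lines.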
@@ -345,8 +314,7 @@ jobs: echo "scope=${scope}" >> "$GITHUB_ENV" echo "scope=${scope}" > target/changelog-scope.txt - name: Upload changelog scope artifact - uses: actions/upload-artifact@v4 - with: + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4with: name: changelog-scope path: target/changelog-scope.txt @@ -355,10 +323,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 - - name: Setup Node - uses: actions/setup-node@v4 - with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Setup Node + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4with: node-version: "20" cache: "npm" cache-dependency-path: docs/package.json diff --git a/.github/workflows/quality-gate.yml b/.github/workflows/quality-gate.yml index 497a162440..01f56b024e 100644 --- a/.github/workflows/quality-gate.yml +++ b/.github/workflows/quality-gate.yml @@ -7,6 +7,5 @@ jobs: verify: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - name: Run quality checks + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Run quality checks run: ./scripts/quality-gate.sh verify diff --git a/.github/workflows/release-batch.yaml b/.github/workflows/release-batch.yaml index 3a5e24df5e..67b65bd463 100644 --- a/.github/workflows/release-batch.yaml +++ b/.github/workflows/release-batch.yaml @@ -14,12 +14,10 @@ jobs: release-batch: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - with: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4with: fetch-depth: 0 - run: git fetch --force --tags - - uses: actions/setup-go@v5 - with: + - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: go-version: ">=1.26.0" cache: true - name: Configure git diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index a3a1e08d9c..9892c91949 100644 --- a/.github/workflows/release-drafter.yml 
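Review bot: quality-gate.yml — the repo's enforcement job — now has `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Run quality checks`, so `run: ./scripts/quality-gate.sh verify` is attached to the checkout step and the check can never run; that is the same outcome as in policy-gate.yml, and it means the gates this commit was presumably meant to harden are switched off until the files are repaired. In release-batch.yaml `fetch-depth: 0` and `go-version: ">=1.26.0"` are likewise detached from their `with:`. Restore the break after `# v4` and a `- name: Run quality checks` step line; consider having `scripts/quality-gate.sh` run actionlint over `.github/workflows` so a regression like this fails the gate instead of disabling it.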
+++ b/.github/workflows/release-drafter.yml @@ -9,6 +9,5 @@ jobs: update_release_draft: runs-on: ubuntu-latest steps: - - uses: release-drafter/release-drafter@v6 - env: + - uses: release-drafter/release-drafter@6a93d829887aa2e0748befe2e808c66c0ec6e4c7 # v6env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index da0e70cae3..56227dede8 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -10,16 +10,14 @@ jobs: goreleaser: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - with: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4with: fetch-depth: 0 - name: Refresh models catalog run: | git fetch --depth 1 https://github.com/router-for-me/models.git main git show FETCH_HEAD:models.json > internal/registry/models/models.json - run: git fetch --force --tags - - uses: actions/setup-go@v4 - with: + - uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4with: go-version: '>=1.26.0' cache: true - name: Generate Build Metadata @@ -27,8 +25,7 @@ jobs: echo "VERSION=${GITHUB_REF_NAME}" >> $GITHUB_ENV echo COMMIT=`git rev-parse --short HEAD` >> $GITHUB_ENV echo BUILD_DATE=`date -u +%Y-%m-%dT%H:%M:%SZ` >> $GITHUB_ENV - - uses: goreleaser/goreleaser-action@v4 - with: + - uses: goreleaser/goreleaser-action@5fdedb94abba051217030cc86d4523cf3f02243d # v4with: distribution: goreleaser version: latest args: release --clean --skip=validate @@ -43,8 +40,7 @@ jobs: runs-on: ubuntu-24.04-arm steps: - name: Checkout - uses: actions/checkout@v4 - with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4with: fetch-depth: 0 - name: Build in Termux Container run: | 
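Review bot: release-drafter.yml folds `env:` into the comment (`uses: release-drafter/release-drafter@6a93d829887aa2e0748befe2e808c66c0ec6e4c7 # v6env:`), so `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is a bare step key; restore `# v6` then `env:` on its own line. In release.yaml the same `# v4with:` collapse detaches `fetch-depth: 0` and `go-version: '>=1.26.0'`, and the pins chosen here are older majors than the rest of the repo — `actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4` where every other file uses the v5 SHA, and `goreleaser/goreleaser-action@5fdedb94abba051217030cc86d4523cf3f02243d # v4`. A SHA pin freezes whatever was current; it does not upgrade, so the release path stays on the old versions unless they are bumped deliberately.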
@@ -66,8 +62,7 @@ jobs: tar -czf cli-proxy-api-termux-aarch64.tar.gz cli-proxy-api LICENSE README.md README_CN.md config.example.yaml " - name: Upload to Release - uses: softprops/action-gh-release@v2 - if: startsWith(github.ref, 'refs/tags/') + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2if: startsWith(github.ref, 'refs/tags/') with: files: cli-proxy-api-termux-aarch64.tar.gz env: diff --git a/.github/workflows/required-check-names-guard.yml b/.github/workflows/required-check-names-guard.yml index 5d47791656..22258b8359 100644 --- a/.github/workflows/required-check-names-guard.yml +++ b/.github/workflows/required-check-names-guard.yml @@ -12,9 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 - - - name: Verify required check names exist + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Verify required check names exist run: | set -euo pipefail manifest=".github/required-checks.txt" diff --git a/.github/workflows/sast-full.yml b/.github/workflows/sast-full.yml index 1c5ef60db3..89d824525c 100644 --- a/.github/workflows/sast-full.yml +++ b/.github/workflows/sast-full.yml 
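Review bot: The Termux release upload lost its tag guard: `uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2if: startsWith(github.ref, 'refs/tags/')` leaves `if:` inside the comment, so the step would run on every trigger of this workflow rather than only on tag pushes. Restore `uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2` and `if: startsWith(github.ref, 'refs/tags/')` as separate lines. required-check-names-guard.yml has the parallel `# v4- name: Verify required check names exist` defect, which attaches the `set -euo pipefail` script to the checkout step — the guard that cross-checks `.github/required-checks.txt` is the one that might have flagged the jobs this commit silently drops elsewhere.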
@@ -18,31 +18,23 @@ jobs: matrix: language: [go, javascript] steps: - - uses: actions/checkout@v4 - - - name: Initialize CodeQL - uses: github/codeql-action/init@v4 - with: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Initialize CodeQL + uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4with: languages: ${{ matrix.language }} - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 - - trivy-repo: + uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4trivy-repo: name: Trivy Repository Scan runs-on: ubuntu-latest timeout-minutes: 15 steps: - - uses: actions/checkout@v4 - - uses: aquasecurity/trivy-action@v0.35.0 - with: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0with: scan-type: fs scan-ref: . format: sarif output: trivy-results.sarif - name: Upload Trivy SARIF - uses: github/codeql-action/upload-sarif@v4 - if: always() + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4if: always() with: sarif_file: trivy-results.sarif category: trivy @@ -52,9 +44,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 20 steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 - with: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5with: python-version: "3.12" - name: Install Semgrep run: python -m pip install --disable-pip-version-check semgrep==1.157.0 @@ -71,8 +61,7 @@ jobs: . - name: Upload SARIF - uses: github/codeql-action/upload-sarif@v4 - if: always() + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4if: always() with: sarif_file: semgrep.sarif category: semgrep-full 
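Review bot: sast-full.yml loses the whole `trivy-repo` job: `uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4trivy-repo:` comments out the job key, so `name: Trivy Repository Scan`, `runs-on:`, `timeout-minutes:` and `steps:` become duplicate keys on the CodeQL job and the filesystem vulnerability scan is gone. Inside what remains, `aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0with:` detaches `scan-type: fs`/`format: sarif`, and both `upload-sarif` steps have `if: always()` folded into their comment, so a failing scan would no longer publish its SARIF. Restore the line breaks after `# v4`, `# v0.35.0` and `# v4` respectively, with a blank line before `trivy-repo:` at job indentation.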
@@ -82,11 +71,9 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 15 steps: - - uses: actions/checkout@v4 - with: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4with: fetch-depth: 0 - - uses: trufflesecurity/trufflehog@v3.94.2 - with: + - uses: trufflesecurity/trufflehog@6bd2d14f7a4bc1e569fa3550efa7ec632a4fa67b # v3.94.2with: path: ./ extra_args: --only-verified diff --git a/.github/workflows/sast-quick.yml b/.github/workflows/sast-quick.yml index e94e292ca3..4f0ad0fda6 100644 --- a/.github/workflows/sast-quick.yml +++ b/.github/workflows/sast-quick.yml @@ -17,11 +17,9 @@ jobs: # Tier 3: Advisory - security enrichment only continue-on-error: true steps: - - uses: actions/checkout@v4 - with: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4with: fetch-depth: 0 - - uses: actions/setup-python@v5 - with: + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5with: python-version: "3.12" - name: Install Semgrep run: python -m pip install --disable-pip-version-check semgrep==1.157.0 @@ -31,8 +29,7 @@ jobs: run: | semgrep scan --sarif --sarif-output=semgrep.sarif --max-target-bytes 1000000 --quiet --config=auto || true - name: Upload SARIF - uses: github/codeql-action/upload-sarif@v4 - if: always() + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4if: always() with: sarif_file: semgrep.sarif 
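Review bot: The TruffleHog step now reads `uses: trufflesecurity/trufflehog@6bd2d14f7a4bc1e569fa3550efa7ec632a4fa67b # v3.94.2with:`, which turns `path: ./` and `extra_args: --only-verified` into bare step keys; if a lenient parser dropped them the scan would run with defaults instead of verified-only, and the checkout's `fetch-depth: 0` (needed for a full-history secret scan) is detached the same way (`# v4with:`). sast-quick.yml's Semgrep job has identical `# v4with:`/`# v5with:` collapses. Restore `uses: trufflesecurity/trufflehog@6bd2d14f7a4bc1e569fa3550efa7ec632a4fa67b # v3.94.2` followed by `with:` on its own line, and likewise for the checkout and setup-python steps.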
@@ -44,17 +41,14 @@ jobs: # Tier 3: Advisory - security enrichment only continue-on-error: true steps: - - uses: actions/checkout@v4 - - name: Analyze licenses - uses: fsfe/reuse-action@v4 - continue-on-error: true # Allow findings but don't fail + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Analyze licenses + uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4continue-on-error: true # Allow findings but don't fail - name: Check for non-reusable licenses run: | # Check for problematic licenses grep -r "GPL\|AGPL" --include="*.toml" --include="*.json" . || true - name: Check license compliance - uses: fsfe/reuse-action@v4 - continue-on-error: true + uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4continue-on-error: true # Secret Scanning - Tier 2: Important (runs in parallel) secrets: @@ -62,12 +56,10 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 5 steps: - - uses: actions/checkout@v4 - with: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4with: fetch-depth: 0 - name: Run Gitleaks - uses: gitleaks/gitleaks-action@v2 - env: + uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: args: --verbose --redact @@ -80,7 +72,6 @@ jobs: output: trivy-results.sarif continue-on-error: true - name: Upload Trivy results - uses: github/codeql-action/upload-sarif@v4 - if: always() + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4if: always() with: sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index aac6514540..62f0c276b2 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml 
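Review bot: The gitleaks step in sast-quick.yml lost its `env:` — `uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2env:` — so `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is a bare step key and the "Tier 2: Important" secret-scanning job cannot run. The two `fsfe/reuse-action` steps have `continue-on-error: true` folded into their comment (`# v4continue-on-error: true # Allow findings but don't fail`), masked here only because the job itself sets `continue-on-error: true`, and the Trivy upload-sarif loses `if: always()`. Restore `# v2` then `env:` on its own line, and `# v4` then `continue-on-error: true` for the reuse steps. Unrelated to the pin but visible here: the license check `grep -r "GPL\|AGPL" --include="*.toml" --include="*.json" . || true` only looks at TOML/JSON, so Go module dependencies are outside its coverage entirely.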
@@ -19,22 +19,18 @@ jobs: actions: read steps: - - uses: actions/checkout@v4 - with: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4with: persist-credentials: false - - uses: ossf/scorecard-action@v2.4.2 - with: + - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2with: results_file: results.sarif results_format: sarif publish_results: true - - uses: actions/upload-artifact@v4 - with: + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4with: name: SARIF file path: results.sarif retention-days: 5 - - uses: github/codeql-action/upload-sarif@v3 - with: + - uses: github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3with: sarif_file: results.sarif diff --git a/.github/workflows/security-guard-hook-audit.yml b/.github/workflows/security-guard-hook-audit.yml index 80f7582ad4..1179a48186 100644 --- a/.github/workflows/security-guard-hook-audit.yml +++ b/.github/workflows/security-guard-hook-audit.yml @@ -11,8 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 - with: + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4with: fetch-depth: 0 - name: Wire Git hook path and verify guard hook diff --git a/.github/workflows/tag-automation.yml b/.github/workflows/tag-automation.yml index b6f6a3b246..cc1f5d8943 100644 --- a/.github/workflows/tag-automation.yml +++ b/.github/workflows/tag-automation.yml @@ -8,6 +8,5 @@ jobs: tag: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - name: Create release tag + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Create release tag run: echo "Creating release for ${{ github.ref_name }}"
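Review bot: scorecard.yml's checkout lost the hardening it was carrying: `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4with:` detaches `persist-credentials: false`, and the same `# v2.4.2with:`/`# v4with:`/`# v3with:` collapses strip `results_file`/`publish_results`, the artifact `name`/`path`/`retention-days` and `sarif_file` from their actions. When this is repaired by hand, make sure `with:` and `persist-credentials: false` go back rather than being deleted as an unknown key — without it the token stays in `.git/config` for the later steps. Also `github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3` is pinned to v3 here while every other workflow in this commit pins the v4 SHA `95e58e9a2cdfd71adc6e0353d5c52f41a045d225`; align them. security-guard-hook-audit.yml and tag-automation.yml show the same `# v4with:` / `# v4- name:` defects.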