diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml index 8f889688..012038c1 100644 --- a/.github/workflows/auto-tag.yml +++ b/.github/workflows/auto-tag.yml @@ -33,7 +33,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 # Use PAT to allow tag push to trigger publish workflow diff --git a/.github/workflows/blaze-bot.yml b/.github/workflows/blaze-bot.yml index e6c2e6df..7f82a569 100644 --- a/.github/workflows/blaze-bot.yml +++ b/.github/workflows/blaze-bot.yml @@ -182,7 +182,7 @@ jobs: private_key: ${{ secrets.BLAZE_BOT_PRIVATE_KEY }} - name: 📥 Checkout (FAST!) - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: token: ${{ steps.app-token.outputs.token }} diff --git a/.github/workflows/bot-monitoring.yml b/.github/workflows/bot-monitoring.yml index eafcc030..d54b5432 100644 --- a/.github/workflows/bot-monitoring.yml +++ b/.github/workflows/bot-monitoring.yml @@ -36,7 +36,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Check bot activity id: check diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c4f5e372..942f1a47 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -31,7 +31,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup Node.js uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 @@ -113,7 +113,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup Node.js uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 @@ -154,7 +154,7 @@ jobs: egress-policy: audit - name: Checkout repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 @@ -265,7 +265,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Dependency Review uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0 diff --git a/.github/workflows/ciel-bot.yml b/.github/workflows/ciel-bot.yml index a5ededa3..44d4cabc 100644 --- a/.github/workflows/ciel-bot.yml +++ b/.github/workflows/ciel-bot.yml @@ -195,7 +195,7 @@ jobs: private_key: ${{ secrets.CIEL_BOT_PRIVATE_KEY }} - name: 📥 Checkout (gently) - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: token: ${{ steps.app-token.outputs.token }} diff --git a/.github/workflows/dco.yml b/.github/workflows/dco.yml index 8d921356..e149dc94 100644 --- a/.github/workflows/dco.yml +++ b/.github/workflows/dco.yml @@ -21,7 +21,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml index 5c8da385..e2dadbb2 100644 --- a/.github/workflows/deploy-docs.yml +++ b/.github/workflows/deploy-docs.yml @@ -29,7 +29,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # Note: Hash update is handled by developers locally + hash-check.yml in PRs # This workflow only deploys to CDN (Option D: Pre-merge CI verification) diff --git a/.github/workflows/generate-readme.yml b/.github/workflows/generate-readme.yml index 8d939f32..ae19dcf2 100644 --- a/.github/workflows/generate-readme.yml +++ b/.github/workflows/generate-readme.yml @@ -26,7 +26,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup Node.js uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 diff --git a/.github/workflows/hash-check.yml b/.github/workflows/hash-check.yml index de382c62..99c030bd 100644 --- a/.github/workflows/hash-check.yml +++ b/.github/workflows/hash-check.yml @@ -31,7 +31,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup Node.js uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 diff --git a/.github/workflows/justice-bot.yml b/.github/workflows/justice-bot.yml index e6f69439..4955bd11 100644 --- a/.github/workflows/justice-bot.yml +++ b/.github/workflows/justice-bot.yml @@ -392,7 +392,7 @@ jobs: private_key: ${{ secrets.JUSTICE_BOT_PRIVATE_KEY }} - name: 📥 Checkout (for inspection) - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: token: ${{ steps.app-token.outputs.token }} diff --git a/.github/workflows/luna-bot.yml b/.github/workflows/luna-bot.yml index 8e0ceb27..481bb910 100644 --- a/.github/workflows/luna-bot.yml +++ b/.github/workflows/luna-bot.yml @@ -193,7 +193,7 @@ jobs: private_key: ${{ secrets.LUNA_BOT_PRIVATE_KEY }} - name: 📥 Checkout (excitedly) - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: token: ${{ steps.app-token.outputs.token }} diff --git a/.github/workflows/mimi-bot.yml b/.github/workflows/mimi-bot.yml index 0a837c1b..8860a71a 100644 --- a/.github/workflows/mimi-bot.yml +++ b/.github/workflows/mimi-bot.yml @@ -159,7 +159,7 @@ jobs: private_key: ${{ secrets.MIMI_BOT_PRIVATE_KEY }} - name: 📥 Checkout (quietly) - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: token: ${{ steps.app-token.outputs.token }} diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 1121559c..0e99d47e 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -43,7 +43,7 @@ jobs: uploads.github.com:443 - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup Node.js uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 diff --git a/.github/workflows/reproducible-builds.yml b/.github/workflows/reproducible-builds.yml index f73f5667..5c652cdc 100644 --- a/.github/workflows/reproducible-builds.yml +++ b/.github/workflows/reproducible-builds.yml @@ -22,7 +22,7 @@ jobs: egress-policy: audit - name: Checkout repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup Node.js uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 diff --git a/.github/workflows/restyled.yml b/.github/workflows/restyled.yml index aeb144be..d5551c57 100644 --- a/.github/workflows/restyled.yml +++ b/.github/workflows/restyled.yml @@ -21,7 +21,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: # SECURITY: Use SHA (immutable) instead of branch ref (user-controlled) # to prevent potential injection attacks via malicious branch names. diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index e529dd44..57e5f886 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -33,7 +33,7 @@ jobs: egress-policy: audit - name: Checkout repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false @@ -78,7 +78,7 @@ jobs: egress-policy: audit - name: Checkout repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false @@ -129,7 +129,7 @@ jobs: egress-policy: audit - name: Checkout repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false @@ -168,7 +168,7 @@ jobs: egress-policy: audit - name: Checkout repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false @@ -202,7 +202,7 @@ jobs: egress-policy: audit - name: Checkout repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false @@ -227,7 +227,7 @@ jobs: egress-policy: audit - name: Checkout repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false @@ -262,7 +262,7 @@ jobs: egress-policy: audit - name: Checkout repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false @@ -288,7 +288,7 @@ jobs: egress-policy: audit - name: Checkout repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false diff --git a/.github/workflows/slow-bot.yml b/.github/workflows/slow-bot.yml index 4e2c8425..0b045097 100644 --- a/.github/workflows/slow-bot.yml +++ b/.github/workflows/slow-bot.yml @@ -213,7 +213,7 @@ jobs: private_key: ${{ secrets.SLOW_BOT_PRIVATE_KEY }} - name: 📥 Checkout (reluctantly) - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: token: ${{ steps.app-token.outputs.token }} diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml index 05a3f9d3..eaf63940 100644 --- a/.github/workflows/sonarcloud.yml +++ b/.github/workflows/sonarcloud.yml @@ -26,7 +26,7 @@ jobs: egress-policy: audit - name: Checkout repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 diff --git a/.github/workflows/unpublish.yml b/.github/workflows/unpublish.yml index 9e93f498..1b6f27f9 100644 --- a/.github/workflows/unpublish.yml +++ b/.github/workflows/unpublish.yml @@ -31,7 +31,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup Node.js uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 diff --git a/.github/workflows/vex-update.yml b/.github/workflows/vex-update.yml index 029128b0..8e76b888 100644 --- a/.github/workflows/vex-update.yml +++ b/.github/workflows/vex-update.yml @@ -23,7 +23,7 @@ jobs: egress-policy: audit - name: Checkout repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup Node.js uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0