diff --git a/.github/actions/build-vsix/action.yml b/.github/actions/build-vsix/action.yml index c2515247de97..eaabe5141e8b 100644 --- a/.github/actions/build-vsix/action.yml +++ b/.github/actions/build-vsix/action.yml @@ -54,8 +54,10 @@ runs: shell: bash - name: Add Rustup target - run: rustup target add ${{ inputs.cargo_target }} + run: rustup target add "${CARGO_TARGET}" shell: bash + env: + CARGO_TARGET: ${{ inputs.cargo_target }} - name: Build Native Binaries run: nox --session native_build @@ -78,13 +80,17 @@ runs: shell: bash - name: Build VSIX - run: npx vsce package --target ${{ inputs.vsix_target }} --out ms-python-insiders.vsix --pre-release + run: npx vsce package --target "${VSIX_TARGET}" --out ms-python-insiders.vsix --pre-release shell: bash + env: + VSIX_TARGET: ${{ inputs.vsix_target }} - name: Rename VSIX # Move to a temp name in case the specified name happens to match the default name. - run: mv ms-python-insiders.vsix ms-python-temp.vsix && mv ms-python-temp.vsix ${{ inputs.vsix_name }} + run: mv ms-python-insiders.vsix ms-python-temp.vsix && mv ms-python-temp.vsix "${VSIX_NAME}" shell: bash + env: + VSIX_NAME: ${{ inputs.vsix_name }} - name: Upload VSIX uses: actions/upload-artifact@v4 diff --git a/.github/actions/smoke-tests/action.yml b/.github/actions/smoke-tests/action.yml index ed760e8b8202..0531ef5d42a3 100644 --- a/.github/actions/smoke-tests/action.yml +++ b/.github/actions/smoke-tests/action.yml @@ -32,7 +32,7 @@ runs: shell: bash - name: Install Python requirements - uses: brettcannon/pip-secure-install@v1 + uses: brettcannon/pip-secure-install@92f400e3191171c1858cc0e0d9ac6320173fdb0c # v1.0.0 with: options: '-t ./python_files/lib/python --implementation py' @@ -61,6 +61,6 @@ runs: env: DISPLAY: 10 INSTALL_JUPYTER_EXTENSION: true - uses: GabrielBB/xvfb-action@v1.7 + uses: GabrielBB/xvfb-action@b706e4e27b14669b486812790492dc50ca16b465 # v1.7 with: run: node --no-force-async-hooks-checks ./out/test/smokeTest.js 
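Review bot: In the `Rename VSIX` step, quoting `"${VSIX_NAME}"` stops shell injection and word splitting, but a value that begins with `-` would still be parsed by `mv` as an option. Ending option parsing closes that gap: `run: mv ms-python-insiders.vsix ms-python-temp.vsix && mv -- ms-python-temp.vsix "${VSIX_NAME}"`. The rest of action.yml is outside these hunks, so it is worth confirming that no other `run:` line still interpolates `${{ inputs.* }}` directly.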
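Review bot: The new SHA pins on the `uses:` lines of smoke-tests/action.yml depend on the trailing `# v1.0.0` and `# v1.7` comments to say which release they are, and nothing in the diff lets a reader confirm that each hash is the commit behind that tag. Each hash should be checked against the upstream tag before merge, and an updater for the `github-actions` ecosystem should be enabled if the repository has none, so the pins do not go stale unnoticed. `brettcannon/pip-secure-install` also moves from the floating `@v1` to the `v1.0.0` commit, which may be older than what `@v1` resolved to. The same pattern recurs in build.yml, pr-check.yml, community-feedback-auto-comment.yml, lock-issues.yml and remove-needs-labels.yml.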
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4b65b91a2cdf..78cbd9dfd0e4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -8,6 +8,8 @@ on: - 'release/*' - 'release-*' +permissions: {} + env: NODE_VERSION: 20.18.0 PYTHON_VERSION: '3.10' # YML treats 3.10 the number as 3.1, so quotes around 3.10 @@ -83,12 +85,15 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Checkout Python Environment Tools uses: actions/checkout@v4 with: repository: 'microsoft/python-environment-tools' path: 'python-env-tools' + persist-credentials: false sparse-checkout: | crates Cargo.toml @@ -111,6 +116,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Lint uses: ./.github/actions/lint @@ -129,14 +136,16 @@ jobs: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install core Python requirements - uses: brettcannon/pip-secure-install@v1 + uses: brettcannon/pip-secure-install@92f400e3191171c1858cc0e0d9ac6320173fdb0c # v1.0.0 with: options: '-t ./python_files/lib/python --no-cache-dir --implementation py' - name: Install Jedi requirements - uses: brettcannon/pip-secure-install@v1 + uses: brettcannon/pip-secure-install@92f400e3191171c1858cc0e0d9ac6320173fdb0c # v1.0.0 with: requirements-file: './python_files/jedilsp_requirements/requirements.txt' options: '-t ./python_files/lib/jedilsp --no-cache-dir --implementation py' @@ -146,7 +155,7 @@ jobs: python -m pip install --upgrade -r build/test-requirements.txt - name: Run Pyright - uses: jakebailey/pyright-action@v2 + uses: jakebailey/pyright-action@b5d50e5cde6547546a5c4ac92e416a8c2c1a1dfe # v2.3.2 with: version: 1.1.308 working-directory: 'python_files' 
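Review bot: The workflow-level `permissions: {}` added above `env:` removes every token scope from every job, and no job-level `permissions:` block appears in the hunks for this file. A short comment would record the intent for whoever adds the next job, for example `# Deny by default; a job that needs the token must declare its own permissions.` Any job outside these hunks that calls the GitHub API with the job token will need its own grant. The same applies to the identical additions in pr-check.yml and pr-file-check.yml.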
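Review bot: `actions/checkout@v4` in both steps of this hunk stays on a mutable tag, while the third-party actions in the same commit move to full commit SHAs. If the intent is that every `uses:` resolves to immutable code, the first-party actions need the same form, `uses: actions/checkout@<full-commit-sha> # v4.x.y` (placeholder; take the value from the upstream release). If tags under `actions/*` are trusted by policy, a sentence in the PR description saying so would make the exception deliberate. This covers every `actions/checkout`, `actions/setup-python` and `actions/upload-artifact` reference visible in the diff.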
@@ -172,6 +181,7 @@ jobs: uses: actions/checkout@v4 with: path: ${{ env.special-working-directory-relative }} + persist-credentials: false - name: Use Python ${{ matrix.python }} uses: actions/setup-python@v5 @@ -179,7 +189,7 @@ jobs: python-version: ${{ matrix.python }} - name: Install base Python requirements - uses: brettcannon/pip-secure-install@v1 + uses: brettcannon/pip-secure-install@92f400e3191171c1858cc0e0d9ac6320173fdb0c # v1.0.0 with: requirements-file: '"${{ env.special-working-directory-relative }}/requirements.txt"' options: '-t "${{ env.special-working-directory-relative }}/python_files/lib/python" --no-cache-dir --implementation py' @@ -211,12 +221,14 @@ jobs: uses: actions/checkout@v4 with: path: ${{ env.special-working-directory-relative }} + persist-credentials: false - name: Checkout Python Environment Tools uses: actions/checkout@v4 with: repository: 'microsoft/python-environment-tools' path: ${{ env.special-working-directory-relative }}/python-env-tools + persist-credentials: false sparse-checkout: | crates Cargo.toml @@ -358,7 +370,7 @@ jobs: env: TEST_FILES_SUFFIX: testvirtualenvs CI_PYTHON_VERSION: ${{ matrix.python }} - uses: GabrielBB/xvfb-action@v1.7 + uses: GabrielBB/xvfb-action@b706e4e27b14669b486812790492dc50ca16b465 # v1.7 with: run: npm run testSingleWorkspace working-directory: ${{ env.special-working-directory }} @@ -367,7 +379,7 @@ jobs: - name: Run single-workspace tests env: CI_PYTHON_VERSION: ${{ matrix.python }} - uses: GabrielBB/xvfb-action@v1.7 + uses: GabrielBB/xvfb-action@b706e4e27b14669b486812790492dc50ca16b465 # v1.7 with: run: npm run testSingleWorkspace working-directory: ${{ env.special-working-directory }} @@ -376,7 +388,7 @@ jobs: - name: Run multi-workspace tests env: CI_PYTHON_VERSION: ${{ matrix.python }} - uses: GabrielBB/xvfb-action@v1.7 + uses: GabrielBB/xvfb-action@b706e4e27b14669b486812790492dc50ca16b465 # v1.7 with: run: npm run testMultiWorkspace working-directory: ${{ env.special-working-directory }} 
@@ -385,7 +397,7 @@ jobs: - name: Run debugger tests env: CI_PYTHON_VERSION: ${{ matrix.python }} - uses: GabrielBB/xvfb-action@v1.7 + uses: GabrielBB/xvfb-action@b706e4e27b14669b486812790492dc50ca16b465 # v1.7 with: run: npm run testDebugger working-directory: ${{ env.special-working-directory }} @@ -415,12 +427,15 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Checkout Python Environment Tools uses: actions/checkout@v4 with: repository: 'microsoft/python-environment-tools' path: ${{ env.special-working-directory-relative }}/python-env-tools + persist-credentials: false sparse-checkout: | crates Cargo.toml diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index d902a68878e0..cfd7c393e3ed 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -37,6 +37,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/community-feedback-auto-comment.yml b/.github/workflows/community-feedback-auto-comment.yml index cf3c4f51fe61..f606148f6e86 100644 --- a/.github/workflows/community-feedback-auto-comment.yml +++ b/.github/workflows/community-feedback-auto-comment.yml @@ -12,7 +12,7 @@ jobs: issues: write steps: - name: Check For Existing Comment - uses: peter-evans/find-comment@v3 + uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0 id: finder with: issue-number: ${{ github.event.issue.number }} @@ -21,7 +21,7 @@ jobs: - name: Add Community Feedback Comment if: steps.finder.outputs.comment-id == '' - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: issue-number: ${{ github.event.issue.number }} body: | 
diff --git a/.github/workflows/gen-issue-velocity.yml b/.github/workflows/gen-issue-velocity.yml index a2fd9610892d..344fa161f02e 100644 --- a/.github/workflows/gen-issue-velocity.yml +++ b/.github/workflows/gen-issue-velocity.yml @@ -5,6 +5,9 @@ on: - cron: '0 0 * * 2' # Runs every Tuesday at midnight workflow_dispatch: +permissions: + issues: read + jobs: generate-summary: runs-on: ubuntu-latest @@ -12,6 +15,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@v5 diff --git a/.github/workflows/info-needed-closer.yml b/.github/workflows/info-needed-closer.yml index 64a96b06e556..d7efbd199451 100644 --- a/.github/workflows/info-needed-closer.yml +++ b/.github/workflows/info-needed-closer.yml @@ -18,6 +18,7 @@ jobs: with: repository: 'microsoft/vscode-github-triage-actions' path: ./actions + persist-credentials: false ref: stable - name: Install Actions run: npm install --production --prefix ./actions diff --git a/.github/workflows/issue-labels.yml b/.github/workflows/issue-labels.yml index fbd92d9edd01..ec7d14d96cda 100644 --- a/.github/workflows/issue-labels.yml +++ b/.github/workflows/issue-labels.yml @@ -22,6 +22,7 @@ jobs: repository: 'microsoft/vscode-github-triage-actions' ref: stable path: ./actions + persist-credentials: false - name: Install Actions run: npm install --production --prefix ./actions diff --git a/.github/workflows/lock-issues.yml b/.github/workflows/lock-issues.yml index 47f243d71979..cb6ed2e9d54e 100644 --- a/.github/workflows/lock-issues.yml +++ b/.github/workflows/lock-issues.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Lock Issues' - uses: dessant/lock-threads@v5 + uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1 with: github-token: ${{ github.token }} issue-inactive-days: '30' 
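Review bot: Declaring `permissions:` with only `issues: read` sets every unlisted scope to none, including `contents`, yet the job's first step (in the next hunk) is `actions/checkout`. That works while the repository is public but fails on a private fork or mirror. Adding `contents: read` beside `issues: read` makes the requirement explicit. The steps after `Set up Python` are outside the hunks, so whether the job needs any further scope cannot be judged from here.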
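Review bot: In info-needed-closer.yml the checkout gains `persist-credentials: false`, but `ref: stable` still names a mutable branch, and the next step runs `npm install --production --prefix ./actions` on whatever that branch holds at run time. npm install executes package lifecycle scripts, so any token later handed to these actions is exposed to code that is not pinned. Pinning the ref the same way as the `uses:` lines would close this: `ref: <full-commit-sha> # stable` (placeholder). The identical checkout appears in issue-labels.yml, test-plan-item-validator.yml and both jobs of triage-info-needed.yml, where the jobs are granted `issues: write`.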
diff --git a/.github/workflows/pr-check.yml b/.github/workflows/pr-check.yml index 4b1ea54618b8..81c427a31c7b 100644 --- a/.github/workflows/pr-check.yml +++ b/.github/workflows/pr-check.yml @@ -7,6 +7,8 @@ on: - main - release* +permissions: {} + env: NODE_VERSION: 20.18.0 PYTHON_VERSION: '3.10' # YML treats 3.10 the number as 3.1, so quotes around 3.10 @@ -56,12 +58,15 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Checkout Python Environment Tools uses: actions/checkout@v4 with: repository: 'microsoft/python-environment-tools' path: 'python-env-tools' + persist-credentials: false sparse-checkout: | crates Cargo.toml @@ -83,6 +88,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Lint uses: ./.github/actions/lint @@ -100,12 +107,15 @@ jobs: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Checkout Python Environment Tools uses: actions/checkout@v4 with: repository: 'microsoft/python-environment-tools' path: 'python-env-tools' + persist-credentials: false sparse-checkout: | crates Cargo.toml @@ -113,12 +123,12 @@ jobs: sparse-checkout-cone-mode: false - name: Install base Python requirements - uses: brettcannon/pip-secure-install@v1 + uses: brettcannon/pip-secure-install@92f400e3191171c1858cc0e0d9ac6320173fdb0c # v1.0.0 with: options: '-t ./python_files/lib/python --no-cache-dir --implementation py' - name: Install Jedi requirements - uses: brettcannon/pip-secure-install@v1 + uses: brettcannon/pip-secure-install@92f400e3191171c1858cc0e0d9ac6320173fdb0c # v1.0.0 with: requirements-file: './python_files/jedilsp_requirements/requirements.txt' options: '-t ./python_files/lib/jedilsp --no-cache-dir --implementation py' 
@@ -128,7 +138,7 @@ jobs: python -m pip install --upgrade -r build/test-requirements.txt - name: Run Pyright - uses: jakebailey/pyright-action@v2 + uses: jakebailey/pyright-action@b5d50e5cde6547546a5c4ac92e416a8c2c1a1dfe # v2.3.2 with: version: 1.1.308 working-directory: 'python_files' @@ -155,6 +165,7 @@ jobs: uses: actions/checkout@v4 with: path: ${{ env.special-working-directory-relative }} + persist-credentials: false - name: Use Python ${{ matrix.python }} uses: actions/setup-python@v5 @@ -174,7 +185,7 @@ jobs: - name: Install specific pytest version run: python -m pytest --version - name: Install base Python requirements - uses: brettcannon/pip-secure-install@v1 + uses: brettcannon/pip-secure-install@92f400e3191171c1858cc0e0d9ac6320173fdb0c # v1.0.0 with: requirements-file: '"${{ env.special-working-directory-relative }}/requirements.txt"' options: '-t "${{ env.special-working-directory-relative }}/python_files/lib/python" --no-cache-dir --implementation py' @@ -207,12 +218,14 @@ jobs: uses: actions/checkout@v4 with: path: ${{ env.special-working-directory-relative }} + persist-credentials: false - name: Checkout Python Environment Tools uses: actions/checkout@v4 with: repository: 'microsoft/python-environment-tools' path: ${{ env.special-working-directory-relative }}/python-env-tools + persist-credentials: false sparse-checkout: | crates Cargo.toml @@ -354,7 +367,7 @@ jobs: env: TEST_FILES_SUFFIX: testvirtualenvs CI_PYTHON_VERSION: ${{ matrix.python }} - uses: GabrielBB/xvfb-action@v1.7 + uses: GabrielBB/xvfb-action@b706e4e27b14669b486812790492dc50ca16b465 # v1.7 with: run: npm run testSingleWorkspace working-directory: ${{ env.special-working-directory }} 
@@ -363,7 +376,7 @@ jobs: - name: Run single-workspace tests env: CI_PYTHON_VERSION: ${{ matrix.python }} - uses: GabrielBB/xvfb-action@v1.7 + uses: GabrielBB/xvfb-action@b706e4e27b14669b486812790492dc50ca16b465 # v1.7 with: run: npm run testSingleWorkspace working-directory: ${{ env.special-working-directory }} @@ -372,7 +385,7 @@ jobs: - name: Run debugger tests env: CI_PYTHON_VERSION: ${{ matrix.python }} - uses: GabrielBB/xvfb-action@v1.7 + uses: GabrielBB/xvfb-action@b706e4e27b14669b486812790492dc50ca16b465 # v1.7 with: run: npm run testDebugger working-directory: ${{ env.special-working-directory }} @@ -402,12 +415,14 @@ jobs: uses: actions/checkout@v4 with: path: ${{ env.special-working-directory-relative }} + persist-credentials: false - name: Checkout Python Environment Tools uses: actions/checkout@v4 with: repository: 'microsoft/python-environment-tools' path: ${{ env.special-working-directory-relative }}/python-env-tools + persist-credentials: false sparse-checkout: | crates Cargo.toml @@ -438,12 +453,15 @@ jobs: # Need the source to have the tests available. - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Checkout Python Environment Tools uses: actions/checkout@v4 with: repository: 'microsoft/python-environment-tools' path: python-env-tools + persist-credentials: false sparse-checkout: | crates Cargo.toml @@ -471,12 +489,15 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Checkout Python Environment Tools uses: actions/checkout@v4 with: repository: 'microsoft/python-environment-tools' path: python-env-tools + persist-credentials: false sparse-checkout: | crates Cargo.toml 
@@ -510,12 +531,12 @@ jobs: build/functional-test-requirements.txt - name: Install base Python requirements - uses: brettcannon/pip-secure-install@v1 + uses: brettcannon/pip-secure-install@92f400e3191171c1858cc0e0d9ac6320173fdb0c # v1.0.0 with: options: '-t ./python_files/lib/python --implementation py' - name: Install Jedi requirements - uses: brettcannon/pip-secure-install@v1 + uses: brettcannon/pip-secure-install@92f400e3191171c1858cc0e0d9ac6320173fdb0c # v1.0.0 with: requirements-file: './python_files/jedilsp_requirements/requirements.txt' options: '-t ./python_files/lib/jedilsp --implementation py' @@ -618,7 +639,7 @@ jobs: TEST_FILES_SUFFIX: testvirtualenvs CI_PYTHON_VERSION: ${{ env.PYTHON_VERSION }} CI_DISABLE_AUTO_SELECTION: 1 - uses: GabrielBB/xvfb-action@v1.7 + uses: GabrielBB/xvfb-action@b706e4e27b14669b486812790492dc50ca16b465 # v1.7 with: run: npm run testSingleWorkspace:cover @@ -626,7 +647,7 @@ jobs: env: CI_PYTHON_VERSION: ${{ env.PYTHON_VERSION }} CI_DISABLE_AUTO_SELECTION: 1 - uses: GabrielBB/xvfb-action@v1.7 + uses: GabrielBB/xvfb-action@b706e4e27b14669b486812790492dc50ca16b465 # v1.7 with: run: npm run testSingleWorkspace:cover @@ -635,7 +656,7 @@ jobs: # env: # CI_PYTHON_VERSION: ${{ env.PYTHON_VERSION }} # CI_DISABLE_AUTO_SELECTION: 1 - # uses: GabrielBB/xvfb-action@v1.7 + # uses: GabrielBB/xvfb-action@b706e4e27b14669b486812790492dc50ca16b465 # v1.7 # with: # run: npm run testMultiWorkspace:cover @@ -644,7 +665,7 @@ jobs: # env: # CI_PYTHON_VERSION: ${{ env.PYTHON_VERSION }} # CI_DISABLE_AUTO_SELECTION: 1 - # uses: GabrielBB/xvfb-action@v1.7 + # uses: GabrielBB/xvfb-action@b706e4e27b14669b486812790492dc50ca16b465 # v1.7 # with: # run: npm run testDebugger:cover diff --git a/.github/workflows/pr-file-check.yml b/.github/workflows/pr-file-check.yml index b5ba2fe1f109..180ab16a74c3 100644 --- a/.github/workflows/pr-file-check.yml +++ b/.github/workflows/pr-file-check.yml 
@@ -9,13 +9,15 @@ on: - 'labeled' - 'unlabeled' +permissions: {} + jobs: changed-files-in-pr: name: 'Check for changed files' runs-on: ubuntu-latest steps: - name: 'package-lock.json matches package.json' - uses: brettcannon/check-for-changed-files@v1.2.1 + uses: brettcannon/check-for-changed-files@871d7b8b5917a4f6f06662e2262e8ffc51dff6d1 # v1.2.1 with: prereq-pattern: 'package.json' file-pattern: 'package-lock.json' @@ -23,7 +25,7 @@ jobs: failure-message: '${prereq-pattern} was edited but ${file-pattern} was not (the ${skip-label} label can be used to pass this check)' - name: 'package.json matches package-lock.json' - uses: brettcannon/check-for-changed-files@v1.2.1 + uses: brettcannon/check-for-changed-files@871d7b8b5917a4f6f06662e2262e8ffc51dff6d1 # v1.2.1 with: prereq-pattern: 'package-lock.json' file-pattern: 'package.json' @@ -31,7 +33,7 @@ jobs: failure-message: '${prereq-pattern} was edited but ${file-pattern} was not (the ${skip-label} label can be used to pass this check)' - name: 'Tests' - uses: brettcannon/check-for-changed-files@v1.2.1 + uses: brettcannon/check-for-changed-files@871d7b8b5917a4f6f06662e2262e8ffc51dff6d1 # v1.2.1 with: prereq-pattern: src/**/*.ts file-pattern: | diff --git a/.github/workflows/pr-labels.yml b/.github/workflows/pr-labels.yml index 730b8e5c5832..3b82068de5aa 100644 --- a/.github/workflows/pr-labels.yml +++ b/.github/workflows/pr-labels.yml @@ -12,9 +12,12 @@ jobs: classify: name: 'Classify PR' runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write steps: - name: 'PR impact specified' - uses: mheap/github-action-required-labels@v5 + uses: mheap/github-action-required-labels@388fd6af37b34cdfe5a23b37060e763217e58b03 # v5.5.0 with: mode: exactly count: 1 diff --git a/.github/workflows/python27-issue-response.yml b/.github/workflows/python27-issue-response.yml index 4d51e9921ab4..9db84bca1a23 100644 --- a/.github/workflows/python27-issue-response.yml +++ b/.github/workflows/python27-issue-response.yml 
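Review bot: With `permissions: {}` at workflow level and no job-level grant, `changed-files-in-pr` runs `brettcannon/check-for-changed-files` with a token that has no scopes. The action presumably reads the pull request's file list and labels through the API, which succeeds on a public repository but would not on a private one. If that matters, grant the scope on the job with a `permissions:` block containing `pull-requests: read`.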
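Review bot: The `classify` job in pr-labels.yml is granted `issues: write` and `pull-requests: write`, but the visible inputs (`mode: exactly`, `count: 1`) only require reading the PR's labels. The rest of the `with:` block and the `on:` trigger are outside the hunk. Unless the step posts a comment, `pull-requests: read` alone would be the least-privilege grant. If the trigger is `pull_request_target`, minimal scopes matter more, because that event runs with the base repository's token for PRs from forks.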
@@ -5,6 +5,8 @@ on: jobs: python27-issue-response: runs-on: ubuntu-latest + permissions: + issues: write if: "contains(github.event.issue.body, 'Python version (& distribution if applicable, e.g. Anaconda): 2.7')" steps: - name: Check for Python 2.7 string diff --git a/.github/workflows/remove-needs-labels.yml b/.github/workflows/remove-needs-labels.yml index 3d218e297a11..24352526d0d8 100644 --- a/.github/workflows/remove-needs-labels.yml +++ b/.github/workflows/remove-needs-labels.yml @@ -7,9 +7,11 @@ jobs: classify: name: 'Remove needs labels on issue closing' runs-on: ubuntu-latest + permissions: + issues: write steps: - name: 'Removes needs labels on issue close' - uses: actions-ecosystem/action-remove-labels@v1 + uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1.3.0 with: labels: | needs PR diff --git a/.github/workflows/test-plan-item-validator.yml b/.github/workflows/test-plan-item-validator.yml index 17f1740345f2..91e8948cc784 100644 --- a/.github/workflows/test-plan-item-validator.yml +++ b/.github/workflows/test-plan-item-validator.yml @@ -16,6 +16,7 @@ jobs: with: repository: 'microsoft/vscode-github-triage-actions' path: ./actions + persist-credentials: false ref: stable - name: Install Actions diff --git a/.github/workflows/triage-info-needed.yml b/.github/workflows/triage-info-needed.yml index 1ded54ea3f59..f468fb293acd 100644 --- a/.github/workflows/triage-info-needed.yml +++ b/.github/workflows/triage-info-needed.yml @@ -7,13 +7,12 @@ on: env: TRIAGERS: '["karrtikr","karthiknadig","paulacamargo25","eleanorjboyd", "brettcannon","anthonykim1"]' -permissions: - issues: write - jobs: add_label: - runs-on: ubuntu-latest if: contains(github.event.issue.labels.*.name, 'triage-needed') && !contains(github.event.issue.labels.*.name, 'info-needed') + runs-on: ubuntu-latest + permissions: + issues: write steps: - name: Checkout Actions uses: actions/checkout@v4 
@@ -21,6 +20,7 @@ jobs: repository: 'microsoft/vscode-github-triage-actions' ref: stable path: ./actions + persist-credentials: false - name: Install Actions run: npm install --production --prefix ./actions @@ -35,6 +35,8 @@ jobs: remove_label: if: contains(github.event.issue.labels.*.name, 'info-needed') && contains(github.event.issue.labels.*.name, 'triage-needed') runs-on: ubuntu-latest + permissions: + issues: write steps: - name: Checkout Actions uses: actions/checkout@v4 @@ -42,6 +44,7 @@ jobs: repository: 'microsoft/vscode-github-triage-actions' ref: stable path: ./actions + persist-credentials: false - name: Install Actions run: npm install --production --prefix ./actions