diff --git a/.github/workflows/pull-request-main.yml b/.github/workflows/pull-request-main.yml index 856eff45c..93961e7e0 100644 --- a/.github/workflows/pull-request-main.yml +++ b/.github/workflows/pull-request-main.yml @@ -75,7 +75,7 @@ jobs: run: pnpm nx run signed-commits:build - name: Commit back any changes - uses: planetscale/ghcommit-action@b68767a2e130a71926b365322e62b583404a5e09 # v0.1.43 + uses: planetscale/ghcommit-action@f24050e41f8694750427d111b52f4ef9ca81a32d # v0.2.18 with: commit_message: "🤖 Update build" repo: ${{ github.repository }} diff --git a/.github/workflows/run-e2e-tests.yml b/.github/workflows/run-e2e-tests.yml index a0cc13e55..a3d5d8e9c 100644 --- a/.github/workflows/run-e2e-tests.yml +++ b/.github/workflows/run-e2e-tests.yml @@ -369,7 +369,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4.2.1 + uses: actions/checkout@v4.3.0 with: persist-credentials: false - name: Install citool @@ -419,14 +419,14 @@ jobs: workflow_id: ${{ steps.gen_id.outputs.workflow_id }} steps: - name: Checkout code - uses: actions/checkout@v4.2.1 + uses: actions/checkout@v4.3.0 with: persist-credentials: false - name: Setup Go - uses: actions/setup-go@v5.0.2 + uses: actions/setup-go@v5.5.0 with: - go-version: "1.24.0" + go-version: "1.25.2" check-latest: true cache: false # disable caching as this job doesn't benefit from it @@ -625,7 +625,7 @@ jobs: - name: Checkout the repo if: ${{ steps.check-image-exists.outputs.exists != 'true' }} - uses: actions/checkout@v4.2.1 + uses: actions/checkout@v4.3.0 with: persist-credentials: false ref: ${{ inputs.chainlink_version }} @@ -666,7 +666,7 @@ jobs: }} steps: - name: Checkout the repo - uses: actions/checkout@v4.2.1 + uses: actions/checkout@v4.3.0 with: persist-credentials: false ref: ${{ inputs.chainlink_version }} @@ -725,7 +725,7 @@ jobs: uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0 - name: Checkout repository - uses: actions/checkout@v4.2.1 + uses: actions/checkout@v4.3.0 with: persist-credentials: false ref: ${{ inputs.chainlink_version }} @@ -937,13 +937,13 @@ jobs: - name: Upload trace data as artifact if: inputs.enable_otel_traces_for_ocr2_plugins && matrix.tests.test_env_vars.ENABLE_OTEL_TRACES == 'true' - uses: actions/upload-artifact@v4.4.3 + uses: actions/upload-artifact@v4.6.2 with: name: trace-data path: ./integration-tests/smoke/traces/trace-data.json - name: Upload test log as artifact - uses: actions/upload-artifact@v4.4.3 + uses: actions/upload-artifact@v4.6.2 if: failure() with: name: test_log_${{ env.TEST_ID }} @@ -953,7 +953,7 @@ jobs: - name: Upload cl node coverage data as artifact if: inputs.upload_cl_node_coverage_artifact - uses: actions/upload-artifact@v4.4.3 + uses: actions/upload-artifact@v4.6.2 timeout-minutes: 2 continue-on-error: true with: @@ -970,7 +970,7 @@ jobs: - name: Upload test result as artifact if: ${{ always() }} - uses: actions/upload-artifact@v4.4.3 + uses: actions/upload-artifact@v4.6.2 with: name: test_result_${{ needs.load-test-configurations.outputs.workflow_id }}_${{ env.TEST_ID }} @@ -979,7 +979,7 @@ jobs: - name: Upload custom test artifacts if: failure() && matrix.tests.test_artifacts_on_failure != '' - uses: actions/upload-artifact@v4.4.3 + uses: actions/upload-artifact@v4.6.2 with: name: custom_test_artifacts_${{ env.TEST_ID }}_${{ needs.load-test-configurations.outputs.workflow_id }} @@ -1012,7 +1012,7 @@ jobs: }}.amazonaws.com/chainlink-tests steps: - name: Checkout repository - uses: actions/checkout@v4.2.1 + uses: actions/checkout@v4.3.0 with: persist-credentials: false - name: Build Test Runner Image @@ -1081,7 +1081,7 @@ jobs: uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0 - name: Checkout repository - uses: actions/checkout@v4.2.1 + uses: actions/checkout@v4.3.0 with: persist-credentials: false @@ -1226,7 +1226,7 @@ jobs: test_suite: ${{ matrix.tests.test_env_vars.TEST_SUITE }} - name: Upload test log as artifact - uses: actions/upload-artifact@v4.4.3 + uses: actions/upload-artifact@v4.6.2 if: failure() with: name: test_log_${{ env.TEST_ID }} @@ -1236,7 +1236,7 @@ jobs: - name: Upload custom test artifacts if: failure() && matrix.tests.test_artifacts_on_failure != '' - uses: actions/upload-artifact@v4.4.3 + uses: actions/upload-artifact@v4.6.2 with: name: ${{ format('custom_test_artifacts_{0}_{1}', env.TEST_ID, needs.load-test-configurations.outputs.workflow_id) }} path: ${{ matrix.tests.test_artifacts_on_failure }} @@ -1270,7 +1270,7 @@ jobs: uses: runs-on/action@66d4449b717b5462159659523d1241051ff470b9 # v1 - name: Checkout repository - uses: actions/checkout@v4.2.1 + uses: actions/checkout@v4.3.0 with: persist-credentials: false @@ -1340,7 +1340,7 @@ jobs: test_results: ${{ steps.set_test_results.outputs.results }} steps: - name: Download all test result artifacts - uses: actions/download-artifact@v4.1.8 + uses: actions/download-artifact@v4.3.0 with: path: test_results pattern: test_result_${{ needs.load-test-configurations.outputs.workflow_id @@ -1391,7 +1391,7 @@ jobs: { echo "cl_ref=$cl_ref"; echo "cl_short_ref=$cl_short_ref"; echo "cl_ref_path=$cl_ref_path"; } >> "$GITHUB_OUTPUT" - name: Send Slack notification - uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0 + uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1 if: ${{ inputs.slack_notification_after_tests == 'true' || inputs.slack_notification_after_tests == 'always' || (inputs.slack_notification_after_tests == 'on_failure' && @@ -1432,7 +1432,7 @@ jobs: contains(join(needs.*.result, ','), 'failure') && inputs.slack_notification_after_tests_notify_user_id_on_failure != '' }} - uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0 + uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1 env: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} with: diff --git a/.github/workflows/solidity-review-artifacts.yml b/.github/workflows/solidity-review-artifacts.yml index 093ec2493..732d54021 100644 --- a/.github/workflows/solidity-review-artifacts.yml +++ b/.github/workflows/solidity-review-artifacts.yml @@ -141,7 +141,7 @@ jobs: timeout-minutes: 10 steps: - name: Checkout the caller repository - uses: actions/checkout@v4.2.1 + uses: actions/checkout@v4.3.0 with: fetch-depth: 0 persist-credentials: false @@ -207,7 +207,7 @@ jobs: needs: [gather-basic-info] steps: - name: Checkout the caller repository - uses: actions/checkout@v4.2.2 + uses: actions/checkout@v4.3.0 with: ref: ${{ env.head_ref }} persist-credentials: false @@ -226,14 +226,14 @@ jobs: mkdir -p code-coverage - name: Install Foundry - uses: foundry-rs/foundry-toolchain@8f1998e9878d786675189ef566a2e4bf24869773 # v1.2.0 + uses: foundry-rs/foundry-toolchain@50d5a8956f2e319df19e6b57539d7e2acb9f8c1e # v1.5.0 with: version: ${{ inputs.foundry_version }} # required for code coverage report generation - name: Setup LCOV if: ${{ inputs.generate_code_coverage == true }} - uses: hrishikesh-kadam/setup-lcov@f5da1b26b0dcf5d893077a3c4f29cf78079c841d # v1.0.0 + uses: hrishikesh-kadam/setup-lcov@6c1aa0cc9e1c02f9f58f01ac599f1064ccc83470 # v1.1.0 - name: Run Forge build for product contracts run: | @@ -308,14 +308,14 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout caller repository - uses: actions/checkout@v4.2.2 + uses: actions/checkout@v4.3.0 with: fetch-depth: 0 ref: ${{ env.head_ref }} persist-credentials: false - name: Checkout .github repository - uses: actions/checkout@v4.2.2 + uses: actions/checkout@v4.3.0 with: repository: smartcontractkit/.github ref: 65249c7eae628aad6e70a0c0850d981cd0074bf9 @@ -329,7 +329,7 @@ jobs: pnpm-version: ^10.0.0 - name: Install Foundry - uses: foundry-rs/foundry-toolchain@8f1998e9878d786675189ef566a2e4bf24869773 # v1.2.0 + uses: foundry-rs/foundry-toolchain@50d5a8956f2e319df19e6b57539d7e2acb9f8c1e # v1.5.0 with: version: ${{ inputs.foundry_version }} @@ -342,7 +342,7 @@ jobs: if: ${{ inputs.generate_slither_reports == true }} uses: actions/setup-python@v5.6.0 with: - python-version: "3.8" + python-version: "3.14" - name: Install solc-select and solc if: ${{ inputs.generate_slither_reports == true }} @@ -472,14 +472,14 @@ jobs: - name: Checkout caller repository if: ${{ inputs.link_with_jira == true }} - uses: actions/checkout@v4.2.2 + uses: actions/checkout@v4.3.0 with: ref: ${{ env.head_ref }} persist-credentials: false - name: Checkout chainlink-github-actions repository if: ${{ inputs.link_with_jira == true }} - uses: actions/checkout@v4.2.1 + uses: actions/checkout@v4.3.0 with: repository: smartcontractkit/.github ref: 65249c7eae628aad6e70a0c0850d981cd0074bf9 diff --git a/actions/beholder-pulumi-deploy-schema/action.yml b/actions/beholder-pulumi-deploy-schema/action.yml index 4fe2aa995..8212f5be0 100644 --- a/actions/beholder-pulumi-deploy-schema/action.yml +++ b/actions/beholder-pulumi-deploy-schema/action.yml @@ -24,7 +24,7 @@ inputs: runs: using: "composite" steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@v4.3.0 - name: Docker login to ECR shell: bash diff --git a/actions/branch-out-upload/action.yml b/actions/branch-out-upload/action.yml index 662819a1a..8dc814050 100644 --- a/actions/branch-out-upload/action.yml +++ b/actions/branch-out-upload/action.yml @@ -62,7 +62,7 @@ runs: echo "::endgroup::" - name: Upload Test Results to Trunk.io - uses: trunk-io/analytics-uploader@f2631c653f9675d391e6e68cc877370db927c64c # v2.0.0 + uses: trunk-io/analytics-uploader@e15a1f52c853d03426af5aff6bad7321fda0f7a4 # v2.0.2 continue-on-error: ${{ inputs.trunk-upload-only == 'true' }} env: TRUNK_TELEMETRY: "off" diff --git a/actions/build-push-docker-manifest/action.yml b/actions/build-push-docker-manifest/action.yml index 7ee65b56f..e5d0f921a 100644 --- a/actions/build-push-docker-manifest/action.yml +++ b/actions/build-push-docker-manifest/action.yml @@ -169,7 +169,7 @@ runs: version: v0.27.0 - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: role-to-assume: ${{ inputs.aws-role-arn }} role-duration-seconds: 900 @@ -372,7 +372,7 @@ runs: - name: Install cosign if: inputs.docker-manifest-sign == 'true' - uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0 + uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0 with: cosign-release: "v2.4.2" diff --git a/actions/build-push-docker/action.yml b/actions/build-push-docker/action.yml index 81d5e0498..97fa9cd03 100644 --- a/actions/build-push-docker/action.yml +++ b/actions/build-push-docker/action.yml @@ -202,7 +202,7 @@ runs: if: ${{ steps.dockerfile-ecr-parse.outputs.needs-ecr-login == 'true' || inputs.docker-push == 'true' }} - uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0 + uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0 with: role-to-assume: ${{ inputs.aws-role-arn }} role-duration-seconds: 900 @@ -229,14 +229,14 @@ runs: registries: ${{ inputs.aws-account-number }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 with: version: latest - name: Docker meta if: ${{ inputs.docker-push == 'true' }} id: docker-meta - uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: ${{ format('{0}/{1}', inputs.docker-registry-url, @@ -307,7 +307,7 @@ runs: - name: Build & push image id: build-image - uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 env: DOCKER_BUILD_CHECKS_ANNOTATIONS: true DOCKER_BUILD_SUMMARY: true diff --git a/actions/ci-beholder-validator/action.yml b/actions/ci-beholder-validator/action.yml index e2e21bf37..a27eb4711 100644 --- a/actions/ci-beholder-validator/action.yml +++ b/actions/ci-beholder-validator/action.yml @@ -31,7 +31,7 @@ runs: using: composite steps: - name: Checkout repo - uses: actions/checkout@v4.2.1 + uses: actions/checkout@v4.3.0 with: fetch-depth: ${{ inputs.checkout-repo-fetch-depth }} diff --git a/actions/ci-benchmarking/action.yml b/actions/ci-benchmarking/action.yml index 7b799809f..407e4830a 100644 --- a/actions/ci-benchmarking/action.yml +++ b/actions/ci-benchmarking/action.yml @@ -116,7 +116,7 @@ runs: - name: Run github-action-benchmark for PRs if: ${{ env.IS_PR == 'true' }} - uses: benchmark-action/github-action-benchmark@4de1bed97a47495fc4c5404952da0499e31f5c29 # v1.20.3 + uses: benchmark-action/github-action-benchmark@4bdcce38c94cec68da58d012ac24b7b1155efe8b # v1.20.7 with: tool: "go" output-file-path: output.txt @@ -129,7 +129,7 @@ runs: - name: Run github-action-benchmark for Merges if: ${{ env.IS_MERGE == 'true' }} - uses: benchmark-action/github-action-benchmark@4de1bed97a47495fc4c5404952da0499e31f5c29 # v1.20.3 + uses: benchmark-action/github-action-benchmark@4bdcce38c94cec68da58d012ac24b7b1155efe8b # v1.20.7 with: tool: "go" output-file-path: output.txt diff --git a/actions/ci-lint-charts/action.yml b/actions/ci-lint-charts/action.yml index 60af32b70..4448c2fdb 100644 --- a/actions/ci-lint-charts/action.yml +++ b/actions/ci-lint-charts/action.yml @@ -46,7 +46,7 @@ runs: fi - name: Set up chart-testing - uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 + uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0 - name: Run chart-testing (lint) shell: bash diff --git a/actions/ci-lint-go/action.yml b/actions/ci-lint-go/action.yml index 92d7164a1..0095eecd5 100644 --- a/actions/ci-lint-go/action.yml +++ b/actions/ci-lint-go/action.yml @@ -83,7 +83,7 @@ runs: - name: Assume aws gati role if: inputs.use-gati == 'true' - uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0 + uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0 with: role-to-assume: ${{ inputs.aws-role-arn-gati }} role-duration-seconds: ${{ inputs.aws-role-duration-seconds }} diff --git a/actions/ci-lint-misc/action.yml b/actions/ci-lint-misc/action.yml index eb013e2d8..a01c19082 100644 --- a/actions/ci-lint-misc/action.yml +++ b/actions/ci-lint-misc/action.yml @@ -22,7 +22,7 @@ runs: fetch-depth: ${{ inputs.checkout-repo-fetch-depth }} - name: Run actionlint - uses: reviewdog/action-actionlint@4f8f9963ca57a41e5fd5b538dd79dbfbd3e0b38a # v1.54.0 + uses: reviewdog/action-actionlint@f00ad0691526c10be4021a91b2510f0a769b14d0 # v1.68.0 - name: Run shellcheck uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0 diff --git a/actions/ci-sonarqube-go/action.yml b/actions/ci-sonarqube-go/action.yml index c24f65f8e..88dc35ea2 100644 --- a/actions/ci-sonarqube-go/action.yml +++ b/actions/ci-sonarqube-go/action.yml @@ -94,7 +94,7 @@ runs: echo "SONARQUBE_ARGS=$ARGS" >> $GITHUB_ENV - name: SonarQube Scan - uses: sonarsource/sonarqube-scan-action@0c0f3958d90fc466625f1d1af1f47bddd4cc6bd1 # v3.0.0 + uses: sonarsource/sonarqube-scan-action@13990a695682794b53148ff9f6a8b6e22e43955e # v3.1.0 with: args: ${{ env.SONARQUBE_ARGS }} env: diff --git a/actions/ci-sonarqube-ts/action.yml b/actions/ci-sonarqube-ts/action.yml index 06a56dbe9..72d8f4007 100644 --- a/actions/ci-sonarqube-ts/action.yml +++ b/actions/ci-sonarqube-ts/action.yml @@ -110,7 +110,7 @@ runs: steps.sonarqube_report_paths.outputs.sonarqube_lint_report_paths }} - name: SonarQube Scan - uses: sonarsource/sonarqube-scan-action@0c0f3958d90fc466625f1d1af1f47bddd4cc6bd1 # v3.0.0 + uses: sonarsource/sonarqube-scan-action@13990a695682794b53148ff9f6a8b6e22e43955e # v3.1.0 with: args: ${{ env.SONARQUBE_ARGS }} env: diff --git a/actions/ci-test-go/action.yml b/actions/ci-test-go/action.yml index c931d7c33..1695e548e 100644 --- a/actions/ci-test-go/action.yml +++ b/actions/ci-test-go/action.yml @@ -108,7 +108,7 @@ runs: - name: Assume aws gati role if: inputs.use-gati == 'true' - uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0 + uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0 with: role-to-assume: ${{ inputs.aws-role-arn-gati }} role-duration-seconds: ${{ inputs.aws-role-duration-seconds }} diff --git a/actions/ci-test-sol/action.yml b/actions/ci-test-sol/action.yml index 4dab02012..c67a89f74 100644 --- a/actions/ci-test-sol/action.yml +++ b/actions/ci-test-sol/action.yml @@ -68,7 +68,7 @@ runs: run-install: "true" - name: Setup foundry - uses: foundry-rs/foundry-toolchain@8f1998e9878d786675189ef566a2e4bf24869773 # v1.2.0 + uses: foundry-rs/foundry-toolchain@50d5a8956f2e319df19e6b57539d7e2acb9f8c1e # v1.5.0 with: version: ${{ inputs.foundry-version }} diff --git a/actions/cicd-build-publish-artifacts-go/action.yml b/actions/cicd-build-publish-artifacts-go/action.yml index 8d82e2283..1ceee563d 100644 --- a/actions/cicd-build-publish-artifacts-go/action.yml +++ b/actions/cicd-build-publish-artifacts-go/action.yml @@ -117,7 +117,7 @@ runs: - name: Assume aws gati role if: inputs.use-gati == 'true' - uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0 + uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0 with: role-to-assume: ${{ inputs.aws-role-arn-gati }} role-duration-seconds: ${{ inputs.aws-role-duration-seconds }} @@ -148,15 +148,15 @@ runs: - name: Setup zig if: inputs.use-zig == 'true' - uses: goto-bus-stop/setup-zig@7ab2955eb728f5440978d5824358023be3a2802d # v2.2.0 + uses: goto-bus-stop/setup-zig@abea47f85e598557f500fa1fd2ab7464fcb39406 # v2.2.1 with: version: ${{ inputs.zig-version }} - name: Setup docker buildx - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Set up qemu - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Process params shell: bash @@ -177,7 +177,7 @@ runs: fi - name: Configure aws creds - uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0 + uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0 if: inputs.publish == 'true' && inputs.docker-registry == 'aws' with: role-to-assume: ${{ inputs.aws-role-arn }} @@ -193,14 +193,14 @@ runs: - name: Update tag if: inputs.update-git-tag == 'true' - uses: richardsimko/update-tag@e173a8ef8f54ab526a91dad6139a25efed62424c # v1.0.11 + uses: richardsimko/update-tag@aab2434e9a5040687874aa39d1c6377ec0cb0d94 # v1.1.6 with: tag_name: v0.0.0-devel env: GITHUB_TOKEN: ${{ github.token }} # ${{ steps.get-gh-token.outputs.access-token }} - name: Run goreleaser release - uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 # v6.2.1 + uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 with: version: ${{ inputs.goreleaser-version }} distribution: ${{ inputs.goreleaser-dist }} diff --git a/actions/cicd-build-publish-artifacts-ts/action.yml b/actions/cicd-build-publish-artifacts-ts/action.yml index 07a1446cf..0abc75c13 100644 --- a/actions/cicd-build-publish-artifacts-ts/action.yml +++ b/actions/cicd-build-publish-artifacts-ts/action.yml @@ -85,11 +85,11 @@ runs: - name: Set up qemu if: inputs.setup-qemu == 'true' - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Setup foundry if: inputs.setup-foundry == 'true' - uses: foundry-rs/foundry-toolchain@8f1998e9878d786675189ef566a2e4bf24869773 # v1.2.0 + uses: foundry-rs/foundry-toolchain@50d5a8956f2e319df19e6b57539d7e2acb9f8c1e # v1.5.0 with: version: ${{ inputs.foundry-version }} @@ -108,7 +108,7 @@ runs: - name: Upload artifacts to release if: inputs.publish-release == 'true' - uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # 2.9.0 + uses: svenstaro/upload-release-action@81c65b7cd4de9b2570615ce3aad67a41de5b1a13 # 2.11.2 with: repo_token: ${{ github.token }} file: ${{ inputs.release-assets }} @@ -118,7 +118,7 @@ runs: - name: Upload artifacts to monorepo release if: inputs.publish-monorepo-release == 'true' - uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # 2.9.0 + uses: svenstaro/upload-release-action@81c65b7cd4de9b2570615ce3aad67a41de5b1a13 # 2.11.2 with: repo_token: ${{ github.token }} file: diff --git a/actions/cicd-build-publish-charts/action.yml b/actions/cicd-build-publish-charts/action.yml index eb7a437a7..0739a5bd7 100644 --- a/actions/cicd-build-publish-charts/action.yml +++ b/actions/cicd-build-publish-charts/action.yml @@ -53,7 +53,7 @@ runs: fetch-depth: ${{ inputs.checkout-repo-fetch-depth }} - name: Setup helm - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 + uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1 with: version: v3.12.0 @@ -69,7 +69,7 @@ runs: - name: Configure aws creds if: inputs.publish == 'true' - uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0 + uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0 with: role-to-assume: ${{ inputs.aws-role-arn }} role-duration-seconds: ${{ inputs.aws-role-duration-seconds }} diff --git a/actions/cicd-changesets/action.yml b/actions/cicd-changesets/action.yml index 1eafc1335..a557627ba 100644 --- a/actions/cicd-changesets/action.yml +++ b/actions/cicd-changesets/action.yml @@ -107,7 +107,7 @@ runs: using: composite steps: - name: Assume aws gati role - uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0 + uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0 with: role-to-assume: ${{ inputs.aws-role-arn }} role-duration-seconds: ${{ inputs.aws-role-duration-seconds }} diff --git a/actions/crib-deploy-environment/action.yml b/actions/crib-deploy-environment/action.yml index 900af3187..6a5e60257 100644 --- a/actions/crib-deploy-environment/action.yml +++ b/actions/crib-deploy-environment/action.yml @@ -364,7 +364,7 @@ runs: failure() && inputs.crib-alert-slack-webhook != '' && inputs.send-alerts == 'true' id: slack - uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0 + uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1 with: # For posting a rich message using Block Kit payload: ${{ steps.render-slack-template.outputs.result }} diff --git a/actions/ctf-build-test-image/action.yml b/actions/ctf-build-test-image/action.yml index 404e400dc..e46190539 100644 --- a/actions/ctf-build-test-image/action.yml +++ b/actions/ctf-build-test-image/action.yml @@ -53,7 +53,7 @@ runs: # Base Test Image Logic - name: Get CTF Version id: version - uses: smartcontractkit/chainlink-github-actions/chainlink-testing-framework/mod-version@fc3e0df622521019f50d772726d6bf8dc919dd38 # v2.3.19 + uses: smartcontractkit/chainlink-github-actions/chainlink-testing-framework/mod-version@1ada5d85b0de3439a0ba238210d40605b5ed6704 # v2.3.32 with: go-project-path: ./integration-tests module-name: github.com/smartcontractkit/chainlink-testing-framework/lib @@ -90,7 +90,7 @@ runs: - name: Check if test base image exists if: steps.version.outputs.is_semantic == 'false' id: check-base-image - uses: smartcontractkit/chainlink-github-actions/docker/image-exists@75a9005952a9e905649cfb5a6971fd9429436acd # v2.3.25 + uses: smartcontractkit/chainlink-github-actions/docker/image-exists@1ada5d85b0de3439a0ba238210d40605b5ed6704 # v2.3.32 with: repository: test-base-image tag: ${{ steps.long_sha.outputs.long_sha }} @@ -102,7 +102,7 @@ runs: if: steps.version.outputs.is_semantic == 'false' && steps.check-base-image.outputs.exists == 'false' - uses: smartcontractkit/chainlink-github-actions/docker/build-push@75a9005952a9e905649cfb5a6971fd9429436acd # v2.3.25 + uses: smartcontractkit/chainlink-github-actions/docker/build-push@1ada5d85b0de3439a0ba238210d40605b5ed6704 # v2.3.32 env: BASE_IMAGE_NAME: ${{ inputs.QA_AWS_ACCOUNT_NUMBER }}.dkr.ecr.${{ inputs.QA_AWS_REGION @@ -146,7 +146,7 @@ runs: - name: Check if image exists id: check-image - uses: smartcontractkit/chainlink-github-actions/docker/image-exists@75a9005952a9e905649cfb5a6971fd9429436acd # v2.3.25 + uses: smartcontractkit/chainlink-github-actions/docker/image-exists@1ada5d85b0de3439a0ba238210d40605b5ed6704 # v2.3.32 with: repository: ${{ inputs.repository }} tag: ${{ inputs.tag || steps.test_runner_hash.outputs.hash_value }} @@ -154,7 +154,7 @@ runs: AWS_ROLE_TO_ASSUME: ${{ inputs.QA_AWS_ROLE_TO_ASSUME }} - name: Build and Publish Test Runner if: steps.check-image.outputs.exists == 'false' - uses: smartcontractkit/chainlink-github-actions/docker/build-push@75a9005952a9e905649cfb5a6971fd9429436acd # v2.3.25 + uses: smartcontractkit/chainlink-github-actions/docker/build-push@1ada5d85b0de3439a0ba238210d40605b5ed6704 # v2.3.32 with: tags: | ${{ inputs.QA_AWS_ACCOUNT_NUMBER }}.dkr.ecr.${{ inputs.QA_AWS_REGION }}.amazonaws.com/${{ inputs.repository }}:${{ inputs.tag || steps.test_runner_hash.outputs.hash_value }} diff --git a/actions/ctf-fetch-aws-secret/action.yml b/actions/ctf-fetch-aws-secret/action.yml index 84693f434..6f5c793b6 100644 --- a/actions/ctf-fetch-aws-secret/action.yml +++ b/actions/ctf-fetch-aws-secret/action.yml @@ -25,7 +25,7 @@ runs: using: "composite" steps: - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0 + uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0 with: aws-region: ${{ inputs.aws_region }} role-to-assume: ${{ inputs.aws_role_to_assume }} diff --git a/actions/ctf-setup-run-tests-environment/action.yml b/actions/ctf-setup-run-tests-environment/action.yml index 92b099c84..f869a3528 100644 --- a/actions/ctf-setup-run-tests-environment/action.yml +++ b/actions/ctf-setup-run-tests-environment/action.yml @@ -195,7 +195,7 @@ runs: # Setup AWS cred and K8s context - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: aws-region: ${{ inputs.QA_AWS_REGION }} role-to-assume: ${{ inputs.QA_AWS_ROLE_TO_ASSUME }} @@ -229,13 +229,13 @@ runs: # To avoid rate limiting from Docker Hub, we can login with a paid user account. - name: Login to Docker Hub if: inputs.dockerhub_username && inputs.dockerhub_password - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: username: ${{ inputs.dockerhub_username }} password: ${{ inputs.dockerhub_password }} # Helm Setup - - uses: azure/setup-helm@29960d0f5f19214b88e1d9ba750a9914ab0f1a2f # v4.0.0 + - uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1 with: version: v3.13.1 - name: Add required helm charts including chainlink-qa diff --git a/actions/docker-image-patch/action.yml b/actions/docker-image-patch/action.yml index 6931eabfa..df3cc00b4 100644 --- a/actions/docker-image-patch/action.yml +++ b/actions/docker-image-patch/action.yml @@ -129,7 +129,7 @@ runs: echo "::endgroup::" - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: role-to-assume: ${{ inputs.aws-role-arn }} role-duration-seconds: 900 diff --git a/actions/ecr-image-exists/action.yml b/actions/ecr-image-exists/action.yml index 0abae528e..135d3bdfd 100644 --- a/actions/ecr-image-exists/action.yml +++ b/actions/ecr-image-exists/action.yml @@ -33,7 +33,7 @@ runs: using: composite steps: - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: aws-region: ${{ inputs.aws-region }} role-to-assume: ${{ inputs.aws-role-arn }} diff --git a/actions/helm-version-bump-receiver/action.yml b/actions/helm-version-bump-receiver/action.yml index 7bc1ad205..3f8b6293e 100644 --- a/actions/helm-version-bump-receiver/action.yml +++ b/actions/helm-version-bump-receiver/action.yml @@ -96,7 +96,7 @@ runs: - name: Bump helm chart version id: bump-helm-chart-version - uses: mikefarah/yq@f15500b20a1c991c8729870ba60a4dc3524b6a94 # v4.44.2 + uses: mikefarah/yq@0ecdce24e83f0fa127940334be98c86b07b0c488 # v4.48.1 env: AWS_SECRET_ACCESS_KEY: "" AWS_ACCESS_KEY_ID: "" @@ -110,7 +110,7 @@ runs: - name: Update helm chart repo if: inputs.helm-chart-repo-update == 'true' id: update-helm-chart-repo - uses: mikefarah/yq@f15500b20a1c991c8729870ba60a4dc3524b6a94 # v4.44.2 + uses: mikefarah/yq@0ecdce24e83f0fa127940334be98c86b07b0c488 # v4.48.1 env: AWS_SECRET_ACCESS_KEY: "" AWS_ACCESS_KEY_ID: "" diff --git a/actions/k8s-tailscale-connect/action.yml b/actions/k8s-tailscale-connect/action.yml index b6fdb5e38..4199c60a2 100644 --- a/actions/k8s-tailscale-connect/action.yml +++ b/actions/k8s-tailscale-connect/action.yml @@ -39,7 +39,7 @@ runs: tags: ${{ inputs.tailscale-tags }} - name: Configure AWS credentials using OIDC - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: role-to-assume: ${{ inputs.aws-oidc-role }} aws-region: ${{ inputs.aws-region }} diff --git a/actions/parse-and-mask-test-secrets/action.yml b/actions/parse-and-mask-test-secrets/action.yml index b6251dd3f..4cac098a6 100644 --- a/actions/parse-and-mask-test-secrets/action.yml +++ b/actions/parse-and-mask-test-secrets/action.yml @@ -13,7 +13,7 @@ runs: - name: Setup Go uses: actions/setup-go@v5 with: - go-version: 1.21.3 + go-version: 1.25.2 - name: Parse and mask test secrets shell: bash diff --git a/actions/pr-quality-check/action.yml b/actions/pr-quality-check/action.yml index 2a4eb1622..4dd6992fa 100644 --- a/actions/pr-quality-check/action.yml +++ b/actions/pr-quality-check/action.yml @@ -104,7 +104,7 @@ runs: if: env.SHOULD_RUN == 'true' && github.event.action != 'closed' uses: actions/setup-python@v5 with: - python-version: "3.11" + python-version: "3.14" - name: Install dependencies if: env.SHOULD_RUN == 'true' && github.event.action != 'closed' @@ -302,7 +302,7 @@ runs: steps.check-claude.outputs.should-run-claude == 'true' && steps.check-fingerprint.outputs.fingerprint-changed == 'true' && github.event.pull_request.head.repo.full_name == github.repository - uses: actions/setup-node@v4.0.3 + uses: actions/setup-node@v4.4.0 with: node-version: "22" @@ -326,7 +326,7 @@ runs: steps.check-claude.outputs.should-run-claude == 'true' && steps.check-fingerprint.outputs.fingerprint-changed == 'true' && github.event.pull_request.head.repo.full_name == github.repository - uses: google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c #v2.1.2 + uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2.1.13 with: credentials_json: ${{ inputs.claude-code-gcp-service-account-key }} create_credentials_file: true diff --git a/actions/pr-slack-alert/action.yml b/actions/pr-slack-alert/action.yml index 6ca19691a..719fef6ad 100644 --- a/actions/pr-slack-alert/action.yml +++ b/actions/pr-slack-alert/action.yml @@ -56,7 +56,7 @@ runs: - name: Send slack alert if: steps.filter.outputs.SKIP_SLACK != 'true' id: slack - uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e #v1.26.0 + uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1 with: channel-id: ${{ inputs.slack-channel-id }} # https://api.slack.com/surfaces/messages#payloads diff --git a/actions/pull-private-ecr-image/action.yml b/actions/pull-private-ecr-image/action.yml index c50510473..e248f2383 100644 --- a/actions/pull-private-ecr-image/action.yml +++ b/actions/pull-private-ecr-image/action.yml @@ -68,7 +68,7 @@ runs: fi - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: aws-region: ${{ inputs.aws-region }} role-to-assume: ${{ inputs.aws-role-arn }} diff --git a/actions/setup-gap/action.yml b/actions/setup-gap/action.yml index 0a24f5d7a..5b6b5bf0f 100644 --- a/actions/setup-gap/action.yml +++ b/actions/setup-gap/action.yml @@ -159,7 +159,7 @@ runs: - name: Assume role # We only need to assume a role if we intend to use k8s API server access via the proxy if: inputs.use-k8s == 'true' - uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0 + uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0 with: role-to-assume: ${{ inputs.aws-role-arn }} role-duration-seconds: ${{ inputs.aws-role-duration-seconds }} diff --git a/actions/setup-github-token/action.yml b/actions/setup-github-token/action.yml index 322fea69d..d31ca84ec 100644 --- a/actions/setup-github-token/action.yml +++ b/actions/setup-github-token/action.yml @@ -47,7 +47,7 @@ runs: fi - name: Assume role capable of getting token from gati - uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0 + uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0 with: aws-region: ${{ inputs.aws-region }} mask-aws-account-id: true diff --git a/actions/setup-nix-cache/action.yml b/actions/setup-nix-cache/action.yml index 5a2507fa6..0805d950d 100644 --- a/actions/setup-nix-cache/action.yml +++ b/actions/setup-nix-cache/action.yml @@ -42,7 +42,7 @@ runs: steps: # Step to configure AWS credentials for Nix cache - name: Configure AWS credentials for Nix cache - uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0 + uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0 with: role-to-assume: ${{ inputs.role-to-assume }} role-duration-seconds: ${{ inputs.role-duration-seconds }} diff --git a/actions/setup-nodejs/action.yml b/actions/setup-nodejs/action.yml index 5a6cf659d..0260254b2 100644 --- a/actions/setup-nodejs/action.yml +++ b/actions/setup-nodejs/action.yml @@ -77,7 +77,7 @@ runs: echo "pnpm-version=${PNPM_VERSION_FROM_FILE}" | tee -a "${GITHUB_OUTPUT}" - name: Install pnpm - uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0 + uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 with: version: ${{ steps.pnpm-version.outputs.pnpm-version }} run_install: false diff --git a/actions/setup-renovate/action.yml b/actions/setup-renovate/action.yml index 7fbdb99b7..8e1fbe8dd 100644 --- a/actions/setup-renovate/action.yml +++ b/actions/setup-renovate/action.yml @@ -62,7 +62,7 @@ runs: aws-role-duration-seconds: ${{ inputs.aws-role-duration-seconds }} - name: Run renovate - uses: renovatebot/github-action@76d49712364696a06b60e8647df46b288fff0ddc # v40.2.4 + uses: renovatebot/github-action@0984fb80fc633b17e57f3e8b6c007fe0dc3e0d62 # v40.3.6 with: renovate-version: ${{ inputs.renovate-version }} token: ${{ steps.get-access-token.outputs.access-token }} diff --git a/actions/slack-notify-git-ref/action.yml b/actions/slack-notify-git-ref/action.yml index 57b5d81be..021a27482 100644 --- a/actions/slack-notify-git-ref/action.yml +++ b/actions/slack-notify-git-ref/action.yml @@ -109,7 +109,7 @@ runs: } >> $GITHUB_ENV - name: Notify slack - uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0 + uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1 with: payload: ${{ env.payload }} channel-id: ${{ inputs.slack-channel-id }} diff --git a/actions/update-actions/action.yml b/actions/update-actions/action.yml index af7612446..5c5ee9df7 100644 --- a/actions/update-actions/action.yml +++ b/actions/update-actions/action.yml @@ -42,7 +42,7 @@ runs: fetch-depth: ${{ inputs.checkout-repo-fetch-depth }} - name: Assume role capable of getting token from gati - uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0 + uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0 with: role-to-assume: ${{ inputs.aws-role-arn }} role-duration-seconds: ${{ inputs.aws-role-duration-seconds }} @@ -56,7 +56,7 @@ runs: url: ${{ inputs.aws-lambda-url }} - name: Assume role capable of getting token from gati for updater - uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0 + uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0 with: role-to-assume: ${{ inputs.aws-role-arn-updater }} role-duration-seconds: ${{ inputs.aws-role-duration-seconds }}