diff --git a/.github/workflows/cibuildwheel.yml b/.github/workflows/cibuildwheel.yml index 136322878462..b8cd05367b6a 100644 --- a/.github/workflows/cibuildwheel.yml +++ b/.github/workflows/cibuildwheel.yml @@ -39,11 +39,12 @@ jobs: SDIST_NAME: ${{ steps.sdist.outputs.SDIST_NAME }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - - uses: actions/setup-python@v5 + - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 name: Install Python with: python-version: '3.10' @@ -69,7 +70,7 @@ jobs: run: twine check dist/* - name: Upload sdist result - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: cibw-sdist path: dist/*.tar.gz @@ -132,12 +133,12 @@ jobs: steps: - name: Set up QEMU if: matrix.cibw_archs == 'aarch64' - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 with: platforms: arm64 - name: Download sdist - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: cibw-sdist path: dist/ @@ -201,7 +202,7 @@ jobs: unset PIP_CONSTRAINT if: matrix.cibw_archs != 'aarch64' && matrix.os != 'windows-latest' - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: cibw-wheels-${{ runner.os }}-${{ matrix.cibw_archs }} path: ./wheelhouse/*.whl @@ -219,7 +220,7 @@ jobs: contents: read steps: - name: Download packages - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: pattern: cibw-* path: dist diff --git a/.github/workflows/circleci.yml b/.github/workflows/circleci.yml index a64b312e8246..e0ed6adf4e65 100644 --- a/.github/workflows/circleci.yml 
+++ b/.github/workflows/circleci.yml @@ -28,16 +28,20 @@ jobs: runs-on: ubuntu-latest name: Post warnings/errors as review steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Fetch result artifacts id: fetch-artifacts + env: + target_url: "${{ github.event.target_url }}" run: | - python .circleci/fetch_doc_logs.py "${{ github.event.target_url }}" + python .circleci/fetch_doc_logs.py "${target_url}" - name: Set up reviewdog if: "${{ steps.fetch-artifacts.outputs.count != 0 }}" - uses: reviewdog/action-setup@v1 + uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887 # v1.3.0 with: reviewdog_version: latest diff --git a/.github/workflows/clean_pr.yml b/.github/workflows/clean_pr.yml index 77e49f7c1d9e..fc9021c920c0 100644 --- a/.github/workflows/clean_pr.yml +++ b/.github/workflows/clean_pr.yml @@ -10,9 +10,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: '0' + persist-credentials: false - name: Check for added-and-deleted files run: | git fetch --quiet origin "$GITHUB_BASE_REF" diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 203b0eee9ca4..4bf3e680f7b0 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -26,10 +26,12 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6 with: languages: ${{ matrix.language }} 
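Review bot: `reviewdog_version: latest` in the "Set up reviewdog" step still lets the installed binary change between runs, so pinning `reviewdog/action-setup` to a commit fixes only the installer code and not the tool it downloads. Set the input to a fixed release, e.g. `reviewdog_version: <release tag chosen by the maintainers>`, and bump it together with the action pin. The trailing comment also disagrees with the other files: the SHA `3f401fe1d58fe77e10d665ab713057375e39b887` is labelled `# v1.3.0` here but `# v1.3.9` in mypy-stubtest.yml and reviewdog.yml, so one of the labels is wrong and should be checked against the upstream tag.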
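Review bot: With `persist-credentials: false` on the clean_pr.yml checkout, the later `git fetch --quiet origin "$GITHUB_BASE_REF"` in "Check for added-and-deleted files" runs without the job token, which works only while the repository is publicly readable. A short comment on the checkout step would record that dependency, e.g. `# token is not kept in .git/config; the fetch below is anonymous`. The run script continues outside the hunk, so any further git network calls there are affected the same way.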
@@ -40,4 +42,4 @@ jobs: pip install --user -v . - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6 diff --git a/.github/workflows/conflictcheck.yml b/.github/workflows/conflictcheck.yml index 3110839e5150..b018101f325c 100644 --- a/.github/workflows/conflictcheck.yml +++ b/.github/workflows/conflictcheck.yml @@ -9,12 +9,11 @@ on: pull_request_target: types: [synchronize] -permissions: - pull-requests: write - jobs: main: runs-on: ubuntu-latest + permissions: + pull-requests: write steps: - name: Check if PRs have merge conflicts uses: eps1lon/actions-label-merge-conflict@1b1b1fcde06a9b3d089f3464c96417961dde1168 # v3.0.2 diff --git a/.github/workflows/cygwin.yml b/.github/workflows/cygwin.yml index 5dee68597d5c..bde902013412 100644 --- a/.github/workflows/cygwin.yml +++ b/.github/workflows/cygwin.yml @@ -79,11 +79,12 @@ jobs: - name: Fix line endings run: git config --global core.autocrlf input - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - - uses: cygwin/cygwin-install-action@v4 + - uses: cygwin/cygwin-install-action@006ad0b0946ca6d0a3ea2d4437677fa767392401 # v4 with: packages: >- ccache gcc-g++ gdb git graphviz libcairo-devel libffi-devel 
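Review bot: After the move to job level, this `pull_request_target` workflow (conflictcheck.yml) has no workflow-level `permissions:` key at all, so any job added later without its own block would receive the repository's default token scopes. Keep a deny-by-default line at the top, `permissions: {}`, and leave the `pull-requests: write` grant on `main` as the hunk has it. The same applies to pr_welcome.yml, where the top-level block is removed in the same way. Whether further jobs exist below the visible lines of either file cannot be seen from the hunks.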
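Review bot: The comment on `cygwin/cygwin-install-action@006ad0b0946ca6d0a3ea2d4437677fa767392401 # v4` names a major tag rather than a release, unlike the other pins in this commit, so a reader cannot tell which release the SHA was taken from or whether an update is due. If upstream publishes full version tags, put that tag in the comment; if it only publishes `v4`, say so explicitly, e.g. `# v4 (moving tag, resolved <date>)`.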
@@ -139,21 +140,21 @@ jobs: # FreeType build fails with bash, succeeds with dash - name: Cache pip - uses: actions/cache@v4 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 with: path: C:\cygwin\home\runneradmin\.cache\pip key: Cygwin-py3.${{ matrix.python-minor-version }}-pip-${{ hashFiles('requirements/*/*.txt') }} restore-keys: ${{ matrix.os }}-py3.${{ matrix.python-minor-version }}-pip- - name: Cache ccache - uses: actions/cache@v4 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 with: path: C:\cygwin\home\runneradmin\.ccache key: Cygwin-py3.${{ matrix.python-minor-version }}-ccache-${{ hashFiles('src/*') }} restore-keys: Cygwin-py3.${{ matrix.python-minor-version }}-ccache- - name: Cache Matplotlib - uses: actions/cache@v4 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 with: path: | C:\cygwin\home\runneradmin\.cache\matplotlib diff --git a/.github/workflows/do_not_merge.yml b/.github/workflows/do_not_merge.yml index dde5bfb5ec81..d8664df9ba9a 100644 --- a/.github/workflows/do_not_merge.yml +++ b/.github/workflows/do_not_merge.yml @@ -23,7 +23,6 @@ jobs: echo "This PR cannot be merged because it has one of the following labels: " echo "* status: needs comment/discussion" echo "* status: waiting for other PR" - echo "${{env.has_tag}}" exit 1 - name: Allow merging if: ${{'false' == env.has_tag}} diff --git a/.github/workflows/good-first-issue.yml b/.github/workflows/good-first-issue.yml index 8905511fc01d..cc15717e3351 100644 --- a/.github/workflows/good-first-issue.yml +++ b/.github/workflows/good-first-issue.yml @@ -12,7 +12,7 @@ jobs: issues: write steps: - name: Add comment - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: issue-number: ${{ github.event.issue.number }} body: | diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index dc7a0716bfe8..8e2002353164 100644 
--- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -10,6 +10,6 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: - - uses: actions/labeler@v5 + - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 with: sync-labels: true diff --git a/.github/workflows/mypy-stubtest.yml b/.github/workflows/mypy-stubtest.yml index 5b29a93b7533..57acc3616ae6 100644 --- a/.github/workflows/mypy-stubtest.yml +++ b/.github/workflows/mypy-stubtest.yml @@ -4,22 +4,25 @@ on: [pull_request] permissions: contents: read - checks: write jobs: mypy-stubtest: name: mypy-stubtest runs-on: ubuntu-latest + permissions: + checks: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up Python 3 - uses: actions/setup-python@v5 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: '3.10' - name: Set up reviewdog - uses: reviewdog/action-setup@v1 + uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887 # v1.3.9 - name: Install tox run: python -m pip install tox diff --git a/.github/workflows/pr_welcome.yml b/.github/workflows/pr_welcome.yml index 533f676a0fab..3bb172ca70e7 100644 --- a/.github/workflows/pr_welcome.yml +++ b/.github/workflows/pr_welcome.yml @@ -3,15 +3,13 @@ name: PR Greetings on: [pull_request_target] -permissions: - pull-requests: write - jobs: greeting: runs-on: ubuntu-latest - + permissions: + pull-requests: write steps: - - uses: actions/first-interaction@v1 + - uses: actions/first-interaction@34f15e814fe48ac9312ccf29db4e74fa767cbab7 # v1.3.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} pr-message: >+ diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml index 12b59d866e42..24980f7a075b 100644 --- a/.github/workflows/reviewdog.yml +++ b/.github/workflows/reviewdog.yml 
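Review bot: A job-level `permissions:` block replaces the workflow-level one rather than adding to it, so with only `checks: write` listed the `mypy-stubtest` job ends up with no `contents` access even though the file still declares `contents: read` at the top. Checkout presumably keeps working because the repository is public, but the intent is clearer and runs in private forks or mirrors are safer with both scopes in the job: `contents: read` next to `checks: write` under the job's `permissions:`. The `flake8`, `mypy` and `eslint` jobs in reviewdog.yml have the same shape.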
@@ -4,18 +4,20 @@ on: [pull_request] permissions: contents: read - checks: write - pull-requests: write jobs: flake8: name: flake8 runs-on: ubuntu-latest + permissions: + checks: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up Python 3 - uses: actions/setup-python@v5 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: '3.10' @@ -23,7 +25,7 @@ jobs: run: pip3 install -r requirements/testing/flake8.txt - name: Set up reviewdog - uses: reviewdog/action-setup@v1 + uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887 # v1.3.9 - name: Run flake8 env: @@ -36,11 +38,15 @@ jobs: mypy: name: mypy runs-on: ubuntu-latest + permissions: + checks: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up Python 3 - uses: actions/setup-python@v5 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: '3.10' @@ -48,7 +54,7 @@ jobs: run: pip3 install -r requirements/testing/mypy.txt -r requirements/testing/all.txt - name: Set up reviewdog - uses: reviewdog/action-setup@v1 + uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887 # v1.3.9 - name: Run mypy env: @@ -63,11 +69,15 @@ jobs: eslint: name: eslint runs-on: ubuntu-latest + permissions: + checks: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: eslint - uses: reviewdog/action-eslint@v1 + uses: reviewdog/action-eslint@9b5b0150e399e1f007ee3c27bc156549810a64e3 # v1.33.0 with: filter_mode: nofilter github_token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/stale-tidy.yml b/.github/workflows/stale-tidy.yml index 92a81ee856e4..ab16c9f1fa1c 100644 
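Review bot: The `eslint` job passes `github_token` to `reviewdog/action-eslint`, yet after this change no job in reviewdog.yml is granted `pull-requests: write`; the `reporter` input is not visible in the hunk, so if it is a pull-request review reporter the job may no longer be able to post its comments. Confirm that the reporter only needs the Checks API, or add `pull-requests: write` to that one job. The `with:` block continues past the end of the hunk.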
--- a/.github/workflows/stale-tidy.yml +++ b/.github/workflows/stale-tidy.yml @@ -9,7 +9,7 @@ jobs: if: github.repository == 'matplotlib/matplotlib' runs-on: ubuntu-latest steps: - - uses: actions/stale@v9 + - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} operations-per-run: 300 diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index c606d4288bd2..4dc964a0ea73 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -9,7 +9,7 @@ jobs: if: github.repository == 'matplotlib/matplotlib' runs-on: ubuntu-latest steps: - - uses: actions/stale@v9 + - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} operations-per-run: 20 diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 9692e0e9a7c7..47f6a09eb72d 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -111,12 +111,13 @@ jobs: pyside6-ver: '!=6.5.1' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 if: matrix.python-version != '3.13t' with: python-version: ${{ matrix.python-version }} @@ -204,7 +205,7 @@ jobs: esac - name: Cache pip - uses: actions/cache@v4 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 if: startsWith(runner.os, 'Linux') with: path: ~/.cache/pip @@ -212,7 +213,7 @@ jobs: restore-keys: | ${{ matrix.os }}-py${{ matrix.python-version }}-pip- - name: Cache pip - uses: actions/cache@v4 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 if: startsWith(runner.os, 'macOS') with: path: ~/Library/Caches/pip 
@@ -220,7 +221,7 @@ jobs: restore-keys: | ${{ matrix.os }}-py${{ matrix.python-version }}-pip- - name: Cache ccache - uses: actions/cache@v4 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 with: path: | ~/.ccache @@ -228,7 +229,7 @@ jobs: restore-keys: | ${{ matrix.os }}-py${{ matrix.python-version }}-ccache- - name: Cache Matplotlib - uses: actions/cache@v4 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 with: path: | ~/.cache/matplotlib @@ -409,12 +410,12 @@ jobs: fi - name: Upload code coverage if: ${{ !cancelled() && github.event_name != 'schedule' }} - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@7f8b4b4bde536c465e797be725718b88c5d95e0e # v5.1.1 with: name: "${{ matrix.python-version }} ${{ matrix.os }} ${{ matrix.name-suffix }}" token: ${{ secrets.CODECOV_TOKEN }} - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 if: failure() with: name: "${{ matrix.python-version }} ${{ matrix.os }} ${{ matrix.name-suffix }} result images" @@ -431,7 +432,7 @@ jobs: steps: - name: Create issue on failure - uses: imjohnbo/issue-bot@v3 + uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd # v3.4.4 with: title: "[TST] Upcoming dependency test failures" body: |