ci: pin actions (#11)

Ravencentric · web-flow · commit b4ee4044225e · 2025-05-11T01:13:04.000+05:30
* ci: pin actions

* fix: remove windows arm
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -24,22 +24,25 @@ jobs:
     permissions:
       pages: write
       id-token: write
+      contents: read
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
-      - uses: astral-sh/setup-uv@v6
+      - uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1
       - run: uv run mkdocs build --strict
 
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
         with:
           path: './site'
 
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -3,52 +3,64 @@ name: Build
 on:
   push:
     tags:
-      - 'v*.*.*'
+      - 'v[0-9].[0-9]+.[0-9]+'
   workflow_dispatch:
   pull_request:
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
   build_wheels:
     name: Build wheels on ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     strategy:
       matrix:
         # macos-13 is an intel runner, macos-14 is apple silicon
         os: [ubuntu-latest, ubuntu-24.04-arm, windows-latest, macos-13, macos-14]
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v6
+        uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1
+        with:
+          enable-cache: false
 
       - name: Build wheels
-        uses: pypa/cibuildwheel@v2.23.3
+        uses: pypa/cibuildwheel@faf86a6ed7efa889faf6996aa23820831055001a # v2.23.3
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: cibw-wheels-${{ matrix.os }}-${{ strategy.job-index }}
           path: ./wheelhouse/*.whl
 
   build_sdist:
+    if: ${{ startsWith(github.ref, 'refs/tags/') }}
     name: Build sdist
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
 
     - name: Build sdist
       run: pipx run build --sdist
 
-    - uses: actions/upload-artifact@v4
+    - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: cibw-sdist
         path: dist/*.tar.gz
   
   publish:
+    if: ${{ startsWith(github.ref, 'refs/tags/') }}
     needs: [build_wheels, build_sdist]
     environment: pypi
     permissions:
@@ -57,33 +69,37 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         fetch-depth: 0 # Required for changelog
+        persist-credentials: false
 
-    - uses: actions/download-artifact@v4
+    - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       with:
         pattern: cibw-*
         path: dist
         merge-multiple: true
     
     - name: Upload to PyPI
-      if: ${{ startsWith(github.ref, 'refs/tags/') }}
-      uses: pypa/gh-action-pypi-publish@release/v1
+      uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
       with:
         skip-existing: true
 
-    - name: Generate changelog with git-cliff
-      uses: tj-actions/git-cliff@v1
-      with:
-        args: --latest --strip all
-        output: "CHANGELOG.md"
+    - name: Generate a changelog
+      shell: bash
+      run: >-
+        pipx run git-cliff --config .github/cliff-template.toml
+        --github-repo "${GH_REPO}"
+        --github-token "${GH_TOKEN}"
+        --latest --output "CHANGELOG.md"
+      env:
+        GH_TOKEN: ${{ github.token }}
+        GH_REPO: ${{ github.repository }}
 
-    - name: Create Github release
-      if: ${{ startsWith(github.ref, 'refs/tags/') }}
-      uses: ncipollo/release-action@v1
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-        bodyFile: "CHANGELOG.md"
-        draft: false
-        prerelease: false
+
+    - name: Create Release
+      shell: bash
+      run: gh release create "${GH_REF_NAME}" -F "CHANGELOG.md" --fail-on-no-commits
+      env:
+        GH_TOKEN: ${{ github.token }}
+        GH_REF_NAME: ${{ github.ref_name }}
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -35,10 +35,14 @@ jobs:
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: |
               3.9
@@ -50,5 +54,5 @@ jobs:
               pypy3.10
               pypy3.11
 
-      - uses: astral-sh/setup-uv@v6
+      - uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1
       - run: uv run nox
