diff --git a/.github/dependabot.yml b/.github/dependabot.yml index b1c4d80b13..c86dd26fd5 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -8,3 +8,5 @@ updates: labels: - "Github CI/CD" - "no releasenotes" + cooldown: + default-days: 7 diff --git a/.github/workflows/devcontainer-docker-image.yml b/.github/workflows/devcontainer-docker-image.yml index 1714ad8427..6ca56d7c3b 100644 --- a/.github/workflows/devcontainer-docker-image.yml +++ b/.github/workflows/devcontainer-docker-image.yml @@ -23,16 +23,16 @@ jobs: steps: - name: Checkout source - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: Setup Docker buildx - uses: docker/setup-buildx-action@v3.10.0 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Prepare metadata id: meta - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 + uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | @@ -40,7 +40,7 @@ jobs: type=raw,value=latest - name: Log into registry ${{ env.REGISTRY }} - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -48,7 +48,7 @@ jobs: - name: Build and push Docker image id: docker_build - uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: . file: scripts/dev.Dockerfile diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index aa4ab345a4..fc0f4f7a5e 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml 
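Review bot: The new `cooldown:` / `default-days: 7` keys in the `.github/dependabot.yml` hunk have no comment explaining why updates are held back. The delay matters more now that the rest of this commit pins actions to commit SHAs, because Dependabot becomes the only thing moving those pins forward. If the intent is to let a bad upstream release surface before it is adopted, I would say so above the key, for example `# hold version-update PRs for 7 days so a bad upstream release can be caught before we adopt it`. As far as I know, GitHub does not raise Dependabot alerts for actions referenced by SHA, so a fix for a vulnerable action would arrive only through the delayed version update unless someone bumps the pin by hand. The `updates:` entry starts outside the hunk, so the ecosystem it applies to is only inferred from the "Github CI/CD" label.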
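Review bot: In the `devcontainer-docker-image.yml` hunks the trailing `# v5.0.0`, `# v3.11.1`, `# v5.9.0`, `# v3.6.0` and `# v6.18.0` comments are the only thing tying each 40-character ref to a release, and nothing visible here checks them. The same lines also change versions (`docker/setup-buildx-action` was `@v3.10.0`), so this brings new third-party code into a job that logs in to a registry and pushes an image. Before merge, each SHA should be checked against the tag of the same name in the upstream repository itself, not a fork. The same applies to every other pinned `uses:` line in this commit. Splitting the work into a pin-only commit and a separate version-bump commit would make that check much easier to review.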
@@ -13,19 +13,19 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: Login to Docker Hub - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 + uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0 with: images: | name=pymc/pymc,enable=true @@ -36,7 +36,7 @@ jobs: type=semver,pattern={{major}}.{{minor}} - name: Build and load image - uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: . file: scripts/Dockerfile @@ -48,7 +48,7 @@ jobs: docker run --rm ${{ env.CONTAINER_NAME }} conda run -n pymc-dev python -c 'import pymc;print(pymc.__version__)' - name: Build and push - uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: . push: true diff --git a/.github/workflows/mypy.yml b/.github/workflows/mypy.yml index 4a2d072b9e..cb5bf370b4 100644 --- a/.github/workflows/mypy.yml +++ b/.github/workflows/mypy.yml 
@@ -12,10 +12,10 @@ jobs: mypy: runs-on: ubuntu-latest steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - uses: mamba-org/setup-micromamba@v2 + - uses: mamba-org/setup-micromamba@add3a49764cedee8ee24e82dfde87f5bc2914462 # v2.0.7 with: environment-file: conda-envs/environment-test.yml create-args: >- diff --git a/.github/workflows/pr-auto-label.yml b/.github/workflows/pr-auto-label.yml index db81b3f1a6..e3ba52d1c4 100644 --- a/.github/workflows/pr-auto-label.yml +++ b/.github/workflows/pr-auto-label.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Sync labels with closing issues - uses: williambdean/closing-labels@v0.0.4 + uses: williambdean/closing-labels@7a4384e0e725b80eee0142265d36c1332fda5f7a # v0.0.6 with: exclude: "help wanted,needs info,beginner friendly" env: diff --git a/.github/workflows/publish-release-notes-to-discourse.yml b/.github/workflows/publish-release-notes-to-discourse.yml index 08c22903ab..9c09dd2355 100644 --- a/.github/workflows/publish-release-notes-to-discourse.yml +++ b/.github/workflows/publish-release-notes-to-discourse.yml @@ -11,12 +11,12 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: "3.11" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c418d0bba9..67385c5f76 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -16,11 +16,11 @@ jobs: attestations: write id-token: write steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 persist-credentials: false - - uses: hynek/build-and-inspect-python-package@b5076c307dc91924a82ad150cdd1533b444d3310 # v2.12.0 + - uses: hynek/build-and-inspect-python-package@efb823f52190ad02594531168b7a2d5790e66516 # v2.14.0 with: # Prove that the packages were built in the context of this workflow. attest-build-provenance-github: true @@ -38,12 +38,12 @@ jobs: id-token: write steps: - name: Download Distribution Artifacts - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: # The build-and-inspect-python-package action invokes upload-artifact. # These are the correct arguments from that action. name: Packages path: dist - name: Publish Package to PyPI - uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 # Implicitly attests that the packages were uploaded in the context of this workflow. diff --git a/.github/workflows/rtd-link-preview.yml b/.github/workflows/rtd-link-preview.yml index 62ba591070..bf6628f868 100644 --- a/.github/workflows/rtd-link-preview.yml +++ b/.github/workflows/rtd-link-preview.yml @@ -11,6 +11,6 @@ jobs: permissions: pull-requests: write steps: - - uses: readthedocs/actions/preview@v1 + - uses: readthedocs/actions/preview@b8bba1484329bda1a3abe986df7ebc80a8950333 # v1.5 with: project-slug: "pymc" diff --git a/.github/workflows/slash_dispatch.yml b/.github/workflows/slash_dispatch.yml index 0f6faf35e1..8fc1ddf34d 100644 --- a/.github/workflows/slash_dispatch.yml +++ b/.github/workflows/slash_dispatch.yml 
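Review bot: The publish job in `release.yml` now downloads with `actions/download-artifact` at the commit labelled `# v6.0.0`, two major versions past the previous `# v4.3.0`. The artifact itself is uploaded inside `hynek/build-and-inspect-python-package` (now labelled `# v2.14.0`), as the existing comment in the hunk says. The `name: Packages` and `path: dist` inputs are unchanged, so the layout is probably the same, but that depends on the upload side, which is not visible here. Because this job holds `id-token: write` and publishes to PyPI, I would confirm on a test tag or dry run that `dist/` contains the expected files before the next real release. Both job bodies start and end outside the hunks.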
@@ -7,7 +7,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Slash Command Dispatch - uses: peter-evans/slash-command-dispatch@v4 + uses: peter-evans/slash-command-dispatch@13bc09769d122a64f75aa5037256f6f2d78be8c4 # v4.0.0 with: token: ${{ secrets.ACTION_TRIGGER_TOKEN }} issue-type: pull-request diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 2542cf4fc0..558ca63778 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -31,11 +31,11 @@ jobs: outputs: changes: ${{ steps.changes.outputs.src }} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 persist-credentials: false - - uses: dorny/paths-filter@v3 + - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: changes with: filters: | @@ -151,10 +151,10 @@ jobs: run: shell: bash -leo pipefail {0} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - uses: mamba-org/setup-micromamba@v2 + - uses: mamba-org/setup-micromamba@add3a49764cedee8ee24e82dfde87f5bc2914462 # v2.0.7 with: environment-file: conda-envs/environment-test.yml create-args: >- @@ -171,7 +171,7 @@ jobs: run: | python -m pytest -vv --cov=pymc --cov-report=xml --no-cov-on-fail --cov-report term --durations=50 $TEST_SUBSET - name: Upload coverage to Codecov - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 with: token: ${{ secrets.CODECOV_TOKEN }} # use token for more robust uploads env_vars: TEST_SUBSET 
@@ -201,10 +201,10 @@ jobs: run: shell: cmd /C call {0} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - uses: mamba-org/setup-micromamba@v2 + - uses: mamba-org/setup-micromamba@add3a49764cedee8ee24e82dfde87f5bc2914462 # v2.0.7 with: environment-file: conda-envs/windows-environment-test.yml create-args: >- @@ -223,7 +223,7 @@ jobs: run: >- python -m pytest -vv --cov=pymc --cov-report=xml --no-cov-on-fail --cov-report term --durations=50 %TEST_SUBSET% - name: Upload coverage to Codecov - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 with: token: ${{ secrets.CODECOV_TOKEN }} # use token for more robust uploads env_vars: TEST_SUBSET @@ -261,10 +261,10 @@ jobs: run: shell: bash -leo pipefail {0} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - uses: mamba-org/setup-micromamba@v2 + - uses: mamba-org/setup-micromamba@add3a49764cedee8ee24e82dfde87f5bc2914462 # v2.0.7 with: environment-file: conda-envs/environment-test.yml create-args: >- @@ -281,7 +281,7 @@ jobs: run: | python -m pytest -vv --cov=pymc --cov-report=xml --no-cov-on-fail --cov-report term --durations=50 $TEST_SUBSET - name: Upload coverage to Codecov - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 with: token: ${{ secrets.CODECOV_TOKEN }} # use token for more robust uploads env_vars: TEST_SUBSET 
@@ -311,10 +311,10 @@ jobs: run: shell: bash -leo pipefail {0} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - uses: mamba-org/setup-micromamba@v2 + - uses: mamba-org/setup-micromamba@add3a49764cedee8ee24e82dfde87f5bc2914462 # v2.0.7 with: environment-file: conda-envs/environment-alternative-backends.yml create-args: >- @@ -331,7 +331,7 @@ jobs: run: | python -m pytest -vv --cov=pymc --cov-report=xml --no-cov-on-fail --cov-report term --durations=50 $TEST_SUBSET - name: Upload coverage to Codecov - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 with: token: ${{ secrets.CODECOV_TOKEN }} # use token for more robust uploads env_vars: TEST_SUBSET @@ -357,10 +357,10 @@ jobs: run: shell: cmd /C call {0} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - uses: mamba-org/setup-micromamba@v2 + - uses: mamba-org/setup-micromamba@add3a49764cedee8ee24e82dfde87f5bc2914462 # v2.0.7 with: environment-file: conda-envs/windows-environment-test.yml create-args: >- @@ -379,7 +379,7 @@ jobs: run: >- python -m pytest -vv --cov=pymc --cov-report=xml --no-cov-on-fail --cov-report term --durations=50 %TEST_SUBSET% - name: Upload coverage to Codecov - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 with: token: ${{ secrets.CODECOV_TOKEN }} # use token for more robust uploads env_vars: TEST_SUBSET diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index b747897eb8..cb5fd714c1 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml 
@@ -15,11 +15,11 @@ jobs: security-events: write steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - uses: hynek/setup-cached-uv@v2 + - uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817 # v2.3.0 - name: Run zizmor 🌈 run: uvx zizmor --format sarif . > results.sarif @@ -27,7 +27,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2 with: # Path to SARIF file relative to the root of the repository sarif_file: results.sarif
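Review bot: The `run: uvx zizmor --format sarif . > results.sarif` step in `zizmor.yml` still resolves whatever zizmor release is current at run time, which is inconsistent with the SHA pinning this commit applies to the `uses:` lines around it. The tool runs in a job with `security-events: write` and a `GH_TOKEN`, so it deserves the same treatment. Something like `run: uvx zizmor@<PINNED_VERSION> --format sarif . > results.sarif` (placeholder version) would fix the input, with the pin bumped by hand when a new release has been reviewed. The `upload-sarif` step also crosses a major version (`@v3` to the commit labelled `# v4.31.2`), so it is worth confirming that the first run after merge still uploads results.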