diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 09f461b..b731c62 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -5,13 +5,21 @@ on: branches: [ master ] workflow_dispatch: +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: {} # Deny all permissions by default at workflow level + jobs: test-build: runs-on: ubuntu-latest steps: # 1 – Check out the code - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false # 2 – Expose the version tag as $PACKAGE_VERSION (only if this is a v* tag ref) - name: Set environment package version from tag @@ -25,20 +33,20 @@ jobs: fi # 3 – Set up Python - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' cache: 'pip' # 4 – Set up Node.js - - uses: actions/setup-node@v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: '24.x' cache: 'npm' # 5 – Set up JDK 17 and enable sbt cache - name: Set up JDK 17 - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'temurin' java-version: '17' @@ -46,7 +54,7 @@ jobs: # 6 – Install sbt 1.12.4 - name: Set up sbt - uses: sbt/setup-sbt@v1 + uses: sbt/setup-sbt@508b753e53cb6095967669e0911487d2b9bc9f41 # v1.1.22 with: sbt-runner-version: '1.12.4' diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index b0a9653..e73fa11 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml 
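Review bot: The new workflow-level `permissions: {}` leaves the `test-build` job with a GITHUB_TOKEN that has no scopes, and the job declares no `permissions:` of its own; checkout still succeeds on a public repository, but on a private one, or if any of the steps after this hunk reach the repository through the token, the job would fail with a 403. Declare the minimum the job needs explicitly under `test-build:`, i.e. `permissions:` with `contents: read` nested beneath it, so the intent survives later edits to the job. The same pattern appears in the `check-code` job in checks.yml, `build-publish` in publish.yml and `bump-version` in release.yml below. The remaining steps of `test-build` continue past the end of this hunk.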
@@ -11,21 +11,29 @@ on: # Allows you to run this workflow manually from the Actions tab workflow_dispatch: +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: {} # Deny all permissions by default at workflow level + jobs: check-code: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Node.js environment - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24.x cache: yarn cache-dependency-path: yarn.lock - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 132a6b3..5ba42a2 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -5,6 +5,12 @@ on: tags: - 'v*' # runs only when you push tags like v1.2.3 +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: {} # Deny all permissions by default at workflow level + jobs: build-publish: runs-on: ubuntu-latest @@ -14,7 +20,9 @@ jobs: steps: # 1 – Check out the repo - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false # 2 – Expose the tag (e.g. 1.2.3) as $PACKAGE_VERSION - name: Set environment package version from tag 
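Review bot: With `permissions: {}` now set at workflow level in publish.yml, the `build-publish` job only works if it declares `id-token: write` itself for the Trusted Publishing step 9 (plus `contents: read` if the repository is private); the job's `permissions:` block, if it has one, sits in the lines between `runs-on` and `steps:` that this hunk does not show. Trusted Publishing has always required an explicit `id-token: write`, so the block is probably already there; the check is worth making only because the former default scopes no longer apply to anything else in the job after this commit.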
@@ -24,28 +32,26 @@ jobs: echo "PACKAGE_VERSION=${ref#v}" >> "$GITHUB_ENV" # 3 – Set up Python - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' - cache: 'pip' # 4 – Set up Node.js - - uses: actions/setup-node@v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: '24.x' - cache: 'npm' + package-manager-cache: false # 5 – Set up JDK 17 and enable sbt cache - name: Set up JDK 17 - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'temurin' java-version: '17' - cache: 'sbt' # 6 – Install sbt 1.12.4 - name: Set up sbt - uses: sbt/setup-sbt@v1 + uses: sbt/setup-sbt@508b753e53cb6095967669e0911487d2b9bc9f41 # v1.1.22 with: sbt-runner-version: '1.12.4' @@ -59,4 +65,4 @@ jobs: # 9 – Publish to PyPI (Trusted Publishing) - name: Publish distribution to PyPI 🚀 - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 118856a..6b43d4f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
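Review bot: The context comment `# 5 – Set up JDK 17 and enable sbt cache` is now stale, since this hunk removes `cache: 'sbt'` from the setup-java step (and `cache: 'pip'` and `cache: 'npm'` above it); change it to `# 5 – Set up JDK 17`. Dropping the caches only in the publish workflow while build.yml keeps them looks deliberate, presumably so that a cache entry written by another branch or pull request is never restored into a release build, but nothing in the file records that and the next maintainer may re-add them for speed. A one-line comment above step 3 such as `# Dependency caches are intentionally disabled on the release path (build.yml keeps the cached variant)` would preserve the intent.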
@@ -8,25 +8,36 @@ on: required: true default: "patch" +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: {} # Deny all permissions by default at workflow level + jobs: bump-version: runs-on: ubuntu-latest + environment: tag-release steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' - name: Install release tooling run: python -m pip install bump2version - name: Bump and tag + env: + BUMP: ${{ github.event.inputs.bump }} run: | git config --local user.email "swan-admins@cern.ch" git config --local user.name "swan-admins[bot]" - bump2version ${{ github.event.inputs.bump }} + bump2version ${BUMP} - name: Push changes - uses: ad-m/github-push-action@master - with: - github_token: ${{ secrets.WORKFLOW_ACCESS_TOKEN }} - tags: true + env: + WORKFLOW_ACCESS_TOKEN: ${{ secrets.WORKFLOW_ACCESS_TOKEN }} + REF_NAME: ${{ github.ref_name }} + run: | + git remote set-url origin "https://x-access-token:${WORKFLOW_ACCESS_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" + git push origin "${REF_NAME}" --tags --atomic
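Review bot: The `git remote set-url origin "https://x-access-token:${WORKFLOW_ACCESS_TOKEN}@..."` line writes the PAT into `.git/config` on the runner, where it stays on disk for the rest of the job, which undercuts the `persist-credentials: false` this same workflow sets on checkout. Push to the URL without persisting it instead, `git push "https://x-access-token:${WORKFLOW_ACCESS_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "${REF_NAME}" --tags --atomic`, and drop the `set-url` line. The new `cancel-in-progress: true` also means a second manual dispatch cancels a release that is part-way through bumping and pushing; for this workflow `cancel-in-progress: false`, so that runs queue rather than cancel, is the safer setting. Minor: quote the expansion as `bump2version "${BUMP}"` to match the quoting used on the push line.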