From 0c85d214a82e550547afc1363bd357309d7e52a2 Mon Sep 17 00:00:00 2001 From: Nikita Grigorian Date: Thu, 26 Feb 2026 14:27:44 -0800 Subject: [PATCH 1/3] pin GH actions by SHA --- .github/workflows/conda-package.yml | 58 +++++++++---------- .github/workflows/generate-coverage.yaml | 8 +-- .github/workflows/generate-docs.yml | 12 ++-- .github/workflows/openssf-scorecard.yml | 4 +- .github/workflows/os-llvm-sycl-build.yml | 8 +-- .github/workflows/pre-commit.yml | 6 +- .../workflows/run-tests-from-dppy-bits.yaml | 2 +- 7 files changed, 49 insertions(+), 49 deletions(-) diff --git a/.github/workflows/conda-package.yml b/.github/workflows/conda-package.yml index 8d3f6efb75..cbdea6668f 100644 --- a/.github/workflows/conda-package.yml +++ b/.github/workflows/conda-package.yml @@ -31,7 +31,7 @@ jobs: with: access_token: ${{ github.token }} - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 @@ -39,7 +39,7 @@ jobs: run: | echo "pkgs_dirs: [~/.conda/pkgs]" >> ~/.condarc - name: Cache conda packages - uses: actions/cache@v5 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 env: CACHE_NUMBER: 3 # Increase to reset cache with: @@ -69,12 +69,12 @@ jobs: $CHANNELS \ conda-recipe - name: Upload artifact - uses: actions/upload-artifact@v6.0.0 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: ${{ env.PACKAGE_NAME }} ${{ runner.os }} Python ${{ matrix.python }} path: /usr/share/miniconda/conda-bld/linux-64/${{ env.PACKAGE_NAME }}-*.conda - name: Upload wheels artifact - uses: actions/upload-artifact@v6.0.0 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: ${{ env.PACKAGE_NAME }} ${{ runner.os }} Wheels Python ${{ matrix.python }} path: ${{ env.WHEELS_OUTPUT_FOLDER }}${{ env.PACKAGE_NAME }}-*.whl 
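Review bot: The pinned `actions/checkout` step in the `@@ -31,7` hunk of conda-package.yml still passes only `fetch-depth: 0`, so the job token stays available to git for every later step, whereas the checkouts shown for generate-docs.yml and openssf-scorecard.yml in this series set `persist-credentials: false`. Unless a later step outside the hunk needs to push with that token, add `persist-credentials: false` under `with:` here. The same applies to the checkout steps in the `@@ -92,11`, `@@ -531,11`, `@@ -686,12` and `@@ -834,7` hunks of this file and to the ones in generate-coverage.yaml, os-llvm-sycl-build.yml and pre-commit.yml. The job body continues outside the hunk.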
@@ -92,11 +92,11 @@ jobs: with: access_token: ${{ github.token }} - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - - uses: conda-incubator/setup-miniconda@v3 + - uses: conda-incubator/setup-miniconda@fc2d68f6413eb2d87b895e92f8584b5b94a10167 # v3.3.0 with: miniforge-variant: Miniforge3 miniforge-version: latest @@ -112,7 +112,7 @@ jobs: conda list -n base - name: Cache conda packages - uses: actions/cache@v5 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 env: CACHE_NUMBER: 3 # Increase to reset cache with: @@ -137,13 +137,13 @@ jobs: conda build --no-test --python ${{ matrix.python }} --numpy 2.0 -c ${{ env.INTEL_CHANNEL }} -c conda-forge --override-channels conda-recipe - name: Upload artifact - uses: actions/upload-artifact@v6.0.0 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: ${{ env.PACKAGE_NAME }} ${{ runner.os }} Python ${{ matrix.python }} path: ${{ env.CONDA_BLD }}${{ env.PACKAGE_NAME }}-*.conda - name: Upload wheels artifact - uses: actions/upload-artifact@v6.0.0 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: ${{ env.PACKAGE_NAME }} ${{ runner.os }} Wheels Python ${{ matrix.python }} path: ${{ env.WHEELS_OUTPUT_FOLDER }}${{ env.PACKAGE_NAME }}-*.whl @@ -168,7 +168,7 @@ jobs: run: | echo ${{ env.CHANNELS }} - name: Download artifact - uses: actions/download-artifact@v7 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: ${{ env.PACKAGE_NAME }} ${{ runner.os }} Python ${{ matrix.python }} - name: Add conda to system path @@ -197,7 +197,7 @@ jobs: run: | echo "pkgs_dirs: [~/.conda/pkgs]" >> ~/.condarc - name: Cache conda packages - uses: actions/cache@v5 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 env: CACHE_NUMBER: 3 # Increase to reset cache with: 
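Review bot: In the `@@ -92,11` hunk the `conda-incubator/setup-miniconda` step is now pinned by SHA, but its `miniforge-version: latest` input still makes the action fetch whichever installer is newest at run time, so the pin does not cover the code that bootstraps the environment. Consider a fixed release, e.g. `miniforge-version: <pinned-release>` (placeholder), bumped deliberately alongside the action SHA. The same input is visible in the `@@ -269,11` and `@@ -469,16` hunks and in run-tests-from-dppy-bits.yaml.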
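Review bot: The `actions/download-artifact` line in the `@@ -168,7` hunk moves from `@v7` to a SHA labelled `# v8.0.0`, which is a major-version upgrade inside a commit titled as a pure pin, while the producing steps stay on `actions/upload-artifact` `# v6.0.0`. Either pin the commit that `v7` resolved to, or split the upgrade into its own commit after checking the v8 release notes against how these jobs consume the conda and wheel artifacts. The same change is repeated in the `@@ -269,11`, `@@ -425,12`, `@@ -469,16`, `@@ -531,11` and `@@ -710,7` hunks.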
@@ -269,11 +269,11 @@ jobs: echo ${{ env.CHANNELS }} - name: Download artifact - uses: actions/download-artifact@v7 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: ${{ env.PACKAGE_NAME }} ${{ runner.os }} Python ${{ matrix.python }} - - uses: conda-incubator/setup-miniconda@v3 + - uses: conda-incubator/setup-miniconda@fc2d68f6413eb2d87b895e92f8584b5b94a10167 # v3.3.0 with: miniforge-version: latest channels: conda-forge @@ -335,7 +335,7 @@ jobs: run: Get-Content -Path .\lockfile - name: Cache conda packages - uses: actions/cache@v5 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 env: CACHE_NUMBER: 3 # Increase to reset cache with: @@ -425,12 +425,12 @@ jobs: python: ['3.10', '3.11', '3.12', '3.13', '3.14'] steps: - name: Download conda artifact - uses: actions/download-artifact@v7 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: ${{ env.PACKAGE_NAME }} ${{ runner.os }} Python ${{ matrix.python }} - name: Download wheel artifact - uses: actions/download-artifact@v7 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: ${{ env.PACKAGE_NAME }} ${{ runner.os }} Wheels Python ${{ matrix.python }} 
@@ -469,16 +469,16 @@ jobs: python: ['3.10', '3.11', '3.12', '3.13', '3.14'] steps: - name: Download artifact - uses: actions/download-artifact@v7 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: ${{ env.PACKAGE_NAME }} ${{ runner.os }} Python ${{ matrix.python }} - name: Download wheel artifact - uses: actions/download-artifact@v7 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: ${{ env.PACKAGE_NAME }} ${{ runner.os }} Wheels Python ${{ matrix.python }} - - uses: conda-incubator/setup-miniconda@v3 + - uses: conda-incubator/setup-miniconda@fc2d68f6413eb2d87b895e92f8584b5b94a10167 # v3.3.0 with: miniforge-version: latest channels: conda-forge @@ -531,11 +531,11 @@ jobs: conda update -n base --all conda install conda-index -c conda-forge --override-channels - name: Checkout dpctl repo - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Download artifact - uses: actions/download-artifact@v7 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: ${{ env.PACKAGE_NAME }} ${{ runner.os }} Python ${{ matrix.python }} - name: Add conda to system path @@ -559,7 +559,7 @@ jobs: run: | echo "pkgs_dirs: [~/.conda/pkgs]" >> ~/.condarc - name: Cache conda packages - uses: actions/cache@v5 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 env: CACHE_NUMBER: 3 # Increase to reset cache with: @@ -686,12 +686,12 @@ jobs: run: | echo ${{ env.CHANNELS }} - name: Checkout dpctl repo - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Cache array API tests id: cache-array-api-tests - uses: actions/cache@v5 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 env: ARRAY_CACHE: 3 with: 
@@ -710,7 +710,7 @@ jobs: git clone --recurse-submodules https://github.com/data-apis/array-api-tests array-api-tests cd array-api-tests - name: Download artifact - uses: actions/download-artifact@v7 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: ${{ env.PACKAGE_NAME }} ${{ runner.os }} Python ${{ matrix.python }} - name: Add conda to system path @@ -739,7 +739,7 @@ jobs: run: | echo "pkgs_dirs: [~/.conda/pkgs]" >> ~/.condarc - name: Cache conda packages - uses: actions/cache@v5 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 env: CACHE_NUMBER: 3 # Increase to reset cache with: @@ -806,7 +806,7 @@ jobs: run: echo "::notice ${{ env.MESSAGE }}" - name: Post result to PR if: ${{ github.event.pull_request && !github.event.pull_request.head.repo.fork }} - uses: mshick/add-pr-comment@v2 + uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2.8.2 with: message: | ${{ env.MESSAGE }} @@ -822,7 +822,7 @@ jobs: run: shell: bash -el {0} steps: - - uses: conda-incubator/setup-miniconda@v3 + - uses: conda-incubator/setup-miniconda@fc2d68f6413eb2d87b895e92f8584b5b94a10167 # v3.3.0 with: run-post: false channel-priority: "disabled" @@ -834,7 +834,7 @@ jobs: run: conda install anaconda-client -c conda-forge --override-channels - name: Checkout repo - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: IntelPython/devops-tools fetch-depth: 0 diff --git a/.github/workflows/generate-coverage.yaml b/.github/workflows/generate-coverage.yaml index ec1ea335af..b88307fd02 100644 --- a/.github/workflows/generate-coverage.yaml +++ b/.github/workflows/generate-coverage.yaml @@ -20,7 +20,7 @@ jobs: steps: - name: Cancel Previous Runs - uses: styfle/cancel-workflow-action@0.13.0 + uses: styfle/cancel-workflow-action@3155a141048f8f89c06b4cdae32e7853e97536bc # 0.13.0 with: access_token: ${{ github.token }} 
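Review bot: The context lines at the top of the `@@ -710,7` hunk show `git clone --recurse-submodules https://github.com/data-apis/array-api-tests array-api-tests` followed only by `cd array-api-tests`, so the job appears to run whatever that repository's default branch and submodules contain at the time, which the action pins in this commit do not cover. Unless a fixed revision is checked out in a part of the workflow not visible here, follow the clone with `git checkout <commit-sha>` (placeholder for a reviewed commit) and `git submodule update --init --recursive`. The step starts outside the hunk.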
@@ -49,14 +49,14 @@ jobs: sudo apt-get install ninja-build - name: Setup Python - uses: actions/setup-python@v6.2.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.12' architecture: x64 - name: Cache Gtest id: cache-gtest - uses: actions/cache@v5 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: path: | /home/runner/work/googletest-1.15.2/install @@ -80,7 +80,7 @@ jobs: make && make install - name: Checkout repo - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 diff --git a/.github/workflows/generate-docs.yml b/.github/workflows/generate-docs.yml index 7f752e05be..cdd4ff20ae 100644 --- a/.github/workflows/generate-docs.yml +++ b/.github/workflows/generate-docs.yml @@ -18,7 +18,7 @@ jobs: pull-requests: write steps: - name: Cancel Previous Runs - uses: styfle/cancel-workflow-action@0.13.0 + uses: styfle/cancel-workflow-action@3155a141048f8f89c06b4cdae32e7853e97536bc # 0.13.0 with: access_token: ${{ github.token }} - name: Add Intel repository @@ -50,7 +50,7 @@ jobs: sudo apt-get install ninja-build - name: Setup Python if: ${{ !github.event.pull_request || github.event.action != 'closed' }} - uses: actions/setup-python@v6.2.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.10' architecture: x64 @@ -63,7 +63,7 @@ jobs: sphinxcontrib-jsmath sphinx-copybutton sphinxcontrib-spelling \ versioneer[toml]==0.29 - name: Checkout repo - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 persist-credentials: false 
@@ -101,7 +101,7 @@ jobs: git push tokened_docs gh-pages - name: Save built docs as an artifact if: ${{ github.event.pull_request && github.event.pull_request.head.repo.fork && github.event.action != 'closed'}} - uses: actions/upload-artifact@v6.0.0 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: ${{ env.PACKAGE_NAME }} rendered documentation path: ~/docs @@ -146,7 +146,7 @@ jobs: if: ${{ github.event.pull_request && !github.event.pull_request.head.repo.fork && github.event.action != 'closed' }} env: PR_NUM: ${{ github.event.number }} - uses: mshick/add-pr-comment@v2 + uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2.8.2 with: message: | View rendered docs @ https://intelpython.github.io/dpctl/pulls/${{ env.PR_NUM }}/index.html @@ -155,7 +155,7 @@ jobs: if: ${{ github.event.pull_request && !github.event.pull_request.head.repo.fork && github.event.action == 'closed' }} env: PR_NUM: ${{ github.event.number }} - uses: mshick/add-pr-comment@v2 + uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2.8.2 with: message: | Deleted rendered PR docs from intelpython.github.com/dpctl, latest should be updated shortly. :crossed_fingers: diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml index 2d2a93a7d8..df3b2995cd 100644 --- a/.github/workflows/openssf-scorecard.yml +++ b/.github/workflows/openssf-scorecard.yml @@ -34,7 +34,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v5.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false 
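Review bot: The `# vX.Y.Z` comments on the new `uses:` lines are hand-written and nothing in this series checks them against the SHA: the `actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98` pin removed in the openssf-scorecard.yml `@@ -34,7` hunk was labelled `# v5.0.0` here and `# v4.2.2` in pre-commit-autoupdate.yml, and the next hunk only relabels an unchanged `actions/upload-artifact` SHA from `# v4.4.0` to `# v6.0.0`. Before merging, confirm that each SHA is the commit the named tag points to in the action's own repository rather than in a fork, since the comment is what later reviewers will trust. If it is not already enabled, Dependabot for the `github-actions` ecosystem would keep SHA and comment in step on future bumps.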
@@ -61,7 +61,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4.4.0 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: SARIF file path: results.sarif diff --git a/.github/workflows/os-llvm-sycl-build.yml b/.github/workflows/os-llvm-sycl-build.yml index 0be574bacd..c61d2c1a74 100644 --- a/.github/workflows/os-llvm-sycl-build.yml +++ b/.github/workflows/os-llvm-sycl-build.yml @@ -22,7 +22,7 @@ jobs: steps: - name: Cancel Previous Runs - uses: styfle/cancel-workflow-action@0.13.0 + uses: styfle/cancel-workflow-action@3155a141048f8f89c06b4cdae32e7853e97536bc # 0.13.0 with: access_token: ${{ github.token }} @@ -33,7 +33,7 @@ jobs: - name: Cache sycl bundle id: cache-sycl-bundle - uses: actions/cache@v5 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: path: | /home/runner/work/sycl_bundle @@ -99,7 +99,7 @@ jobs: fi - name: Setup Python - uses: actions/setup-python@v6.2.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.12' architecture: x64 @@ -110,7 +110,7 @@ jobs: pip install numpy cython setuptools"<80" pytest scikit-build cmake ninja versioneer[toml]==0.29 - name: Checkout repo - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 6300071a37..7a136e5903 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml 
@@ -12,11 +12,11 @@ jobs: runs-on: ubuntu-24.04 timeout-minutes: 30 steps: - - uses: actions/checkout@v6.0.2 - - uses: actions/setup-python@v6.2.0 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.12' - name: Version of clang-format run: | clang-format --version - - uses: pre-commit/action@v3.0.1 + - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 diff --git a/.github/workflows/run-tests-from-dppy-bits.yaml b/.github/workflows/run-tests-from-dppy-bits.yaml index 0ee861aea1..3a883cf1f1 100644 --- a/.github/workflows/run-tests-from-dppy-bits.yaml +++ b/.github/workflows/run-tests-from-dppy-bits.yaml @@ -96,7 +96,7 @@ jobs: run: | echo ${{ env.CHANNELS }} - - uses: conda-incubator/setup-miniconda@v3 + - uses: conda-incubator/setup-miniconda@fc2d68f6413eb2d87b895e92f8584b5b94a10167 # v3.3.0 with: miniforge-version: latest channels: conda-forge From 2961873e28836478e968acd70b31c96dee0d5daa Mon Sep 17 00:00:00 2001 From: Nikita Grigorian Date: Thu, 26 Feb 2026 01:32:16 -0800 Subject: [PATCH 2/3] fix typo in pre-commit autoupdate workflow --- .github/workflows/pre-commit-autoupdate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pre-commit-autoupdate.yml b/.github/workflows/pre-commit-autoupdate.yml index 2727f554dd..84770153d0 100644 --- a/.github/workflows/pre-commit-autoupdate.yml +++ b/.github/workflows/pre-commit-autoupdate.yml @@ -25,7 +25,7 @@ jobs: pull-requests: write steps: - - name: Checkout DPNP repo + - name: Checkout dpctl repo uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v4.2.2 - name: Set up python From a5f9dec35b2bec021b8a4f42662b8a6204ebd347 Mon Sep 17 00:00:00 2001 
From: Nikita Grigorian Date: Thu, 26 Feb 2026 14:14:37 -0800 Subject: [PATCH 3/3] adjust pre-commit auto-update workflow update actions, fix incorrect tags --- .github/workflows/pre-commit-autoupdate.yml | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/.github/workflows/pre-commit-autoupdate.yml b/.github/workflows/pre-commit-autoupdate.yml index 84770153d0..d3a4ff5e2b 100644 --- a/.github/workflows/pre-commit-autoupdate.yml +++ b/.github/workflows/pre-commit-autoupdate.yml @@ -1,14 +1,11 @@ name: Autoupdate pre-commit on: - # For Branch-Protection check. Only the default branch is supported. See - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection - branch_protection_rule: + workflow_dispatch: # To guarantee Maintained check is occasionally updated. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained schedule: - cron: '28 2 * * 6' # Saturday at 02:28 UTC - workflow_dispatch: permissions: read-all @@ -25,13 +22,13 @@ jobs: pull-requests: write steps: - - name: Checkout dpctl repo - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v4.2.2 + - name: Checkout repo + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v5.6.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: - python-version: '3.13' + python-version: '3.14' - name: Install pre-commit run: pip install pre-commit @@ -40,7 +37,7 @@ jobs: run: pre-commit autoupdate - name: Create a PR with autoupdate changes - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 #v8.1.0 + uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 with: commit-message: 'chore: update pre-commit hooks' add-paths: .pre-commit-config.yaml
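Review bot: The comment kept above `schedule:` in the `@@ -1,14` hunk still says the cron exists so that the Scorecard Maintained check is updated, which reads as copied from the Scorecard workflow and does not describe this one now that the `branch_protection_rule` trigger and its comment are removed. Replace it with something like `# Weekly run that opens a PR when pre-commit hook revisions are out of date.`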
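Review bot: The `Install pre-commit` step at the end of the `@@ -25,13` hunk runs `pip install pre-commit` with no version, in a job that holds `pull-requests: write` and feeds `peter-evans/create-pull-request`, so the tool that rewrites `.pre-commit-config.yaml` is the one dependency in this workflow left floating. Pin it, e.g. `pip install pre-commit==<pinned-version>` (placeholder), or install it from a hash-checked requirements file. The `pre-commit autoupdate` call in the following hunk also writes tag names into `rev:` by default; `pre-commit autoupdate --freeze` would record commit hashes instead, matching what this series does for actions. The job starts outside the hunk.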