Merge pull request #4019 from dopplershift/update-actions

dcamron · web-flow · commit 0d99aa2aeed1 · 2026-03-26T15:18:05.000-06:00
Update GitHub Actions configurations
diff --git a/.github/actions/build-docs/action.yml b/.github/actions/build-docs/action.yml
@@ -59,7 +59,7 @@ runs:
 
     - name: Upload docs as artifact
       if: ${{ always() && inputs.key != '' }}
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
       with:
         name: ${{ inputs.key }}-docs
         path: |
diff --git a/.github/actions/install-conda/action.yml b/.github/actions/install-conda/action.yml
@@ -16,7 +16,7 @@ runs:
   using: composite
   steps:
     - name: Set up Python ${{ inputs.python-version }}
-      uses: mamba-org/setup-micromamba@v2
+      uses: mamba-org/setup-micromamba@add3a49764cedee8ee24e82dfde87f5bc2914462 # v2.0.7
       with:
         # Name is needed for caching
         environment-name: CI
diff --git a/.github/actions/install-pypi/action.yml b/.github/actions/install-pypi/action.yml
@@ -28,7 +28,7 @@ runs:
   using: composite
   steps:
     - name: Set up Python ${{ inputs.python-version }}
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: ${{ inputs.python-version }}
         cache: 'pip'
diff --git a/.github/actions/run-tests/action.yml b/.github/actions/run-tests/action.yml
@@ -44,14 +44,14 @@ runs:
 
     - name: Upload test images
       if: failure()
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
       with:
         name: ${{ inputs.key }}-images
         path: test_output/
 
     - name: Upload coverage artifact
       if: ${{ inputs.upload-coverage == 'true' }}
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
       with:
         name: ${{ inputs.key }}
         path: coverage.xml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -6,6 +6,8 @@ updates:
     directory: "/ci"
     schedule:
       interval: weekly
+    cooldown:
+      default-days: 2
     # Boto3 makes patch releases daily, so ignore those to reduce the noise
     ignore:
       - dependency-name: "boto3"
@@ -32,6 +34,8 @@ updates:
     directory: "/ci-dev"
     schedule:
       interval: weekly
+    cooldown:
+      default-days: 2
     # We don't need to worry about updating to every patch release of dev tools
     ignore:
       - dependency-name: "*"
@@ -59,6 +63,8 @@ updates:
       - "/.github/actions/*"
     schedule:
       interval: weekly
+    cooldown:
+      default-days: 2
     open-pull-requests-limit: 10
     pull-request-branch-name:
       separator: "-"
diff --git a/.github/workflows/assign-milestone.yml b/.github/workflows/assign-milestone.yml
@@ -15,7 +15,7 @@ jobs:
     name: Assign Latest Milestone
     runs-on: ubuntu-slim
     steps:
-      - uses: actions/github-script@v8
+      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         name: Run script
         with:
           script: |
diff --git a/.github/workflows/automerge-dependabot.yml b/.github/workflows/automerge-dependabot.yml
diff --git a/.github/workflows/backport-prs.yml b/.github/workflows/backport-prs.yml
@@ -10,6 +10,7 @@ jobs:
   Backport:
     environment:
       name: PR Backport
+      deployment: false
     runs-on: ubuntu-slim
     if: github.event.pull_request.merged && contains( github.event.pull_request.labels.*.name, 'backport' )
     permissions:
@@ -21,7 +22,7 @@ jobs:
 
     steps:
       - name: Create App Token
-        uses: actions/create-github-app-token@v3
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
         id: app-token
         with:
           app-id: ${{ vars.APP_ID }}
@@ -39,7 +40,7 @@ jobs:
           git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
 
       - name: Checkout PR HEAD
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 100
@@ -60,7 +61,7 @@ jobs:
 
       - name: Create backport PR
         id: create-pr
-        uses: peter-evans/create-pull-request@v8
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
         with:
           token: ${{ steps.app-token.outputs.token }}
           title: '${{ github.event.pull_request.title }} (backport)'
@@ -72,13 +73,13 @@ jobs:
           delete-branch: true
           labels: 'backported-pr,${{ join(github.event.pull_request.labels.*.name) }}'
 
-      - uses: actions-ecosystem/action-remove-labels@v1
+      - uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1.3.0
         with:
           number: ${{ steps.create-pr.outputs.pull-request-number }}
           labels: backport
 
       - name: Comment on completion
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             github.rest.issues.createComment({
@@ -90,7 +91,7 @@ jobs:
 
       - name: Comment on error
         if: failure()
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const workflow_url = `${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID}`;
diff --git a/.github/workflows/benchmark-pr.yml b/.github/workflows/benchmark-pr.yml
@@ -6,28 +6,30 @@ on:
     types: [opened, synchronize, reopened, labeled] #defaults and when labeled
   workflow_dispatch:
 
-
 concurrency:
   group: ${{ github.workflow}}-${{ github.head_ref }}
   cancel-in-progress: true
   
 jobs:
   benchmark:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     #sets only to run when the GitHub PR is labeled with 'benchmark'
     if: contains(github.event.pull_request.labels.*.name, 'benchmark')
     timeout-minutes: 20  #times out after 20 minutes
     defaults: 
       run: 
         working-directory: ./benchmarks #sets the default working directory to ./benchmarks 
     steps:
-          - uses: actions/setup-python@v6  #sets up python with version 3.12
+          - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
             with:
               python-version: "3.12"
           - name: Checkout repo
-            uses: actions/checkout@v6  #checks out repository
+            uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
             with:
               fetch-depth: 0  # Fetch full history
+              persist-credentials: false
           - run: python -m pip install numpy pandas xarray metpy netcdf4
           - name: Create data array
             run: python data_array_generate.py
diff --git a/.github/workflows/cffcheck.yml b/.github/workflows/cffcheck.yml
@@ -15,13 +15,15 @@ on:
 jobs:
   validate:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Check out a copy of the repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Check validity of CITATION.cff
-        uses: citation-file-format/cffconvert-github-action@2.0.0
+        uses: citation-file-format/cffconvert-github-action@4cf11baa70a673bfdf9dad0acc7ee33b3f4b6084 # 2.0.0
         with:
           args: "--validate"
diff --git a/.github/workflows/code-analysis.yml b/.github/workflows/code-analysis.yml
@@ -28,14 +28,14 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         persist-credentials: false
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4
+      uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
       with:
         config-file: ./.github/codeql/codeql-config.yml
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4
+      uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
diff --git a/.github/workflows/docs-conda.yml b/.github/workflows/docs-conda.yml
@@ -15,6 +15,8 @@ jobs:
   Docs:
     name: ${{ matrix.os }} ${{ matrix.python-version }}
     runs-on: ${{ matrix.os }}-latest
+    permissions:
+      contents: read
     defaults:
       run:
         shell: bash -l {0}
@@ -33,7 +35,7 @@ jobs:
 
     steps:
     - name: Checkout source
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         fetch-depth: 150
         fetch-tags: true
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -21,6 +21,8 @@ jobs:
   Docs:
     name: "Linux ${{ matrix.python-version }}"
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -34,7 +36,7 @@ jobs:
 
     steps:
     - name: Checkout source
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         fetch-depth: 150
         persist-credentials: false
@@ -63,6 +65,7 @@ jobs:
     needs: Docs
     environment:
       name: github-pages
+      deployment: false
     runs-on: ubuntu-slim
     env:
       DOC_VERSION: dev
@@ -71,7 +74,7 @@ jobs:
 
     steps:
     - name: Download doc build
-      uses: actions/download-artifact@v8
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       with:
         name: Linux-3.13-docs
         path: ./docs/build/html
@@ -86,7 +89,7 @@ jobs:
       run: echo "doc-version=${{ env.DOC_VERSION }}" >> $GITHUB_OUTPUT
 
     - name: Upload to GitHub Pages
-      uses: peaceiris/actions-gh-pages@v4
+      uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
         publish_dir: ./docs/build/html
@@ -101,18 +104,19 @@ jobs:
     name: "Manage doc versions"
     environment:
       name: github-pages
+      deployment: false
     runs-on: ubuntu-slim
     permissions:
       contents: write
 
     steps:
     - name: Checkout docs
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         ref: "gh-pages"
 
     - name: Set up Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 
     - name: Install packaging
       run: python -m pip install packaging
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
@@ -13,13 +13,15 @@ jobs:
   lint:
     name: Run Lint Tools
     runs-on: ubuntu-slim
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Set up Python 3
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: 3.x
           cache: 'pip'
@@ -29,7 +31,7 @@ jobs:
         run: python -m pip install -r ci-dev/linting_requirements.txt
 
       - name: Set up reviewdog
-        uses: reviewdog/action-setup@v1
+        uses: reviewdog/action-setup@d8a7baabd7f3e8544ee4dbde3ee41d0011c3a93f # v1.5.0
 
       - name: Run ruff
         run: ruff check --output-format github
diff --git a/.github/workflows/nightly-builds.yml b/.github/workflows/nightly-builds.yml
@@ -22,6 +22,8 @@ on:
 
 jobs:
   Builds:
+    permissions:
+      contents: read
     uses: ./.github/workflows/unstable-builds.yml
 
   Report:
@@ -34,7 +36,7 @@ jobs:
 
     steps:
       - name: Download logs
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: /tmp/workspace/logs
 
@@ -44,7 +46,7 @@ jobs:
           touch tests-nightly.log build.log linkchecker.log
 
       - name: Report failures
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const fs = require('fs');
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
diff --git a/.github/workflows/run-unstable-pr.yml b/.github/workflows/run-unstable-pr.yml
diff --git a/.github/workflows/tests-conda.yml b/.github/workflows/tests-conda.yml
diff --git a/.github/workflows/tests-pypi.yml b/.github/workflows/tests-pypi.yml
diff --git a/.github/workflows/unstable-builds.yml b/.github/workflows/unstable-builds.yml
