ci: update and pin actions and remove expansion in run block (#492)

Author: fstr

.github/dependabot.yml

@@ -10,7 +10,9 @@ updates:
     schedule:
       interval: "weekly"
     commit-message:
-      prefix: "build(NoTicket)"
+      prefix: "chore(deps):"
+    cooldown:
+      default-days: 7
 
   # Keep GitHub Actions up to date
   - package-ecosystem: "github-actions"
@@ -22,4 +24,6 @@ updates:
       timezone: "UTC"
     open-pull-requests-limit: 5
     commit-message:
-      prefix: "build(NoTicket)"
+      prefix: "chore(deps):"
+    cooldown:
+      default-days: 7

.github/workflows/build-documentation.yml

@@ -14,16 +14,18 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
     - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: 3.x
 
-    - uses: actions/cache@v4
+    - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
       with:
         path: ~/.cache/pip
         key: ${{ runner.os }}-pip-${{ hashFiles('**/setup.cfg') }}
@@ -44,21 +46,25 @@ jobs:
     - name: Resolve url path
       id: resolve_url_path
       shell: bash
+      env:
+        CUSTOM_PATH: ${{ github.event.inputs.custom-path }}
+        GITHUB_REF_NAME: ${{ github.ref_name }}
+        GITHUB_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
       run: |
-        if [[ -n "${{ github.event.inputs.custom-path }}" ]]; then
-            echo "path=${{ github.event.inputs.custom-path }}" >> $GITHUB_OUTPUT
+        if [[ -n "${CUSTOM_PATH}" ]]; then
+            echo "path=${CUSTOM_PATH}" >> $GITHUB_OUTPUT
         # 0.x releases deploy to 0.x path, all other releases deploy to latest path
-        elif [[ "${{ github.event_name }}" == "release" && "${{ github.event.release.tag_name }}" == 0.* ]]; then
+        elif [[ "${{ github.event_name }}" == "release" && "${GITHUB_RELEASE_TAG_NAME}" == 0.* ]]; then
             echo "path=0.x" >> $GITHUB_OUTPUT
         # for manual builds deploy to the branch name path
         elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-            echo "path=${{ github.ref_name }}" >> $GITHUB_OUTPUT
+            echo "path=${GITHUB_REF_NAME}" >> $GITHUB_OUTPUT
         else
             echo "path=latest" >> $GITHUB_OUTPUT
         fi
 
     - name: Deploy to GitHub Pages
-      uses: peaceiris/actions-gh-pages@v4
+      uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
         publish_dir: ./docs_compiled

.github/workflows/check-pr-formatting.yml

@@ -7,9 +7,15 @@ on:
 
 jobs:
   pr-formatting:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
+    permissions:
+      pull-requests: read
     steps:
-      - name: Formatting conventions
-        uses: firebolt-db/action-pr-checks@main
+      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        if: ${{ !startsWith(github.head_ref, 'dependabot') }}
         with:
-          github-key: ${{ secrets.GITHUB_TOKEN }}
+          # Ensures the subject doesn't start with an uppercase character.
+          subjectPattern: ^(?![A-Z]).+$
+          requireScope: false

.github/workflows/code-check.yml

@@ -15,12 +15,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Check out code
-      uses: actions/checkout@v4
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         ref: ${{ inputs.branch }}
 
     - name: Set up Python 3.9
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: 3.9
 

.github/workflows/integration-tests-core.yml

@@ -46,18 +46,18 @@ jobs:
     runs-on: ${{ inputs.os_name }}
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: 'firebolt-db/firebolt-python-sdk'
 
       - name: Setup Firebolt Core
         id: setup-core
-        uses: firebolt-db/action-setup-core@main
+        uses: firebolt-db/action-setup-core@eabcd701de0be41793fda0655d29d46c70c847c2 # main
         with:
           tag_version: ${{ inputs.tag_version || vars.DEFAULT_CORE_IMAGE_TAG }}
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: ${{ inputs.python_version }}
 
@@ -94,15 +94,15 @@ jobs:
 
        # Need to pull the pages branch in order to fetch the previous runs
       - name: Get Allure history
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         if: always()
         continue-on-error: true
         with:
             ref: gh-pages
             path: gh-pages
 
       - name: Allure Report
-        uses: firebolt-db/action-allure-report@v1
+        uses: firebolt-db/action-allure-report@781b4529b67b4f393c63d7dc1e098cb558e1ab16 # v1.4.1
         if: always()
         continue-on-error: true
         with:
@@ -113,12 +113,12 @@ jobs:
           repository-name: python-sdk
 
       - name: Allure Report HTTPS
-        uses: firebolt-db/action-allure-report@v1
+        uses: firebolt-db/action-allure-report@781b4529b67b4f393c63d7dc1e098cb558e1ab16 # v1.4.1
         if: always()
         continue-on-error: true
         with:
           github-key: ${{ secrets.GITHUB_TOKEN }}
           test-type: core_https
           allure-dir: allure-results-https
           pages-branch: gh-pages
-          repository-name: python-sdk
+          repository-name: python-sdk

.github/workflows/integration-tests-v1.yml

@@ -16,10 +16,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Set up Python 3.9
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: 3.9
 
@@ -30,7 +30,7 @@ jobs:
 
       - name: Setup database and engine
         id: setup
-        uses: firebolt-db/integration-testing-setup@v1
+        uses: firebolt-db/integration-testing-setup@813c4835ef38adcba3f8760e7afc21a3c7248023 # v2.6.2
         with:
           firebolt-username: ${{ secrets.FIREBOLT_STG_USERNAME }}
           firebolt-password: ${{ secrets.FIREBOLT_STG_PASSWORD }}
@@ -39,7 +39,7 @@ jobs:
 
       - name: Restore cached failed tests
         id: cache-tests-restore
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: |
             .pytest_cache/v/cache/lastfailed
@@ -64,9 +64,9 @@ jobs:
 
       - name: Save failed tests
         id: cache-tests-save
-        uses: actions/cache/save@v4
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         if: failure()
         with:
           path: |
             .pytest_cache/v/cache/lastfailed
-          key: ${{ steps.cache-tests-restore.outputs.cache-primary-key }}
+          key: ${{ steps.cache-tests-restore.outputs.cache-primary-key }}

.github/workflows/integration-tests-v2.yml

@@ -23,12 +23,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: 'firebolt-db/firebolt-python-sdk'
 
       - name: Set up Python 3.9
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: 3.9
 
@@ -39,7 +39,7 @@ jobs:
 
       - name: Setup database and engine
         id: setup
-        uses: firebolt-db/integration-testing-setup@v2
+        uses: firebolt-db/integration-testing-setup@813c4835ef38adcba3f8760e7afc21a3c7248023 # v2.6.2
         with:
           firebolt-client-id: ${{ secrets.FIREBOLT_CLIENT_ID_STG_NEW_IDN }}
           firebolt-client-secret: ${{ secrets.FIREBOLT_CLIENT_SECRET_STG_NEW_IDN }}
@@ -62,15 +62,15 @@ jobs:
 
       # Need to pull the pages branch in order to fetch the previous runs
       - name: Get Allure history
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         if: always()
         continue-on-error: true
         with:
             ref: gh-pages
             path: gh-pages
 
       - name: Allure Report
-        uses: firebolt-db/action-allure-report@v1
+        uses: firebolt-db/action-allure-report@781b4529b67b4f393c63d7dc1e098cb558e1ab16 # v1.4.1
         if: always()
         with:
           github-key: ${{ inputs.token || secrets.GITHUB_TOKEN }}

.github/workflows/integration-tests.yml

@@ -31,7 +31,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Decorate commit
-        uses: Sibz/github-status-action@v1
+        uses: Sibz/github-status-action@650dd1a882a76dbbbc4576fb5974b8d22f29847f # v1.1.6
         with:
           authToken: ${{secrets.GITHUB_TOKEN}}
           context: 'Integration tests'

.github/workflows/nightly-v1.yml

@@ -39,10 +39,10 @@ jobs:
         python-version: ['3.9', '3.10', '3.11']
     steps:
       - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Set up Python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: ${{ matrix.python-version }}
 
@@ -57,7 +57,7 @@ jobs:
 
       - name: Setup database and engine
         id: setup
-        uses: firebolt-db/integration-testing-setup@v1
+        uses: firebolt-db/integration-testing-setup@813c4835ef38adcba3f8760e7afc21a3c7248023 # v2.6.2
         with:
           firebolt-username: ${{ secrets.FIREBOLT_STG_USERNAME }}
           firebolt-password: ${{ secrets.FIREBOLT_STG_PASSWORD }}
@@ -85,7 +85,7 @@ jobs:
       - name: Slack Notify of failure
         if: failure()
         id: slack
-        uses: firebolt-db/action-slack-nightly-notify@v1
+        uses: firebolt-db/action-slack-nightly-notify@1bdd915837fbe0986aeacd2ee63a648ae2dcc6db # v1.0.0
         with:
           os: ${{ matrix.os }}
           programming-language: Python

.github/workflows/nightly-v2.yml

@@ -39,10 +39,10 @@ jobs:
         python-version: ['3.9', '3.10', '3.11']
     steps:
       - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Set up Python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: ${{ matrix.python-version }}
 
@@ -57,7 +57,7 @@ jobs:
 
       - name: Setup database and engine
         id: setup
-        uses: firebolt-db/integration-testing-setup@v2
+        uses: firebolt-db/integration-testing-setup@813c4835ef38adcba3f8760e7afc21a3c7248023 # v2.6.2
         with:
           firebolt-client-id: ${{ secrets.FIREBOLT_CLIENT_ID_STG_NEW_IDN }}
           firebolt-client-secret: ${{ secrets.FIREBOLT_CLIENT_SECRET_STG_NEW_IDN }}
@@ -81,7 +81,7 @@ jobs:
       - name: Slack Notify of failure
         if: failure()
         id: slack
-        uses: firebolt-db/action-slack-nightly-notify@v1
+        uses: firebolt-db/action-slack-nightly-notify@1bdd915837fbe0986aeacd2ee63a648ae2dcc6db # v1.0.0
         with:
           os: ${{ matrix.os }}
           programming-language: Python