diff --git a/.github/workflows/codeql-android-critical-security.yml b/.github/workflows/codeql-android-critical-security.yml
index 8ac806564344..29bfc0042d54 100644
--- a/.github/workflows/codeql-android-critical-security.yml
+++ b/.github/workflows/codeql-android-critical-security.yml
@@ -35,7 +35,7 @@ jobs:
 java-version: "21"
 - name: Initialize CodeQL
- uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 languages: java-kotlin
 build-mode: manual
@@ -46,6 +46,6 @@ jobs:
 run: ./gradlew --no-daemon :app:assemblePlayDebug
 - name: Analyze
- uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 category: "/codeql-critical-security/android"
diff --git a/.github/workflows/codeql-critical-quality.yml b/.github/workflows/codeql-critical-quality.yml
index d883449e0b65..a7905e772813 100644
--- a/.github/workflows/codeql-critical-quality.yml
+++ b/.github/workflows/codeql-critical-quality.yml
@@ -342,13 +342,13 @@ jobs:
 submodules: false
 - name: Initialize CodeQL
- uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 languages: javascript-typescript
 config-file: ./.github/codeql/codeql-core-auth-secrets-critical-quality.yml
 - name: Analyze
- uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 category: "/codeql-critical-quality/core-auth-secrets"
@@ -365,13 +365,13 @@ jobs:
 submodules: false
 - name: Initialize CodeQL
- uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 languages: javascript-typescript
 config-file: ./.github/codeql/codeql-config-boundary-critical-quality.yml
 - name: Analyze
- uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 category: "/codeql-critical-quality/config-boundary"
@@ -388,13 +388,13 @@ jobs:
 submodules: false
 - name: Initialize CodeQL
- uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 languages: javascript-typescript
 config-file: ./.github/codeql/codeql-gateway-runtime-boundary-critical-quality.yml
 - name: Analyze
- uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 category: "/codeql-critical-quality/gateway-runtime-boundary"
@@ -411,13 +411,13 @@ jobs:
 submodules: false
 - name: Initialize CodeQL
- uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 languages: javascript-typescript
 config-file: ./.github/codeql/codeql-channel-runtime-boundary-critical-quality.yml
 - name: Analyze
- uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 category: "/codeql-critical-quality/channel-runtime-boundary"
@@ -460,7 +460,7 @@ jobs:
 - name: Initialize CodeQL
 if: ${{ github.event_name != 'pull_request' }}
- uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 languages: javascript-typescript
 config-file: ./.github/codeql/codeql-network-runtime-boundary-critical-quality.yml
@@ -468,7 +468,7 @@ jobs:
 - name: Analyze
 id: analyze
 if: ${{ github.event_name != 'pull_request' }}
- uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 output: sarif-results
 category: "/codeql-critical-quality/network-runtime-boundary"
@@ -518,13 +518,13 @@ jobs:
 submodules: false
 - name: Initialize CodeQL
- uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 languages: javascript-typescript
 config-file: ./.github/codeql/codeql-agent-runtime-boundary-critical-quality.yml
 - name: Analyze
- uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 category: "/codeql-critical-quality/agent-runtime-boundary"
@@ -541,13 +541,13 @@ jobs:
 submodules: false
 - name: Initialize CodeQL
- uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 languages: javascript-typescript
 config-file: ./.github/codeql/codeql-mcp-process-runtime-boundary-critical-quality.yml
 - name: Analyze
- uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 category: "/codeql-critical-quality/mcp-process-runtime-boundary"
@@ -564,13 +564,13 @@ jobs:
 submodules: false
 - name: Initialize CodeQL
- uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 languages: javascript-typescript
 config-file: ./.github/codeql/codeql-memory-runtime-boundary-critical-quality.yml
 - name: Analyze
- uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 category: "/codeql-critical-quality/memory-runtime-boundary"
@@ -587,13 +587,13 @@ jobs:
 submodules: false
 - name: Initialize CodeQL
- uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 languages: javascript-typescript
 config-file: ./.github/codeql/codeql-session-diagnostics-boundary-critical-quality.yml
 - name: Analyze
- uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 category: "/codeql-critical-quality/session-diagnostics-boundary"
@@ -610,13 +610,13 @@ jobs:
 submodules: false
 - name: Initialize CodeQL
- uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 languages: javascript-typescript
 config-file: ./.github/codeql/codeql-plugin-sdk-reply-runtime-critical-quality.yml
 - name: Analyze
- uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 category: "/codeql-critical-quality/plugin-sdk-reply-runtime"
@@ -633,13 +633,13 @@ jobs:
 submodules: false
 - name: Initialize CodeQL
- uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 languages: javascript-typescript
 config-file: ./.github/codeql/codeql-provider-runtime-boundary-critical-quality.yml
 - name: Analyze
- uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 category: "/codeql-critical-quality/provider-runtime-boundary"
@@ -655,13 +655,13 @@ jobs:
 submodules: false
 - name: Initialize CodeQL
- uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 languages: javascript-typescript
 config-file: ./.github/codeql/codeql-ui-control-plane-critical-quality.yml
 - name: Analyze
- uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 category: "/codeql-critical-quality/ui-control-plane"
@@ -677,13 +677,13 @@ jobs:
 submodules: false
 - name: Initialize CodeQL
- uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 languages: javascript-typescript
 config-file: ./.github/codeql/codeql-web-media-runtime-boundary-critical-quality.yml
 - name: Analyze
- uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 category: "/codeql-critical-quality/web-media-runtime-boundary"
@@ -700,13 +700,13 @@ jobs:
 submodules: false
 - name: Initialize CodeQL
- uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 languages: javascript-typescript
 config-file: ./.github/codeql/codeql-plugin-boundary-critical-quality.yml
 - name: Analyze
- uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 category: "/codeql-critical-quality/plugin-boundary"
@@ -723,12 +723,12 @@ jobs:
 submodules: false
 - name: Initialize CodeQL
- uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 languages: javascript-typescript
 config-file: ./.github/codeql/codeql-plugin-sdk-package-contract-critical-quality.yml
 - name: Analyze
- uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 category: "/codeql-critical-quality/plugin-sdk-package-contract"
diff --git a/.github/workflows/codeql-macos-critical-security.yml b/.github/workflows/codeql-macos-critical-security.yml
index 1619b56cb7a0..f136b255a11f 100644
--- a/.github/workflows/codeql-macos-critical-security.yml
+++ b/.github/workflows/codeql-macos-critical-security.yml
@@ -35,7 +35,7 @@ jobs:
 swift --version
 - name: Initialize CodeQL
- uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 languages: swift
 build-mode: manual
@@ -46,7 +46,7 @@ jobs:
 - name: Analyze
 id: analyze
- uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 output: sarif-results
 upload: failure-only
@@ -83,7 +83,7 @@ jobs:
 done
 - name: Upload filtered SARIF
- uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/upload-sarif@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 sarif_file: sarif-results-filtered
 category: "/codeql-critical-security/macos"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index c1b5aa0fb5c2..ce4338a26746 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -101,12 +101,12 @@ jobs:
 .github/codeql
 - name: Initialize CodeQL
- uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 languages: ${{ matrix.language }}
 config-file: ${{ matrix.config_file }}
 - name: Analyze
- uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
 with:
 category: "/codeql-security-high/${{ matrix.category }}"
diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
index d986108f0877..6ff05de03d90 100644
--- a/.github/workflows/docker-release.yml
+++ b/.github/workflows/docker-release.yml
@@ -89,7 +89,7 @@ jobs:
 fetch-depth: 0
 - name: Set up Docker Builder
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
 - name: Login to GitHub Container Registry
 uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
@@ -161,7 +161,7 @@ jobs:
 - name: Build and push amd64 image
 id: build
 # WARNING: KEEP THE OFFICIAL DOCKER ACTION HERE; DO NOT SWITCH THIS BACK TO BLACKSMITH BLINDLY.
- uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 with:
 context: .
 platforms: linux/amd64
@@ -179,7 +179,7 @@ jobs:
 id: build-browser
 if: steps.tags.outputs.browser != ''
 # WARNING: KEEP THE OFFICIAL DOCKER ACTION HERE; DO NOT SWITCH THIS BACK TO BLACKSMITH BLINDLY.
- uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 with:
 context: .
 platforms: linux/amd64
@@ -280,7 +280,7 @@ jobs:
 fetch-depth: 0
 - name: Set up Docker Builder
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
 - name: Login to GitHub Container Registry
 uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
@@ -352,7 +352,7 @@ jobs:
 - name: Build and push arm64 image
 id: build
 # WARNING: KEEP THE OFFICIAL DOCKER ACTION HERE; DO NOT SWITCH THIS BACK TO BLACKSMITH BLINDLY.
- uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 with:
 context: .
 platforms: linux/arm64
@@ -370,7 +370,7 @@ jobs:
 id: build-browser
 if: steps.tags.outputs.browser != ''
 # WARNING: KEEP THE OFFICIAL DOCKER ACTION HERE; DO NOT SWITCH THIS BACK TO BLACKSMITH BLINDLY.
- uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 with:
 context: .
 platforms: linux/arm64
@@ -562,7 +562,7 @@ jobs:
 fetch-depth: 1
 - name: Set up Docker Builder
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
 - name: Login to GitHub Container Registry
 uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
diff --git a/.github/workflows/docs-agent.yml b/.github/workflows/docs-agent.yml
index a939f9c0af61..6df42c682a67 100644
--- a/.github/workflows/docs-agent.yml
+++ b/.github/workflows/docs-agent.yml
@@ -149,7 +149,7 @@ jobs:
 - name: Run Codex docs agent
 if: steps.gate.outputs.run_agent == 'true'
- uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02
+ uses: openai/codex-action@e0fdf01220eb9a88167c4898839d273e3f2609d1
 env:
 DOCS_AGENT_BASE_SHA: ${{ steps.gate.outputs.review_base_sha }}
 DOCS_AGENT_HEAD_SHA: ${{ steps.gate.outputs.review_head_sha }}
diff --git a/.github/workflows/mantis-telegram-desktop-proof.yml b/.github/workflows/mantis-telegram-desktop-proof.yml
index a0f7ab6f4ba5..b3c60d39a62e 100644
--- a/.github/workflows/mantis-telegram-desktop-proof.yml
+++ b/.github/workflows/mantis-telegram-desktop-proof.yml
@@ -445,7 +445,7 @@ jobs:
 sudo chown -R codex:codex "$GITHUB_WORKSPACE"
 - name: Run Codex Mantis Telegram agent
- uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02
+ uses: openai/codex-action@e0fdf01220eb9a88167c4898839d273e3f2609d1
 env:
 BASELINE_REF: ${{ needs.resolve_request.outputs.baseline_ref }}
 BASELINE_SHA: ${{ needs.validate_refs.outputs.baseline_revision }}
diff --git a/.github/workflows/opengrep-precise-full.yml b/.github/workflows/opengrep-precise-full.yml
index 324e826f2410..0ecd5c1771e6 100644
--- a/.github/workflows/opengrep-precise-full.yml
+++ b/.github/workflows/opengrep-precise-full.yml
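Review bot: The new `openai/codex-action` pin in `.github/workflows/docs-agent.yml` has no trailing version comment, unlike the `docker/*` and `github/codeql-action` pins in this commit (`# v7.2.0`, `# v4`), so the diff does not show which release the 40-character SHA corresponds to or how large the bump is. The same holds for the hunks in `mantis-telegram-desktop-proof.yml` and `test-performance-agent.yml`, the latter of which passes `openai-api-key` from repository secrets to this action. After checking the SHA against the upstream release, append the tag as a comment, e.g. `uses: openai/codex-action@e0fdf01220eb9a88167c4898839d273e3f2609d1 # RELEASE_TAG`. The step's `env:` block continues outside the hunk.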
@@ -53,7 +53,7 @@ jobs:
 scripts/run-opengrep.sh --sarif --error
 - name: Upload SARIF to GitHub Code Scanning
- uses: github/codeql-action/upload-sarif@v4
+ uses: github/codeql-action/upload-sarif@v4.36.1
 # Only upload if the scan actually produced a SARIF file.
 if: always() && hashFiles('.opengrep-out/precise.sarif') != ''
 with:
diff --git a/.github/workflows/opengrep-precise.yml b/.github/workflows/opengrep-precise.yml
index cc2a3ffa5e7f..11babbbd6d6f 100644
--- a/.github/workflows/opengrep-precise.yml
+++ b/.github/workflows/opengrep-precise.yml
@@ -84,7 +84,7 @@ jobs:
 scripts/run-opengrep.sh --changed --sarif --error
 - name: Upload SARIF to GitHub Code Scanning
- uses: github/codeql-action/upload-sarif@v4
+ uses: github/codeql-action/upload-sarif@v4.36.1
 # Only upload if the scan actually produced a SARIF file.
 if: always() && hashFiles('.opengrep-out/precise.sarif') != ''
 with:
diff --git a/.github/workflows/sandbox-common-smoke.yml b/.github/workflows/sandbox-common-smoke.yml
index e7c529443dd9..aa92a617cf62 100644
--- a/.github/workflows/sandbox-common-smoke.yml
+++ b/.github/workflows/sandbox-common-smoke.yml
@@ -35,7 +35,7 @@ jobs:
 submodules: false
 - name: Set up Docker Builder
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
 - name: Build minimal sandbox base (USER sandbox)
 shell: bash
diff --git a/.github/workflows/test-performance-agent.yml b/.github/workflows/test-performance-agent.yml
index 2311912dba27..0ec19bd43995 100644
--- a/.github/workflows/test-performance-agent.yml
+++ b/.github/workflows/test-performance-agent.yml
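Review bot: The `Upload SARIF to GitHub Code Scanning` step in `.github/workflows/opengrep-precise-full.yml` still references the action by a tag (`@v4.36.1`), which can be re-pointed upstream, while every other `github/codeql-action` reference changed in this commit is pinned to a full commit SHA. The matching hunk in `.github/workflows/opengrep-precise.yml` has the same gap. Pin both to the commit behind that release in the style used elsewhere, `uses: github/codeql-action/upload-sarif@FULL_COMMIT_SHA # v4.36.1`. The `87557b9c…` SHA used by the CodeQL workflows may be that commit, but this should be confirmed against the release rather than assumed. The step's `with:` block continues outside the hunk.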
@@ -129,7 +129,7 @@ jobs:
 - name: Run Codex test performance agent
 if: steps.gate.outputs.run_agent == 'true'
- uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02
+ uses: openai/codex-action@e0fdf01220eb9a88167c4898839d273e3f2609d1
 with:
 openai-api-key: ${{ secrets.OPENCLAW_TEST_PERF_AGENT_OPENAI_API_KEY || secrets.OPENAI_API_KEY }}
 prompt-file: .github/codex/prompts/test-performance-agent.md