Bump and pin all GitHub Actions to their SHAs#275
Merged
krassowski merged 10 commits intojupyterlab:mainfrom Feb 26, 2026
Merged
Bump and pin all GitHub Actions to their SHAs#275krassowski merged 10 commits intojupyterlab:mainfrom
krassowski merged 10 commits intojupyterlab:mainfrom
Conversation
for more information, see https://pre-commit.ci
Member
|
Hi @agriyakhetarpal I am 👍 on this - any idea why the tests are failing after the changes? |
Member
Author
|
Hi @krassowski, thanks for triggering the test suite. I'll take a look over the weekend or early Monday! |
Member
Author
|
Ready for another look, @krassowski! |
krassowski
approved these changes
Feb 26, 2026
Member
krassowski
left a comment
krassowski
left a comment
There was a problem hiding this comment.
LGTM, thank you @agriyakhetarpal !
krassowski
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Hi!
I am using these reusable workflows as part of a downstream extension, where I wish to commit to higher security standards. Unfortunately, the actions here are not pinned, so I can't enable the "Require actions to be pinned to their SHAs" setting in my repository as a result (because it also takes transitive dependencies into account). This PR should change that. I also introduced a Dependabot cooldown (as Zizmor suggests adding). I have included a bunch of other security fixes from Zizmor (e.g., handling template injection via shell expansion), and also frozen the pre-commit hooks (pre-commit will handle the hashes with its updates). I have not added Zizmor as a pre-commit hook; however, please let me know if you'd like me to change that.