python-poetry · neersighted · Mar 26, 2024 · Mar 25, 2024 · Mar 25, 2024 · Mar 25, 2024
diff --git a/.github/actions/bootstrap-poetry/action.yml → .github/actions/bootstrap-poetry/action.yaml b/.github/actions/bootstrap-poetry/action.yml → .github/actions/bootstrap-poetry/action.yaml
@@ -3,8 +3,8 @@ description: Configure the environment with the specified Python and Poetry vers
 
 inputs:
   python-version:
-    description: Desired Python version expression
-    default: '3.12'
+    description: Desired node-semver compatible Python version expression (or 'default')
+    default: 'default'
   python-latest:
     description: Use an uncached Python if a newer match is available
     default: 'false'
@@ -26,15 +26,19 @@ outputs:
 runs:
   using: composite
   steps:
-    - uses: actions/setup-python@v5
+    - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5
       id: setup-python
+      if: inputs.python-version != 'default'
       with:
         python-version: ${{ inputs.python-version }}
         check-latest: ${{ inputs.python-latest == 'true' }}
         allow-prereleases: ${{ inputs.python-prereleases == 'true' }}
         update-environment: false
 
-    - run: pipx install --python '${{ steps.setup-python.outputs.python-path }}' '${{ inputs.poetry-spec }}'
+    - run: >
+        pipx install \
+          ${{ inputs.python-version != 'default' && format('--python "{0}"', steps.setup-python.outputs.python-path) || '' }} \
+          '${{ inputs.poetry-spec }}'
       shell: bash
 
     # Enable handling long path names (+260 char) on the Windows platform

diff --git a/.github/actions/poetry-install/action.yml → .github/actions/poetry-install/action.yaml b/.github/actions/poetry-install/action.yml → .github/actions/poetry-install/action.yaml
@@ -26,7 +26,7 @@ runs:
       if: inputs.cache == 'true'
       shell: bash
 
-    - uses: actions/cache@v4
+    - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
       id: cache
       if: inputs.cache == 'true'
       with:

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,16 +1,9 @@
 version: 2
 
 updates:
-  - package-ecosystem: "pip"
-    directory: "/"
-    schedule:
-      interval: "monthly"
-    # keep dependency updates manual for now
-    open-pull-requests-limit: 0
-    reviewers:
-      - "python-poetry/triage"
-
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
+    labels:
+      - "area/ci"
diff --git a/.github/workflows/.tests-matrix.yaml b/.github/workflows/.tests-matrix.yaml
@@ -28,7 +28,7 @@ jobs:
     runs-on: ${{ inputs.runner }}
     if: inputs.run-mypy
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - uses: ./.github/actions/bootstrap-poetry
         id: bootstrap-poetry
@@ -37,7 +37,7 @@ jobs:
 
       - uses: ./.github/actions/poetry-install
 
-      - uses: actions/cache@v4
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
         with:
           path: .mypy_cache
           key: mypy-${{ runner.os }}-py${{ steps.bootstrap-poetry.outputs.python-version }}-${{ hashFiles('pyproject.toml', 'poetry.lock') }}
@@ -52,7 +52,7 @@ jobs:
     runs-on: ${{ inputs.runner }}
     if: inputs.run-pytest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - uses: ./.github/actions/bootstrap-poetry
         with:
@@ -74,7 +74,7 @@ jobs:
     runs-on: ${{ inputs.runner }}
     if: inputs.run-pytest-export
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - uses: ./.github/actions/bootstrap-poetry
         with:
@@ -87,7 +87,7 @@ jobs:
       - run: poetry run pip list --format json | jq -r '.[] | "\(.name)=\(.version)"' >> $GITHUB_OUTPUT
         id: package-versions
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           path: poetry-plugin-export
           repository: python-poetry/poetry-plugin-export

diff --git a/.github/workflows/backport.yaml b/.github/workflows/backport.yaml
@@ -21,9 +21,9 @@ jobs:
         )
       )
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
       # This workflow requires a non-GHA token in order to trigger downstream CI, and to access the 'fork' repository.
-      - uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@78e5f2ddc08efcb88fbbee6cfa3fed770ba550c3 # v1
         id: app-token
         with:
           app-id: ${{ secrets.POETRY_TOKEN_APP_ID }}
@@ -37,4 +37,4 @@ jobs:
 
           ./.github/scripts/backport.sh --pr ${{ github.event.pull_request.number }} --comment --remote fork
         env:
-            GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
@@ -27,20 +27,20 @@ jobs:
       contents: read
       pull-requests: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           repository: python-poetry/website
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           path: poetry
           ref: ${{ github.event.pull_request.head.sha }}
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4
         with:
           node-version: "18"
 
-      - uses: peaceiris/actions-hugo@v2
+      - uses: peaceiris/actions-hugo@16361eb4acea8698b220b76c0d4e84e1fd22c61d # v2
         with:
           hugo-version: '0.83.1'
 
@@ -59,7 +59,7 @@ jobs:
           # Build the static website.
           hugo -v --minify
 
-      - uses: amondnet/vercel-action@v25
+      - uses: amondnet/vercel-action@16e87c0a08142b0d0d33b76aeaf20823c381b9b9 # v25
         with:
           vercel-token: ${{ secrets.VERCEL_TOKEN }}
           github-token: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/lock-threads.yaml b/.github/workflows/lock-threads.yaml
@@ -14,7 +14,7 @@ jobs:
     permissions:
       issues: write
     steps:
-      - uses: dessant/lock-threads@v5
+      - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5
         with:
           process-only: issues
           issue-inactive-days: 30
@@ -29,7 +29,7 @@ jobs:
       issues: write
       pull-requests: write
     steps:
-      - uses: dessant/lock-threads@v5
+      - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5
         with:
           process-only: prs
           pr-inactive-days: 30

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -9,11 +9,11 @@ jobs:
     name: Build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - run: pipx run build
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4
         with:
           name: distfiles
           path: dist/
@@ -26,7 +26,7 @@ jobs:
       contents: write
     needs: build
     steps:
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4
         with:
           name: distfiles
 
@@ -42,10 +42,10 @@ jobs:
       id-token: write
     needs: build
     steps:
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4
         with:
           name: distfiles
 
-      - uses: pypa/gh-action-pypi-publish@release/v1
+      - uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450 # release/v1
         with:
           print-hash: true
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -23,13 +23,14 @@ jobs:
       src: ${{ steps.changes.outputs.src }}
       tests: ${{ steps.changes.outputs.tests }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
-      - uses: dorny/paths-filter@v3
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
         id: changes
         with:
           filters: |
             workflow: &workflow
+              - '.github/actions/**'
               - '.github/workflows/tests.yaml'
               - '.github/workflows/.tests-matrix.yaml'
             project: &project
@@ -53,7 +54,7 @@ jobs:
     if: needs.changes.outputs.project == 'true'
     needs: changes
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - uses: ./.github/actions/bootstrap-poetry
 
@@ -65,7 +66,7 @@ jobs:
     if: needs.changes.outputs.project == 'true'
     needs: lockfile
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - run: pipx run build
 
@@ -84,7 +85,7 @@ jobs:
     if: needs.changes.outputs.fixtures-pypi == 'true'
     needs: changes
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - uses: ./.github/actions/bootstrap-poetry
 
@@ -100,7 +101,7 @@ jobs:
     # Use this matrix with multiple jobs defined in a reusable workflow:
     uses: ./.github/workflows/.tests-matrix.yaml
     name: ${{ matrix.os.name }} (Python ${{ matrix.python-version }})
-    if: '!cancelled()'
+    if: '!failure()'
     needs:
       - lockfile
       - changes