Merge pull request #5668 from step-security-bot/stepsecurity_remediat…

…ion_1705999494

[StepSecurity] ci: Harden GitHub Actions

.github/workflows/codeql-analysis.yml

@@ -29,16 +29,16 @@ jobs:
         egress-policy: audit
 
     - name: Checkout repository
-      uses: actions/[email protected]
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1
       with:
         languages: ${{ matrix.language }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
+      uses: github/codeql-action/autobuild@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1

.github/workflows/darker.yaml

@@ -19,13 +19,13 @@ jobs:
         with:
           egress-policy: audit
 
-      - uses: actions/[email protected]
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
           python-version: "3.11"
-      - uses: akaihola/[email protected]
+      - uses: akaihola/darker@ddcd430663c3a980ceb408ee05b7c90ba875d71b # 1.7.2
         with:
           options: "--check --diff"
           src: "./src/qcodes"

.github/workflows/docs.yaml

@@ -52,8 +52,7 @@ jobs:
       uses: step-security/harden-runner@v2
       with:
         egress-policy: audit
-
-    - uses: actions/[email protected]
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         # we need full history with tags for the version number
         fetch-depth: '0'
@@ -67,7 +66,7 @@ jobs:
         sudo apt install pandoc
       if: runner.os == 'Linux'
     - name: Install pandoc on windows
-      uses: Wandalen/[email protected]
+      uses: Wandalen/wretry.action@a163f62ae554a8f3cbe27b23db15b60c0ae2e93c # v1.3.0
       with:
         action: crazy-max/[email protected]
         with: |
@@ -76,7 +75,7 @@ jobs:
         attempt_delay: 1000
       if: runner.os == 'Windows'
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
       with:
         python-version: ${{ matrix.python-version }}
         cache: 'pip'
@@ -102,12 +101,12 @@ jobs:
         ./make.bat html
       if: runner.os == 'Windows'
     - name: Upload build docs
-      uses: actions/[email protected]
+      uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0
       with:
         name: docs_${{ matrix.python-version }}_${{ matrix.os }}
         path: ${{ github.workspace }}/docs/_build/html
     - name: Deploy to gh pages
-      uses: JamesIves/[email protected]
+      uses: JamesIves/github-pages-deploy-action@65b5dfd4f5bcd3a7403bbc2959c144256167464e # v4.5.0
       with:
         branch: gh-pages
         folder: ${{ github.workspace }}/docs/_build/html

.github/workflows/pre-commit.yml

@@ -14,11 +14,12 @@ jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
+
     - name: Harden Runner
       uses: step-security/harden-runner@v2
       with:
         egress-policy: audit
 
-    - uses: actions/[email protected]
-    - uses: actions/setup-python@v5
-    - uses: pre-commit/[email protected]
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+    - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507 # v3.0.0

.github/workflows/pytest.yaml

@@ -48,18 +48,19 @@ jobs:
       PYTHON: ${{ matrix.python-version }}
 
     steps:
+
     - name: Harden Runner
       uses: step-security/harden-runner@v2
       with:
         egress-policy: audit
 
-    - uses: actions/[email protected]
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         submodules: true
         # we need full history with tags for the version number
         fetch-depth: '0'
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
       with:
         python-version: ${{ matrix.python-version }}
         cache: 'pip'
@@ -83,7 +84,7 @@ jobs:
       run: |
         pip install .[test] -c requirements.txt
       if: ${{ !matrix.min-version }}
-    - uses: jakebailey/[email protected]
+    - uses: jakebailey/pyright-action@03ab3c98073356eb56161009632b39fc2666321b # v2.0.1
       with:
         version: 1.1.339
       if: ${{ !matrix.min-version }}
@@ -98,7 +99,7 @@ jobs:
       run: |
         pytest -m "serial" -n 0 --dist no --cov=qcodes --cov-report xml --cov-append --hypothesis-profile ci tests
     - name: Upload coverage to Codecov
-      uses: codecov/[email protected]
+      uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
       with:
         file: ./coverage.xml
         env_vars: OS,PYTHON

.github/workflows/upload_to_pypi.yaml

@@ -21,9 +21,9 @@ jobs:
       with:
         egress-policy: audit
 
-    - uses: actions/[email protected]
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
       with:
         python-version: '3.10'
     - name: Install build deps
@@ -34,4 +34,4 @@ jobs:
     - name: Install Twine
       run: pip install twine
     - name: Publish to pypi
-      uses: pypa/gh-action-pypi-publish@release/v1
+      uses: pypa/gh-action-pypi-publish@2f6f737ca5f74c637829c0f5c3acd0e29ea5e8bf # release/v1