diff --git a/.github/workflows/documentation-upload-pr.yml b/.github/workflows/documentation-upload-pr.yml index 6ee2a5caa..315abec1f 100644 --- a/.github/workflows/documentation-upload-pr.yml +++ b/.github/workflows/documentation-upload-pr.yml @@ -33,7 +33,7 @@ jobs: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' && github.repository == 'huggingface/lerobot' - uses: huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml@main + uses: huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml@90b4ee2c10b81b5c1a6367c4e6fc9e2fb510a7e3 # main with: package_name: lerobot secrets: diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml index c7926c542..6efa1273e 100644 --- a/.github/workflows/documentation.yml +++ b/.github/workflows/documentation.yml @@ -55,7 +55,7 @@ jobs: github.repository == 'huggingface/lerobot' permissions: contents: read - uses: huggingface/doc-builder/.github/workflows/build_main_documentation.yml@main + uses: huggingface/doc-builder/.github/workflows/build_main_documentation.yml@90b4ee2c10b81b5c1a6367c4e6fc9e2fb510a7e3 # main with: commit_sha: ${{ github.sha }} package: lerobot @@ -78,7 +78,7 @@ jobs: permissions: contents: read pull-requests: write - uses: huggingface/doc-builder/.github/workflows/build_pr_documentation.yml@main + uses: huggingface/doc-builder/.github/workflows/build_pr_documentation.yml@90b4ee2c10b81b5c1a6367c4e6fc9e2fb510a7e3 # main with: commit_sha: ${{ github.event.pull_request.head.sha }} pr_number: ${{ github.event.number }} diff --git a/.github/workflows/fast_tests.yml b/.github/workflows/fast_tests.yml index d0e73071f..d78bdd21b 100644 --- a/.github/workflows/fast_tests.yml +++ b/.github/workflows/fast_tests.yml 
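Review bot: The trailing `# main` on the three `huggingface/doc-builder` reusable-workflow pins (the hunk in `documentation-upload-pr.yml` and both hunks in `documentation.yml`) names a branch, so it does not record which state of doc-builder the SHA corresponds to, and the pin can fall behind `main` unnoticed. The upload workflow reads `github.event.workflow_run` and has a `secrets:` block, which makes it the pin most worth being able to audit. If doc-builder publishes tags, pin to a tagged commit and put the tag in the comment; otherwise record when the pin was taken, e.g. `# main @ <YYYY-MM-DD>`. Nothing in this diff shows what keeps these SHAs current, so confirm an update mechanism covers reusable workflows as well as actions.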
@@ -65,7 +65,7 @@ jobs: HF_LEROBOT_HOME: /mnt/cache/.cache/huggingface/lerobot HF_USER_TOKEN: ${{ secrets.LEROBOT_HF_USER }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false lfs: true @@ -83,7 +83,7 @@ jobs: libusb-1.0-0-dev speech-dispatcher libgeos-dev portaudio19-dev - name: Setup uv and Python - uses: astral-sh/setup-uv@v6 # zizmor: ignore[unpinned-uses] + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6 with: enable-cache: true version: ${{ env.UV_VERSION }} diff --git a/.github/workflows/full_tests.yml b/.github/workflows/full_tests.yml index c04815279..c672689d8 100644 --- a/.github/workflows/full_tests.yml +++ b/.github/workflows/full_tests.yml @@ -63,7 +63,7 @@ jobs: HF_LEROBOT_HOME: /mnt/cache/.cache/huggingface/lerobot HF_USER_TOKEN: ${{ secrets.LEROBOT_HF_USER }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: lfs: true persist-credentials: false @@ -80,7 +80,7 @@ jobs: speech-dispatcher libgeos-dev portaudio19-dev - name: Setup uv and Python - uses: astral-sh/setup-uv@v6 # zizmor: ignore[unpinned-uses] + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6 with: enable-cache: true version: ${{ env.UV_VERSION }} 
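Review bot: The `astral-sh/setup-uv` pin in the `@@ -83,7` hunk of `fast_tests.yml` is annotated `# v6`, a moving major tag, while `actions/checkout` in the same commit carries the exact release `# v6.0.2`. A major-tag comment does not tell a reader which release the SHA was taken from, so the SHA cannot be checked against a release without guessing. The same applies to `setup-uv` in `full_tests.yml` and `release.yml`, the three `docker/*` actions in `full_tests.yml`, and `actions/setup-python` in `quality.yml` and `release.yml`. I would annotate each with the exact tag the SHA resolves to, in the form `# v<major>.<minor>.<patch>`.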
@@ -137,21 +137,21 @@ jobs: sudo apt-get update sudo apt-get install git-lfs git lfs install - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: lfs: true persist-credentials: false - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 # zizmor: ignore[unpinned-uses] + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 with: cache-binary: false - name: Login to Docker Hub - uses: docker/login-action@v3 # zizmor: ignore[unpinned-uses] + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: username: ${{ secrets.DOCKERHUB_LEROBOT_USERNAME }} password: ${{ secrets.DOCKERHUB_LEROBOT_PASSWORD }} - name: Build and push Docker image - uses: docker/build-push-action@v6 # zizmor: ignore[unpinned-uses] + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: context: . file: ./docker/Dockerfile.internal diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml index a84e9c17e..a7c49076d 100644 --- a/.github/workflows/quality.yml +++ b/.github/workflows/quality.yml @@ -43,16 +43,16 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: '3.12' - name: Run pre-commit hooks - uses: pre-commit/action@v3.0.1 # zizmor: ignore[unpinned-uses] + uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 with: extra_args: --all-files --show-diff-on-failure --color=always diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f7bd2be6c..aad52cf07 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
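Review bot: The `docker/login-action` pin in the `@@ -137,21` hunk of `full_tests.yml` receives `DOCKERHUB_LEROBOT_PASSWORD`, and nothing in the commit shows that the new SHAs were checked against the upstream repositories. GitHub resolves a full-length commit ref across the action's fork network, so a SHA pin is only as trustworthy as the check that the commit is reachable from the upstream repository's own tags or branches. zizmor has an online `impostor-commit` audit for this. Since these lines drop their `# zizmor: ignore[unpinned-uses]` markers, confirm that the project's zizmor run has a GitHub token so the online audits apply to every pin in the commit.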
@@ -38,12 +38,12 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: '3.12' @@ -104,7 +104,7 @@ jobs: - name: Publish to TestPyPI for pre-releases # True for tags like 'v0.2.0-rc1' if: startsWith(github.ref, 'refs/tags/v') && contains(github.ref, '-') - uses: pypa/gh-action-pypi-publish@v1.13.0 # zizmor: ignore[unpinned-uses, use-trusted-publishing] + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 with: repository-url: https://test.pypi.org/legacy/ verbose: true @@ -112,7 +112,7 @@ jobs: - name: Publish to PyPI if: startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '-') - uses: pypa/gh-action-pypi-publish@v1.13.0 # zizmor: ignore[unpinned-uses, use-trusted-publishing] + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 with: verbose: true print-hash: true @@ -127,7 +127,7 @@ jobs: env: MUJOCO_GL: egl steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: lfs: true persist-credentials: false @@ -137,7 +137,7 @@ jobs: git curl libglib2.0-0 libegl1-mesa-dev ffmpeg libusb-1.0-0-dev \ speech-dispatcher libgeos-dev portaudio19-dev - name: Setup uv and Python - uses: astral-sh/setup-uv@v6 # zizmor: ignore[unpinned-uses] + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6 with: enable-cache: true # zizmor: ignore[cache-poisoning] version: ${{ env.UV_VERSION }} diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 50c0c1fc3..8e2af59ca 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml 
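Review bot: Both `pypa/gh-action-pypi-publish` lines (hunks `@@ -104,7` and `@@ -112,7` of `release.yml`) lose the whole `# zizmor: ignore[unpinned-uses, use-trusted-publishing]` comment, but pinning only addresses `unpinned-uses`. The `with:` blocks run past the end of both hunks, so I cannot see whether a `password:` input is still passed; if it is, zizmor will presumably start reporting `use-trusted-publishing` on both steps. The better outcome for a release job is to move these steps to PyPI trusted publishing (`permissions: id-token: write` on the job and no `password:`). Otherwise keep the remaining suppression explicit with `# zizmor: ignore[use-trusted-publishing]` so the decision stays visible.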
@@ -43,12 +43,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v6 # zizmor: ignore[unpinned-uses] + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 persist-credentials: false - name: Secret Scanning - uses: trufflesecurity/trufflehog@v3.90.0 # zizmor: ignore[unpinned-uses] + uses: trufflesecurity/trufflehog@eafb8c5f6a06175141c27f17bcc17941853d0047 # v3.90.0 with: extra_args: --only-verified