From 379fd021d016c02991b196ecff4c2f3c240dd2a9 Mon Sep 17 00:00:00 2001
From: jmeridth <jmeridth@gmail.com>
Date: Wed, 20 Nov 2024 10:24:12 -0600
Subject: [PATCH] chore: github actions cleanup

- [x] switch to immutable actions on ones that allow it (closes 10 security warnings)
- [x] solve actionlint issues
  - [x] group commands instead of individual redirects
  - [x] double quote variable to prevent globbing and word splitting

Signed-off-by: jmeridth <jmeridth@gmail.com>
---
 .github/workflows/docker-image.yml          | 2 +-
 .github/workflows/linter.yaml               | 2 +-
 .github/workflows/major-version-updater.yml | 6 ++----
 .github/workflows/python-package.yml        | 4 ++--
 .github/workflows/release.yml               | 4 ++--
 .github/workflows/scorecard.yml             | 4 ++--
 .github/workflows/stale.yaml                | 2 +-
 .github/workflows/use-action.yml            | 2 +-
 8 files changed, 12 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index bf25bf0..a2a8329 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -14,6 +14,6 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4.2.2
       - name: Build the Docker image
         run: docker build . --file Dockerfile --platform linux/amd64 --tag stale_repos:"$(date +%s)"
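Review bot: `actions/checkout@v4.2.2` on the added line is a tag reference, and the diff does not show whether immutable-action resolution is actually in effect for this repository and its runners. If it is not, the tag can be re-pointed upstream and the workflow would run different code, which the removed full-SHA pin prevented. Consider confirming that before merging, or keeping the pin with its version comment, `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`. The same applies to the checkout, setup-python, upload-artifact and stale changes in the other seven workflow files. The repository's own Scorecard workflow may also report tag references under its pinned-dependencies check.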
diff --git a/.github/workflows/linter.yaml b/.github/workflows/linter.yaml
index c049bb4..0bf83eb 100644
--- a/.github/workflows/linter.yaml
+++ b/.github/workflows/linter.yaml
@@ -18,7 +18,7 @@ jobs:
       statuses: write
     steps:
       - name: Checkout Code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4.2.2
         with:
           # Full git history is needed to get a proper
           # list of changed files within `super-linter`
diff --git a/.github/workflows/major-version-updater.yml b/.github/workflows/major-version-updater.yml
index 1b5c40d..a55dcab 100644
--- a/.github/workflows/major-version-updater.yml
+++ b/.github/workflows/major-version-updater.yml
@@ -15,16 +15,14 @@ jobs:
       contents: write
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4.2.2
       - name: version
         id: version
         run: |
           tag=${GITHUB_REF/refs\/tags\//}
           version=${tag#v}
           major=${version%%.*}
-          echo "tag=${tag}" >> "$GITHUB_OUTPUT"
-          echo "version=${version}" >> "$GITHUB_OUTPUT"
-          echo "major=${major}" >> "$GITHUB_OUTPUT"
+          { echo "tag=${tag}"; echo "version=${version}"; echo "major=${major}"; } >> "$GITHUB_OUTPUT"
       - name: force update major tag
         run: |
           git tag v${{ steps.version.outputs.major }}
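Review bot: The context line `git tag v${{ steps.version.outputs.major }}` still expands a tag-derived value into the script text before the shell parses it, so the quoting this commit adds elsewhere does not cover it. Passing the value through the step environment keeps it as data: add `env:` with `MAJOR: ${{ steps.version.outputs.major }}` and run `git tag "v${MAJOR}"`. The same pattern is left in release.yml at `short_tag=$(echo ${{ steps.release-drafter.outputs.tag_name }} | cut -d. -f1)`. How exposed this is depends on who can push tags or influence the release-drafter output, which the diff does not show. The "force update major tag" step continues past the end of the hunk.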
diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index 7df3a13..28d07b3 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -19,9 +19,9 @@ jobs:
       matrix:
         python-version: [3.9, 3.11, 3.12]
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4.2.2
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b
+        uses: actions/setup-python@v5.3.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d886103..0ca2ae1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -42,7 +42,7 @@ jobs:
         id: get_tag_name
         run: |
           short_tag=$(echo ${{ steps.release-drafter.outputs.tag_name }} | cut -d. -f1)
-          echo "SHORT_TAG=$short_tag" >> $GITHUB_OUTPUT
+          echo "SHORT_TAG=$short_tag" >> "$GITHUB_OUTPUT"
   create_action_images:
     needs: create_release
     runs-on: ubuntu-latest
@@ -60,7 +60,7 @@ jobs:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4.2.2
       - name: Push Docker Image
         if: ${{ success() }}
         uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index db45112..a91031e 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4.2.2
         with:
           persist-credentials: false
 
@@ -36,7 +36,7 @@ jobs:
           results_format: sarif
           publish_results: true
       - name: "Upload artifact"
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@v4.4.3
         with:
           name: SARIF file
           path: results.sarif
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
index 9448521..2d8c416 100644
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -11,7 +11,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e
+      - uses: actions/stale@v9.0.0
         with:
           stale-issue-message: "This issue is stale because it has been open 21 days with no activity. Remove stale label or comment or this will be closed in 14 days."
           close-issue-message: "This issue was closed because it has been stalled for 35 days with no activity."
diff --git a/.github/workflows/use-action.yml b/.github/workflows/use-action.yml
index 21ed4ac..48e434c 100644
--- a/.github/workflows/use-action.yml
+++ b/.github/workflows/use-action.yml
@@ -19,7 +19,7 @@ jobs:
       packages: read
     steps:
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@v4.2.2
       - name: Run stale_repos tool
         uses: docker://ghcr.io/github/stale_repos:v1
         env: