diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index f9de29a53b..b7d18aea4d 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -8,6 +8,9 @@ on:
 - cron: '30 10 * * *'
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 build:
@@ -130,7 +133,7 @@ jobs:
 steps:
 - name: Sync Repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 submodules: recursive
@@ -180,7 +183,7 @@ jobs:
 - name: Install Python ${{ matrix.python }}
 if: matrix.python != 'None'
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: ${{ matrix.python }}
 architecture: ${{ matrix.architecture }}
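Review bot: The new workflow-level `permissions: contents: read` caps the token for every job in main.yml, so any job that writes with `GITHUB_TOKEN` now needs its own override. The context line `single-commit: true` in the hunk at new line 423 looks like the input of a publish or deploy step (inferred; its `uses:` line is outside the diff). If that step pushes to a branch, its job needs a job-level `permissions:` block with `contents: write`, otherwise the push will be rejected. A comment above the block, such as `# Least-privilege default; jobs that write declare their own permissions`, would tell maintainers where to add scopes.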
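Review bot: The pin comment on the `actions/checkout` line in the hunk at new line 133 records only the moving major tag (`# v4`), so the SHA cannot be matched to a release by reading the file. The `pypa/cibuildwheel` and `sigstore/gh-action-sigstore-python` pins in this same commit already carry the exact release (`# v2.23.2`, `# v3.0.0`). Writing the others the same way, `uses: actions/checkout@<sha> # vX.Y.Z` (vX.Y.Z is a placeholder for the release the SHA actually belongs to), keeps the pins auditable and lets update tooling rewrite SHA and comment together. The same applies to every `# v4`, `# v5` and `# v1` comment in the later hunks of both files.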
@@ -322,48 +325,48 @@ jobs:
 - name: Upload Installed Package
 if: matrix.python != 'None'
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: MaterialX_${{ matrix.name }}
 path: build/installed/
 - name: Upload Formatted Source
 if: matrix.clang_format == 'ON'
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: MaterialX_ClangFormat
 path: source
 - name: Upload Reference Shaders
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 if: matrix.upload_shaders == 'ON'
 with:
 name: MaterialX_ReferenceShaders
 path: build/bin/reference/
 - name: Upload Renders
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 if: matrix.test_render == 'ON'
 with:
 name: Renders_${{ matrix.name }}
 path: build/render/*.png
 - name: Upload Resources (MacOS)
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 if: matrix.test_render == 'ON' && runner.os == 'macOS'
 with:
 name: Resources_${{ matrix.name }}
 path: build/bin/resources
 - name: Upload Coverage Report
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 if: matrix.coverage_analysis == 'ON'
 with:
 name: MaterialX_Coverage
 path: build/coverage
 - name: Upload Perfetto Traces
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 if: matrix.extended_build_perfetto == 'ON' && env.IS_EXTENDED_BUILD == 'true'
 with:
 name: Traces_${{ matrix.name }}
@@ -376,7 +379,7 @@ jobs:
 steps:
 - name: Sync Repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Install Emscripten
 run: |
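Review bot: The pinned `actions/checkout` step in the hunk at new line 382 has no `with:` block, so it keeps the default of leaving the job token in the workspace's git configuration for every later step, including the install and build commands that follow. Unless a later step in this job relies on that stored credential for a git push (worth checking, since most of the job body is outside the diff), add a `with:` block containing `persist-credentials: false` here. The other checkout steps in both files could take the same input, next to `submodules: recursive` where that is already set.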
@@ -388,7 +391,7 @@ jobs:
 echo "EMSDK=$EMSDK" >> $GITHUB_ENV
 - name: Install Node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: '22.16.0'
@@ -420,7 +423,7 @@ jobs:
 single-commit: true
 - name: Upload JavaScript Package
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: MaterialX_JavaScript
 path: javascript/build/installed/JavaScript/MaterialX
@@ -434,10 +437,10 @@ jobs:
 steps:
 - name: Sync Repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Install Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: 3.11
@@ -449,7 +452,7 @@ jobs:
 echo "filename=$(ls dist)" >> "$GITHUB_OUTPUT"
 - name: Upload SDist
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: MaterialX_Python_SDist
 path: dist/*.tar.gz
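Review bot: The step that ends with `single-commit: true`, directly above `Upload JavaScript Package` in the hunk at new line 423, is not modified anywhere in this diff, so its `uses:` reference is presumably still a tag. If it is a third-party action that publishes on behalf of the repository, a moved tag there would do the most damage, so it should get the same treatment as the others: `uses: owner/action@<full commit SHA> # vX.Y.Z` (placeholders; take the real values from the action's release page). The `uses:` line itself lies outside the hunk, so confirm against the full file.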
@@ -467,25 +470,25 @@ jobs:
 steps:
 - name: Sync Repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Install Python 3.${{ matrix.python-minor }}
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: 3.${{ matrix.python-minor }}
 - name: Download Sdist
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 name: MaterialX_Python_SDist
 path: sdist
 - name: Install Doxygen (Windows)
- uses: ssciwr/doxygen-install@v1
+ uses: ssciwr/doxygen-install@f13be1686235deee0aeb6cdf56640170691dc96b # v1
 if: runner.os == 'Windows'
 - name: Build Wheel
- uses: pypa/cibuildwheel@v2.23.2
+ uses: pypa/cibuildwheel@6a41245b42fcb325223b8793746f10456ed07436 # v2.23.2
 with:
 package-dir: ${{ github.workspace }}/sdist/${{ needs.sdist.outputs.sdist_filename }}
 env:
@@ -509,7 +512,7 @@ jobs:
 working-directory: python
 - name: Upload Wheel
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: MaterialX_Python_Wheel_${{ runner.os }}_3_${{ matrix.python-minor }}
 path: wheelhouse/*.whl
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6ddb62f2b4..bd47b2280d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -21,7 +21,7 @@ jobs:
 steps:
 - name: Sync Repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 submodules: recursive
@@ -34,7 +34,7 @@ jobs:
 git archive --prefix ${MATERIALX_ARCHIVE}/ --output ${MATERIALX_ARCHIVE}.tar.gz ${RELEASE_TAG}
 - name: Sign and Upload Archives
- uses: sigstore/gh-action-sigstore-python@v3.0.0
+ uses: sigstore/gh-action-sigstore-python@f514d46b907ebcd5bedc05145c03b69c1edd8b46 # v3.0.0
 with:
 inputs: |
 ${{ env.MATERIALX_ARCHIVE }}.zip
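Review bot: release.yml receives only the two pins; unlike main.yml, no hunk in this commit gives it an explicit `permissions:` block. The `Sign and Upload Archives` step in the release.yml hunk at line 34 appears to perform keyless signing and attach files to the release, which normally needs `id-token: write` and `contents: write`. If the file does not already declare them (not visible here), state them on the job as a `permissions:` block with `contents: write` and `id-token: write`. That keeps the release workflow independent of the repository's default token settings and documents exactly what the signing job is allowed to do.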