From 1df8a7d059c8a852709b6c936812f9bfdb3d3d8e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=A9ter=20Garamv=C3=B6lgyi?= Date: Wed, 7 Jan 2026 12:03:41 +0100 Subject: [PATCH 1/2] chore: dependabot --- .github/dependabot.yml | 2 ++ .github/workflows/contracts.yml | 22 +++++++++++----------- .github/workflows/docker-release.yml | 6 +++--- .github/workflows/zizmor.yml | 4 ++-- 4 files changed, 18 insertions(+), 16 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 5ace4600..6cc00712 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,3 +4,5 @@ updates: directory: "/" schedule: interval: "weekly" + cooldown: + default-days: 7 diff --git a/.github/workflows/contracts.yml b/.github/workflows/contracts.yml index 852f693f..f576347f 100644 --- a/.github/workflows/contracts.yml +++ b/.github/workflows/contracts.yml @@ -29,13 +29,13 @@ jobs: steps: - name: Checkout sources - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: submodules: recursive persist-credentials: false - name: Install Foundry - uses: foundry-rs/foundry-toolchain@50d5a8956f2e319df19e6b57539d7e2acb9f8c1e # v1.5.0 + uses: foundry-rs/foundry-toolchain@8b0419c685ef46cb79ec93fbdc131174afceb730 # v1.6.0 with: version: nightly @@ -52,7 +52,7 @@ jobs: run: echo "::set-output name=dir::$(yarn cache dir)" - name: Cache yarn dependencies - uses: actions/cache@v4 + uses: actions/cache@v5 id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`) with: path: ${{ steps.yarn-cache-dir-path.outputs.dir }} @@ -62,7 +62,7 @@ jobs: - name: Cache node_modules id: npm_cache - uses: actions/cache@v4 + uses: actions/cache@v5 with: path: node_modules key: node_modules-${{ hashFiles('yarn.lock') }} @@ -84,7 +84,7 @@ jobs: run : lcov --rc branch_coverage=1 --remove ./lcov.info -o ./lcov.info.pruned 'src/mocks/*' 'src/test/*' 'scripts/*' 'node_modules/*' 'lib/*' --ignore-errors unused,unused - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 + uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2 env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: @@ -98,7 +98,7 @@ jobs: steps: - name: Checkout sources - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: submodules: recursive persist-credentials: false @@ -113,7 +113,7 @@ jobs: run: echo "::set-output name=dir::$(yarn cache dir)" - name: Cache yarn dependencies - uses: actions/cache@v4 + uses: actions/cache@v5 id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`) with: path: ${{ steps.yarn-cache-dir-path.outputs.dir }} @@ -123,7 +123,7 @@ jobs: - name: Cache node_modules id: npm_cache - uses: actions/cache@v4 + uses: actions/cache@v5 with: path: node_modules key: node_modules-${{ hashFiles('yarn.lock') }} @@ -147,7 +147,7 @@ jobs: security-events: write steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 with: submodules: recursive persist-credentials: false @@ -158,7 +158,7 @@ jobs: - run: yarn install --frozen-lockfile - - uses: foundry-rs/foundry-toolchain@50d5a8956f2e319df19e6b57539d7e2acb9f8c1e # v1.5.0 + - uses: foundry-rs/foundry-toolchain@8b0419c685ef46cb79ec93fbdc131174afceb730 # v1.6.0 with: version: nightly @@ -186,7 +186,7 @@ jobs: --json slither-report.json \ --markdown-root slither-report.md - - uses: actions/upload-artifact@v5 + - uses: actions/upload-artifact@v6 with: name: slither-static-analysis path: | diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml index 910ff605..63ee35f6 100644 --- a/.github/workflows/docker-release.yml +++ b/.github/workflows/docker-release.yml @@ -12,7 +12,7 @@ jobs: steps: - name: Check out repository - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: submodules: true persist-credentials: false @@ -21,7 +21,7 @@ jobs: run: git submodule update --init --recursive - name: Set up QEMU - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 - name: Setup Node.js environment uses: actions/setup-node@v6 @@ -33,7 +33,7 @@ jobs: run: npm install - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 with: cache-binary: false diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index fff3b69d..cd43ca53 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -18,12 +18,12 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: persist-credentials: false - name: Install the latest version of uv - uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.1.2 + uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6 - name: Run zizmor run: uvx zizmor --format sarif . > results.sarif From 94023fd049f589e274c9cd12686498faaf744bcf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=A9ter=20Garamv=C3=B6lgyi?= Date: Wed, 7 Jan 2026 12:09:40 +0100 Subject: [PATCH 2/2] pin all --- .github/workflows/contracts.yml | 24 ++++++++++++------------ .github/workflows/docker-release.yml | 4 ++-- .github/workflows/zizmor.yml | 2 +- 3 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/contracts.yml b/.github/workflows/contracts.yml index f576347f..3c19c634 100644 --- a/.github/workflows/contracts.yml +++ b/.github/workflows/contracts.yml @@ -29,7 +29,7 @@ jobs: steps: - name: Checkout sources - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive persist-credentials: false @@ -43,7 +43,7 @@ jobs: uses: hrishikesh-kadam/setup-lcov@6c1aa0cc9e1c02f9f58f01ac599f1064ccc83470 # v1 - name: Install Node.js 18 - uses: actions/setup-node@v6 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: '18' @@ -52,7 +52,7 @@ jobs: run: echo "::set-output name=dir::$(yarn cache dir)" - name: Cache yarn dependencies - uses: actions/cache@v5 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`) with: path: ${{ steps.yarn-cache-dir-path.outputs.dir }} @@ -62,7 +62,7 @@ jobs: - name: Cache node_modules id: npm_cache - uses: actions/cache@v5 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: path: node_modules key: node_modules-${{ hashFiles('yarn.lock') }} @@ -98,13 +98,13 @@ jobs: steps: - name: Checkout sources - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive persist-credentials: false - name: Install Node.js 18 - uses: actions/setup-node@v6 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: '18' @@ -113,7 +113,7 @@ jobs: run: echo "::set-output name=dir::$(yarn cache dir)" - name: Cache yarn dependencies - uses: actions/cache@v5 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`) with: path: ${{ steps.yarn-cache-dir-path.outputs.dir }} @@ -123,7 +123,7 @@ jobs: - name: Cache node_modules id: npm_cache - uses: actions/cache@v5 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: path: node_modules key: node_modules-${{ hashFiles('yarn.lock') }} @@ -147,12 +147,12 @@ jobs: security-events: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive persist-credentials: false - - uses: actions/setup-node@v6 + - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: '18' @@ -165,7 +165,7 @@ jobs: - name: Build contracts run: forge build --build-info --out out --evm-version cancun - - uses: actions/setup-python@v6 + - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: python-version: '3.11' @@ -186,7 +186,7 @@ jobs: --json slither-report.json \ --markdown-root slither-report.md - - uses: actions/upload-artifact@v6 + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: slither-static-analysis path: | diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml index 63ee35f6..5617927e 100644 --- a/.github/workflows/docker-release.yml +++ b/.github/workflows/docker-release.yml @@ -12,7 +12,7 @@ jobs: steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: true persist-credentials: false @@ -24,7 +24,7 @@ jobs: uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 - name: Setup Node.js environment - uses: actions/setup-node@v6 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: '21' package-manager-cache: false diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index cd43ca53..b006ab05 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -18,7 +18,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false