diff --git a/.github/actions/docker-tags/action.yml b/.github/actions/docker-tags/action.yml
index 1a563aade..a0b8e4243 100644
--- a/.github/actions/docker-tags/action.yml
+++ b/.github/actions/docker-tags/action.yml
@@ -46,8 +46,9 @@ runs:
 id: tags
 env:
 BRANCH_NAME_INPUT: ${{ github.event.inputs.branch_name }}
+ EVENT_NAME: ${{ github.event_name }}
 run: |
- if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+ if [ "${EVENT_NAME}" = "workflow_dispatch" ]; then
 BRANCH_NAME="${BRANCH_NAME_INPUT}"
 else
 BRANCH_NAME="${GITHUB_REF##*/}"
diff --git a/.github/workflows/binance-lev-tier-update.yml b/.github/workflows/binance-lev-tier-update.yml
index bf24ec1bf..500e2140b 100644
--- a/.github/workflows/binance-lev-tier-update.yml
+++ b/.github/workflows/binance-lev-tier-update.yml
@@ -6,20 +6,25 @@ on:
 # on demand
 workflow_dispatch:
+concurrency:
+ group: ${{ github.workflow }}
+ cancel-in-progress: true
+
 permissions:
 contents: read
 jobs:
 auto-update:
+ name: "Auto Update Binance Leverage Tiers"
 runs-on: ubuntu-latest
 environment:
 name: develop
 steps:
- - uses: actions/checkout@v6.0.1
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
- - uses: actions/setup-python@v6
+ - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
 with:
 python-version: "3.12"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b29e941fa..b342cc304 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,8 +16,8 @@ on:
 concurrency:
 group: "${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}"
 cancel-in-progress: true
-permissions:
- repository-projects: read
+permissions: {}
+
 jobs:
 tests:
 name: "Tests and Linting"
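Review bot: The else branch of the docker-tags script still derives the branch name with `${GITHUB_REF##*/}`, which keeps only the last path segment, so a ref such as refs/heads/feature/foo yields `foo` rather than `feature/foo`; the runner already exposes `GITHUB_REF_NAME` (the ref with its refs/heads/ or refs/tags/ prefix removed), so `BRANCH_NAME="${GITHUB_REF_NAME}"` is both shorter and exact. Moving `github.event_name` into the `EVENT_NAME` env var is the right fix for an expression expanded inside a shell script, and the rest of the run block continues outside the hunk, so any remaining `${{ }}` uses there deserve the same treatment. If collapsing slash-containing branch names is intentional (for example because the value feeds a Docker tag), a one-line comment above the assignment would save the next reader the question.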
@@ -28,12 +28,12 @@ jobs:
 python-version: ["3.11", "3.12", "3.13", "3.14"]
 steps:
- - uses: actions/checkout@v6.0.1
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
 with:
 python-version: ${{ matrix.python-version }}
@@ -178,12 +178,12 @@ jobs:
 name: "Mypy Version Check"
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@v6.0.1
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 #v6.1.0
 with:
 python-version: "3.12"
@@ -196,11 +196,11 @@ jobs:
 name: "Pre-commit checks"
 runs-on: ubuntu-22.04
 steps:
- - uses: actions/checkout@v6.0.1
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
- - uses: actions/setup-python@v6
+ - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
 with:
 python-version: "3.12"
 - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
@@ -209,7 +209,7 @@ jobs:
 name: "Documentation build"
 runs-on: ubuntu-22.04
 steps:
- - uses: actions/checkout@v6.0.1
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
@@ -218,7 +218,7 @@ jobs:
 ./tests/test_docs.sh
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
 with:
 python-version: "3.12"
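Review bot: The setup-python pin in the `Mypy Version Check` hunk (-178) is annotated `#v6.1.0` without the space that every other pin in this commit uses (`# v6.1.0`). Beyond the inconsistency, the `# vX.Y.Z` suffix is the form that Dependabot and Renovate parse to keep the version comment in step when they bump the SHA, so the spaceless variant may be left stale on the next update; change it to `uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0`. The remaining hunks on this line are consistent.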
@@ -241,12 +241,12 @@ jobs:
 name: "Tests and Linting - Online tests"
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@v6.0.1
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
 with:
 python-version: "3.12"
@@ -275,6 +275,7 @@ jobs:
 # Notify only once - when CI completes (and after deploy) in case it's successful
 notify-complete:
+ name: "Notify CI Completion"
 needs: [
 build,
 build-linux-online
@@ -282,8 +283,6 @@ jobs:
 runs-on: ubuntu-22.04
 # Discord notification can't handle schedule events
 if: github.event_name != 'schedule' && github.repository == 'freqtrade/freqtrade'
- permissions:
- repository-projects: read
 steps:
 - name: Check user permission
@@ -321,12 +320,12 @@ jobs:
 with:
 jobs: ${{ toJSON(needs) }}
- - uses: actions/checkout@v6.0.1
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
 with:
 python-version: "3.12"
@@ -336,7 +335,7 @@ jobs:
 python -m build --sdist --wheel
 - name: Upload artifacts 📦
- uses: actions/upload-artifact@v6
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.1.0
 with:
 name: freqtrade-build
 path: |
@@ -349,7 +348,7 @@ jobs:
 python -m build --sdist --wheel ft_client
 - name: Upload artifacts 📦
- uses: actions/upload-artifact@v6
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.1.0
 with:
 name: freqtrade-client-build
 path: |
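Review bot: Removing `repository-projects: read` from notify-complete (hunk -282) leaves the job with the workflow-level `permissions: {}` this commit introduces, so its GITHUB_TOKEN now carries no scopes at all; the `Check user permission` step that follows lies outside the hunk, and if it queries the API with that token it is likely to start failing rather than silently degrading. Either confirm that step uses a separate credential or no token, or grant the job only what the check reads, e.g. `permissions:` / `  contents: read`. The same review applies to every ci.yml job without a job-level `permissions:` block, such as the artifact build jobs at -321 and -336, which previously inherited `repository-projects: read` and now inherit nothing.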
@@ -365,15 +364,15 @@ jobs:
 name: testpypi
 url: https://test.pypi.org/p/freqtrade
 permissions:
- id-token: write
+ id-token: write # Needed for pypa/gh-action-pypi-publish
 steps:
- - uses: actions/checkout@v6.0.1
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 - name: Download artifact 📦
- uses: actions/download-artifact@v7
+ uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
 with:
 pattern: freqtrade*-build
 path: dist
@@ -394,15 +393,15 @@ jobs:
 name: pypi
 url: https://pypi.org/p/freqtrade
 permissions:
- id-token: write
+ id-token: write # Needed for pypa/gh-action-pypi-publish
 steps:
- - uses: actions/checkout@v6.0.1
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 - name: Download artifact 📦
- uses: actions/download-artifact@v7
+ uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
 with:
 pattern: freqtrade*-build
 path: dist
@@ -420,7 +419,7 @@ jobs:
 if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'release') && github.repository == 'freqtrade/freqtrade'
 uses: ./.github/workflows/docker-build.yml
 permissions:
- packages: write
+ packages: write # Needed to push package versions
 contents: read
 secrets:
 DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
@@ -434,6 +433,6 @@ jobs:
 # Only run on push, schedule, or release events
 if: (github.event_name == 'push' || github.event_name == 'schedule') && github.repository == 'freqtrade/freqtrade'
 permissions:
- packages: write
+ packages: write # Needed to delete package versions
 with:
 package_name: 'freqtrade'
diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml
index 33272efa6..83c110eec 100644
--- a/.github/workflows/deploy-docs.yml
+++ b/.github/workflows/deploy-docs.yml
@@ -11,6 +11,9 @@ on:
 # disable permissions for all of the available permissions
 permissions: {}
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
 jobs:
 build-docs:
@@ -19,12 +22,12 @@ jobs:
 name: Deploy Docs through mike
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6.0.1
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: true
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
 with:
 python-version: '3.12'
diff --git a/.github/workflows/devcontainer-build.yml b/.github/workflows/devcontainer-build.yml
index 485ff30ed..65296d89c 100644
--- a/.github/workflows/devcontainer-build.yml
+++ b/.github/workflows/devcontainer-build.yml
@@ -17,14 +17,17 @@ concurrency:
 group: "${{ github.workflow }}"
 cancel-in-progress: true
+permissions:
+ contents: read
 jobs:
 build-and-push:
+ name: "Build and Push Devcontainer Image"
 permissions:
- packages: write
+ packages: write # Needed to push package versions
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6.0.1
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 - name: Login to GitHub Container Registry
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index e105c9d21..e6240a837 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -17,6 +17,10 @@ on:
 default: 'develop'
 type: string
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
 permissions:
 contents: read
@@ -33,7 +37,7 @@ jobs:
 if: github.repository == 'freqtrade/freqtrade'
 steps:
- - uses: actions/checkout@v6.0.1
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
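Review bot: `cancel-in-progress: true` in the new deploy-docs.yml concurrency block cancels an in-flight run as soon as a newer one starts, and the job it governs is named `Deploy Docs through mike` and checks out with `persist-credentials: true`, which suggests it pushes to a docs branch; a run cancelled mid-push can leave that branch partially updated. For a deploy step, queuing is the safer default, as packages-cleanup.yml and zizmor_action.yml in this same commit already do with `cancel-in-progress: false`. The same question applies to the new blocks in docker-build.yml (image push) and docker-update-readme.yml, and to binance-lev-tier-update.yml if its update job commits or opens a PR. If superseding stale deploys is the intent, a one-line comment above `group:` saying so would make that explicit.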
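Review bot: The workflow-level `contents: read` added to devcontainer-build.yml does not reach the build-and-push job, because a job-level `permissions:` block replaces the workflow-level one rather than merging with it, so that job's token ends up with `packages: write` and nothing else. Cloning a public repository with actions/checkout does not need a token scope, so this probably passes today, but the top-level grant gives a misleading picture of what the job can do; either drop it or add `contents: read` under the job's `permissions:` next to `packages: write`. The deploy-arm job in docker-build.yml (hunk at -159 on the next line) has the same shape, with `packages: write` at job level and `contents: read` only at the top.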
@@ -159,14 +163,14 @@ jobs:
 deploy-arm:
 name: "Deploy Docker ARM64"
 permissions:
- packages: write
+ packages: write # Needed to push package versions
 needs: [ deploy-docker ]
 # Only run on 64bit machines
 runs-on: [self-hosted, linux, ARM64]
 if: github.repository == 'freqtrade/freqtrade'
 steps:
- - uses: actions/checkout@v6.0.1
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
diff --git a/.github/workflows/docker-update-readme.yml b/.github/workflows/docker-update-readme.yml
index 7f3a75280..939794a44 100644
--- a/.github/workflows/docker-update-readme.yml
+++ b/.github/workflows/docker-update-readme.yml
@@ -4,14 +4,19 @@ on:
 branches:
 - stable
+concurrency:
+ group: ${{ github.workflow }}
+ cancel-in-progress: true
+
 # disable permissions for all of the available permissions
 permissions: {}
 jobs:
 dockerHubDescription:
+ name: "Update Docker Hub Description"
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6.0.1
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
diff --git a/.github/workflows/packages-cleanup.yml b/.github/workflows/packages-cleanup.yml
index 9d31504e9..76b252df4 100644
--- a/.github/workflows/packages-cleanup.yml
+++ b/.github/workflows/packages-cleanup.yml
@@ -25,20 +25,26 @@ on:
 default: true
 type: boolean
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: false
+
 env:
 PACKAGE_NAME: "freqtrade"
+permissions: {}
+
 jobs:
 deploy-docker:
 name: "Delete Packages"
 runs-on: ubuntu-24.04
 if: github.repository == 'freqtrade/freqtrade'
 permissions:
- packages: write
+ packages: write # Needed to delete package versions
 steps:
 - name: "Delete untagged Package Versions"
- uses: actions/delete-package-versions@v5
+ uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5.0.0
 with:
 package-name: ${{ inputs.package_name || env.PACKAGE_NAME }}
 package-type: 'container'
diff --git a/.github/workflows/pre-commit-update.yml b/.github/workflows/pre-commit-update.yml
index 31a0f8c5a..28bc6473e 100644
--- a/.github/workflows/pre-commit-update.yml
+++ b/.github/workflows/pre-commit-update.yml
@@ -9,15 +9,20 @@ on:
 permissions:
 contents: read
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
 jobs:
 auto-update:
+ name: Auto-update pre-commit hooks
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6.0.1
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
- - uses: actions/setup-python@v6
+ - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
 with:
 python-version: "3.12"
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
deleted file mode 100644
index cec2469b8..000000000
--- a/.github/workflows/zizmor.yml
+++ /dev/null
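Review bot: `name: Auto-update pre-commit hooks` in pre-commit-update.yml is the only job name this commit adds without quotes; the other new names (`"Auto Update Binance Leverage Tiers"`, `"Build and Push Devcontainer Image"`, `"Update Docker Hub Description"`, `"Notify CI Completion"`) are double-quoted, so `name: "Auto-update pre-commit hooks"` keeps the files uniform. Separately, the concurrency group here and in packages-cleanup.yml keys on `github.event.pull_request.number || github.ref`, yet the visible context shows no pull_request trigger in either file (a permissions block directly after `on:` here, dispatch-style inputs there); unless one exists outside the hunk, the first operand is always empty and the group reduces to `${{ github.workflow }}-${{ github.ref }}`, which works but reads as a copy of the PR-oriented pattern and is worth simplifying so the intent is clear.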
@@ -1,30 +0,0 @@
-name: GitHub Actions Security Analysis with zizmor 🌈
-
-on:
- push:
- branches:
- - develop
- - stable
- pull_request:
- branches:
- - develop
- - stable
-
-permissions: {}
-
-jobs:
- zizmor:
- name: Run zizmor 🌈
- runs-on: ubuntu-latest
- permissions:
- security-events: write
- # contents: read # only needed for private repos
- # actions: read # only needed for private repos
- steps:
- - name: Checkout repository
- uses: actions/checkout@v6.0.1
- with:
- persist-credentials: false
-
- - name: Run zizmor 🌈
- uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
diff --git a/.github/workflows/zizmor_action.yml b/.github/workflows/zizmor_action.yml
new file mode 100644
index 000000000..7baf065cf
--- /dev/null
+++ b/.github/workflows/zizmor_action.yml
@@ -0,0 +1,34 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ branches:
+ - develop
+ - stable
+ pull_request:
+ branches:
+ - develop
+ - stable
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: false
+
+permissions: {}
+
+jobs:
+ zizmor:
+ name: Run zizmor 🌈
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+ # contents: read # Only needed for private repos. Needed to clone the repo.
+ # actions: read # Only needed for private repos. Needed for upload-sarif to read workflow run info.
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 09b08f0cc..9ae864090 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
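Review bot: `cancel-in-progress: false` in the new zizmor_action.yml means every push to a pull request queues a fresh scan behind any run still in flight for that PR instead of superseding it, which is the opposite of what ci.yml does for the same push/pull_request triggers (`cancel-in-progress: true`) and makes the status check slower to settle on busy PRs; for a stateless scan whose only output is a SARIF upload, `true` is the better default. The move from zizmor.yml to zizmor_action.yml keeps `name:` and the job id unchanged, so check contexts used by branch protection should be unaffected, but anything that references the workflow by file path (for example a `workflow_run` trigger or a CODEOWNERS entry) would need the new name. The deleted file is pure removal and needs no further review.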
@@ -83,6 +83,6 @@ repos:
 # Ensure github actions remain safe
 - repo: https://github.com/woodruffw/zizmor-pre-commit
- rev: v1.19.0
+ rev: v1.20.0
 hooks:
 - id: zizmor