tiagojcperez / maestro-cli / 27371646928
100%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 69
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 99.874% (+0.009%) from 99.865%
27371646928

push

github

web-flow 
ci: pin all GitHub Actions to commit SHAs (#8)

Replace mutable version-tag refs (@vN) and the @release/v1 branch ref with
full-length commit SHAs across all six workflows, each annotated with a
`# vX.Y.Z` trailing comment for readability. Dependabot keeps both the SHA
and the comment current via the existing weekly github-actions group, so
automation is unchanged.

This supersedes Dependabot PR #7: the 7 tag bumps it proposed are folded in
here at the pinned SHAs. It also permanently clears Codacy's recurring
HIGH RISK supply-chain warnings, which fire on every tag-based actions PR
and block merges via the branch's required_conversation_resolution rule.
And it aligns the Actions ecosystem with the immutability posture already
applied to Python CI tooling (.github/requirements-ci.txt pip constraints).

Pinned actions (target version in the trailing comment):
- actions/checkout                       -> v6.0.3
- actions/setup-python                   -> v6.2.0
- actions/setup-java            v4       -> v5.2.0
- actions/upload-artifact       v5       -> v7.0.1
- actions/download-artifact     v5       -> v8.0.1
- github/codeql-action          v3       -> v4.36.2
- codecov/codecov-action        v5       -> v7.0.0
- codecov/test-results-action            -> v1.2.1
- coverallsapp/github-action             -> v2.3.7
- codacy/codacy-coverage-reporter-action -> v1.3.0
- peter-evans/create-pull-request v7     -> v8.1.1
- SonarSource/sonarqube-scan-action v6   -> v8.2.0
- pypa/gh-action-pypi-publish @release/v1 -> v1.14.0 (OIDC publish step)

upload-artifact v7 + download-artifact v8 are the current latest of each
(they version independently); download v8 explicitly supports upload v7's
direct-upload, so the same-run handoff in publish.yml is unaffected.

The disabled paid-engines example in real-engine.yml keeps plain @v6 tags
(illustrative, inside a comment block). Also refreshes the now-stale
sonarcloud.yml comment (v6 / Scanner CLI 7.x -> v8 / Scanner CLI 8.... (continued)

23730 of 23760 relevant lines covered (99.87%)

1.0 hits per line

Jobs
ID Job ID Ran Files Coverage
1 27371646928.1 69
99.87
 GitHub Action Run
Source Files on build 27371646928