Committing changes

.github/workflows/auto_release.yml

@@ -12,9 +12,11 @@ jobs:
     steps:
     - name: Lookup default branch name
       id: lookup_default_branch
-      uses: actions/github-script@v6
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea   # v7.0.1
       with:
         github-token: ${{ secrets.GITHUB_TOKEN }}
+        retries: 6  # final retry should wait 64 seconds
+        retry-exempt-status-codes: 400,401,404,422    # GH will raise rate limits with 403 & 429 status codes
         result-encoding: string
         script: |
           const repo = await github.rest.repos.get({
@@ -28,9 +30,11 @@ jobs:
 
     - name: Lookup HEAD commit on default branch
       id: lookup_default_branch_head
-      uses: actions/github-script@v6
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea   # v7.0.1
       with:
         github-token: ${{ secrets.GITHUB_TOKEN }}
+        retries: 6  # final retry should wait 64 seconds
+        retry-exempt-status-codes: 400,401,404,422    # GH will raise rate limits with 403 & 429 status codes
         result-encoding: string
         script: |
           const branch = await github.rest.repos.getBranch({
@@ -50,9 +54,11 @@ jobs:
     steps:
     - name: Check for 'no_release' label on PR
       id: check_for_norelease_label
-      uses: actions/github-script@v6
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea   # v7.0.1
       with:
         github-token: ${{ secrets.GITHUB_TOKEN }}
+        retries: 6  # final retry should wait 64 seconds
+        retry-exempt-status-codes: 400,401,404,422    # GH will raise rate limits with 403 & 429 status codes
         script: |
             const labels = await github.rest.issues.listLabelsOnIssue({
               owner: context.payload.repository.owner.login,
@@ -91,9 +97,11 @@ jobs:
     steps:
     - name: Get Open PRs
       id: get_open_pr_list
-      uses: actions/github-script@v6
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea   # v7.0.1
       with:
         github-token: ${{ secrets.GITHUB_TOKEN }}
+        retries: 6  # final retry should wait 64 seconds
+        retry-exempt-status-codes: 400,401,404,422    # GH will raise rate limits with 403 & 429 status codes
         # find all open PRs that are targetting the default branch (i.e. main/master)
         # return their titles, so they can parsed later to determine if they are
         # Dependabot PRs and whether we should wait for them to be auto-merged before
@@ -115,9 +123,11 @@ jobs:
 
     - name: Get 'pending_release' PRs
       id: get_release_pending_pr_list
-      uses: actions/github-script@v6
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea   # v7.0.1
       with:
         github-token: ${{ secrets.GITHUB_TOKEN }}
+        retries: 6  # final retry should wait 64 seconds
+        retry-exempt-status-codes: 400,401,404,422    # GH will raise rate limits with 403 & 429 status codes
         script: |
           const repoWithOwner = `${context.payload.repository.owner.login}/${context.payload.repository.name}`;
           const pulls = await github.rest.search.issuesAndPullRequests({
@@ -148,7 +158,7 @@ jobs:
         EOF
         echo "is_release_pending : ${{ steps.get_release_pending_pr_list.outputs.is_release_pending }}"
 
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
     - name: Read pr-autoflow configuration
       id: get_pr_autoflow_config
       uses: endjin/pr-autoflow/actions/read-configuration@v4
@@ -157,8 +167,10 @@ jobs:
 
     - name: Check Human PR
       id: is_human_pr
-      uses: actions/github-script@v6
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea   # v7.0.1
       with:
+        retries: 6  # final retry should wait 64 seconds
+        retry-exempt-status-codes: 400,401,404,422    # GH will raise rate limits with 403 & 429 status codes
         script: |
           return context.payload.pull_request.user.login != 'dependabot[bot]' && context.payload.pull_request.user.login != 'dependjinbot[bot]'
   
@@ -173,8 +185,10 @@ jobs:
 
     - name: Set Ready for Release
       id: set_ready_for_release
-      uses: actions/github-script@v6
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea   # v7.0.1
       with:
+        retries: 6  # final retry should wait 64 seconds
+        retry-exempt-status-codes: 400,401,404,422    # GH will raise rate limits with 403 & 429 status codes
         script: |
           return ( '${{ steps.is_human_pr.outputs.result }}' == 'true' || '${{ steps.watch_dependabot_prs.outputs.is_complete }}' == 'True') && '${{ steps.get_release_pending_pr_list.outputs.is_release_pending }}' == 'true'
 
@@ -193,11 +207,11 @@ jobs:
     if: |
       needs.check_ready_to_release.outputs.ready_to_release == 'true'
     steps:
-    - uses: actions/setup-dotnet@v1
+    - uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3    # v4.0.0
       with:
         dotnet-version: '6.x'
 
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
       with:
         # ensure we are creating the release tag on the default branch
         ref: ${{ needs.lookup_default_branch.outputs.branch_name }}
@@ -214,15 +228,17 @@ jobs:
 
     - name: Generate token
       id: generate_token
-      uses: tibdex/github-app-token@v1
+      uses: tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58   # v1.9
       with:
         app_id: ${{ secrets.ENDJIN_BOT_APP_ID }}
         private_key: ${{ secrets.ENDJIN_BOT_PRIVATE_KEY }}
 
     - name: Create SemVer tag
-      uses: actions/github-script@v6
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea   # v7.0.1
       with:
         github-token: ${{ steps.generate_token.outputs.token }}
+        retries: 6  # final retry should wait 64 seconds
+        retry-exempt-status-codes: 400,401,404,422    # GH will raise rate limits with 403 & 429 status codes
         script: |
           const uri_path = '/repos/' + context.payload.repository.owner.login + '/' + context.payload.repository.name + '/git/refs'
           const tag = await github.request(('POST ' + uri_path), {
@@ -234,9 +250,11 @@ jobs:
 
     - name: Remove 'release_pending' label from PRs
       id: remove_pending_release_labels
-      uses: actions/github-script@v6
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea   # v7.0.1
       with:
         github-token: '${{ steps.generate_token.outputs.token }}'
+        retries: 6  # final retry should wait 64 seconds
+        retry-exempt-status-codes: 400,401,404,422    # GH will raise rate limits with 403 & 429 status codes
         script: |
           core.info('PRs to unlabel: ${{ needs.check_ready_to_release.outputs.pending_release_pr_list }}')
           const pr_list = JSON.parse('${{ needs.check_ready_to_release.outputs.pending_release_pr_list }}')

.github/workflows/dependabot_approve_and_label.yml

@@ -23,7 +23,7 @@ jobs:
       is_auto_release_candidate: ${{ steps.parse_dependabot_pr_autorelease.outputs.is_interesting_package }}
       semver_increment: ${{ steps.parse_dependabot_pr_automerge.outputs.semver_increment }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
       - name: Read pr-autoflow configuration
         id: get_pr_autoflow_config
         uses: endjin/pr-autoflow/actions/read-configuration@v4
@@ -79,9 +79,11 @@ jobs:
         if: |
           needs.evaluate_dependabot_pr.outputs.is_auto_merge_candidate == 'True' &&
           (needs.evaluate_dependabot_pr.outputs.semver_increment == 'minor' || needs.evaluate_dependabot_pr.outputs.semver_increment == 'patch')
-        uses: actions/github-script@v6
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea   # v7.0.1
         with:
           github-token: '${{ secrets.GITHUB_TOKEN }}'
+          retries: 6  # final retry should wait 64 seconds
+          retry-exempt-status-codes: 400,401,404,422    # GH will raise rate limits with 403 & 429 status codes
           script: |
             await github.rest.pulls.update({
               owner: context.payload.repository.owner.login,
@@ -97,9 +99,11 @@ jobs:
     steps:
     - name: Check for 'no_release' label on PR
       id: check_for_norelease_label
-      uses: actions/github-script@v6
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea   # v7.0.1
       with:
         github-token: ${{ secrets.GITHUB_TOKEN }}
+        retries: 6  # final retry should wait 64 seconds
+        retry-exempt-status-codes: 400,401,404,422    # GH will raise rate limits with 403 & 429 status codes
         script: |
             const labels = await github.rest.issues.listLabelsOnIssue({
               owner: context.payload.repository.owner.login,
@@ -129,7 +133,7 @@ jobs:
       #       the usual 'Action' secrets as this workflow is triggered by Dependabot.
       - name: Generate token
         id: generate_token
-        uses: tibdex/github-app-token@v1
+        uses: tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58   # v1.9
         with:
           app_id: ${{ secrets.DEPENDJINBOT_APP_ID }}
           private_key: ${{ secrets.DEPENDJINBOT_PRIVATE_KEY }}
@@ -150,9 +154,11 @@ jobs:
             (github.actor != 'dependabot[bot]' && github.actor != 'dependjinbot[bot]') ||
             needs.evaluate_dependabot_pr.outputs.is_auto_release_candidate == 'True'
           )
-        uses: actions/github-script@v6
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea   # v7.0.1
         with:
           github-token: '${{ secrets.GITHUB_TOKEN }}'
+          retries: 6  # final retry should wait 64 seconds
+          retry-exempt-status-codes: 400,401,404,422    # GH will raise rate limits with 403 & 429 status codes
           script: |
             await github.rest.issues.addLabels({
               owner: context.payload.repository.owner.login,