Merge branch 'main' into docs/data/add-backward-compatibility

Author: samet-akcay

.github/actions/code-quality/pre-commit/action.yaml

@@ -69,15 +69,15 @@ runs:
   steps:
     # Set up Python environment with caching
     - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
       with:
         python-version: ${{ inputs.python-version }}
         cache: pip # Enable pip caching
         cache-dependency-path: .pre-commit-config.yaml
 
     # Set up Node.js for JavaScript-related hooks
     - name: Set up Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
       with:
         node-version: ${{ inputs.node-version }}
 
@@ -92,7 +92,7 @@ runs:
     - name: Cache pre-commit hooks
       if: inputs.cache == 'true'
       id: pre-commit-cache
-      uses: actions/cache@v3
+      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4
       with:
         path: ~/.cache/pre-commit
         # Cache key includes Python and Node versions to ensure correct environment

.github/actions/pytest/action.yaml

@@ -94,7 +94,7 @@ runs:
   steps:
     # Set up Python with pip caching
     - name: Set up Python environment
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
       with:
         python-version: ${{ inputs.python-version }}
         cache: ${{ inputs.enable-cache == 'true' && 'pip' || '' }}
@@ -186,7 +186,7 @@ runs:
 
     - name: Upload test results
       if: always() && steps.test-execution.outcome == 'failure'
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: pytest-results-${{ inputs.test-type }}
         path: pytest_output.log

.github/actions/security/bandit/action.yaml

@@ -88,7 +88,7 @@ runs:
   using: composite
   steps:
     - name: Set up Python
-      uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: "3.10"
 
@@ -101,7 +101,7 @@ runs:
     - name: Get changed files
       if: inputs.scan-scope == 'changed'
       id: changed-files
-      uses: tj-actions/changed-files@823fcebdb31bb35fdf2229d9f769b400309430d0 # v46.0.3
+      uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
       with:
         files: |
           **/*.py
@@ -163,13 +163,13 @@ runs:
       # Upload results after full scope analysis
     - name: Upload reports
       if: hashFiles('bandit-report.*') != '' # if any report is available
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: bandit-results
         path: bandit-report.*
         retention-days: 7
     - name: Upload sarif
       if: hashFiles('bandit-report.sarif') != '' # if SARIF is available, upload it
-      uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.8
+      uses: github/codeql-action/upload-sarif@f1f6e5f6af878fb37288ce1c627459e94dbf7d01 # v3.30.1
       with:
         sarif_file: bandit-report.sarif

.github/actions/security/clamav/action.yaml

@@ -168,7 +168,7 @@ runs:
       # Upload results
     - name: Upload reports
       if: hashFiles('security-results/clamav*') != '' # if any report is available
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: clamav-results
         path: security-results/clamav

.github/actions/security/semgrep/action.yaml

@@ -91,7 +91,7 @@ runs:
     - name: Get changed files
       if: inputs.scan-scope == 'changed'
       id: changed-files
-      uses: tj-actions/changed-files@823fcebdb31bb35fdf2229d9f769b400309430d0 # v46.0.3
+      uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
       with:
         files: |
           **/*.*
@@ -170,13 +170,13 @@ runs:
       # Upload results after full scope analysis
     - name: Upload reports
       if: hashFiles('security-results/semgrep/*') != '' # if any report is available
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: semgrep-results
         path: security-results/semgrep
         retention-days: 7
     - name: Upload sarif
       if: hashFiles('security-results/semgrep/semgrep-results.sarif') != '' # if SARIF is available, upload it
-      uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.8
+      uses: github/codeql-action/upload-sarif@f1f6e5f6af878fb37288ce1c627459e94dbf7d01 # v3.30.1
       with:
         sarif_file: security-results/semgrep/semgrep-results.sarif

.github/actions/security/trivy/action.yaml

@@ -111,7 +111,7 @@ runs:
       uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
 
     - name: Cache Trivy vulnerability database
-      uses: actions/cache@v3
+      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4
       with:
         path: ~/.cache/trivy
         key: trivy-db-${{ runner.os }}-${{ hashFiles('**/trivy-db/**') }}
@@ -220,13 +220,13 @@ runs:
       # Upload results after full scope analysis
     - name: Upload reports
       if: hashFiles('security-results/trivy/*') != '' # if any report is available
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: trivy-results
         path: security-results/trivy
         retention-days: 7
     - name: Upload sarif
       if: hashFiles('security-results/trivy/trivy-results.sarif') != '' # if SARIF is available, upload it
-      uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.8
+      uses: github/codeql-action/upload-sarif@f1f6e5f6af878fb37288ce1c627459e94dbf7d01 # v3.30.1
       with:
         sarif_file: security-results/trivy/trivy-results.sarif

.github/actions/security/zizmor/action.yaml

@@ -51,7 +51,8 @@ inputs:
   zizmor-version:
     description: "Zizmor version"
     required: false
-    default: "1.9.0"
+    # renovate: datasource=github-releases depName=zizmorcore/zizmor
+    default: 1.11.0
 
 outputs:
   scan_result:
@@ -65,7 +66,7 @@ runs:
   using: composite
   steps:
     - name: Install uv
-      uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1
+      uses: astral-sh/setup-uv@557e51de59eb14aaaba2ed9621916900a91d50c6 # v6.6.1
       with:
         enable-cache: true
         activate-environment: true
@@ -75,7 +76,7 @@ runs:
     - name: Get changed files
       if: inputs.scan-scope == 'changed'
       id: changed-files
-      uses: tj-actions/changed-files@823fcebdb31bb35fdf2229d9f769b400309430d0 # v46.0.3
+      uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
       with:
         files: .github/**
 
@@ -136,13 +137,13 @@ runs:
       # Upload results after full scope analysis
     - name: Upload reports
       if: hashFiles('zizmor-report.*') != '' # if any report is available
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: zizmor-results
         path: zizmor-report.*
         retention-days: 7
     - name: Upload sarif
       if: hashFiles('zizmor-report.sarif') != '' # if SARIF is available, upload it
-      uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.8
+      uses: github/codeql-action/upload-sarif@f1f6e5f6af878fb37288ce1c627459e94dbf7d01 # v3.30.1
       with:
         sarif_file: zizmor-report.sarif

.github/dependabot.yml

@@ -0,0 +1,101 @@
+// Dependency Update Configuration
+//
+// See https://docs.renovatebot.com/configuration-options/
+// See https://json5.org/ for JSON5 syntax
+
+// [!] While updating the Renovate config, test changes on your own fork.
+//  1. Modify the Renovate configuration, which is located in .github/renovate.json5 and push your changes to the default branch of your fork.
+//  2. Enable the Renovate GitHub app in your GitHub account.
+//     Verify that Renovate is activated in the repository settings within the Renovate Dashboard.
+//     To enable the dashboard set `dependencyDashboard` to true
+//  3. Trigger the Renovate app from the dashboard, or push a new commit to your fork’s default branch to re-trigger Renovate.
+//  4. Use the dashboard to initiate Renovate and create a PR on your fork, then check that the proposed PRs are modifying the correct parts.
+//  5. Once you’ve validated that the Renovate configuration works on your fork, submit a PR,
+//     and include links in the description to share details about the testing you've conducted.
+
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+
+  // regenerate lock weekly https://docs.renovatebot.com/configuration-options/#lockfilemaintenance
+  lockFileMaintenance: {
+    enabled: true,
+    schedule: ["* * * * 0"], // weekly
+  },
+
+  extends: ["config:base", ":gitSignOff", "helpers:pinGitHubActionDigests"],
+  // https://docs.renovatebot.com/presets-default/#gitsignoff
+  // https://docs.renovatebot.com/presets-helpers/#helperspingithubactiondigests
+
+  // if necessary, add supported releases branches here
+  // it is possible to enable/disable specific upgrades per branch with
+  // `matchBaseBranches` in specific rule
+  baseBranches: ["main"],
+
+  enabledManagers: ["github-actions", "pep621", "custom.regex"],
+
+  // Set limit to 10
+  ignorePresets: [":prHourlyLimit2"],
+  prHourlyLimit: 10,
+
+  packageRules: [
+    // weekly dependencies upgrades
+    {
+      enabled: true,
+      matchManagers: ["pep621"],
+      schedule: ["* * * * 0"], // weekly
+    },
+
+    // Python version is upgraded manually
+    {
+      enabled: false,
+      matchDatasources: ["python-version"],
+      matchDepNames: ["python"],
+      matchDepTypes: ["requires-python"],
+    },
+
+    // disable open-clip-torch upgrades as
+    // open-clip-torch throws error on v2.26.1
+    {
+      enabled: false,
+      matchDatasources: ["pypi"],
+      matchDepNames: ["open-clip-torch"],
+      matchDepTypes: ["project.optional-dependencies"],
+    },
+
+    // Group GitHub Actions updates
+    {
+      enabled: true,
+      separateMajorMinor: false,
+      groupName: "GitHub Actions",
+      matchManagers: ["github-actions"],
+      matchPackagePatterns: ["*"],
+      schedule: ["* * 1 * *"], // every month
+    },
+
+    // Python version used in GitHub Actions is updated manually
+    {
+      enabled: false,
+      matchDatasources: ["github-releases"],
+      matchDepNames: ["python"],
+      matchDepTypes: ["uses-with"],
+    },
+  ],
+
+  // is used to upgrade Zizmor version
+  customManagers: [
+    {
+      fileMatch: ["^\\.github/actions/security/zizmor/[^/]+\\.ya?ml$"],
+      //   https://docs.renovatebot.com/modules/manager/regex/#advanced-capture
+      matchStrings: [
+        "# renovate: datasource=(?<datasource>.*?) depName=(?<depName>.*?)\\s+.+default: (?<currentValue>.*)",
+      ],
+    },
+  ],
+
+  // Enable security upgrades
+  vulnerabilityAlerts: {
+    enabled: true,
+  },
+  osvVulnerabilityAlerts: true,
+  dependencyDashboard: true,
+}

.github/renovate.json5

@@ -78,10 +78,10 @@ jobs:
     outputs:
       artifact-name: ${{ steps.set-artifact-name.outputs.name }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           persist-credentials: false
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
         with:
           python-version: ${{ inputs.python-version }}
       - name: Build package
@@ -96,13 +96,13 @@ jobs:
       - name: Set artifact name
         id: set-artifact-name
         run: echo "name=dist-$(date +%s)" >> $GITHUB_OUTPUT
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: ${{ steps.set-artifact-name.outputs.name }}
           path: dist/
           retention-days: 5
       - name: Cache pip dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4
         with:
           path: |
             ~/.cache/pip
@@ -111,7 +111,7 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-pip-
       - name: Cache build artifacts
-        uses: actions/cache@v4
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4
         with:
           path: |
             dist/