diff --git a/.github/actions/setup-mise/action.yml b/.github/actions/setup-mise/action.yml
index b1dadb4299..e58f6db5d9 100644
--- a/.github/actions/setup-mise/action.yml
+++ b/.github/actions/setup-mise/action.yml
@@ -4,7 +4,7 @@ description: Install tools via mise
 runs:
 using: "composite"
 steps:
- - uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3.5.1
+ - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
 with:
 install: true
 cache: true
diff --git a/.github/internal-actions/notify-slack-on-fail-or-recover/action.yml b/.github/internal-actions/notify-slack-on-fail-or-recover/action.yml
index 3396653f33..d02ef3126a 100644
--- a/.github/internal-actions/notify-slack-on-fail-or-recover/action.yml
+++ b/.github/internal-actions/notify-slack-on-fail-or-recover/action.yml
@@ -12,7 +12,7 @@ runs:
 using: 'composite'
 steps:
 - name: Get previous workflow run status
- uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
+ uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
 id: run-status
 with:
 script: |
diff --git a/.github/internal-actions/setup-gcloud/action.yml b/.github/internal-actions/setup-gcloud/action.yml
index 426133e807..388d378535 100644
--- a/.github/internal-actions/setup-gcloud/action.yml
+++ b/.github/internal-actions/setup-gcloud/action.yml
@@ -4,13 +4,13 @@ runs:
 using: "composite"
 steps:
 - name: Auth gcloud
- uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2
+ uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
 with:
 workload_identity_provider: 'projects/321830142373/locations/global/workloadIdentityPools/github/providers/expo'
 project_id: exponentjs
 - name: Setup gcloud
- uses: google-github-actions/setup-gcloud@e427ad8a34f8676edf47cf7d7925499adf3eb74f # v2
+ uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
 with:
 version: 548.0.0
 project_id: exponentjs
diff --git a/.github/workflows/build-and-deploy-worker.yml b/.github/workflows/build-and-deploy-worker.yml
index 87b4ef90c4..cebcb0c4f0 100644
--- a/.github/workflows/build-and-deploy-worker.yml
+++ b/.github/workflows/build-and-deploy-worker.yml
@@ -23,7 +23,7 @@ jobs:
 permissions:
 id-token: write
 steps:
- - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 - uses: ./.github/actions/setup-mise
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index 64662326a4..01d78fb188 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -18,19 +18,19 @@ jobs:
 name: Check CHANGELOG.md updated
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Check if CHANGELOG.md was updated
 id: changelog-updated
- uses: tj-actions/changed-files@b1ba699b304f2083b602164e06a89b868c84f076
+ uses: tj-actions/changed-files@934b2d2c7e653bb8c968afed5a0428617f09aa24
 with:
 files: CHANGELOG.md
 - name: Fail if CHANGELOG.md was not updated and the "no changelog" label is absent
 if: steps.changelog-updated.outputs.any_changed == 'false' && !contains(github.event.pull_request.labels.*.name, 'no changelog')
- uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
+ uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
 with:
 script: |
 core.setFailed('Please add a changelog entry!')
- - uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2.8.2
+ - uses: mshick/add-pr-comment@8e4927817251f1ff60c001f04568532b38e0b4a0 # v3.11.0
 if: always()
 with:
 message-id: changelog-entry-check
diff --git a/.github/workflows/codemention.yml b/.github/workflows/codemention.yml
index 230f808a46..61f503960d 100644
--- a/.github/workflows/codemention.yml
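Review bot: The version comment on the new checkout pin in build-and-deploy-worker.yml is stale: `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd` is still annotated `# v4`, while the same SHA is annotated `# v6.0.2` in changelog.yml, release.yml and the test workflows of this diff. The same mismatch appears in worker-system-tests.yml and in both worker.yml hunks. With SHA pinning the trailing comment is the only human-readable record of which release is being run, so it should read `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` in all four places. The stale label also hides that these workflows move from checkout v4 to v6, which deserves a deliberate look for the deploy job that holds `id-token: write`.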
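Review bot: The new `tj-actions/changed-files@934b2d2c7e653bb8c968afed5a0428617f09aa24` pin in changelog.yml carries no version comment, unlike every other pin this diff touches, so a reader cannot tell from the file which release the SHA is meant to be. Add the release it corresponds to, e.g. `uses: tj-actions/changed-files@934b2d2c7e653bb8c968afed5a0428617f09aa24 # vX.Y.Z` (placeholder; take the tag from the upstream repository), and confirm the commit is reachable from that tag in the upstream repository rather than only from a fork. The workflow runs this third-party action on pull requests and a later step comments on the PR; the trigger and token permissions are outside the hunk and should be checked to be no broader than that needs.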
+++ b/.github/workflows/codemention.yml
@@ -15,6 +15,6 @@ jobs:
 # Pinned to a commit SHA (not the v1.4.0 tag) because this runs under
 # pull_request_target with a write-scoped token — a re-pointed tag from
 # a compromised upstream account would give the attacker repo write access.
- - uses: tobyhs/codemention@bb6bfb2c3ff1e6fee7ee37006bbee6d114057225 # v1.4.0
+ - uses: tobyhs/codemention@14c10ab8528ed556c3b92f205e7b5aa03e7b187c # v1.5.2
 with:
 githubToken: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/.github/workflows/issue-triage.yml b/.github/workflows/issue-triage.yml
index d7f27bdb0e..fe415bd80e 100644
--- a/.github/workflows/issue-triage.yml
+++ b/.github/workflows/issue-triage.yml
@@ -8,7 +8,7 @@ jobs:
 runs-on: ubuntu-20.04
 if: "${{ contains(github.event.label.name, 'incomplete issue: missing or invalid repro') }}"
 steps:
- - uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3
+ - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
 with:
 github-token: ${{ secrets.EXPO_BOT_GITHUB_TOKEN }}
 script: |
@@ -52,7 +52,7 @@ jobs:
 runs-on: ubuntu-20.04
 if: "${{ contains(github.event.label.name, 'incomplete issue: missing info') }}"
 steps:
- - uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3
+ - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
 with:
 github-token: ${{ secrets.EXPO_BOT_GITHUB_TOKEN }}
 script: |
@@ -81,7 +81,7 @@ jobs:
 runs-on: ubuntu-20.04
 if: github.event.label.name == 'issue accepted'
 steps:
- - uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3
+ - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
 with:
 github-token: ${{ secrets.EXPO_BOT_GITHUB_TOKEN }}
 script: |
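Review bot: The context comment above the codemention pin still says `not the v1.4.0 tag`, but the pin now points at v1.5.2, so the rationale comment is out of date as soon as this lands. Wording it without a version keeps it true across bumps: `# Pinned to a commit SHA (not a release tag) because this runs under`. Because the step runs under pull_request_target with a write-scoped token, as that comment states, the new SHA `14c10ab8528ed556c3b92f205e7b5aa03e7b187c` should be checked against the upstream v1.5.2 tag before merge; nothing in the diff itself proves that mapping.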
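Review bot: Moving `actions/github-script` from v3 to v9.0.0 in issue-triage.yml crosses the v5 release, where the REST methods on the injected client moved under `github.rest` (for example `github.issues.createComment` became `github.rest.issues.createComment`). Each `script: |` body continues outside its hunk, so whether the scripts use the old form cannot be seen here; if they do, every triage job would fail at runtime and labelled issues would silently stop being handled. The same applies to the hunks at lines 52, 81, 98 and 126 of that file. Separately, all five jobs keep `runs-on: ubuntu-20.04`, which presumably needs moving to a currently supported runner label for the jobs to be picked up at all.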
@@ -98,7 +98,7 @@ jobs:
 runs-on: ubuntu-20.04
 if: "${{ contains(github.event.label.name, 'invalid issue: question') }}"
 steps:
- - uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3
+ - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
 with:
 github-token: ${{ secrets.EXPO_BOT_GITHUB_TOKEN }}
 script: |
@@ -126,7 +126,7 @@ jobs:
 runs-on: ubuntu-20.04
 if: "${{ contains(github.event.label.name, 'invalid issue: feature request') }}"
 steps:
- - uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3
+ - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
 with:
 github-token: ${{ secrets.EXPO_BOT_GITHUB_TOKEN }}
 script: |
diff --git a/.github/workflows/move-eas-build-tag.yml b/.github/workflows/move-eas-build-tag.yml
index 43cf6d3973..43e0634cff 100644
--- a/.github/workflows/move-eas-build-tag.yml
+++ b/.github/workflows/move-eas-build-tag.yml
@@ -29,7 +29,7 @@ jobs:
 INPUT_DRY_RUN: ${{ github.event.inputs.dry_run }}
 INPUT_STAGING_ONLY: ${{ github.event.inputs.staging_only }}
 steps:
- - uses: actions/setup-node@7c12f8017d5436eb855f1ed4399f037a36fbd9e8 # v2
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 registry-url: "https://registry.npmjs.org/"
 scope: "expo"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fcabad17ca..1357378929 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -29,7 +29,7 @@ jobs:
 permissions:
 id-token: write
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - uses: ./.github/actions/setup-mise
 - name: Install dependencies
 run: yarn install --immutable
@@ -58,7 +58,7 @@ jobs:
 permissions:
 contents: write
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 token: ${{ secrets.EXPO_BOT_PAT }}
 - uses: ./.github/actions/setup-mise
diff --git a/.github/workflows/stale-issues.yml b/.github/workflows/stale-issues.yml
index 110e8c1f1b..3b94ee62ef 100644
--- a/.github/workflows/stale-issues.yml
+++ b/.github/workflows/stale-issues.yml
@@ -8,7 +8,7 @@ jobs:
 close-issues:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/stale@a20b814fb01b71def3bd6f56e7494d667ddf28da # v4
+ - uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10.3.0
 with:
 ascending: false
 operations-per-run: 300
diff --git a/.github/workflows/test-graphql.yml b/.github/workflows/test-graphql.yml
index 38800d27bd..2cf339858f 100644
--- a/.github/workflows/test-graphql.yml
+++ b/.github/workflows/test-graphql.yml
@@ -17,7 +17,7 @@ jobs:
 name: Ensure GraphQL schema and generated code is up-to-date
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Setup tools
 uses: ./.github/actions/setup-mise
 - run: yarn install --immutable
diff --git a/.github/workflows/test-scripts.yml b/.github/workflows/test-scripts.yml
index 42c7a8aac8..7eb038067c 100644
--- a/.github/workflows/test-scripts.yml
+++ b/.github/workflows/test-scripts.yml
@@ -21,7 +21,7 @@ jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Setup tools
 uses: ./.github/actions/setup-mise
 - run: yarn install --immutable
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index a4458e79c3..7dbd74013b 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -21,7 +21,7 @@ jobs:
 coverage: true
 name: Test with Node ${{ matrix.node }}
 steps:
- - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Setup tools
 uses: ./.github/actions/setup-mise
 env:
@@ -66,7 +66,7 @@ jobs:
 working-directory: ./scripts
 env:
 YARN_ENABLE_HARDENED_MODE: ${{ matrix.coverage == true && '1' || '0' }}
- - uses: codecov/codecov-action@29386c70ef20e286228c72b668a06fd0e8399192 # v1
+ - uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
 if: ${{ matrix.coverage }}
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
@@ -79,7 +79,7 @@ jobs:
 name: Notify Slack
 if: ${{ github.ref == 'refs/heads/main' && always() }}
 steps:
- - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Notify Slack
 uses: ./.github/internal-actions/notify-slack-on-fail-or-recover
 with:
diff --git a/.github/workflows/trigger-release.yml b/.github/workflows/trigger-release.yml
index 09ff440525..50117c286f 100644
--- a/.github/workflows/trigger-release.yml
+++ b/.github/workflows/trigger-release.yml
@@ -22,7 +22,7 @@ jobs:
 INPUT_VERSION: ${{ github.event.inputs.version }}
 INPUT_DRY_RUN: ${{ github.event.inputs.dry_run }}
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: main
 fetch-depth: 0
diff --git a/.github/workflows/worker-system-tests.yml b/.github/workflows/worker-system-tests.yml
index 4e04b98c0c..095efbbfe4 100644
--- a/.github/workflows/worker-system-tests.yml
+++ b/.github/workflows/worker-system-tests.yml
@@ -11,7 +11,7 @@ jobs:
 EXPO_TOKEN: ${{ secrets.STAGING_EXPO_DEV_EXPO_SERVICES_GITHUB_ROBOT_ACCESS_TOKEN }}
 EXPO_STAGING: "1"
 steps:
- - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 - uses: ./.github/actions/setup-mise
diff --git a/.github/workflows/worker.yml b/.github/workflows/worker.yml
index 7a2f5f065f..efb2406b96 100644
--- a/.github/workflows/worker.yml
+++ b/.github/workflows/worker.yml
@@ -24,7 +24,7 @@ jobs:
 worker-checks:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 - uses: ./.github/actions/setup-mise
@@ -71,7 +71,7 @@ jobs:
 - deploy-worker-production
 if: github.ref == 'refs/heads/main' && always() && !cancelled()
 steps:
- - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 - name: Notify Slack
 uses: ./.github/internal-actions/notify-slack-on-fail-or-recover