diff --git a/.changeset/harden-gh-actions.md b/.changeset/harden-gh-actions.md new file mode 100644 index 00000000000..a845151cc84 --- /dev/null +++ b/.changeset/harden-gh-actions.md @@ -0,0 +1,2 @@ +--- +--- diff --git a/.github/actions/ensure-stable-pr/action.yml b/.github/actions/ensure-stable-pr/action.yml index f8d8ac9188e..7b6aaa9c91d 100644 --- a/.github/actions/ensure-stable-pr/action.yml +++ b/.github/actions/ensure-stable-pr/action.yml @@ -8,7 +8,7 @@ runs: using: 'composite' steps: - name: Ensure the PR hasn't changed since initiating the commented command. - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 env: CMD: ${{ inputs.cmd }} with: diff --git a/.github/actions/init-blacksmith/action.yml b/.github/actions/init-blacksmith/action.yml index c59ae8fa7fb..4751133eb55 100644 --- a/.github/actions/init-blacksmith/action.yml +++ b/.github/actions/init-blacksmith/action.yml @@ -48,7 +48,7 @@ runs: steps: - name: Configure Turborepo id: turbo - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 env: # envs are required to pass inputs to the script CACHE: ${{ inputs.turbo-cache }} @@ -110,10 +110,10 @@ runs: run: echo $TURBO_ARGS - name: Install PNPM - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4 - name: Setup NodeJS ${{ inputs.node-version }} - uses: useblacksmith/setup-node@v5 + uses: useblacksmith/setup-node@65c6ca86fdeb0ab3d85e78f57e4f6a7e4780b391 # v5 with: cache: ${{ inputs.cache-enabled == 'true' && 'pnpm' || '' }} node-version: ${{ inputs.node-version }} @@ -139,7 +139,7 @@ runs: - name: Cache Playwright Binaries if: inputs.playwright-enabled == 'true' && inputs.cache-enabled == 'true' - uses: useblacksmith/cache@v5 + uses: useblacksmith/cache@71c7c918062ba3861252d84b07fe5ab2a6b467a6 # v5 id: playwright-cache with: path: ~/.cache/ms-playwright 
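Review bot: The trailing comment on the new `uses:` line in ensure-stable-pr/action.yml records only the floating major tag (`# v7`), so a reader cannot tell which release the pinned commit `f28e40c7…` corresponds to without resolving it upstream; the same applies to almost every digest pin in this diff, the exceptions being the `slack-github-action` and `create-or-update-comment` pins, which already carry the full tag (`# v1.24.0`, `# v3.0.0`). Recording the full release tag the SHA was taken from, e.g. `uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.<minor>.<patch>` with the exact value confirmed against the upstream tag, makes each pin auditable and is presumably what Renovate's digest updates will write back on their first run anyway. The enclosing `runs:` block continues outside the hunk.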
diff --git a/.github/actions/init/action.yml b/.github/actions/init/action.yml index 761647a06f9..317bb090181 100644 --- a/.github/actions/init/action.yml +++ b/.github/actions/init/action.yml @@ -48,7 +48,7 @@ runs: steps: - name: Configure Turborepo id: turbo - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 env: # envs are required to pass inputs to the script CACHE: ${{ inputs.turbo-cache }} @@ -110,10 +110,10 @@ runs: run: echo $TURBO_ARGS - name: Install PNPM - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4 - name: Setup NodeJS ${{ inputs.node-version }} - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: cache: ${{ inputs.cache-enabled == 'true' && 'pnpm' || '' }} node-version: ${{ inputs.node-version }} @@ -139,7 +139,7 @@ runs: - name: Cache Playwright Binaries if: inputs.playwright-enabled == 'true' && inputs.cache-enabled == 'true' - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 id: playwright-cache with: path: ~/.cache/ms-playwright diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1b3ff2e2219..55bf914fcaf 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -31,7 +31,7 @@ jobs: - name: Get User Permission if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository }} id: checkAccess - uses: actions-cool/check-user-permission@v2 + uses: actions-cool/check-user-permission@c21884f3dda18dafc2f8b402fe807ccc9ec1aa5e # v2 with: require: write username: ${{ github.triggering_actor }} 
@@ -57,8 +57,9 @@ jobs: steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: + persist-credentials: false fetch-depth: 100 # Enough for changeset status comparison, much faster than full history fetch-tags: false filter: "blob:none" @@ -109,8 +110,9 @@ jobs: steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: + persist-credentials: false fetch-depth: 1 fetch-tags: false filter: "blob:none" @@ -130,7 +132,7 @@ jobs: run: pnpm turbo build $TURBO_ARGS --only - name: Upload Turbo Summary - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 if: ${{ env.TURBO_SUMMARIZE == 'true' }} continue-on-error: true with: @@ -156,8 +158,9 @@ jobs: steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: + persist-credentials: false fetch-depth: 1 fetch-tags: false filter: "blob:none" @@ -194,7 +197,7 @@ jobs: run: pnpm turbo lint $TURBO_ARGS - name: Upload Turbo Summary - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 if: ${{ env.TURBO_SUMMARIZE == 'true' }} continue-on-error: true with: @@ -231,8 +234,9 @@ jobs: steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: + persist-credentials: false fetch-depth: 1 fetch-tags: false filter: "blob:none" @@ -272,7 +276,7 @@ jobs: NODE_VERSION: ${{ matrix.node-version }} - name: Upload Turbo Summary - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 if: ${{ env.TURBO_SUMMARIZE == 'true' }} continue-on-error: true with: 
@@ -342,8 +346,9 @@ jobs: steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: + persist-credentials: false fetch-depth: 1 fetch-tags: false filter: "blob:none" @@ -435,7 +440,7 @@ jobs: run: cd packages/astro && pnpm copy:components - name: Write all ENV certificates to files in integration/certs - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 env: INTEGRATION_CERTS: "${{secrets.INTEGRATION_CERTS}}" INTEGRATION_ROOT_CA: "${{secrets.INTEGRATION_ROOT_CA}}" @@ -483,7 +488,7 @@ jobs: - name: Upload test-results if: ${{ cancelled() || failure() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: playwright-traces-${{ github.run_id }}-${{ github.run_attempt }}-${{ steps.sanitize.outputs.artifact-suffix }}${{ matrix.next-version && format('-next{0}', matrix.next-version) || '' }} path: test-results @@ -503,8 +508,9 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: + persist-credentials: false fetch-depth: 1 fetch-tags: false filter: "blob:none" diff --git a/.github/workflows/e2e-cleanups.yml b/.github/workflows/e2e-cleanups.yml index 5b619f6ae85..37bb41e184b 100644 --- a/.github/workflows/e2e-cleanups.yml +++ b/.github/workflows/e2e-cleanups.yml @@ -16,8 +16,9 @@ jobs: steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: + persist-credentials: false fetch-depth: 0 show-progress: false diff --git a/.github/workflows/e2e-staging.yml b/.github/workflows/e2e-staging.yml index 6eb57e958f8..bb3d3772505 100644 --- a/.github/workflows/e2e-staging.yml +++ b/.github/workflows/e2e-staging.yml 
@@ -43,7 +43,7 @@ jobs: runs-on: 'blacksmith-8vcpu-ubuntu-2204' steps: - name: Check org membership - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: script: | const org = context.repo.owner; @@ -97,8 +97,9 @@ jobs: fi - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: + persist-credentials: false ref: ${{ steps.inputs.outputs.ref }} sparse-checkout: scripts/validate-staging-instances.mjs fetch-depth: 1 @@ -173,8 +174,9 @@ jobs: fi - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: + persist-credentials: false ref: ${{ steps.inputs.outputs.ref }} fetch-depth: 1 fetch-tags: false @@ -245,7 +247,7 @@ jobs: pnpm add @clerk/ui@latest - name: Write all ENV certificates to files in integration/certs - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 env: INTEGRATION_CERTS: '${{ secrets.INTEGRATION_CERTS }}' INTEGRATION_ROOT_CA: '${{ secrets.INTEGRATION_ROOT_CA }}' @@ -285,7 +287,7 @@ jobs: - name: Upload test-results if: ${{ cancelled() || failure() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: playwright-traces-${{ github.run_id }}-${{ github.run_attempt }}-${{ steps.inputs.outputs.artifact-suffix }} path: test-results @@ -328,7 +330,7 @@ jobs: - name: Notify Slack on failure if: ${{ needs.integration-tests.result == 'failure' && steps.inputs.outputs.notify-slack == 'true' }} - uses: slackapi/slack-github-action@v1.24.0 + uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 with: payload: | { 
@@ -349,7 +351,7 @@ jobs: # Uncomment when clerk_go side is ready # - name: Post commit status to clerk_go # if: ${{ steps.inputs.outputs.clerk-go-commit-sha != '' }} - # uses: actions/github-script@v7 + # uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 # with: # github-token: ${{ secrets.CLERK_COOKIE_PAT }} # script: | diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 9a6a0df15dd..d27fdec4e32 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -11,4 +11,4 @@ jobs: pull-requests: write runs-on: ${{ vars.RUNNER_NORMAL || 'ubuntu-latest' }} steps: - - uses: actions/labeler@v6 + - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6 diff --git a/.github/workflows/lock-threads.yml b/.github/workflows/lock-threads.yml index 78312e74d5d..8a450c2fad3 100644 --- a/.github/workflows/lock-threads.yml +++ b/.github/workflows/lock-threads.yml @@ -19,7 +19,7 @@ jobs: timeout-minutes: 3 runs-on: ${{ vars.RUNNER_NORMAL || 'ubuntu-latest' }} steps: - - uses: actions/stale@v9 + - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9 name: Regular stale action with: days-before-issue-stale: 30 @@ -56,7 +56,7 @@ jobs: After 60 days of no activity, we'll close this PR. Keep in mind, I'm just a robot, so if I've closed this PR in error, please reply here and my human colleagues will reopen it. Thanks for being a part of the Clerk community! 🙏 - - uses: actions/stale@v9 + - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9 name: Stale action for needs-reproduction issues with: days-before-issue-stale: 7 
@@ -73,7 +73,7 @@ jobs: Thanks for being a part of the Clerk community! 🙏 close-issue-message: | After 8 days without a reproduction being supplied, we are closing this issue. Keep in mind, I'm just a robot, so if I've closed this issue in error, please reply here and my human colleagues will reopen it. Likewise if a reproduction is prepared after it has been closed. - - uses: dessant/lock-threads@v4 + - uses: dessant/lock-threads@be8aa5be94131386884a6da4189effda9b14aa21 # v4 with: issue-inactive-days: '365' issue-comment: 'This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.' diff --git a/.github/workflows/major-version-check.yml b/.github/workflows/major-version-check.yml index 883acfe95fd..201d3e6e9b4 100644 --- a/.github/workflows/major-version-check.yml +++ b/.github/workflows/major-version-check.yml @@ -18,7 +18,7 @@ jobs: steps: - name: Check for major changesets id: check_major - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: script: | const prNumber = context.payload?.pull_request?.number || context.payload?.issue?.number; @@ -74,7 +74,7 @@ jobs: - name: Check if major version bump is allowed if: steps.check_major.outputs.has_major_changeset == 'true' id: check_approval - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: script: | const prNumber = context.payload?.pull_request?.number || context.payload?.issue?.number; diff --git a/.github/workflows/mobile-e2e.yml b/.github/workflows/mobile-e2e.yml index 7f4fb9bf074..5c75f37af06 100644 --- a/.github/workflows/mobile-e2e.yml +++ b/.github/workflows/mobile-e2e.yml 
@@ -41,17 +41,20 @@ jobs: working-directory: . steps: - name: Checkout @clerk/javascript - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Checkout clerk-expo-quickstart - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: + persist-credentials: false repository: clerk/clerk-expo-quickstart ref: ${{ inputs.quickstart_ref }} path: clerk-expo-quickstart - - uses: pnpm/action-setup@v4 - - uses: actions/setup-node@v4 + - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 20 cache: pnpm @@ -95,7 +98,7 @@ jobs: echo "user_id=$user_id" >> "$GITHUB_OUTPUT" - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 @@ -106,7 +109,7 @@ jobs: echo "$HOME/.maestro/bin" >> "$GITHUB_PATH" - name: Run Android e2e - uses: reactivecircus/android-emulator-runner@v2 + uses: reactivecircus/android-emulator-runner@e89f39f1abbbd05b1113a29cf4db69e7540cae5a # v2 env: CLERK_TEST_EMAIL: ${{ steps.user.outputs.email }} CLERK_TEST_PASSWORD: ${{ steps.user.outputs.password }} @@ -126,7 +129,7 @@ jobs: - name: Upload Maestro artifacts on failure if: failure() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: maestro-android path: ~/.maestro/tests 
@@ -146,17 +149,20 @@ jobs: timeout-minutes: 60 steps: - name: Checkout @clerk/javascript - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Checkout clerk-expo-quickstart - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: + persist-credentials: false repository: clerk/clerk-expo-quickstart ref: ${{ inputs.quickstart_ref }} path: clerk-expo-quickstart - - uses: pnpm/action-setup@v4 - - uses: actions/setup-node@v4 + - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 20 cache: pnpm @@ -200,7 +206,7 @@ jobs: echo "user_id=$user_id" >> "$GITHUB_OUTPUT" - name: Cache SPM - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: ~/Library/Developer/Xcode/DerivedData key: spm-${{ hashFiles('packages/expo/package.json') }} @@ -226,7 +232,7 @@ jobs: - name: Upload Maestro artifacts on failure if: failure() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: maestro-ios path: ~/.maestro/tests diff --git a/.github/workflows/nightly-checks.yml b/.github/workflows/nightly-checks.yml index de115551d09..61ad42c4b23 100644 --- a/.github/workflows/nightly-checks.yml +++ b/.github/workflows/nightly-checks.yml @@ -19,8 +19,9 @@ jobs: steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: + persist-credentials: false fetch-depth: 1 fetch-tags: false filter: "blob:none" 
@@ -108,7 +109,7 @@ jobs: # Upload test artifacts if tests failed - name: Upload Test Artifacts if: steps.integration_tests.outputs.exit_code != '0' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: test-artifacts-${{ matrix.test-name }} path: | @@ -119,7 +120,7 @@ jobs: - name: Report Status if: always() - uses: ravsamhq/notify-slack-action@v1 + uses: ravsamhq/notify-slack-action@4ed28566c2bdcdaee6dca2b46b9666d01b4ed8a4 # v1 with: status: ${{ steps.integration_tests.outputs.exit_code == '0' && 'success' || 'failure' }} notify_when: "failure" diff --git a/.github/workflows/pr-title-linter.yml b/.github/workflows/pr-title-linter.yml index 72527862b27..1a727777d5d 100644 --- a/.github/workflows/pr-title-linter.yml +++ b/.github/workflows/pr-title-linter.yml @@ -20,8 +20,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: + persist-credentials: false show-progress: false sparse-checkout: | commitlint.config.ts diff --git a/.github/workflows/release-preflight.yml b/.github/workflows/release-preflight.yml index ea9edb40032..600320b11eb 100644 --- a/.github/workflows/release-preflight.yml +++ b/.github/workflows/release-preflight.yml @@ -19,8 +19,9 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: + persist-credentials: false fetch-depth: 100 fetch-tags: false filter: 'blob:none' @@ -91,7 +92,7 @@ jobs: - name: Upload preflight artifacts if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: release-preflight-artifacts path: .release-artifacts/ diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index dc19631b937..ce10319a293 100644 --- a/.github/workflows/release.yml 
+++ b/.github/workflows/release.yml @@ -42,7 +42,7 @@ jobs: GITHUB_CONTEXT: ${{ toJson(github) }} - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 show-progress: false @@ -69,7 +69,7 @@ jobs: - name: Create Release PR id: changesets - uses: changesets/action@v1 + uses: changesets/action@63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b # v1 with: commit: "ci(repo): Version packages" title: "ci(repo): Version packages" @@ -84,7 +84,7 @@ jobs: - name: Trigger workflows on related repos if: steps.changesets.outputs.published == 'true' continue-on-error: true - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: result-encoding: string retries: 3 @@ -125,7 +125,7 @@ jobs: - name: Recover downstream notifications if: always() && steps.changesets.conclusion == 'failure' continue-on-error: true - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: result-encoding: string retries: 3 @@ -206,7 +206,7 @@ jobs: - name: Send commit log to Slack id: slack if: steps.changesets.outputs.published == 'true' - uses: slackapi/slack-github-action@v1.24.0 + uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 with: payload: ${{ steps.notification.outputs.payload }} env: @@ -215,7 +215,7 @@ jobs: - name: Notify Slack on failure if: ${{ always() && steps.changesets.outcome == 'failure' }} - uses: slackapi/slack-github-action@v1.24.0 + uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 with: payload: | { @@ -243,8 +243,9 @@ jobs: id-token: write steps: - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: + persist-credentials: false fetch-depth: 1 fetch-tags: false filter: 'blob:none' 
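Review bot: The `Checkout repo` step at `@@ -42` in release.yml is the one checkout in this commit that does not get `persist-credentials: false`, and nothing on the step says whether that is deliberate. If it is intentional because the `Create Release PR` step (changesets/action, `@@ -69`) presumably pushes the version branch with the credentials this checkout leaves in `.git/config`, a comment would stop the next hardening pass from "fixing" it, e.g. `# persist-credentials intentionally left on: changesets/action pushes the release branch with it`. If it is not intentional, the step should get `persist-credentials: false` like the others and the push should use an explicitly scoped token instead. The job's `steps:` list continues outside the hunk.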
@@ -279,7 +280,7 @@ jobs: - name: Trigger workflows on related repos if: steps.publish.outcome == 'success' continue-on-error: true - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: result-encoding: string retries: 3 @@ -314,7 +315,7 @@ jobs: - name: Notify Slack on failure if: ${{ always() && steps.publish.outcome == 'failure' }} - uses: slackapi/slack-github-action@v1.24.0 + uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 with: payload: | { @@ -345,7 +346,7 @@ jobs: steps: - name: Limit action to Clerk members - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: result-encoding: string retries: 3 @@ -365,7 +366,7 @@ jobs: } - name: Validate PR source and freshness - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: result-encoding: string retries: 3 @@ -390,7 +391,7 @@ jobs: } - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: refs/pull/${{ github.event.issue.number }}/head persist-credentials: false @@ -412,7 +413,7 @@ jobs: - name: Extract snapshot name id: extract-snapshot-name - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: script: | const match = context.payload.comment.body.match(/!snapshot (.*)/) @@ -440,7 +441,7 @@ jobs: - name: Package info if: steps.version-packages.outputs.success == '1' id: package-info - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: script: | const fs = require("fs"); 
@@ -467,14 +468,14 @@ jobs: - name: Update Comment if: steps.version-packages.outputs.success == '1' - uses: peter-evans/create-or-update-comment@v3.0.0 + uses: peter-evans/create-or-update-comment@3383acd359705b10cb1eeef05c0e88c056ea4666 # v3.0.0 with: comment-id: ${{ github.event.comment.id }} reactions: heart - name: Minimize previous snapshot comments if: steps.version-packages.outputs.success == '1' - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: script: | const { data: comments } = await github.rest.issues.listComments({ @@ -503,7 +504,7 @@ jobs: - name: Create snapshot release comment if: steps.version-packages.outputs.success == '1' - uses: peter-evans/create-or-update-comment@v3.0.0 + uses: peter-evans/create-or-update-comment@3383acd359705b10cb1eeef05c0e88c056ea4666 # v3.0.0 with: issue-number: ${{ github.event.issue.number }} body: | @@ -532,8 +533,9 @@ jobs: steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: + persist-credentials: false fetch-depth: 1 fetch-tags: false filter: "blob:none" diff --git a/.github/workflows/validate-renovate-config.yml b/.github/workflows/validate-renovate-config.yml index 66457fdf58a..c1ae544ba42 100644 --- a/.github/workflows/validate-renovate-config.yml +++ b/.github/workflows/validate-renovate-config.yml @@ -14,7 +14,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Validate Renovate Config run: npx --yes --package renovate@43.150.0 renovate-config-validator diff --git a/renovate.json5 b/renovate.json5 index 958e91715ce..f5e2f0030b1 100644 --- a/renovate.json5 +++ b/renovate.json5 
@@ -23,6 +23,8 @@ "packages/upgrade/src/__tests__/fixtures/**", ], includePaths: [ + ".github/actions/**", + ".github/workflows/**", "package.json", "packages/**", "pnpm-workspace.yaml", @@ -1433,6 +1435,32 @@ "major", ], }, + { + matchManagers: [ + "github-actions", + ], + pinDigests: true, + groupName: "GitHub Actions", + groupSlug: "github-actions", + matchUpdateTypes: [ + "patch", + "minor", + "digest", + ], + semanticCommitScope: "repo", + automerge: false, + }, + { + matchManagers: [ + "github-actions", + ], + matchUpdateTypes: [ + "major", + ], + groupName: "GitHub Actions (major)", + groupSlug: "github-actions-major", + semanticCommitScope: "repo", + }, ], postUpdateOptions: [ "pnpmDedupe", diff --git a/scripts/renovate-config-generator.mjs b/scripts/renovate-config-generator.mjs index 3172bf3e571..5cd9ae09594 100644 --- a/scripts/renovate-config-generator.mjs +++ b/scripts/renovate-config-generator.mjs @@ -103,6 +103,22 @@ const defaultRules = [ groupName: 'Remix monorepo', matchUpdateTypes: ['patch', 'minor', 'major'], }, + { + matchManagers: ['github-actions'], + pinDigests: true, + groupName: 'GitHub Actions', + groupSlug: 'github-actions', + matchUpdateTypes: ['patch', 'minor', 'digest'], + semanticCommitScope: 'repo', + automerge: false, + }, + { + matchManagers: ['github-actions'], + matchUpdateTypes: ['major'], + groupName: 'GitHub Actions (major)', + groupSlug: 'github-actions-major', + semanticCommitScope: 'repo', + }, ]; const getPackageNames = async () => { @@ -187,7 +203,13 @@ const renovateConfig = { 'integration/templates/**', 'packages/upgrade/src/__tests__/fixtures/**', ], - includePaths: ['package.json', 'packages/**', 'pnpm-workspace.yaml'], + includePaths: [ + '.github/actions/**', + '.github/workflows/**', + 'package.json', + 'packages/**', + 'pnpm-workspace.yaml', + ], major: { dependencyDashboardApproval: true }, minimumReleaseAge: '3 days', nvm: { enabled: false },
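Review bot: `pinDigests: true` in the new `GitHub Actions` rule at `@@ -1433` sits in a packageRule that also uses `matchUpdateTypes`, and Renovate applies `matchUpdateTypes` rules only after the version lookup, so a lookup-time option like `pinDigests` may not take effect there; the same shape is repeated in the `defaultRules` hunk of scripts/renovate-config-generator.mjs. Moving the pin into its own rule without an update-type filter, e.g. `{ matchManagers: ['github-actions'], pinDigests: true }` (or extending the `helpers:pinGitHubActionDigests` preset), and keeping the grouping/automerge rule as it is avoids that ambiguity; worth confirming against a Renovate dry run rather than the schema-only validator the commit wires up in validate-renovate-config.yml. Since the generator script appears to produce renovate.json5, the change belongs in the script first so the two stay in sync.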