MOBILE-121: Bump GitHub Actions to supported Node runtimes

.github/dependabot.yml

@@ -0,0 +1,16 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:00"
+      timezone: "UTC"
+    open-pull-requests-limit: 1
+    groups:
+      github-actions:
+        patterns: ["*"]
+    commit-message:
+      prefix: "deps"
+      include: "scope"

.github/git-release-ci.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Creates a GitHub release for a single Flutter SDK package.
+# Flutter SDK is a monorepo of independently-versioned packages, so this is
+# called once per published package (mindbox, mindbox_android, mindbox_ios,
+# mindbox_platform_interface) with that package's tag/title.
+#
+# Usage: git-release-ci.sh <tag> <title> <branch>
+tag="${1:?usage: git-release-ci.sh <tag> <title> <branch>}"
+title="${2:?usage: git-release-ci.sh <tag> <title> <branch>}"
+branch="${3:?usage: git-release-ci.sh <tag> <title> <branch>}"
+
+notes="Auto-generated release. Check more details at [Mindbox Flutter SDK Documentation](https://developers.mindbox.ru/docs/flutter-sdk)"
+
+# Idempotent: a re-run of a release must not fail on an already-published tag.
+if gh release view "$tag" >/dev/null 2>&1; then
+  echo "Release $tag already exists — skipping."
+  exit 0
+fi
+
+echo "Creating release $tag on branch $branch"
+gh release create "$tag" --target "$branch" --title "$title" --notes "$notes"

.github/workflows/analyze_and_test.yml

@@ -16,18 +16,18 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   platform_interface_flutter_test:
     name: platform_interface running analyze and tests
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           ref: ${{ inputs.branch || github.head_ref }}
-      - uses: actions/setup-java@v1
-        with:
-          java-version: "12.x"
-      - uses: subosito/flutter-action@v2
+      - uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0
         with:
           channel: "stable"
       - name: Add publish_to tag
@@ -41,13 +41,10 @@ jobs:
     name:  android_component running analyze and tests
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           ref: ${{ inputs.branch || github.head_ref }}
-      - uses: actions/setup-java@v1
-        with:
-          java-version: "12.x"
-      - uses: subosito/flutter-action@v2
+      - uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0
         with:
           channel: "stable"
       - name: Add publish_to tag
@@ -64,13 +61,10 @@ jobs:
     name:  ios_component running analyze and tests
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           ref: ${{ inputs.branch || github.head_ref }}
-      - uses: actions/setup-java@v1
-        with:
-          java-version: "12.x"
-      - uses: subosito/flutter-action@v2
+      - uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0
         with:
           channel: "stable"
       - name: Add publish_to tag
@@ -87,13 +81,10 @@ jobs:
     name: example running analyze
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           ref: ${{ inputs.branch || github.head_ref }}
-      - uses: actions/setup-java@v1
-        with:
-          java-version: "12.x"
-      - uses: subosito/flutter-action@v2
+      - uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0
         with:
           channel: "stable"
 
@@ -104,13 +95,10 @@ jobs:
     name:  plugin running analyze and tests
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           ref: ${{ inputs.branch || github.head_ref }}
-      - uses: actions/setup-java@v1
-        with:
-          java-version: "12.x"
-      - uses: subosito/flutter-action@v2
+      - uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0
         with:
           channel: "stable"
 

.github/workflows/distribute-develop-mission.yml

@@ -8,10 +8,14 @@ on:
     types:
       - closed
 
+permissions:
+  contents: read
+
 jobs:
   call-reusable:
     if: ${{ github.event.pull_request.merged == true }}
     uses: ./.github/workflows/distribute-reusable.yml
     with:
       branch: ${{ github.base_ref }}
-    secrets: inherit
+    secrets:
+      GITLAB_TRIGGER_TOKEN: ${{ secrets.GITLAB_TRIGGER_TOKEN }}

.github/workflows/distribute-manual.yml

@@ -8,10 +8,14 @@ on:
         required: false
         default: ""
 
+permissions:
+  contents: read
+
 jobs:
   call-reusable:
     uses: ./.github/workflows/distribute-reusable.yml
     with:
       branch: ${{ github.ref_name }}     # SDK branch = current branch
       app_ref: ${{ inputs.app_ref }}     # optional override for GitLab ref
-    secrets: inherit
+    secrets:
+      GITLAB_TRIGGER_TOKEN: ${{ secrets.GITLAB_TRIGGER_TOKEN }}

.github/workflows/distribute-release-support-mission.yml

@@ -10,10 +10,14 @@ on:
       - opened
       - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   call-reusable:
     if: ${{ startsWith(github.event.pull_request.head.ref, 'release/') }}
     uses: ./.github/workflows/distribute-reusable.yml
     with:
       branch: ${{ github.event.pull_request.head.ref }}
-    secrets: inherit
+    secrets:
+      GITLAB_TRIGGER_TOKEN: ${{ secrets.GITLAB_TRIGGER_TOKEN }}

.github/workflows/distribute-reusable.yml

@@ -14,12 +14,15 @@ on:
       GITLAB_TRIGGER_TOKEN:
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   trigger:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           ref: ${{ inputs.branch }}
           fetch-depth: 3
@@ -29,9 +32,12 @@ jobs:
         run: |
           set -euo pipefail
           commits="$(git log -3 --pretty=format:"%s")"
-          echo "commits<<EOF" >> "$GITHUB_ENV"
-          echo "$commits"     >> "$GITHUB_ENV"
-          echo "EOF"          >> "$GITHUB_ENV"
+          delim="EOF_$(openssl rand -hex 8)"
+          {
+            echo "commits<<$delim"
+            echo "$commits"
+            echo "$delim"
+          } >> "$GITHUB_ENV"
 
       - name: Debug payload that will be sent to GitLab
         shell: bash

.github/workflows/gitleaks-secrets-validate.yml

@@ -2,18 +2,22 @@ name: Gitleaks Secrets Validate
 on:
   pull_request:
   workflow_dispatch:
+
+permissions:
+  contents: read
+
 jobs:
   scan:
     name: gitleaks
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           fetch-depth: 0
 
       - name: Run Gitleaks
-        uses: gitleaks/gitleaks-action@v2
+        uses: gitleaks/gitleaks-action@e0c47f4f8be36e29cdc102c57e68cb5cbf0e8d1e # v3.0.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITLEAKS_LICENSE: ${{ secrets.MINDBOX_GITLEAKS_LICENSE }} 

.github/workflows/manual-prepare_release_branch.yml

@@ -23,32 +23,38 @@ on:
         required: true
         default: 'master'
 
+permissions:
+  contents: read
+
 jobs:
   validate-input:
     name: Validate versions format
     runs-on: ubuntu-latest
     steps:
       - name: Check release_version matches semver
+        env:
+          V: ${{ github.event.inputs.release_version }}
         run: |
-          V=${{ github.event.inputs.release_version }}
           echo "Input release_version=$V"
           if ! [[ "$V" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-rc)?$ ]]; then
             echo "❌ release_version must be X.Y.Z or X.Y.Z-rc"
             exit 1
           fi
       - name: Validate Android SDK version if provided
         if: ${{ github.event.inputs.android_sdk_version != '' }}
+        env:
+          A: ${{ github.event.inputs.android_sdk_version }}
         run: |
-          A=${{ github.event.inputs.android_sdk_version }}
           echo "Input android_sdk_version=$A"
           if ! [[ "$A" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-rc)?$ ]]; then
             echo "❌ android_sdk_version must be X.Y.Z or X.Y.Z-rc"
             exit 1
           fi
       - name: Validate iOS SDK version if provided
         if: ${{ github.event.inputs.ios_sdk_version != '' }}
+        env:
+          I: ${{ github.event.inputs.ios_sdk_version }}
         run: |
-          I=${{ github.event.inputs.ios_sdk_version }}
           echo "Input ios_sdk_version=$I"
           if ! [[ "$I" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-rc)?$ ]]; then
             echo "❌ ios_sdk_version must be X.Y.Z or X.Y.Z-rc"
@@ -61,22 +67,24 @@ jobs:
     needs: validate-input
     steps:
       - name: Checkout minimal repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           fetch-depth: 0
       - name: Check source branch
+        env:
+          SRC: ${{ github.event.inputs.source_branch }}
         run: |
-          SRC=${{ github.event.inputs.source_branch }}
           echo "Source branch: $SRC"
-          if ! git ls-remote --heads origin "$SRC" | grep -q "$SRC"; then
+          if [ -z "$(git ls-remote --heads origin "refs/heads/$SRC")" ]; then
             echo "❌ source_branch '$SRC' does not exist"
             exit 1
           fi
       - name: Check target branch
+        env:
+          DST: ${{ github.event.inputs.target_branch }}
         run: |
-          DST=${{ github.event.inputs.target_branch }}
           echo "Target branch: $DST"
-          if ! git ls-remote --heads origin "$DST" | grep -q "$DST"; then
+          if [ -z "$(git ls-remote --heads origin "refs/heads/$DST")" ]; then
             echo "❌ target_branch '$DST' does not exist"
             exit 1
           fi
@@ -85,11 +93,13 @@ jobs:
     name: Create release branch & bump versions
     runs-on: ubuntu-latest
     needs: validate-branches
+    permissions:
+      contents: write
     outputs:
       release_branch: ${{ steps.bump.outputs.release_branch }}
     steps:
       - name: Checkout source branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           ref: ${{ github.event.inputs.source_branch }}
           fetch-depth: 0
@@ -101,12 +111,13 @@ jobs:
 
       - name: Create branch and update versions
         id: bump
+        env:
+          VERSION: ${{ github.event.inputs.release_version }}
+          AND_VER: ${{ github.event.inputs.android_sdk_version }}
+          IO_VER: ${{ github.event.inputs.ios_sdk_version }}
+          SRC: ${{ github.event.inputs.source_branch }}
         run: |
           set -euo pipefail
-          VERSION="${{ github.event.inputs.release_version }}"
-          AND_VER="${{ github.event.inputs.android_sdk_version }}"
-          IO_VER="${{ github.event.inputs.ios_sdk_version }}"
-          SRC="${{ github.event.inputs.source_branch }}"
           REL="release/$VERSION"
 
           echo "Parameters before fallback: AND_VER=$AND_VER, IO_VER=$IO_VER"
@@ -222,10 +233,12 @@ jobs:
                   mindbox_ios/ios/mindbox_ios/Package.swift
 
           git commit -m "Bump SDK versions: Flutter=$VERSION, Android=$AND_VER, iOS=$IO_VER"
-          echo "release_branch=$REL" >> $GITHUB_OUTPUT
+          echo "release_branch=$REL" >> "$GITHUB_OUTPUT"
 
       - name: Push release branch
-        run: git push --set-upstream origin ${{ steps.bump.outputs.release_branch }}
+        env:
+          REL: ${{ steps.bump.outputs.release_branch }}
+        run: git push --set-upstream origin "$REL"
 
   create_pull_request:
     name: Create Pull Request
@@ -238,20 +251,21 @@ jobs:
           SRC: ${{ needs.bump_and_branch.outputs.release_branch }}
           DST: ${{ github.event.inputs.target_branch }}
           REPO: ${{ github.repository }}
+          RELEASE_VERSION: ${{ github.event.inputs.release_version }}
+          AND_VER: ${{ github.event.inputs.android_sdk_version }}
+          IO_VER: ${{ github.event.inputs.ios_sdk_version }}
         run: |
-          AND_VER=${{ github.event.inputs.android_sdk_version }}
-          IO_VER=${{ github.event.inputs.ios_sdk_version }}
-          [ -z "$AND_VER" ] && AND_VER="${{ github.event.inputs.release_version }}"
-          [ -z "$IO_VER" ]  && IO_VER="${{ github.event.inputs.release_version }}"
-
+          [ -z "$AND_VER" ] && AND_VER="$RELEASE_VERSION"
+          [ -z "$IO_VER" ]  && IO_VER="$RELEASE_VERSION"
+
           BODY=$(
-            printf 'Automated PR: merge `%s` into `%s`\n\n**Versions:**\n- Flutter SDK: `%s`\n- Android SDK: `%s`\n- iOS SDK: `%s`' \
-              "$SRC" "$DST" "${{ github.event.inputs.release_version }}" "$AND_VER" "$IO_VER"
+            printf "Automated PR: merge \`%s\` into \`%s\`\n\n**Versions:**\n- Flutter SDK: \`%s\`\n- Android SDK: \`%s\`\n- iOS SDK: \`%s\`" \
+              "$SRC" "$DST" "$RELEASE_VERSION" "$AND_VER" "$IO_VER"
           )
 
           gh pr create \
             --repo "$REPO" \
             --base "$DST" \
             --head "$SRC" \
-            --title "Release ${{ github.event.inputs.release_version }}" \
+            --title "Release $RELEASE_VERSION" \
             --body "$BODY"