From 55bb1f88de4c134ab711f794dad5932229bdac0c Mon Sep 17 00:00:00 2001
From: rory
Date: Fri, 17 Nov 2023 11:33:16 -0800
Subject: [PATCH 1/2] Use Node 20 for all our JavaScript GitHub Actions
---
.github/actions/javascript/awaitStagingDeploys/action.yml | 2 +-
.github/actions/javascript/bumpVersion/action.yml | 2 +-
.github/actions/javascript/checkDeployBlockers/action.yml | 2 +-
.../actions/javascript/createOrUpdateStagingDeploy/action.yml | 2 +-
.github/actions/javascript/getDeployPullRequestList/action.yml | 2 +-
.github/actions/javascript/getPreviousVersion/action.yml | 2 +-
.github/actions/javascript/getPullRequestDetails/action.yml | 2 +-
.github/actions/javascript/getReleaseBody/action.yml | 2 +-
.github/actions/javascript/isStagingDeployLocked/action.yml | 2 +-
.../actions/javascript/markPullRequestsAsDeployed/action.yml | 2 +-
.github/actions/javascript/postTestBuildComment/action.yml | 2 +-
.github/actions/javascript/reopenIssueWithComment/action.yml | 2 +-
.github/actions/javascript/reviewerChecklist/action.yml | 2 +-
.github/actions/javascript/validateReassureOutput/action.yml | 2 +-
.github/actions/javascript/verifySignedCommits/action.yml | 2 +-
15 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/.github/actions/javascript/awaitStagingDeploys/action.yml b/.github/actions/javascript/awaitStagingDeploys/action.yml
index fdd0b940abaa..3499b4050de0 100644
--- a/.github/actions/javascript/awaitStagingDeploys/action.yml
+++ b/.github/actions/javascript/awaitStagingDeploys/action.yml
@@ -8,5 +8,5 @@ inputs:
description: If provided, this action will only wait for a deploy matching this tag.
required: false
runs:
- using: 'node16'
+ using: 'node20'
main: './index.js'
diff --git a/.github/actions/javascript/bumpVersion/action.yml b/.github/actions/javascript/bumpVersion/action.yml
index d092821d96ac..dc4a75d6eb71 100644
--- a/.github/actions/javascript/bumpVersion/action.yml
+++ b/.github/actions/javascript/bumpVersion/action.yml
@@ -11,5 +11,5 @@ outputs:
NEW_VERSION:
description: The new semver version of the application, updated in the JS and native layers.
runs:
- using: 'node16'
+ using: 'node20'
main: './index.js'
diff --git a/.github/actions/javascript/checkDeployBlockers/action.yml b/.github/actions/javascript/checkDeployBlockers/action.yml
index ce0d19f2def1..c6c7b3954c89 100644
--- a/.github/actions/javascript/checkDeployBlockers/action.yml
+++ b/.github/actions/javascript/checkDeployBlockers/action.yml
@@ -11,5 +11,5 @@ outputs:
HAS_DEPLOY_BLOCKERS:
description: A true/false indicating whether or not a deploy blocker was found.
runs:
- using: 'node16'
+ using: 'node20'
main: 'index.js'
diff --git a/.github/actions/javascript/createOrUpdateStagingDeploy/action.yml b/.github/actions/javascript/createOrUpdateStagingDeploy/action.yml
index 870cab318d09..348c5fe89d3d 100644
--- a/.github/actions/javascript/createOrUpdateStagingDeploy/action.yml
+++ b/.github/actions/javascript/createOrUpdateStagingDeploy/action.yml
@@ -8,5 +8,5 @@ inputs:
description: The new NPM version of the StagingDeployCash issue.
required: false
runs:
- using: 'node16'
+ using: 'node20'
main: './index.js'
diff --git a/.github/actions/javascript/getDeployPullRequestList/action.yml b/.github/actions/javascript/getDeployPullRequestList/action.yml
index 4cbf7041a7eb..1362f207ba4a 100644
--- a/.github/actions/javascript/getDeployPullRequestList/action.yml
+++ b/.github/actions/javascript/getDeployPullRequestList/action.yml
@@ -14,5 +14,5 @@ outputs:
PR_LIST:
description: Array of pull request numbers
runs:
- using: 'node16'
+ using: 'node20'
main: './index.js'
diff --git a/.github/actions/javascript/getPreviousVersion/action.yml b/.github/actions/javascript/getPreviousVersion/action.yml
index 6b2221af7c40..ec81bd99e4f8 100644
--- a/.github/actions/javascript/getPreviousVersion/action.yml
+++ b/.github/actions/javascript/getPreviousVersion/action.yml
@@ -8,5 +8,5 @@ outputs:
PREVIOUS_VERSION:
description: The previous semver version of the application, according to the SEMVER_LEVEL provided
runs:
- using: 'node16'
+ using: 'node20'
main: './index.js'
diff --git a/.github/actions/javascript/getPullRequestDetails/action.yml b/.github/actions/javascript/getPullRequestDetails/action.yml
index ed2c60f018a1..d931d101b5da 100644
--- a/.github/actions/javascript/getPullRequestDetails/action.yml
+++ b/.github/actions/javascript/getPullRequestDetails/action.yml
@@ -22,5 +22,5 @@ outputs:
FORKED_REPO_URL:
description: 'Output forked repo URL if PR includes changes from a fork'
runs:
- using: 'node16'
+ using: 'node20'
main: './index.js'
diff --git a/.github/actions/javascript/getReleaseBody/action.yml b/.github/actions/javascript/getReleaseBody/action.yml
index c221acbdaae2..e4a451ccda8d 100644
--- a/.github/actions/javascript/getReleaseBody/action.yml
+++ b/.github/actions/javascript/getReleaseBody/action.yml
@@ -8,5 +8,5 @@ outputs:
RELEASE_BODY:
description: String body of a production release.
runs:
- using: 'node16'
+ using: 'node20'
main: './index.js'
diff --git a/.github/actions/javascript/isStagingDeployLocked/action.yml b/.github/actions/javascript/isStagingDeployLocked/action.yml
index 9e5e50b26452..395a081a7620 100644
--- a/.github/actions/javascript/isStagingDeployLocked/action.yml
+++ b/.github/actions/javascript/isStagingDeployLocked/action.yml
@@ -10,5 +10,5 @@ outputs:
NUMBER:
description: StagingDeployCash issue number
runs:
- using: 'node16'
+ using: 'node20'
main: 'index.js'
diff --git a/.github/actions/javascript/markPullRequestsAsDeployed/action.yml b/.github/actions/javascript/markPullRequestsAsDeployed/action.yml
index 7015293d2bb8..f0ca77bdbf00 100644
--- a/.github/actions/javascript/markPullRequestsAsDeployed/action.yml
+++ b/.github/actions/javascript/markPullRequestsAsDeployed/action.yml
@@ -28,5 +28,5 @@ inputs:
description: "Web job result ('success', 'failure', 'cancelled', or 'skipped')"
required: true
runs:
- using: "node16"
+ using: "node20"
main: "./index.js"
diff --git a/.github/actions/javascript/postTestBuildComment/action.yml b/.github/actions/javascript/postTestBuildComment/action.yml
index 07829dfab8cd..00c826badf9f 100644
--- a/.github/actions/javascript/postTestBuildComment/action.yml
+++ b/.github/actions/javascript/postTestBuildComment/action.yml
@@ -32,5 +32,5 @@ inputs:
description: "Link for the web build"
required: false
runs:
- using: "node16"
+ using: "node20"
main: "./index.js"
diff --git a/.github/actions/javascript/reopenIssueWithComment/action.yml b/.github/actions/javascript/reopenIssueWithComment/action.yml
index 0a163e6651f0..3dfcba9b0c35 100644
--- a/.github/actions/javascript/reopenIssueWithComment/action.yml
+++ b/.github/actions/javascript/reopenIssueWithComment/action.yml
@@ -11,5 +11,5 @@ inputs:
description: The comment string we want to leave on the issue after we reopen it.
required: true
runs:
- using: 'node16'
+ using: 'node20'
main: './index.js'
diff --git a/.github/actions/javascript/reviewerChecklist/action.yml b/.github/actions/javascript/reviewerChecklist/action.yml
index 24fe815dcc6a..d8c1e6620b77 100644
--- a/.github/actions/javascript/reviewerChecklist/action.yml
+++ b/.github/actions/javascript/reviewerChecklist/action.yml
@@ -5,5 +5,5 @@ inputs:
description: Auth token for New Expensify Github
required: true
runs:
- using: 'node16'
+ using: 'node20'
main: './index.js'
diff --git a/.github/actions/javascript/validateReassureOutput/action.yml b/.github/actions/javascript/validateReassureOutput/action.yml
index 1b4488757e9c..4fd53e838fb5 100644
--- a/.github/actions/javascript/validateReassureOutput/action.yml
+++ b/.github/actions/javascript/validateReassureOutput/action.yml
@@ -11,5 +11,5 @@ inputs:
description: Refers to the results obtained from regression tests `.reassure/output.json`.
required: true
runs:
- using: 'node16'
+ using: 'node20'
main: './index.js'
diff --git a/.github/actions/javascript/verifySignedCommits/action.yml b/.github/actions/javascript/verifySignedCommits/action.yml
index 1a641cddb391..a724220eba32 100644
--- a/.github/actions/javascript/verifySignedCommits/action.yml
+++ b/.github/actions/javascript/verifySignedCommits/action.yml
@@ -9,5 +9,5 @@ inputs:
required: false
runs:
- using: 'node16'
+ using: 'node20'
main: './index.js'
From 457fcce2d12dac579254d4cd7881e1e5280ea6ca Mon Sep 17 00:00:00 2001
From: rory
Date: Fri, 17 Nov 2023 11:42:15 -0800
Subject: [PATCH 2/2] Use actions/checkout v4 everywhere
---
.github/workflows/README.md | 2 +-
.github/workflows/authorChecklist.yml | 2 +-
.github/workflows/deploy.yml | 4 ++--
.github/workflows/deployExpensifyHelp.yml | 2 +-
.github/workflows/testBuild.yml | 10 ++++------
.github/workflows/updateHelpDotRedirects.yml | 2 +-
6 files changed, 10 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
index c904a459d1c0..d4340e5a55f7 100644
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -63,7 +63,7 @@ git fetch origin tag 1.0.1-0 --no-tags --shallow-exclude=1.0.0-0 # This will fet
## Security Rules 🔐
1. Do **not** use `pull_request_target` trigger unless an external fork needs access to secrets, or a _write_ `GITHUB_TOKEN`.
-1. Do **not ever** write a `pull_request_target` trigger with an explicit PR checkout, e.g. using `actions/checkout@v2`. This is [discussed further here](https://securitylab.github.com/research/github-actions-preventing-pwn-requests)
+1. Do **not ever** write a `pull_request_target` trigger with an explicit PR checkout, e.g. using `actions/checkout@v4`. This is [discussed further here](https://securitylab.github.com/research/github-actions-preventing-pwn-requests)
1. **Do use** the `pull_request` trigger as it does not send internal secrets and only grants a _read_ `GITHUB_TOKEN`.
1. If an untrusted (i.e: not maintained by GitHub) external action needs access to any secret (`GITHUB_TOKEN` or internal secret), use the commit hash of the workflow to prevent a modification of underlying source code at that version. For example:
1. **Bad:** `hmarr/auto-approve-action@v2.0.0` Relies on the tag
diff --git a/.github/workflows/authorChecklist.yml b/.github/workflows/authorChecklist.yml
index 740e7b3a5e69..ecb0b87a6416 100644
--- a/.github/workflows/authorChecklist.yml
+++ b/.github/workflows/authorChecklist.yml
@@ -13,7 +13,7 @@ jobs:
runs-on: ubuntu-latest
if: github.actor != 'OSBotify' && github.actor != 'imgbot[bot]'
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
- name: authorChecklist.js
uses: ./.github/actions/javascript/authorChecklist
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 4aa1a6a27d1a..6b32ac2e2616 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -10,11 +10,11 @@ jobs:
if: github.ref == 'refs/heads/staging'
steps:
- name: Checkout staging branch
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+ uses: actions/checkout@v4
with:
ref: staging
token: ${{ secrets.OS_BOTIFY_TOKEN }}
-
+
- uses: Expensify/App/.github/actions/composite/setupGitForOSBotifyApp@8c19d6da4a3d7ce3b15c9cd89a802187d208ecab
id: setupGitForOSBotify
with:
diff --git a/.github/workflows/deployExpensifyHelp.yml b/.github/workflows/deployExpensifyHelp.yml
index 4a53e75354c6..7b9b7479f496 100644
--- a/.github/workflows/deployExpensifyHelp.yml
+++ b/.github/workflows/deployExpensifyHelp.yml
@@ -29,7 +29,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+ uses: actions/checkout@v4
- name: Setup NodeJS
uses: Expensify/App/.github/actions/composite/setupNode@main
diff --git a/.github/workflows/testBuild.yml b/.github/workflows/testBuild.yml
index 1f266c59d0d1..4725ca6c86ce 100644
--- a/.github/workflows/testBuild.yml
+++ b/.github/workflows/testBuild.yml
@@ -50,7 +50,7 @@ jobs:
steps:
- name: Checkout
if: ${{ github.event_name == 'workflow_dispatch' }}
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+ uses: actions/checkout@v4
- name: Check if pull request number is correct
if: ${{ github.event_name == 'workflow_dispatch' }}
@@ -70,9 +70,8 @@ jobs:
env:
PULL_REQUEST_NUMBER: ${{ github.event.number || github.event.inputs.PULL_REQUEST_NUMBER }}
steps:
- # This action checks-out the repository, so the workflow can access it.
- name: Checkout
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+ uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha || needs.getBranchRef.outputs.REF }}
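Review bot: Replacing the full commit-SHA pin `actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8` with the floating tag `actions/checkout@v4` on the deploy.yml `uses:` line weakens the supply-chain guarantee for a step that is handed `secrets.OS_BOTIFY_TOKEN` two lines later, because the code that runs is now resolved from a movable ref on every run rather than from a reviewed commit; the README hunk in this same commit still tells contributors that tags "rely on the tag" and to prefer commit hashes for actions handling secrets. actions/checkout is GitHub-maintained, which that README rule exempts, so this may be a deliberate trade-off, but the same SHA-to-tag downgrade also occurs in the deployExpensifyHelp.yml, testBuild.yml (all four Checkout steps) and updateHelpDotRedirects.yml hunks and is not mentioned in the commit message. If the previous pin was intentional, the upgrade can keep it by pinning to the v4 release commit and recording the tag in a trailing comment, `uses: actions/checkout@<v4 release commit SHA>  # v4`, which leaves the ref immutable while still moving to v4. The deploy.yml job continues outside the hunk.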
@@ -135,9 +134,8 @@ jobs:
PULL_REQUEST_NUMBER: ${{ github.event.number || github.event.inputs.PULL_REQUEST_NUMBER }}
runs-on: macos-13-xlarge
steps:
- # This action checks-out the repository, so the workflow can access it.
- name: Checkout
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+ uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha || needs.getBranchRef.outputs.REF }}
@@ -302,7 +300,7 @@ jobs:
PULL_REQUEST_NUMBER: ${{ github.event.number || github.event.inputs.PULL_REQUEST_NUMBER }}
steps:
- name: Checkout
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+ uses: actions/checkout@v4
if: ${{ fromJSON(needs.validateActor.outputs.READY_TO_BUILD) }}
with:
ref: ${{ github.event.pull_request.head.sha || needs.getBranchRef.outputs.REF }}
diff --git a/.github/workflows/updateHelpDotRedirects.yml b/.github/workflows/updateHelpDotRedirects.yml
index 531b8a3812fd..af24d5f17db4 100644
--- a/.github/workflows/updateHelpDotRedirects.yml
+++ b/.github/workflows/updateHelpDotRedirects.yml
@@ -22,7 +22,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+ uses: actions/checkout@v4
- name: Create help dot redirect
env: