Expensify · AndrewGable · Nov 17, 2023 · Nov 17, 2023 · Nov 17, 2023 · AndrewGable
@@ -8,5 +8,5 @@ inputs:
     description: If provided, this action will only wait for a deploy matching this tag.
     required: false
 runs:
-  using: 'node16'
+  using: 'node20'
   main: './index.js'
@@ -11,5 +11,5 @@ outputs:
     NEW_VERSION:
         description: The new semver version of the application, updated in the JS and native layers.
 runs:
-    using: 'node16'
+    using: 'node20'
     main: './index.js'
@@ -11,5 +11,5 @@ outputs:
   HAS_DEPLOY_BLOCKERS:
     description: A true/false indicating whether or not a deploy blocker was found.
 runs:
-  using: 'node16'
+  using: 'node20'
   main: 'index.js'
@@ -8,5 +8,5 @@ inputs:
         description: The new NPM version of the StagingDeployCash issue.
         required: false
 runs:
-    using: 'node16'
+    using: 'node20'
     main: './index.js'
@@ -14,5 +14,5 @@ outputs:
     PR_LIST:
         description: Array of pull request numbers
 runs:
-    using: 'node16'
+    using: 'node20'
     main: './index.js'
@@ -8,5 +8,5 @@ outputs:
   PREVIOUS_VERSION:
     description: The previous semver version of the application, according to the SEMVER_LEVEL provided
 runs:
-  using: 'node16'
+  using: 'node20'
   main: './index.js'
@@ -22,5 +22,5 @@ outputs:
   FORKED_REPO_URL:
     description: 'Output forked repo URL if PR includes changes from a fork'
 runs:
-  using: 'node16'
+  using: 'node20'
   main: './index.js'
@@ -8,5 +8,5 @@ outputs:
   RELEASE_BODY:
     description: String body of a production release.
 runs:
-  using: 'node16'
+  using: 'node20'
   main: './index.js'
@@ -10,5 +10,5 @@ outputs:
     NUMBER:
         description: StagingDeployCash issue number
 runs:
-    using: 'node16'
+    using: 'node20'
     main: 'index.js'
@@ -28,5 +28,5 @@ inputs:
         description: "Web job result ('success', 'failure', 'cancelled', or 'skipped')"
         required: true
 runs:
-    using: "node16"
+    using: "node20"
-    using: "node20"
+    using: 'node20'
-    using: "node20"
+    using: 'node20'
     main: "./index.js"
@@ -32,5 +32,5 @@ inputs:
         description: "Link for the web build"
         required: false
 runs:
-    using: "node16"
+    using: "node20"
     main: "./index.js"
@@ -11,5 +11,5 @@ inputs:
     description: The comment string we want to leave on the issue after we reopen it.
     required: true
 runs:
-  using: 'node16'
+  using: 'node20'
   main: './index.js'
@@ -5,5 +5,5 @@ inputs:
     description: Auth token for New Expensify Github
     required: true
 runs:
-  using: 'node16'
+  using: 'node20'
   main: './index.js'
@@ -11,5 +11,5 @@ inputs:
     description: Refers to the results obtained from regression tests `.reassure/output.json`.
     required: true
 runs:
-  using: 'node16'
+  using: 'node20'
   main: './index.js'
@@ -9,5 +9,5 @@ inputs:
     required: false
 
 runs:
-  using: 'node16'
+  using: 'node20'
   main: './index.js'
@@ -63,7 +63,7 @@ git fetch origin tag 1.0.1-0 --no-tags --shallow-exclude=1.0.0-0 # This will fet
 
 ## Security Rules 🔐
 1. Do **not** use `pull_request_target` trigger unless an external fork needs access to secrets, or a _write_ `GITHUB_TOKEN`.
-1. Do **not ever** write a `pull_request_target` trigger with an explicit PR checkout, e.g. using `actions/checkout@v2`. This is [discussed further here](https://securitylab.github.com/research/github-actions-preventing-pwn-requests)
+1. Do **not ever** write a `pull_request_target` trigger with an explicit PR checkout, e.g. using `actions/checkout@v4`. This is [discussed further here](https://securitylab.github.com/research/github-actions-preventing-pwn-requests)
 1. **Do use** the `pull_request` trigger as it does not send internal secrets and only grants a _read_ `GITHUB_TOKEN`.
 1. If an untrusted (i.e: not maintained by GitHub) external action needs access to any secret (`GITHUB_TOKEN` or internal secret), use the commit hash of the workflow to prevent a modification of underlying source code at that version. For example:
     1. **Bad:** `hmarr/auto-approve-action@v2.0.0` Relies on the tag

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.actor != 'OSBotify' && github.actor != 'imgbot[bot]'
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: authorChecklist.js
         uses: ./.github/actions/javascript/authorChecklist

@@ -10,11 +10,11 @@ jobs:
     if: github.ref == 'refs/heads/staging'
     steps:
       - name: Checkout staging branch
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+        uses: actions/checkout@v4
         with:
           ref: staging
           token: ${{ secrets.OS_BOTIFY_TOKEN }}
-          
+
       - uses: Expensify/App/.github/actions/composite/setupGitForOSBotifyApp@8c19d6da4a3d7ce3b15c9cd89a802187d208ecab
         id: setupGitForOSBotify
         with:

@@ -29,7 +29,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+        uses: actions/checkout@v4
 
       - name: Setup NodeJS
         uses: Expensify/App/.github/actions/composite/setupNode@main

@@ -50,7 +50,7 @@ jobs:
     steps:
       - name: Checkout
         if: ${{ github.event_name == 'workflow_dispatch' }}
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+        uses: actions/checkout@v4
 
       - name: Check if pull request number is correct
         if: ${{ github.event_name == 'workflow_dispatch' }}
@@ -70,9 +70,8 @@ jobs:
     env:
       PULL_REQUEST_NUMBER: ${{ github.event.number || github.event.inputs.PULL_REQUEST_NUMBER }}
     steps:
-      # This action checks-out the repository, so the workflow can access it.
       - name: Checkout
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha || needs.getBranchRef.outputs.REF }}
 
@@ -135,9 +134,8 @@ jobs:
       PULL_REQUEST_NUMBER: ${{ github.event.number || github.event.inputs.PULL_REQUEST_NUMBER }}
     runs-on: macos-13-xlarge
     steps:
-      # This action checks-out the repository, so the workflow can access it.
       - name: Checkout
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha || needs.getBranchRef.outputs.REF }}
 
@@ -302,7 +300,7 @@ jobs:
       PULL_REQUEST_NUMBER: ${{ github.event.number || github.event.inputs.PULL_REQUEST_NUMBER }}
     steps:
       - name: Checkout
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+        uses: actions/checkout@v4
         if: ${{ fromJSON(needs.validateActor.outputs.READY_TO_BUILD) }}
         with:
           ref: ${{ github.event.pull_request.head.sha || needs.getBranchRef.outputs.REF }}

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+        uses: actions/checkout@v4
 
       - name: Create help dot redirect
         env: