diff --git a/.github/actions/setup-java/action.yml b/.github/actions/setup-java/action.yml
index aa06862153..0ed6800063 100644
--- a/.github/actions/setup-java/action.yml
+++ b/.github/actions/setup-java/action.yml
@@ -19,7 +19,7 @@ runs:
 with:
 maven-version: ${{ inputs.mvn-version }}
 - name: Set up JDK 17
- uses: actions/setup-java@v4
+ uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0
 if: inputs.install-jdk == 'true'
 with:
 java-version: '17'
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index 4424391f04..c70914d399 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -21,7 +21,7 @@ jobs:
 audit:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Setup
 uses: ./tools/github-actions/setup
 - name: Audit
diff --git a/.github/workflows/clean-cache.yml b/.github/workflows/clean-cache.yml
index cf5c04c0a1..e4c925aca3 100644
--- a/.github/workflows/clean-cache.yml
+++ b/.github/workflows/clean-cache.yml
@@ -17,10 +17,10 @@ jobs:
 actions: write
 contents: read
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Clean Branch Cache
 if: inputs.branch || github.event.ref_type == 'branch'
- uses: actions/github-script@v7
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 env:
 branchName: ${{ inputs.branch || github.event.ref }}
 hash: ${{ hashFiles('package.json', 'tsconfig.base.json', 'tsconfig.build.json', 'nx.json') }}
diff --git a/.github/workflows/code-check.yml b/.github/workflows/code-check.yml
index a287e93837..3cf77d7bf2 100644
--- a/.github/workflows/code-check.yml
+++ b/.github/workflows/code-check.yml
@@ -26,8 +26,8 @@ jobs:
 runs-on: ubuntu-latest
 continue-on-error: true
 steps:
- - uses: actions/checkout@master
- - uses: gaurav-nelson/github-action-markdown-link-check@v1
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # v1
 with:
 base-branch: 'main'
 config-file: '.github/markdown-links.config.json'
@@ -42,7 +42,7 @@ jobs:
 env:
 NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 fetch-depth: ${{ inputs.affected && '0' || '1' }}
 - name: Setup
@@ -51,7 +51,7 @@ jobs:
 with:
 install-jdk: 'true'
 - name: Cache Jest
- uses: actions/cache@v4
+ uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
 env:
 hash: ${{ hashFiles('package.json', 'tsconfig.base.json', 'tsconfig.build.json', 'nx.json') }}
 with:
@@ -71,7 +71,7 @@ jobs:
 - name: Publish tests reports
 if: always()
 # TODO upgrade to v4 when https://github.com/AmadeusITGroup/otter/issues/1198 is fixed
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
 with:
 name: ut-reports-${{ matrix.os }}
 path: |
@@ -83,13 +83,13 @@ jobs:
 env:
 NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 fetch-depth: ${{ inputs.affected && '0' || '1' }}
 - name: Setup
 uses: ./tools/github-actions/setup
 - name: Cache Eslint
- uses: actions/cache@v4
+ uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
 with:
 path: .cache/eslint
 key: ${{ runner.os }}-eslint-${{ hashFiles('yarn.lock') }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 688d81906a..c1be700c33 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
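Review bot: The version comment on the pinned `gaurav-nelson/github-action-markdown-link-check` line in the `-26,8` hunk is `# v1`, a moving major tag, so a reader cannot tell from the file which release the digest corresponds to; every other pin in this commit carries a full `vX.Y.Z` comment. This is the only third-party action pinned in this file, so it is where an auditable mapping matters most. I would record the exact release the digest resolves to, `# <exact release tag>`, so that a later digest bump can be reviewed against a known starting point. The same line appears in `.github/workflows/md-external-links-check.yml` (hunk `-10,8`).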
@@ -43,19 +43,19 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
 with:
 languages: ${{ matrix.language }}
 config-file: ./.github/codeql/codeql-config.yml
 - name: Autobuild
- uses: github/codeql-action/autobuild@v3
+ uses: github/codeql-action/autobuild@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
 with:
 category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/deploy-showcase.yml b/.github/workflows/deploy-showcase.yml
index e6b1ed4b0c..45f72d7054 100644
--- a/.github/workflows/deploy-showcase.yml
+++ b/.github/workflows/deploy-showcase.yml
@@ -31,16 +31,16 @@ jobs:
 NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - uses: ./tools/github-actions/setup
 - name: build
 run: yarn nx build showcase
 - name: Setup Pages
- uses: actions/configure-pages@v4
+ uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4.0.0
 - name: Upload artifact
- uses: actions/upload-pages-artifact@v3
+ uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
 with:
 path: './apps/showcase/dist/browser'
 - name: Deploy to GitHub Pages
 id: deployment
- uses: actions/deploy-pages@v4
+ uses: actions/deploy-pages@decdde0ac072f6dcbe43649d82d9c635fff5b4e4 # v4.0.4
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index 20d3dbe08b..25fbd9911a 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -32,7 +32,7 @@ jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - uses: ./tools/github-actions/setup
 - name: Generate doc
 run: yarn doc:generate
@@ -43,7 +43,7 @@ jobs:
 run: yarn update-package ${{ inputs.docFolder }}/package.json --name ${{ inputs.packageName }} --version ${{ inputs.version }}
 - run: zip -q -r ${{ inputs.artifactName }}.zip "${{ inputs.docFolder }}" -x "*/node_modules/*" ".cache/*"
 shell: bash
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
 with:
 name: ${{ inputs.artifactName }}
 path: ${{ inputs.artifactName }}.zip
@@ -57,8 +57,8 @@ jobs:
 name: azure-static-webapp
 url: ${{ steps.deploy.outputs.static_web_app_url }}
 steps:
- - uses: actions/checkout@v4
- - uses: actions/download-artifact@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
 with:
 name: ${{ inputs.artifactName }}
 path: '.'
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
index 336bfbd08f..bd1f4af93f 100644
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -22,7 +22,7 @@ jobs:
 env:
 NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - uses: ./tools/github-actions/download-build-output
 - uses: ./tools/github-actions/setup
 - run: yarn playwright install
@@ -38,7 +38,7 @@ jobs:
 - name: Publish tests reports
 if: failure()
 # TODO upgrade to v4 when https://github.com/AmadeusITGroup/otter/issues/1198 is fixed
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
 with:
 name: e2e-report
 path: apps/showcase/playwright-reports
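Review bot: In the `-43,7` hunk of `documentation.yml`, the context lines next to the newly pinned `upload-artifact` step expand `${{ inputs.docFolder }}`, `${{ inputs.packageName }}`, `${{ inputs.version }}` and `${{ inputs.artifactName }}` directly inside `run:` commands, so the values become part of the script text before bash parses it, and `${{ inputs.artifactName }}` is not quoted at all. Pinning the action does not change that; whether these inputs can carry untrusted text depends on the callers, which are outside this hunk. I would pass them through an `env:` block and reference them as quoted shell variables, e.g. `zip -q -r "$ARTIFACT_NAME.zip" "$DOC_FOLDER" -x "*/node_modules/*" ".cache/*"`. The `zip` step in `tools/github-actions/upload-build-output/action.yml` (hunk `-11,7`) has the same shape.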
diff --git a/.github/workflows/it-tests.yml b/.github/workflows/it-tests.yml
index f8a6beb075..853f671eac 100644
--- a/.github/workflows/it-tests.yml
+++ b/.github/workflows/it-tests.yml
@@ -22,7 +22,7 @@ jobs:
 env:
 NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - uses: ./tools/github-actions/download-build-output
 - uses: ./tools/github-actions/setup
 - name: Setup verdaccio once for all tests
@@ -37,7 +37,7 @@ jobs:
 run: zip -r verdaccio.zip ./.verdaccio
 shell: bash
 - name: Publish verdaccio storage
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
 with:
 name: verdaccio
 path: verdaccio.zip
@@ -59,7 +59,7 @@ jobs:
 ENFORCED_PACKAGE_MANAGER: ${{ matrix.packageManager }}
 PREPARE_TEST_ENV_TYPE: ${{ matrix.testEnvironment }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - uses: ./tools/github-actions/download-build-output
 - uses: ./tools/github-actions/setup
 - uses: ./.github/actions/setup-java
@@ -69,7 +69,7 @@ jobs:
 run: echo "currentMonth=$(date +'%Y-%m')" >> $GITHUB_ENV
 shell: bash
 - name: Cache test-app yarn
- uses: actions/cache@v4
+ uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
 with:
 path: |
 .cache/test-app
@@ -84,7 +84,7 @@ jobs:
 npm cache --cache=.cache/test-app/npm-cache ls | grep 127.0.0.1:4873 | xargs -d'\n' -r -n 1 npm cache --cache=.cache/test-app/npm-cache clean || true
 npx --yes -p replace-in-files-cli replace-in-files --regex=".*127.0.0.1:4873.*" --replacement="" ".cache/test-app/npm-cache/_cacache/index-v5/**/*"
 shell: bash
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
 name: Download verdaccio storage prepared in the previous job
 with:
 name: verdaccio
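Review bot: The `npx --yes -p replace-in-files-cli replace-in-files …` context line in the `-84,7` hunk still downloads and runs whichever version of that package is current on the registry at job time, which is the same mutable-reference exposure this commit removes for actions. I would pin it, `npx --yes -p replace-in-files-cli@<pinned version> replace-in-files …`, or add the package to the repository's dev dependencies so the lockfile governs it. The step's `run:` block starts above the hunk, so the rest of the script is not visible here.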
@@ -117,14 +117,14 @@ jobs:
 shell: bash
 - name: Publish generated tests environment on failure
 if: failure() && steps.it-tests.conclusion == 'failure'
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
 with:
 name: it-tests-${{ matrix.os }}-${{ matrix.packageManager }}
 path: it-tests.zip
 - name: Publish tests reports
 if: always()
 # TODO upgrade to v4 when https://github.com/AmadeusITGroup/otter/issues/1198 is fixed
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
 with:
 name: it-reports-${{ matrix.os }}-${{ matrix.packageManager }}
 path: 'packages/**/dist-test/it-report.xml'
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 1645039fe9..7d5deac6cc 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -23,7 +23,7 @@ jobs:
 NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
 NX_SKIP_NX_CACHE: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release') }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - uses: ./tools/github-actions/setup
 - uses: ./.github/actions/setup-java
 with:
@@ -40,7 +40,7 @@ jobs:
 nextVersionTag: ${{ steps.newVersion.outputs.nextVersionTag }}
 isPreRelease: ${{ contains( steps.newVersion.outputs.nextVersionTag, '-' ) || github.event_name == 'pull_request' || github.event_name == 'merge_group'}}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - uses: ./tools/github-actions/setup
 - name: New Version
 if: github.event_name != 'merge_group'
diff --git a/.github/workflows/md-external-links-check.yml b/.github/workflows/md-external-links-check.yml
index 18ddfcf11d..e8658cd901 100644
--- a/.github/workflows/md-external-links-check.yml
+++ b/.github/workflows/md-external-links-check.yml
@@ -10,8 +10,8 @@ jobs:
 markdown-link-check:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: gaurav-nelson/github-action-markdown-link-check@v1
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # v1
 with:
 use-quiet-mode: 'yes'
 base-branch: 'main'
@@ -21,7 +21,7 @@ jobs:
 needs: [markdown-link-check]
 if: failure()
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Create an issue
 uses: JasonEtco/create-an-issue@v2
 env:
diff --git a/.github/workflows/pr-labels.yml b/.github/workflows/pr-labels.yml
index 47360f2a96..7726561571 100644
--- a/.github/workflows/pr-labels.yml
+++ b/.github/workflows/pr-labels.yml
@@ -10,7 +10,7 @@ jobs:
 permissions:
 pull-requests: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 fetch-depth: 0
 - name: Setup
@@ -19,7 +19,7 @@ jobs:
 run: |
 LABELS="$(yarn pr-labels --target="${{ github.base_ref || github.ref_name }}")"
 echo "LABELS=$LABELS" >> $GITHUB_ENV
- - uses: actions/github-script@v7
+ - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 if: env.LABELS != '[]'
 continue-on-error: true
 with:
diff --git a/.github/workflows/publish-pr.yml b/.github/workflows/publish-pr.yml
index f12af1cdeb..84aeb89514 100644
--- a/.github/workflows/publish-pr.yml
+++ b/.github/workflows/publish-pr.yml
@@ -16,7 +16,7 @@ jobs:
 nextVersionTag: ${{ steps.newVersion.outputs.nextVersionTag }}
 steps:
 - name: get logs from workflow run
- uses: actions/github-script@v7
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 with:
 script: |
 let download = await github.rest.actions.downloadWorkflowRunAttemptLogs({
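Review bot: `uses: JasonEtco/create-an-issue@v2` in the `-21,7` hunk of `md-external-links-check.yml` is left on a mutable tag while the checkout line directly above it is pinned. It is a third-party action and the step has an `env:` block (its contents are below the hunk; presumably a token), so this is the reference in the file where a digest matters most. I would pin it the same way, `uses: JasonEtco/create-an-issue@<commit sha> # <exact release tag>`.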
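Review bot: In the `-19,7` hunk of `pr-labels.yml`, the step that feeds the newly pinned `github-script` expands `${{ github.base_ref || github.ref_name }}` inside the script text and then runs `echo "LABELS=$LABELS" >> $GITHUB_ENV`; a multi-line value in `LABELS` would land in the environment file as extra lines, and the job holds `pull-requests: write` (visible in the `-10,7` hunk). I would pass the ref through `env:` (`TARGET: ${{ github.base_ref || github.ref_name }}`, then `--target="$TARGET"`) and hand the labels to the next step as a step output on `$GITHUB_OUTPUT` rather than a job-wide environment variable, adjusting the `if: env.LABELS != '[]'` condition to match. The workflow trigger is outside the hunk, so how much of this an outside contributor can influence needs confirming.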
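Review bot: The `get logs from workflow run` step in the `-16,7` hunk of `publish-pr.yml` calls `downloadWorkflowRunAttemptLogs`, and the job exposes a `nextVersionTag` output; if that tag is parsed out of the downloaded logs, it is text produced by the triggering run and needs validating before anything downstream consumes it. I would add a comment on the step, `# logs come from the triggering run; treat values parsed from them as untrusted`, and check the parsed value against a strict version pattern before setting the output. The script body continues below the hunk, so this may already be done there.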
@@ -53,7 +53,7 @@ jobs:
 checks: write
 steps:
 - name: Update triggering workflow
- uses: actions/github-script@v7
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 env:
 PUBLISH_RESULT: ${{ needs.publish-packages-pr.result }}
 with:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index c29857d942..3e162ccbc2 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -60,7 +60,7 @@ jobs:
 contents: read
 id-token: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 fetch-depth: 2
 ref: ${{ inputs.gitRef }}
@@ -89,7 +89,7 @@ jobs:
 APP_PATH: 'apps/github-cascading-app/dist'
 environment: 'cascading-app'
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 fetch-depth: 2
 - uses: ./tools/github-actions/download-build-output
@@ -124,7 +124,7 @@ jobs:
 packages: write
 contents: read
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 fetch-depth: 2
 - uses: ./tools/github-actions/download-build-output
@@ -140,7 +140,7 @@ jobs:
 CHROME_REFRESH_TOKEN: ${{ secrets.CHROME_REFRESH_TOKEN }}
 - name: Expose Chrome extension artifact
 if: '!inputs.prerelease'
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
 with:
 name: chrome-extension
 path: apps/chrome-devtools/chrome-extension.zip
diff --git a/.renovaterc.json b/.renovaterc.json
index 6e7f4b3dbf..73e64790fa 100644
--- a/.renovaterc.json
+++ b/.renovaterc.json
@@ -8,6 +8,7 @@
 "group:recommended",
 "group:test",
 "group:linters",
+ "helpers:pinGitHubActionDigestsToSemver",
 "schedule:nonOfficeHours"
 ],
 "ignorePaths": [
diff --git a/tools/github-actions/download-build-output/action.yml b/tools/github-actions/download-build-output/action.yml
index 560306c0fa..daedd0bc5d 100644
--- a/tools/github-actions/download-build-output/action.yml
+++ b/tools/github-actions/download-build-output/action.yml
@@ -9,14 +9,14 @@ inputs:
 runs:
 using: 'composite'
 steps:
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
 if: github.event_name != 'workflow_run'
 with:
 name: ${{ inputs.artifactName }}
 path: '.'
 - name: 'Download artifact'
- uses: actions/github-script@v7
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 if: github.event_name == 'workflow_run'
 with:
 script: |
diff --git a/tools/github-actions/setup/action.yml b/tools/github-actions/setup/action.yml
index 4a63e8a791..af8e165eb1 100644
--- a/tools/github-actions/setup/action.yml
+++ b/tools/github-actions/setup/action.yml
@@ -4,14 +4,14 @@ description: 'Setup for Otter Library'
 runs:
 using: "composite"
 steps:
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
 with:
 node-version: 20
 - name: Enable Corepack
 shell: bash
 run: corepack enable
 - name: Cache dependencies
- uses: actions/cache@v4
+ uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
 with:
 path: |
 ~/.cache/ms-playwright
diff --git a/tools/github-actions/upload-build-output/action.yml b/tools/github-actions/upload-build-output/action.yml
index bd00c7664a..61178cd887 100644
--- a/tools/github-actions/upload-build-output/action.yml
+++ b/tools/github-actions/upload-build-output/action.yml
@@ -11,7 +11,7 @@ runs:
 steps:
 - run: zip -q -r ${{ inputs.artifactName }}.zip . -i "apps/*/dist/*" "packages/*/dist/*" -x "*/node_modules/*" ".cache/*"
 shell: bash
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
 with:
 name: ${{ inputs.artifactName }}
 path: ${{ inputs.artifactName }}.zip