diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml index a2d04b039fb..548c1dd47aa 100644 --- a/.github/workflows/android.yml +++ b/.github/workflows/android.yml @@ -13,29 +13,23 @@ on: - 'NOTICE' jobs: - validation: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: gradle/actions/wrapper-validation@v4 - build: runs-on: ubuntu-latest timeout-minutes: 90 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Copy CI gradle.properties run: mkdir -p ~/.gradle ; cp .github/ci-gradle.properties ~/.gradle/gradle.properties - - uses: actions/setup-java@v4 + - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 with: - distribution: temurin - java-version: 17 + distribution: 'temurin' + java-version: '17' - name: Setup Gradle - uses: gradle/actions/setup-gradle@v4 + uses: gradle/actions/setup-gradle@cc4fc85e6b35bafd578d5ffbc76a5518407e1af0 # v4.2.1 - name: Quality - Spotless run: ./gradlew spotlessCheck diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 715baf44cb3..b2e4ebf18e5 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
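Review bot: With the `validation` job removed from android.yml, nothing in the workflow says where `gradle-wrapper.jar` is checked before the `build` job runs `./gradlew spotlessCheck`. As far as I know `gradle/actions/setup-gradle` v4 validates wrapper jars itself by default, so the removal is probably safe, but that is an implicit default of a third-party action and not something visible in this file. I would make it explicit on the `Setup Gradle` step, either with a comment such as `# setup-gradle verifies gradle-wrapper.jar checksums (validate-wrappers, on by default)` or by adding `with:` and `validate-wrappers: true`. The `build` job continues past the end of this hunk, so later steps were not reviewed.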
@@ -16,23 +16,25 @@ jobs: security-events: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: actions/setup-java@v4 + - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 with: - distribution: temurin - java-version: 17 + distribution: 'temurin' + java-version: '17' - name: Setup Gradle - uses: gradle/actions/setup-gradle@v4 + uses: gradle/actions/setup-gradle@cc4fc85e6b35bafd578d5ffbc76a5518407e1af0 # v4.2.1 + with: + cache-read-only: true - - uses: github/codeql-action/init@v3 + - uses: github/codeql-action/init@36b4953ccc146c80e767661afed94af92787aa99 # v3.27.7 with: languages: java - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@6b4953ccc146c80e767661afed94af92787aa99 # v3.27.7 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@6b4953ccc146c80e767661afed94af92787aa99 # v3.27.7 diff --git a/.github/workflows/gradle-cache.yml b/.github/workflows/gradle-cache.yml index 86b913abb35..415025bd179 100644 --- a/.github/workflows/gradle-cache.yml +++ b/.github/workflows/gradle-cache.yml @@ -18,15 +18,14 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 with: - distribution: temurin - java-version: 17 + distribution: 'temurin' + java-version: '17' - name: Setup Gradle - uses: gradle/actions/setup-gradle@v4 - with: - gradle-home-cache-cleanup: true + uses: gradle/actions/setup-gradle@cc4fc85e6b35bafd578d5ffbc76a5518407e1af0 # v4.2.1 - run: ./gradlew assembleDebug diff --git a/.github/workflows/markdown.yml b/.github/workflows/markdown.yml index 3b3c12e0abb..79aba1eecd8 100644 --- a/.github/workflows/markdown.yml +++ b/.github/workflows/markdown.yml 
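Review bot: In codeql.yml the pins for `github/codeql-action/autobuild` and `github/codeql-action/analyze` are 39 hex characters (`6b4953cc…aa99`), one short of a full commit SHA, while `init` is pinned to the 40-character `36b4953c…aa99`. The two shorter values look like the same hash with its first character dropped. A ref that is not a full SHA is not an immutable pin: it would be looked up as a branch or tag name and most likely fail to resolve, which breaks the CodeQL job. All three sub-actions should carry the identical 40-character SHA, taken from the upstream v3.27.7 tag and not copied from this diff, since the page alone cannot confirm that the `init` value is correct either.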
@@ -10,18 +10,18 @@ jobs: markdown_quality: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Copy CI gradle.properties run: mkdir -p ~/.gradle ; cp .github/ci-gradle.properties ~/.gradle/gradle.properties - - uses: actions/setup-java@v4 + - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 with: - distribution: temurin - java-version: 17 + distribution: 'temurin' + java-version: '17' - name: Setup Gradle - uses: gradle/actions/setup-gradle@v4 + uses: gradle/actions/setup-gradle@cc4fc85e6b35bafd578d5ffbc76a5518407e1af0 # v4.2.1 - name: Quality - Spotless Markdown Check run: ./gradlew spotlessMarkdownCheck diff --git a/.github/workflows/needinfo-stale.yml b/.github/workflows/needinfo-stale.yml index d71c052bba4..c8b8e5582c2 100644 --- a/.github/workflows/needinfo-stale.yml +++ b/.github/workflows/needinfo-stale.yml @@ -14,7 +14,7 @@ jobs: pull-requests: write steps: - name: Close old issues with the needinfo tag - uses: dwieeb/needs-reply@v2 + uses: imhoffd/needs-reply@71e8d5144caa0d4a1e292348bfafa3866d08c855 # v2.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} issue-label: "status: needs information" diff --git a/.github/workflows/shippable_builds.yml b/.github/workflows/shippable_builds.yml index 2213be36218..663eca38de4 100644 --- a/.github/workflows/shippable_builds.yml +++ b/.github/workflows/shippable_builds.yml @@ -36,7 +36,7 @@ jobs: outputs: releaseEnv: ${{ steps.releaseEnv.outputs.result }} steps: - - uses: actions/github-script@v7 + - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 id: releaseEnv with: result-encoding: string @@ -65,7 +65,7 @@ jobs: releaseType: ${{ vars.RELEASE_TYPE }} steps: - name: Show Environment - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 id: dump env: matrixInclude: ${{ vars.MATRIX_INCLUDE }} 
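Review bot: In needinfo-stale.yml the `uses:` line changes the action's owner from `dwieeb` to `imhoffd` in the same edit that pins it, so this is a change of trusted publisher and not only a pin. The step is handed `secrets.GITHUB_TOKEN` in a job that holds `pull-requests: write`. Before merging, confirm that `imhoffd/needs-reply` is the renamed original repository and that the SHA is the commit its v2.0.0 tag points to. A comment above the line, for example `# formerly dwieeb/needs-reply (account renamed)`, would keep that provenance visible once it has been checked. The job's `permissions` block starts outside the hunk.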
@@ -160,7 +160,7 @@ jobs: steps: - name: Triggering Actor Link id: actorLink - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 env: userMap: ${{ vars.MATRIX_NOTIFY_USER_MAP }} with: @@ -175,7 +175,7 @@ jobs: - name: Notify Build Start if: ${{ vars.MATRIX_NOTIFY_ROOM }} - uses: kewisch/action-matrix-notify@v1 + uses: kewisch/action-matrix-notify@3c45d89acd032c84b955b54c8a9001833ac91d17 # v1 with: matrixHomeserver: ${{ vars.MATRIX_NOTIFY_HOMESERVER }} matrixRoomId: ${{ vars.MATRIX_NOTIFY_ROOM }} @@ -206,7 +206,7 @@ jobs: steps: - name: Checkout repository if: ${{ contains(matrix.releaseTarget, 'github') || needs.dump_config.outputs.releaseType == 'daily' }} - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 @@ -215,14 +215,14 @@ jobs: shell: bash run: mkdir -p ~/.gradle ; cp .github/ci-gradle.properties ~/.gradle/gradle.properties - - uses: actions/setup-java@v4 + - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 if: ${{ contains(matrix.releaseTarget, 'github') || needs.dump_config.outputs.releaseType == 'daily' }} with: - distribution: temurin - java-version: 17 + distribution: 'temurin' + java-version: '17' - name: Setup Gradle - uses: gradle/actions/setup-gradle@v4 + uses: gradle/actions/setup-gradle@cc4fc85e6b35bafd578d5ffbc76a5518407e1af0 # v4.2.1 if: ${{ contains(matrix.releaseTarget, 'github') || needs.dump_config.outputs.releaseType == 'daily' }} with: cache-disabled: "${{ contains(fromJSON('[\"beta\", \"release\"]'), needs.dump_config.outputs.releaseType) }}" 
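Review bot: The trailing comment on `kewisch/action-matrix-notify@3c45d89a… # v1` (hunk at -175 in shippable_builds.yml) names the moving major tag, not a release. A reader or an update bot therefore cannot tell which version the SHA corresponds to, and the comment goes stale as soon as `v1` is moved upstream. Every other pin in this commit carries an exact version comment such as `# v4.2.2` or `# v7.0.1`. If the action publishes exact tags, use one here, written as `# <exact-release-tag>` with the real value; otherwise record the date on which `v1` was resolved. The same comment recurs in the hunks at -610, -1001, -1012, -1023, -1034, -1044 and -1054.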
@@ -396,7 +396,7 @@ jobs: - name: Summary if: ${{ contains(matrix.releaseTarget, 'github') || needs.dump_config.outputs.releaseType == 'daily' }} - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 env: bump_sha: ${{ steps.commit.outputs.sha }} applicationId: ${{ steps.appinfo.outputs.APPLICATION_ID }} @@ -449,7 +449,7 @@ jobs: cat $GITHUB_OUTPUT - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ steps.sha.outputs.app_sha }} @@ -457,13 +457,13 @@ jobs: shell: bash run: mkdir -p ~/.gradle ; cp .github/ci-gradle.properties ~/.gradle/gradle.properties - - uses: actions/setup-java@v4 + - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 with: - distribution: temurin - java-version: 17 + distribution: 'temurin' + java-version: '17' - name: Setup Gradle - uses: gradle/actions/setup-gradle@v4 + uses: gradle/actions/setup-gradle@cc4fc85e6b35bafd578d5ffbc76a5518407e1af0 # v4.2.1 with: cache-disabled: "${{ contains(fromJSON('[\"beta\", \"release\"]'), needs.dump_config.outputs.releaseType) }}" add-job-summary: on-failure @@ -546,7 +546,7 @@ jobs: ls -l ${UPLOAD_PATH}/ - name: Upload unsigned - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 env: UPLOAD_PATH: "uploads" with: @@ -566,7 +566,7 @@ jobs: env: RELEASE_TYPE: ${{ needs.dump_config.outputs.releaseType }} steps: - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: unsigned-${{ matrix.appName }}-${{ matrix.packageFormat }}-${{ matrix.packageFlavor }} path: uploads/ 
@@ -595,7 +595,7 @@ jobs: rm -f uploads/*.jks - name: Upload signed - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: signed-${{ matrix.appName }}-${{ matrix.packageFormat }}-${{ matrix.packageFlavor }} if-no-files-found: error @@ -610,7 +610,7 @@ jobs: runs-on: ubuntu-latest environment: notify_matrix steps: - - uses: kewisch/action-matrix-notify@v1 + - uses: kewisch/action-matrix-notify@3c45d89acd032c84b955b54c8a9001833ac91d17 # v1 with: matrixHomeserver: ${{ vars.MATRIX_NOTIFY_HOMESERVER }} matrixRoomId: ${{ vars.MATRIX_NOTIFY_ROOM }} @@ -682,12 +682,12 @@ jobs: cat $GITHUB_OUTPUT - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ steps.shanotes.outputs.app_sha }} - name: Download Artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: signed-${{ matrix.appName }}-${{ matrix.packageFormat }}-${{ matrix.packageFlavor }} path: "uploads/" @@ -748,7 +748,7 @@ jobs: ls -l uploads/${PKG_FILE_PRETTY} - name: App Token Generate - uses: actions/create-github-app-token@v1 + uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 if: ${{ contains(matrix.releaseTarget, 'github') && vars.RELEASER_APP_CLIENT_ID }} id: app-token with: @@ -804,7 +804,7 @@ jobs: - name: Publish to Google Play id: publish_play - uses: r0adkll/upload-google-play@v1 + uses: r0adkll/upload-google-play@935ef9c68bb393a8e6116b1575626a7f5be3a7fb # v1.1.3 if: ${{ !inputs.skipGooglePlay && contains(matrix.releaseTarget, 'play') && matrix.playTargetTrack }} with: serviceAccountJsonPlainText: ${{ secrets.PLAY_STORE_ACCOUNT }} 
@@ -876,41 +876,41 @@ jobs: - name: Auth to GCS for FTP if: ${{ !inputs.skipFtp && contains(matrix.releaseTarget, 'ftp') && matrix.packageFormat == 'apk' }} - uses: google-github-actions/auth@v2 + uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7 with: service_account: ${{ steps.ftp_destination.outputs.SERVICE_ACCOUNT }} workload_identity_provider: ${{ steps.ftp_destination.outputs.WORKLOAD_IDENTITY_PROVIDER }} - name: GCS Upload of APK Package to FTP if: ${{ !inputs.skipFtp && contains(matrix.releaseTarget, 'ftp') && matrix.packageFormat == 'apk' }} - uses: google-github-actions/upload-cloud-storage@v2 + uses: google-github-actions/upload-cloud-storage@386ab77f37fdf51c0e38b3d229fad286861cc0d0 # v2.2.1 with: path: uploads/${{ steps.rename.outputs.PKG_FILE }} destination: ${{ steps.ftp_destination.outputs.FTP_DESTINATION }} - name: GCS Upload of APK Package to FTP Nightly Latest if: ${{ !inputs.skipFtp && contains(matrix.releaseTarget, 'ftp') && matrix.packageFormat == 'apk' && needs.dump_config.outputs.releaseType == 'daily'}} - uses: google-github-actions/upload-cloud-storage@v2 + uses: google-github-actions/upload-cloud-storage@386ab77f37fdf51c0e38b3d229fad286861cc0d0 # v2.2.1 with: path: uploads/${{ steps.rename.outputs.PKG_FILE }} destination: ${{ steps.ftp_destination.outputs.FTP_DESTINATION_NIGHTLY_LATEST }} - name: GCS Upload of Source Tar to FTP if: ${{ !inputs.skipFtp && contains(matrix.releaseTarget, 'ftp') && matrix.packageFormat == 'apk' }} - uses: google-github-actions/upload-cloud-storage@v2 + uses: google-github-actions/upload-cloud-storage@386ab77f37fdf51c0e38b3d229fad286861cc0d0 # v2.2.1 with: path: uploads/${{ steps.ftp_destination.outputs.FTP_TAR_FILENAME }} destination: ${{ steps.ftp_destination.outputs.FTP_DESTINATION }} - name: GCS Upload of Source Tar to FTP Nightly Latest if: ${{ !inputs.skipFtp && contains(matrix.releaseTarget, 'ftp') && matrix.packageFormat == 'apk' && needs.dump_config.outputs.releaseType 
== 'daily'}} - uses: google-github-actions/upload-cloud-storage@v2 + uses: google-github-actions/upload-cloud-storage@386ab77f37fdf51c0e38b3d229fad286861cc0d0 # v2.2.1 with: path: uploads/${{ steps.ftp_destination.outputs.FTP_TAR_FILENAME }} destination: ${{ steps.ftp_destination.outputs.FTP_DESTINATION_NIGHTLY_LATEST }} - name: Summary - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 id: summary env: tagName: ${{ steps.pkginfo.outputs.TAG_NAME }} @@ -984,7 +984,7 @@ jobs: github_token: ${{ secrets.GITHUB_TOKEN }} - name: Info - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 id: info env: needs: ${{ toJSON(needs) }} @@ -1001,7 +1001,7 @@ jobs: - name: Notify Failure if: ${{ vars.MATRIX_NOTIFY_ROOM && contains(needs.*.result, 'failure') }} - uses: kewisch/action-matrix-notify@v1 + uses: kewisch/action-matrix-notify@3c45d89acd032c84b955b54c8a9001833ac91d17 # v1 with: matrixHomeserver: ${{ vars.MATRIX_NOTIFY_HOMESERVER }} matrixRoomId: ${{ vars.MATRIX_NOTIFY_ROOM }} @@ -1012,7 +1012,7 @@ jobs: - name: Notify Cancelled if: ${{ vars.MATRIX_NOTIFY_ROOM && !contains(needs.*.result, 'failure') && contains(needs.*.result, 'cancelled') }} - uses: kewisch/action-matrix-notify@v1 + uses: kewisch/action-matrix-notify@3c45d89acd032c84b955b54c8a9001833ac91d17 # v1 with: matrixHomeserver: ${{ vars.MATRIX_NOTIFY_HOMESERVER }} matrixRoomId: ${{ vars.MATRIX_NOTIFY_ROOM }} 
@@ -1023,7 +1023,7 @@ jobs: - name: Notify Success (Beta/Release) if: "${{ vars.MATRIX_NOTIFY_ROOM && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') && contains(fromJSON('[\"beta\", \"release\"]'), needs.dump_config.outputs.releaseType) }}" - uses: kewisch/action-matrix-notify@v1 + uses: kewisch/action-matrix-notify@3c45d89acd032c84b955b54c8a9001833ac91d17 # v1 with: matrixHomeserver: ${{ vars.MATRIX_NOTIFY_HOMESERVER }} matrixRoomId: ${{ vars.MATRIX_NOTIFY_ROOM }} @@ -1034,7 +1034,7 @@ jobs: - name: Thunderbird Publish URL (Beta/Release) if: ${{ vars.MATRIX_NOTIFY_ROOM && needs.publish_release.outputs.thunderbird_release_url && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }} - uses: kewisch/action-matrix-notify@v1 + uses: kewisch/action-matrix-notify@3c45d89acd032c84b955b54c8a9001833ac91d17 # v1 with: matrixHomeserver: ${{ vars.MATRIX_NOTIFY_HOMESERVER }} matrixRoomId: ${{ vars.MATRIX_NOTIFY_ROOM }} @@ -1044,7 +1044,7 @@ jobs: - name: K-9 Mail Publish URL (Beta/Release) if: ${{ vars.MATRIX_NOTIFY_ROOM && needs.publish_release.outputs.k9mail_release_url && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }} - uses: kewisch/action-matrix-notify@v1 + uses: kewisch/action-matrix-notify@3c45d89acd032c84b955b54c8a9001833ac91d17 # v1 with: matrixHomeserver: ${{ vars.MATRIX_NOTIFY_HOMESERVER }} matrixRoomId: ${{ vars.MATRIX_NOTIFY_ROOM }} @@ -1054,7 +1054,7 @@ jobs: - name: Notify Success (Daily) if: ${{ vars.MATRIX_NOTIFY_ROOM && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') && needs.dump_config.outputs.releaseType == 'daily' && steps.last_status.outputs.last_status == 'failure' }} - uses: kewisch/action-matrix-notify@v1 + uses: kewisch/action-matrix-notify@3c45d89acd032c84b955b54c8a9001833ac91d17 # v1 with: matrixHomeserver: ${{ vars.MATRIX_NOTIFY_HOMESERVER }} matrixRoomId: ${{ vars.MATRIX_NOTIFY_ROOM }} 
diff --git a/.github/workflows/uplift-merges.yml b/.github/workflows/uplift-merges.yml index 8f1f8b73a80..29769c32aad 100644 --- a/.github/workflows/uplift-merges.yml +++ b/.github/workflows/uplift-merges.yml @@ -17,7 +17,7 @@ jobs: contents: write steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0