From eab0003ed050f2c226321c4b327ef7541d1aa091 Mon Sep 17 00:00:00 2001 From: Joshua Li Date: Mon, 23 Mar 2026 12:44:24 -0700 Subject: [PATCH] chore: pin GitHub Actions to full-length commit SHAs --- .../actions/install-dependencies/action.yml | 2 +- .github/actions/install-playwright/action.yml | 4 +- .github/actions/restore-cache/action.yml | 4 +- .github/workflows/auto-release.yml | 6 +- .github/workflows/build.yml | 152 +++++++++--------- .github/workflows/canary.yml | 14 +- .github/workflows/changelog-preview.yml | 2 +- .github/workflows/ci-metadata.yml | 6 +- .github/workflows/cleanup-pr-caches.yml | 2 +- .github/workflows/clear-cache.yml | 4 +- .github/workflows/codeql-analysis.yml | 8 +- .../create-issue-for-unreferenced-prs.yml | 2 +- .../workflows/enforce-license-compliance.yml | 2 +- .github/workflows/external-contributors.yml | 6 +- .github/workflows/flaky-test-detector.yml | 10 +- .github/workflows/gitflow-merge-conflict.yml | 2 +- .github/workflows/gitflow-sync-develop.yml | 8 +- .github/workflows/issue-package-label.yml | 10 +- .github/workflows/pr-stale-notifier.yml | 2 +- .github/workflows/release-comment-issues.yml | 2 +- .github/workflows/release-size-info.yml | 2 +- .github/workflows/release.yml | 4 +- .github/workflows/triage-issue.yml | 4 +- 23 files changed, 129 insertions(+), 129 deletions(-) diff --git a/.github/actions/install-dependencies/action.yml b/.github/actions/install-dependencies/action.yml index cfa664b1d219..273ac065a89d 100644 --- a/.github/actions/install-dependencies/action.yml +++ b/.github/actions/install-dependencies/action.yml @@ -15,7 +15,7 @@ runs: shell: bash - name: Check dependency cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 id: cache_dependencies with: path: ${{ env.CACHED_DEPENDENCY_PATHS }} diff --git a/.github/actions/install-playwright/action.yml b/.github/actions/install-playwright/action.yml index 8ca47ce04081..07112b6373c8 100644 
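Review bot: The trailing `# v4` on the new `uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830` line names a floating major tag, so the comment does not say which release this SHA actually is, and a later reader cannot check the pin against a tag without digging through upstream history. Recording the exact release the SHA was resolved from, e.g. `uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # vX.Y.Z` (placeholder; take the real tag from the upstream release list), makes the pin auditable and lets update tooling keep comment and SHA in step. The same applies to every major-only comment (`# v2`, `# v4`, `# v5`, `# v6`, ...) in the other files of this patch. It is also worth confirming once per pin that the SHA is reachable from that tag in the named repository, not merely resolvable by hash.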
--- a/.github/actions/install-playwright/action.yml +++ b/.github/actions/install-playwright/action.yml @@ -18,7 +18,7 @@ runs: working-directory: ${{ inputs.cwd }} - name: Restore cached playwright binaries - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 id: playwright-cache with: path: | @@ -43,7 +43,7 @@ runs: # Only store cache on develop branch - name: Store cached playwright binaries - uses: actions/cache/save@v4 + uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 if: github.event_name == 'push' && github.ref == 'refs/heads/develop' with: path: | diff --git a/.github/actions/restore-cache/action.yml b/.github/actions/restore-cache/action.yml index 7e7a3971cd7e..080f065ee887 100644 --- a/.github/actions/restore-cache/action.yml +++ b/.github/actions/restore-cache/action.yml @@ -11,13 +11,13 @@ runs: steps: - name: Check dependency cache id: dep-cache - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: ${{ env.CACHED_DEPENDENCY_PATHS }} key: ${{ inputs.dependency_cache_key }} - name: Restore build artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: build-output diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml index 241900f4b6ff..4f17a2302deb 100644 --- a/.github/workflows/auto-release.yml +++ b/.github/workflows/auto-release.yml 
@@ -24,13 +24,13 @@ jobs: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 # https://github.com/actions-ecosystem/action-regex-match - - uses: actions-ecosystem/action-regex-match@v2 + - uses: actions-ecosystem/action-regex-match@9e6c4fb3d5e898f505be7a1fb6e7b0a278f6665b # v2 id: version-regex with: # Parse version from head branch @@ -46,7 +46,7 @@ jobs: echo "version=$version" >> $GITHUB_OUTPUT - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: 'package.json' diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 69523f544f2f..2246f5cfdd05 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -83,18 +83,18 @@ jobs: (needs.job_get_metadata.outputs.is_gitflow_sync == 'false' && needs.job_get_metadata.outputs.has_gitflow_label == 'false' && needs.job_get_metadata.outputs.changed_any_code == 'true') steps: - name: Check out base commit (${{ github.event.pull_request.base.sha }}) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 if: github.event_name == 'pull_request' with: ref: ${{ github.event.pull_request.base.sha }} - name: 'Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }})' - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.HEAD_COMMIT }} - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: 'package.json' 
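Review bot: The step that produces `steps.token.outputs.token` sits just above the first auto-release.yml hunk and is not touched by this commit. Only its `app-id` and `private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}` inputs are visible as context, and the diffstat for auto-release.yml counts just the three replacements shown in its hunks. That step receives the release bot's private key, so it is the reference in this file where a mutable tag would matter most; please confirm its `uses:` line is already a full-length SHA, and pin it in this commit if it is not. The release.yml hunk has the same shape (same secret as context, the `uses:` line above the hunk) and needs the same check.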
@@ -103,7 +103,7 @@ jobs: id: install_dependencies - name: Check for Affected Nx Projects - uses: dkhunt27/action-nx-affected-list@v6.1 + uses: dkhunt27/action-nx-affected-list@49c7295522987f433e781ed7f47c55a2274d7259 # v6.1 id: checkForAffected if: github.event_name == 'pull_request' with: @@ -111,7 +111,7 @@ jobs: head: ${{ env.HEAD_COMMIT }} - name: NX cache - uses: actions/cache@v5 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5 # Disable cache when: # - on release branches # - when PR has `ci-skip-cache` label or on nightly builds @@ -130,7 +130,7 @@ jobs: run: yarn build - name: Upload build artifacts - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: build-output path: ${{ env.CACHED_BUILD_PATHS }} @@ -190,11 +190,11 @@ jobs: needs.job_get_metadata.outputs.is_release == 'true' steps: - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }}) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.HEAD_COMMIT }} - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: 'package.json' - name: Restore caches @@ -219,11 +219,11 @@ jobs: needs.job_get_metadata.outputs.is_base_branch == 'true' || needs.job_get_metadata.outputs.is_release == 'true' steps: - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }}) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.HEAD_COMMIT }} - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: 'package.json' - name: Restore caches 
@@ -248,11 +248,11 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }}) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.HEAD_COMMIT }} - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: 'package.json' - name: Restore caches @@ -271,11 +271,11 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }}) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.HEAD_COMMIT }} - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: 'package.json' - name: Check that yarn.lock is stable @@ -290,12 +290,12 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }}) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.HEAD_COMMIT }} - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: 'package.json' @@ -313,11 +313,11 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }}) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.HEAD_COMMIT }} - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: 'package.json' - name: Restore caches 
@@ -335,11 +335,11 @@ jobs: if: needs.job_get_metadata.outputs.is_release == 'true' steps: - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }}) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.HEAD_COMMIT }} - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: 'package.json' - name: Restore caches @@ -351,7 +351,7 @@ jobs: run: yarn build:tarball - name: Archive artifacts - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: ${{ github.sha }} retention-days: 90 @@ -370,17 +370,17 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Check out base commit (${{ github.event.pull_request.base.sha }}) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 if: github.event_name == 'pull_request' with: ref: ${{ github.event.pull_request.base.sha }} - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }}) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.HEAD_COMMIT }} - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: 'package.json' - name: Restore caches @@ -399,7 +399,7 @@ jobs: - name: Parse and Upload Coverage if: cancelled() == false continue-on-error: true - uses: getsentry/codecov-action@main + uses: getsentry/codecov-action@fda17cfc37e16a0cc23f61685813390bfee7daf3 # main with: token: ${{ secrets.GITHUB_TOKEN }} 
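Review bot: In the `Parse and Upload Coverage` step the new reference is `getsentry/codecov-action@fda17cfc37e16a0cc23f61685813390bfee7daf3 # main`, and a branch name in the comment gives no fixed point to compare the SHA against. `main` will presumably have moved on by the time anyone audits this, and tag-based update tooling has nothing to bump. If the action publishes releases, pin to a release commit and put that tag in the comment; otherwise record when the head was sampled, e.g. `# main as of YYYY-MM-DD` (placeholder date). The same `# main` pin repeats in the later coverage-upload hunks of build.yml and on `getsentry/action-enforce-license-compliance` in enforce-license-compliance.yml, where the step is handed `secrets.FOSSA_API_KEY`. The job this step belongs to starts outside the hunk.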
@@ -411,15 +411,15 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }}) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.HEAD_COMMIT }} - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: 'package.json' - name: Set up Bun - uses: oven-sh/setup-bun@v2 + uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 - name: Restore caches uses: ./.github/actions/restore-cache with: @@ -436,15 +436,15 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }}) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.HEAD_COMMIT }} - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: 'package.json' - name: Set up Deno - uses: denoland/setup-deno@v2.0.3 + uses: denoland/setup-deno@e95548e56dfa95d4e1a28d6f422fafe75c4c26fb # v2.0.3 with: deno-version: v2.1.5 - name: Restore caches @@ -468,16 +468,16 @@ jobs: node: [18, 20, 22, 24] steps: - name: Check out base commit (${{ github.event.pull_request.base.sha }}) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 if: github.event_name == 'pull_request' with: ref: ${{ github.event.pull_request.base.sha }} - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }}) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.HEAD_COMMIT }} - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: ${{ matrix.node }} - name: Restore caches 
@@ -500,7 +500,7 @@ jobs: - name: Parse and Upload Coverage if: cancelled() == false continue-on-error: true - uses: getsentry/codecov-action@main + uses: getsentry/codecov-action@fda17cfc37e16a0cc23f61685813390bfee7daf3 # main with: token: ${{ secrets.GITHUB_TOKEN }} name: ${{ matrix.node }} @@ -562,11 +562,11 @@ jobs: steps: - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }}) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.HEAD_COMMIT }} - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: 'package.json' - name: Restore caches @@ -588,7 +588,7 @@ jobs: format(' --shard={0}/{1}', matrix.shard, matrix.shards) || '' }} - name: Upload Playwright Traces - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 if: failure() with: name: @@ -601,7 +601,7 @@ jobs: - name: Parse and Upload Coverage if: cancelled() == false continue-on-error: true - uses: getsentry/codecov-action@main + uses: getsentry/codecov-action@fda17cfc37e16a0cc23f61685813390bfee7daf3 # main with: token: ${{ secrets.GITHUB_TOKEN }} directory: dev-packages/browser-integration-tests @@ -629,11 +629,11 @@ jobs: steps: - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }}) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.HEAD_COMMIT }} - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: 'package.json' - name: Restore caches 
@@ -654,7 +654,7 @@ jobs: yarn test:loader - name: Upload Playwright Traces - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 if: failure() with: name: playwright-traces-job_browser_loader_tests-${{ matrix.bundle}} @@ -663,7 +663,7 @@ jobs: retention-days: 7 - name: Parse and Upload Coverage - uses: getsentry/codecov-action@main + uses: getsentry/codecov-action@fda17cfc37e16a0cc23f61685813390bfee7daf3 # main if: cancelled() == false continue-on-error: true with: @@ -678,11 +678,11 @@ jobs: timeout-minutes: 5 steps: - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }}) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.HEAD_COMMIT }} - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: 'package.json' - name: Restore caches @@ -716,11 +716,11 @@ jobs: typescript: '3.8' steps: - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }}) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.HEAD_COMMIT }} - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: ${{ matrix.node }} - name: Restore caches @@ -740,7 +740,7 @@ jobs: - name: Parse and Upload Coverage if: cancelled() == false continue-on-error: true - uses: getsentry/codecov-action@main + uses: getsentry/codecov-action@fda17cfc37e16a0cc23f61685813390bfee7daf3 # main with: token: ${{ secrets.GITHUB_TOKEN }} directory: dev-packages/node-integration-tests 
@@ -766,11 +766,11 @@ jobs: typescript: '3.8' steps: - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }}) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.HEAD_COMMIT }} - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: ${{ matrix.node }} - name: Restore caches @@ -790,7 +790,7 @@ jobs: - name: Parse and Upload Coverage if: cancelled() == false continue-on-error: true - uses: getsentry/codecov-action@main + uses: getsentry/codecov-action@fda17cfc37e16a0cc23f61685813390bfee7daf3 # main with: token: ${{ secrets.GITHUB_TOKEN }} directory: dev-packages/node-core-integration-tests @@ -804,11 +804,11 @@ jobs: timeout-minutes: 15 steps: - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }}) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.HEAD_COMMIT }} - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: 'package.json' - name: Restore caches @@ -832,11 +832,11 @@ jobs: node: [18, 20, 22, 24] steps: - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }}) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.HEAD_COMMIT }} - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: ${{ matrix.node }} - name: Restore caches @@ -859,7 +859,7 @@ jobs: - name: Parse and Upload Coverage if: cancelled() == false continue-on-error: true - uses: getsentry/codecov-action@main + uses: getsentry/codecov-action@fda17cfc37e16a0cc23f61685813390bfee7daf3 # main with: directory: packages/remix token: ${{ secrets.GITHUB_TOKEN }} 
@@ -880,16 +880,16 @@ jobs: matrix-optional: ${{ steps.matrix-optional.outputs.matrix }} steps: - name: Check out base commit (${{ github.event.pull_request.base.sha }}) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 if: github.event_name == 'pull_request' with: ref: ${{ github.event.pull_request.base.sha }} - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }}) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.HEAD_COMMIT }} - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: 'package.json' - name: Restore caches @@ -897,7 +897,7 @@ jobs: with: dependency_cache_key: ${{ needs.job_build.outputs.dependency_cache_key }} - name: NX cache - uses: actions/cache/restore@v5 + uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5 with: path: .nxcache key: nx-Linux-${{ github.ref }}-${{ env.HEAD_COMMIT }} @@ -908,7 +908,7 @@ jobs: run: yarn build:tarball - name: Stores tarballs in cache - uses: actions/cache/save@v5 + uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5 with: path: ${{ github.workspace }}/packages/*/*.tgz key: ${{ env.BUILD_CACHE_TARBALL_KEY }} 
@@ -950,28 +950,28 @@ jobs: matrix: ${{ fromJson(needs.job_e2e_prepare.outputs.matrix) }} steps: - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }}) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.HEAD_COMMIT }} - - uses: pnpm/action-setup@v4 + - uses: pnpm/action-setup@02f6c237bd2518259fed6c71566509edfb3f2b74 # v4 with: version: 9.15.9 - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: 'dev-packages/e2e-tests/test-applications/${{ matrix.test-application }}/package.json' - name: Set up Bun if: contains(fromJSON('["node-exports-test-app","nextjs-16-bun"]'), matrix.test-application) - uses: oven-sh/setup-bun@v2 + uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 - name: Set up AWS SAM if: matrix.test-application == 'aws-serverless' - uses: aws-actions/setup-sam@v2 + uses: aws-actions/setup-sam@d78e1a4a9656d3b223e59b80676a797f20093133 # v2 with: use-installer: true token: ${{ secrets.GITHUB_TOKEN }} - name: Set up Deno if: matrix.test-application == 'deno' - uses: denoland/setup-deno@v2.0.3 + uses: denoland/setup-deno@e95548e56dfa95d4e1a28d6f422fafe75c4c26fb # v2.0.3 with: deno-version: v2.1.5 - name: Restore caches @@ -980,7 +980,7 @@ jobs: dependency_cache_key: ${{ needs.job_build.outputs.dependency_cache_key }} - name: Restore tarball cache - uses: actions/cache/restore@v5 + uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5 id: restore-tarball-cache with: path: ${{ github.workspace }}/packages/*/*.tgz @@ -1030,7 +1030,7 @@ jobs: SENTRY_E2E_WORKSPACE_ROOT: ${{ github.workspace }} - name: Upload Playwright Traces - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 if: failure() with: name: playwright-traces-job_e2e_playwright_tests-${{ matrix.test-application}} 
@@ -1044,7 +1044,7 @@ jobs: node ./scripts/normalize-e2e-test-dump-transaction-events.js - name: Upload E2E Test Event Dumps - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 if: failure() with: name: E2E Test Dump (${{ matrix.label || matrix.test-application }}) @@ -1056,7 +1056,7 @@ jobs: - name: Parse and Upload Coverage if: cancelled() == false continue-on-error: true - uses: getsentry/codecov-action@main + uses: getsentry/codecov-action@fda17cfc37e16a0cc23f61685813390bfee7daf3 # main with: directory: dev-packages/e2e-tests token: ${{ secrets.GITHUB_TOKEN }} @@ -1090,14 +1090,14 @@ jobs: steps: - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }}) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.HEAD_COMMIT }} - - uses: pnpm/action-setup@v4 + - uses: pnpm/action-setup@02f6c237bd2518259fed6c71566509edfb3f2b74 # v4 with: version: 9.15.9 - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: 'dev-packages/e2e-tests/test-applications/${{ matrix.test-application }}/package.json' - name: Restore caches @@ -1106,7 +1106,7 @@ jobs: dependency_cache_key: ${{ needs.job_build.outputs.dependency_cache_key }} - name: Restore tarball cache - uses: actions/cache/restore@v5 + uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5 id: restore-tarball-cache with: path: ${{ github.workspace }}/packages/*/*.tgz @@ -1157,7 +1157,7 @@ jobs: node ./scripts/normalize-e2e-test-dump-transaction-events.js - name: Upload E2E Test Event Dumps - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 if: failure() with: name: E2E Test Dump (${{ matrix.label || matrix.test-application }}) 
diff --git a/.github/workflows/canary.yml b/.github/workflows/canary.yml index f9c74b5f344f..2ec0c97dfbd5 100644 --- a/.github/workflows/canary.yml +++ b/.github/workflows/canary.yml @@ -31,15 +31,15 @@ jobs: timeout-minutes: 30 steps: - name: Check out current commit - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.HEAD_COMMIT }} - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: 'package.json' - name: Check canary cache - uses: actions/cache@v5 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5 with: path: ${{ env.CACHED_BUILD_PATHS }} key: canary-${{ env.HEAD_COMMIT }} @@ -123,19 +123,19 @@ jobs: steps: - name: Check out current commit - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.HEAD_COMMIT }} - - uses: pnpm/action-setup@v4 + - uses: pnpm/action-setup@02f6c237bd2518259fed6c71566509edfb3f2b74 # v4 with: version: 9.15.9 - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: 'dev-packages/e2e-tests/test-applications/${{ matrix.test-application }}/package.json' - name: Restore canary cache - uses: actions/cache/restore@v5 + uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5 with: path: ${{ env.CACHED_BUILD_PATHS }} key: canary-${{ env.HEAD_COMMIT }} diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml index b1a0e4f25b05..d74a64f67dc0 100644 --- a/.github/workflows/changelog-preview.yml +++ b/.github/workflows/changelog-preview.yml 
@@ -15,5 +15,5 @@ permissions: jobs: changelog-preview: - uses: getsentry/craft/.github/workflows/changelog-preview.yml@2.24.1 + uses: getsentry/craft/.github/workflows/changelog-preview.yml@013a7b2113c2cac0ff32d5180cfeaefc7c9ce5b6 # 2.24.1 secrets: inherit diff --git a/.github/workflows/ci-metadata.yml b/.github/workflows/ci-metadata.yml index c4fca988d724..df99f3f2b8d2 100644 --- a/.github/workflows/ci-metadata.yml +++ b/.github/workflows/ci-metadata.yml @@ -40,7 +40,7 @@ jobs: pull-requests: read steps: - name: Check out current commit - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs.head_commit }} # We need to check out not only the fake merge commit between the PR and the base branch which GH creates, but @@ -58,7 +58,7 @@ jobs: # Most changed packages are determined in job_build via Nx - name: Determine changed packages - uses: dorny/paths-filter@v3.0.1 + uses: dorny/paths-filter@ebc4d7e9ebcb0b1eb21480bb8f43113e996ac77a # v3.0.1 id: changed with: filters: | @@ -69,7 +69,7 @@ jobs: - name: Get PR labels id: pr-labels - uses: mydea/pr-labels-action@fn/bump-node20 + uses: mydea/pr-labels-action@8e1ae01b5f5abf97ff6b6838aaead9dad67ae752 # fn/bump-node20 outputs: commit_label: '${{ env.COMMIT_SHA }}: ${{ env.COMMIT_MESSAGE }}' diff --git a/.github/workflows/cleanup-pr-caches.yml b/.github/workflows/cleanup-pr-caches.yml index eb65d9a642c1..dbeb73c6a89d 100644 --- a/.github/workflows/cleanup-pr-caches.yml +++ b/.github/workflows/cleanup-pr-caches.yml @@ -14,7 +14,7 @@ jobs: contents: read steps: - name: Check out code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Cleanup run: | diff --git a/.github/workflows/clear-cache.yml b/.github/workflows/clear-cache.yml index 3c76486cdbe2..944f01f89aa1 100644 --- a/.github/workflows/clear-cache.yml +++ b/.github/workflows/clear-cache.yml 
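Review bot: In ci-metadata.yml the `Get PR labels` step is now pinned to `mydea/pr-labels-action@8e1ae01b5f5abf97ff6b6838aaead9dad67ae752 # fn/bump-node20`, which reads as a commit on a feature branch of a personal fork, and nothing in the hunk says why that fork is used or who maintains it. A SHA pin stops the code from changing underneath the workflow, but if that branch is later deleted or rewritten the commit may no longer be kept alive by any ref, and the workflow would then depend on an orphaned object. A short comment above the step giving the reason for the fork, or moving the reference to a commit in a repository the organisation controls, would make this pin reviewable. The job this step belongs to begins above the hunk.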
@@ -23,10 +23,10 @@ jobs: name: Delete all caches runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: 'package.json' diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 00e6203b6b55..ff77d43cea26 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -46,11 +46,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@256d634097be96e792d6764f9edaefc4320557b1 # v4 with: config-file: ./.github/codeql/codeql-config.yml queries: security-extended @@ -63,7 +63,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v4 + uses: github/codeql-action/autobuild@256d634097be96e792d6764f9edaefc4320557b1 # v4 # â„šī¸ Command-line programs to run using the OS shell. # 📚 https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions @@ -77,4 +77,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@256d634097be96e792d6764f9edaefc4320557b1 # v4 diff --git a/.github/workflows/create-issue-for-unreferenced-prs.yml b/.github/workflows/create-issue-for-unreferenced-prs.yml index 0a833715d854..7df87218db14 100644 --- a/.github/workflows/create-issue-for-unreferenced-prs.yml +++ b/.github/workflows/create-issue-for-unreferenced-prs.yml 
@@ -27,7 +27,7 @@ jobs: && !startsWith(github.event.pull_request.head.ref, 'dependabot/') steps: - name: Check PR Body and Title for Issue Reference - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const pr = context.payload.pull_request; diff --git a/.github/workflows/enforce-license-compliance.yml b/.github/workflows/enforce-license-compliance.yml index 0f186ad9a7a0..ab20798a929e 100644 --- a/.github/workflows/enforce-license-compliance.yml +++ b/.github/workflows/enforce-license-compliance.yml @@ -20,6 +20,6 @@ jobs: runs-on: ubuntu-24.04 steps: - name: 'Enforce License Compliance' - uses: getsentry/action-enforce-license-compliance@main + uses: getsentry/action-enforce-license-compliance@48236a773346cb6552a7bda1ee370d2797365d87 # main with: fossa_api_key: ${{ secrets.FOSSA_API_KEY }} diff --git a/.github/workflows/external-contributors.yml b/.github/workflows/external-contributors.yml index 64a6f82478e5..ab2dc8646979 100644 --- a/.github/workflows/external-contributors.yml +++ b/.github/workflows/external-contributors.yml @@ -20,9 +20,9 @@ jobs: && github.event.pull_request.author_association != 'OWNER' && endsWith(github.event.pull_request.user.login, '[bot]') == false steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: 'package.json' @@ -37,7 +37,7 @@ jobs: - name: Generate GitHub App token id: app-token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2 with: app-id: ${{ vars.GITFLOW_APP_ID }} private-key: ${{ secrets.GITFLOW_APP_PRIVATE_KEY }} diff --git a/.github/workflows/flaky-test-detector.yml b/.github/workflows/flaky-test-detector.yml index 6afed7df214b..f63de6fd3819 100644 
--- a/.github/workflows/flaky-test-detector.yml +++ b/.github/workflows/flaky-test-detector.yml @@ -30,9 +30,9 @@ jobs: if: ${{ github.base_ref != 'master' && github.ref != 'refs/heads/master' }} steps: - name: Check out current branch - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: 'package.json' cache: 'yarn' @@ -40,7 +40,7 @@ jobs: run: yarn install --ignore-engines --frozen-lockfile - name: NX cache - uses: actions/cache/restore@v5 + uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5 with: path: .nxcache key: nx-Linux-${{ github.ref }}-${{ env.HEAD_COMMIT }} @@ -55,7 +55,7 @@ jobs: browsers: 'chromium' - name: Determine changed tests - uses: dorny/paths-filter@v3.0.1 + uses: dorny/paths-filter@ebc4d7e9ebcb0b1eb21480bb8f43113e996ac77a # v3.0.1 id: changed with: list-files: json @@ -71,7 +71,7 @@ jobs: TEST_RUN_COUNT: 'AUTO' - name: Upload Playwright Traces - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 if: failure() && steps.test.outcome == 'failure' with: name: playwright-test-results diff --git a/.github/workflows/gitflow-merge-conflict.yml b/.github/workflows/gitflow-merge-conflict.yml index 8b31d07afd6a..ac34a9e11897 100644 --- a/.github/workflows/gitflow-merge-conflict.yml +++ b/.github/workflows/gitflow-merge-conflict.yml @@ -16,7 +16,7 @@ jobs: issues: write steps: - name: Check for merge conflicts with retry - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const initialDelay = 60_000; // Wait 1 minute before first check to let CI start diff --git a/.github/workflows/gitflow-sync-develop.yml b/.github/workflows/gitflow-sync-develop.yml index 1ff55f46a008..200b38f76c67 100644 
--- a/.github/workflows/gitflow-sync-develop.yml +++ b/.github/workflows/gitflow-sync-develop.yml @@ -23,11 +23,11 @@ jobs: contents: write steps: - name: git checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Generate GitHub App token id: app-token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2 with: app-id: ${{ vars.GITFLOW_APP_ID }} private-key: ${{ secrets.GITFLOW_APP_PRIVATE_KEY }} @@ -35,7 +35,7 @@ jobs: # https://github.com/marketplace/actions/github-pull-request-action - name: Create Pull Request id: open-pr - uses: repo-sync/pull-request@v2 + uses: repo-sync/pull-request@7e79a9f5dc3ad0ce53138f01df2fad14a04831c5 # v2 with: source_branch: ${{ env.SOURCE_BRANCH }} destination_branch: ${{ env.TARGET_BRANCH }} @@ -53,7 +53,7 @@ jobs: # https://github.com/marketplace/actions/auto-approve - name: Auto approve PR if: steps.open-pr.outputs.pr_number != '' - uses: hmarr/auto-approve-action@v4 + uses: hmarr/auto-approve-action@8f929096a962e83ccdfa8afcf855f39f12d4dac7 # v4 with: pull-request-number: ${{ steps.open-pr.outputs.pr_number }} review-message: 'Auto approved automated PR' diff --git a/.github/workflows/issue-package-label.yml b/.github/workflows/issue-package-label.yml index 323b17219b1a..94a3df241ec4 100644 --- a/.github/workflows/issue-package-label.yml +++ b/.github/workflows/issue-package-label.yml @@ -12,7 +12,7 @@ jobs: steps: - name: Get used package from issue body # https://github.com/actions-ecosystem/action-regex-match - uses: actions-ecosystem/action-regex-match@v2 + uses: actions-ecosystem/action-regex-match@9e6c4fb3d5e898f505be7a1fb6e7b0a278f6665b # v2 id: packageName with: # Parse used package from issue body 
@@ -21,7 +21,7 @@ jobs: - name: Map package to issue label # https://github.com/kanga333/variable-mapper - uses: kanga333/variable-mapper@v0.3.0 + uses: kanga333/variable-mapper@3681b75f5c6c00162721168fb91ab74925eaebcb # v0.3.0 id: packageLabel if: steps.packageName.outputs.match != '' with: @@ -131,13 +131,13 @@ jobs: - name: Add package label if applicable # Note: We only add the label if the issue is still open if: steps.packageLabel.outputs.label != '' - uses: actions-ecosystem/action-add-labels@v1 + uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1 with: labels: ${{ steps.packageLabel.outputs.label }} - name: Map additional to issue label # https://github.com/kanga333/variable-mapper - uses: kanga333/variable-mapper@v0.3.0 + uses: kanga333/variable-mapper@3681b75f5c6c00162721168fb91ab74925eaebcb # v0.3.0 id: additionalLabel if: steps.packageName.outputs.match != '' with: @@ -157,6 +157,6 @@ jobs: - name: Add additional label if applicable # Note: We only add the label if the issue is still open if: steps.additionalLabel.outputs.label != '' - uses: actions-ecosystem/action-add-labels@v1 + uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1 with: labels: ${{ steps.additionalLabel.outputs.label }} diff --git a/.github/workflows/pr-stale-notifier.yml b/.github/workflows/pr-stale-notifier.yml index 2b5761936773..02c3cba4d20c 100644 --- a/.github/workflows/pr-stale-notifier.yml +++ b/.github/workflows/pr-stale-notifier.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Warn and close stale PRs - uses: actions/stale@v10 + uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10 with: repo-token: ${{ secrets.GITHUB_TOKEN }} days-before-issue-stale: -1 diff --git a/.github/workflows/release-comment-issues.yml b/.github/workflows/release-comment-issues.yml index dfb782b1b6d8..d6fb956f3754 100644 --- a/.github/workflows/release-comment-issues.yml 
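Review bot: A full-length SHA in `owner/repo@<sha>` is only as trustworthy as the check that the commit belongs to that repository, and for the small third-party actions pinned in issue-package-label.yml (`kanga333/variable-mapper`, `actions-ecosystem/action-add-labels`) nothing visible in the patch records that check. GitHub can resolve a commit that exists only in a fork of the action's repository, so each SHA should be confirmed as reachable from the upstream release tag named in its comment before merge. Stating in the commit description how the SHAs were resolved (a pinning tool or a manual tag lookup) would make that reviewable. This applies equally to the other third-party pins in the patch.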
+++ b/.github/workflows/release-comment-issues.yml @@ -29,7 +29,7 @@ jobs: && !contains(steps.get_version.outputs.version, '-alpha.') && !contains(steps.get_version.outputs.version, '-rc.') - uses: getsentry/release-comment-issues-gh-action@v1 + uses: getsentry/release-comment-issues-gh-action@52e08022ca721e701515ede89edd224b63b180eb # v1 with: github_token: ${{ secrets.GITHUB_TOKEN }} version: ${{ steps.get_version.outputs.version }} diff --git a/.github/workflows/release-size-info.yml b/.github/workflows/release-size-info.yml index a1f75303d1ff..6d0d766f0c5b 100644 --- a/.github/workflows/release-size-info.yml +++ b/.github/workflows/release-size-info.yml @@ -26,7 +26,7 @@ jobs: - name: Update Github Release if: steps.get_version.outputs.version != '' - uses: getsentry/size-limit-release@v2 + uses: getsentry/size-limit-release@b6d9970a501a058679fa727e8297104ebf513dee # v2 with: github_token: ${{ secrets.GITHUB_TOKEN }} version: ${{ steps.get_version.outputs.version }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d966e35e9671..bffde9e2ffd1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -27,12 +27,12 @@ jobs: with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: 'package.json' - name: Prepare release diff --git a/.github/workflows/triage-issue.yml b/.github/workflows/triage-issue.yml index 9e5467329b62..f0407a4eef08 100644 --- a/.github/workflows/triage-issue.yml +++ b/.github/workflows/triage-issue.yml 
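Review bot: In the release.yml hunk the step that receives `private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}` is only partly visible: its `uses:` line sits above the hunk and is not changed by this patch (the diffstat lists four changed lines for release.yml, which the two `-`/`+` pairs here account for). If that step still references a tag or branch, it would be the one unpinned action in the release job and the one that handles the App private key. Presumably it was pinned earlier, but that should be confirmed before relying on this commit for the release path. The job's steps continue outside the hunk.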
@@ -48,13 +48,13 @@ jobs: echo "Processing issue #$ISSUE_NUM in CI mode" - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: develop - name: Run Claude triage id: triage - uses: anthropics/claude-code-action@v1 + uses: anthropics/claude-code-action@18c2b94d83ba2647c1a5e025edb06441c4a7b46e # v1 with: anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} github_token: ${{ secrets.GITHUB_TOKEN }}