ci(pie-monorepo): DSW-2251 Pin GitHub Actions dependencies to commit (#…

…1766) * attempt to fix env var v2 * ci(pie-monorepo): DSW-000 pin GHA deps * disable husky * use native library * use native library * fix glob * fix runner * fix lint issues * remove linter * remove linter * fix typo * move comments to same line * move comments to same line --------- Co-authored-by: Ben Siggery <[email protected]>
justeattakeaway · Sep 4, 2024 · ec69107 · ec69107
1 parent 8c1c66f
commit ec69107
Show file tree

Hide file tree

Showing 15 changed files with 62 additions and 53 deletions.
diff --git a/.github/actions/amplify-teardown/action.yml b/.github/actions/amplify-teardown/action.yml
@@ -31,14 +31,14 @@ runs:
   using: composite
   steps:
   - name: 🎟 Get GitHub App token
-    uses: navikt/[email protected].0        
+    uses: navikt/github-app-token-generator@b96ff604b2300989cd1105e3fad09199fca56681 # v1.2.1 
     id: get-token
     with:
       app-id: ${{ inputs.gh-app-id }}
       private-key: ${{ inputs.gh-app-private-key }}
 
   - name: Delete associated GitHub environment
-    uses: strumwolf/delete-deployment-environment@v2.2.3
+    uses: strumwolf/delete-deployment-environment@a4825dd9648c57da8437a4885c3fcad58beac69c # v3.0.0
     with:
       # Use a JWT created with your GitHub App's private key
       token: ${{ steps.get-token.outputs.token }}

diff --git a/.github/actions/setup-playwright/action.yml b/.github/actions/setup-playwright/action.yml
@@ -9,7 +9,7 @@ runs:
         id: playwright-version
         run: echo "PLAYWRIGHT_VERSION=`node -p "require('./package.json')['devDependencies']['@playwright/test']"`" >> $GITHUB_ENV
       - name: Cache playwright binaries
-        uses: actions/cache@v3
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         id: playwright-cache
         with:
           path: |

diff --git a/.github/actions/setup-repo/action.yml b/.github/actions/setup-repo/action.yml
@@ -14,7 +14,7 @@ runs:
   steps:
       # Setup Node
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
         with:
           node-version: ${{ inputs.node-version }}
           cache: "yarn"

diff --git a/.github/project-labeler.yml b/.github/project-labeler.yml
@@ -4,6 +4,9 @@
 apps:
 - 'apps/**/*'
 
+ci:
+- '.github/**/*'
+
 pie-docs:
 - 'apps/pie-docs/**/*'
 

diff --git a/.github/workflows/amplify-deploy.yml b/.github/workflows/amplify-deploy.yml
@@ -50,7 +50,7 @@ jobs:
     steps:
       # Checkout the Repo
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       # Setup Repo
       - name: Setup Repo
         uses: ./.github/actions/setup-repo
@@ -65,7 +65,7 @@ jobs:
       # Create Github Deployment
       - name: Create Docs GitHub deployment
         if: ${{ github.event_name == 'pull_request' }}
-        uses: chrnorm/deployment-action@v2
+        uses: chrnorm/deployment-action@55729fcebec3d284f60f5bcabbd8376437d696b1 # v2.0.0
         id: deploy
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -79,7 +79,7 @@ jobs:
       # Upload zip to S3
       - name: Upload to S3
         id: upload-s3
-        uses: hkusu/s3-upload-action@v2
+        uses: hkusu/s3-upload-action@df0d0d688ce4593c477be764d08f63566dfd968e # v2.1.0
         with:
           aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
@@ -138,7 +138,6 @@ jobs:
             --domain-name pie.design \
             --sub-domain-settings '${{ env.DOMAIN_ASSOCIATIONS }}'
 
-
       - name: Wait for Amplify deployment
         if: github.event_name == 'pull_request'
         run: |
@@ -184,7 +183,7 @@ jobs:
       # If successful
       - name: Update deployment status (success)
         if: ${{ github.event_name == 'pull_request' && success() }}
-        uses: chrnorm/deployment-status@v2
+        uses: chrnorm/deployment-status@9a72af4586197112e0491ea843682b5dc280d806 # v2.0.3
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           environment-url: https://${{ env.SUB_DOMAIN }}.pie.design/
@@ -194,9 +193,9 @@ jobs:
       # If it failed
       - name: Update deployment status (failure)
         if: ${{ github.event_name == 'pull_request' && failure() }}
-        uses: chrnorm/deployment-status@v2
+        uses: chrnorm/deployment-status@9a72af4586197112e0491ea843682b5dc280d806 # v2.0.3
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           environment-url: https://${{ env.SUB_DOMAIN }}.pie.design/
           deployment-id: ${{ steps.deploy.outputs.deployment_id }}
-          state: "failure"
+          state: "failure"
diff --git a/.github/workflows/changeset-release.yml b/.github/workflows/changeset-release.yml
@@ -28,7 +28,7 @@ jobs:
     steps:
     # Checkout the Repo
     - name: Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       with:
         fetch-depth: 0
         persist-credentials: false
@@ -52,7 +52,7 @@ jobs:
         script-name: "build"
     - name: Check for pre.json file existence
       id: check_files
-      uses: andstor/file-existence-action@v2.0.0
+      uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3.0.0
       with:
         files: ".changeset/pre.json"
     - name: exit prerelease mode
@@ -63,7 +63,7 @@ jobs:
     - name: Create latest release PR
       id: changesets-main
       if: contains(github.ref_name, 'main')
-      uses: changesets/action@v1
+      uses: changesets/action@3de3850952bec538fde60aac71731376e57b9b57 # v1.4.8
       with:
         version: yarn changeset:version
         publish: yarn changeset:publish
@@ -78,7 +78,7 @@ jobs:
       run: npx changeset pre enter beta
     - name: Create beta release PR
       if: contains(github.ref_name, 'beta')
-      uses: changesets/action@v1
+      uses: changesets/action@3de3850952bec538fde60aac71731376e57b9b57 # v1.4.8
       with:
         version: yarn changeset:version
         publish: yarn changeset:publish
@@ -91,7 +91,7 @@ jobs:
       run: npx changeset pre enter next
     - name: Create feature release PR
       if: contains(github.ref_name, 'feature')
-      uses: changesets/action@v1
+      uses: changesets/action@3de3850952bec538fde60aac71731376e57b9b57 # v1.4.8
       with:
         version: yarn changeset:version
         publish: yarn changeset:publish
@@ -187,7 +187,7 @@ jobs:
 
     - name: Send a Slack notification on publish
       if: steps.changesets-main.outputs.published == 'true'
-      uses: slackapi/slack-github-action@v1.24.0
+      uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0
       with:
         channel-id: ${{ secrets.RELEASE_SLACK_CHANNEL_ID }}
         payload: |

diff --git a/.github/workflows/changeset-snapshot.yml b/.github/workflows/changeset-snapshot.yml
@@ -16,19 +16,19 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Enforce permission requirement
-        uses: prince-chrismc/check-actor-permissions-action@v1
+        uses: prince-chrismc/check-actor-permissions-action@ce04efab4f468664a0ae6d9cc0c14e4a4e6cd70a # v3.0.1
         with:
           permission: write
 
       - name: Add initial reaction
-        uses: peter-evans/create-or-update-comment@v2
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
         with:
           token: ${{ secrets.CHANGESETS_TOKEN }}
           comment-id: ${{ github.event.comment.id }}
           reactions: eyes
 
       - name: Validate pull request
-        uses: actions/github-script@v6
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea #v7.0.1
         id: pr_data
         env:
           GITHUB_TOKEN: ${{ secrets.CHANGESETS_TOKEN }}
@@ -59,7 +59,7 @@ jobs:
             }
 
       - name: Add link to build
-        uses: actions/github-script@v6
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         id: build-link
         env:
           GITHUB_TOKEN: ${{ secrets.CHANGESETS_TOKEN }}
@@ -84,11 +84,11 @@ jobs:
        # issue_comment event doesn't provide access to head_ref env var.
        # This action provides us with the env vars we need to do a git diff.
        # https://github.com/actions/checkout/issues/331#issuecomment-1242708547
-      - uses: xt0rted/pull-request-comment-branch@v2
+      - uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2.0.0
         id: comment-branch
 
-      - name: Checkout default branch
-        uses: actions/checkout@v3
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       # issue_comment requires us to checkout the branch
       # https://github.com/actions/checkout/issues/331#issuecomment-1120113003
@@ -133,7 +133,7 @@ jobs:
             done
 
       - name: Create and publish snapshot release
-        uses: actions/github-script@v6
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         env:
           GITHUB_TOKEN: ${{ secrets.CHANGESETS_TOKEN }}
         with:
@@ -145,7 +145,7 @@ jobs:
 
       - name: Add failure comment
         if: failure()
-        uses: peter-evans/create-or-update-comment@v2
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
         with:
           issue-number: ${{ github.event.issue.number }}
           token: ${{ secrets.CHANGESETS_TOKEN }}

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -66,7 +66,7 @@ jobs:
     steps:
       # Checkout the Repo
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
       # Setup Repo
@@ -99,7 +99,7 @@ jobs:
     steps:
       # Checkout the Repo
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       # Setup Repo
       - name: Setup Repo
         uses: ./.github/actions/setup-repo
@@ -118,7 +118,7 @@ jobs:
     steps:
       # Checkout the Repo
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       # Setup Repo
       - name: Setup Repo
         uses: ./.github/actions/setup-repo
@@ -159,7 +159,7 @@ jobs:
     steps:
       # Checkout the Repo
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       # Setup Repo
       - name: Setup Repo
         uses: ./.github/actions/setup-repo
@@ -199,7 +199,7 @@ jobs:
     steps:
       # Checkout the Repo
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
       # Setup Repo
@@ -216,7 +216,8 @@ jobs:
         uses: ./.github/actions/run-script
         with:
           script-name: "test:browsers:ci --filter='./packages/components/*'"
-      - uses: actions/upload-artifact@v3
+      - name: Upload Playwright Report
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         if: always()
         with:
           name: browsers-report
@@ -235,7 +236,8 @@ jobs:
         with:
           script-name: "test:visual:ci --filter='{./packages/components/*}...[origin/main]'"
           concurrency: 1
-      - uses: actions/upload-artifact@v3
+      - name: Upload Playwright Report
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         if: always()
         with:
           name: visual-report
@@ -265,7 +267,7 @@ jobs:
     steps:
       # Checkout the Repo
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
       # Setup Repo
@@ -282,7 +284,8 @@ jobs:
         uses: ./.github/actions/run-script
         with:
           script-name: "test:browsers:ci --filter=pie-docs"
-      - uses: actions/upload-artifact@v3
+      - name: Upload Playwright Report
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         if: always()
         with:
           name: browsers-report
@@ -301,7 +304,8 @@ jobs:
         with:
           script-name: "test:visual:ci --filter=pie-docs"
           concurrency: 1
-      - uses: actions/upload-artifact@v3
+      - name: Upload Playwright Report
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874  # v4.4.0
         if: always()
         with:
           name: visual-report

diff --git a/.github/workflows/closed.yml b/.github/workflows/closed.yml
@@ -14,11 +14,11 @@ jobs:
       hasStorybookEnv: ${{ steps.list-environments.outputs.hasStorybookEnv }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: List repo environments
         id: list-environments
-        uses: actions/github-script@v6
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           github-token: ${{ secrets.CHANGESETS_TOKEN }}
           script: |

diff --git a/.github/workflows/dangerjs-checks.yml b/.github/workflows/dangerjs-checks.yml
@@ -11,7 +11,7 @@ jobs:
     steps:
       # Checkout the Repo
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       # Setup Repo
       - name: Setup Repo
         uses: ./.github/actions/setup-repo

diff --git a/.github/workflows/example-apps-ci.yml b/.github/workflows/example-apps-ci.yml
@@ -61,7 +61,7 @@ jobs:
     steps:
       # Checkout the Repo
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       # Setup Repo
       - name: Setup Repo
         uses: ./.github/actions/setup-repo

diff --git a/.github/workflows/install-build.yml b/.github/workflows/install-build.yml
@@ -22,7 +22,7 @@ jobs:
     runs-on: ${{ inputs.os }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Setup Repo
         uses: ./.github/actions/setup-repo
         with:

diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -7,8 +7,11 @@ jobs:
   categorise:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
-    - uses: actions/labeler@v4
+    - name: Checkout
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+    - name: Labeler
+      uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
       with:
         configuration-path: '.github/project-labeler.yml'
         repo-token: '${{ secrets.GITHUB_TOKEN }}'

diff --git a/.github/workflows/pr-title-linter.yml b/.github/workflows/pr-title-linter.yml
@@ -9,7 +9,7 @@ jobs:
     if: ${{ github.event.pull_request.draft == false }}
     runs-on: ubuntu-latest
     steps:
-      - uses: morrisoncole/[email protected]
+      - uses: morrisoncole/pr-lint-action@51f3cfabaf5d46f94e54524214e45685f0401b2a # v1.7.1
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
           title-regex: "^[a-z]+?\\([a-z0-9-]+?\\): [A-Za-z]+?-\\d+? \\w.*|^Version Packages|^\\[Snyk\\].*"