From ec691075e8c4936a69c564224e7867affdb685bd Mon Sep 17 00:00:00 2001 From: Ben Siggery <14013357+siggerzz@users.noreply.github.com> Date: Wed, 4 Sep 2024 12:56:35 +0100 Subject: [PATCH] ci(pie-monorepo): DSW-2251 Pin GitHub Actions dependencies to commit (#1766) * attempt to fix env var v2 * ci(pie-monorepo): DSW-000 pin GHA deps * disable husky * use native library * use native library * fix glob * fix runner * fix lint issues * remove linter * remove linter * fix typo * move comments to same line * move comments to same line --------- Co-authored-by: Ben Siggery --- .github/actions/amplify-teardown/action.yml | 4 ++-- .github/actions/setup-playwright/action.yml | 2 +- .github/actions/setup-repo/action.yml | 2 +- .github/project-labeler.yml | 3 +++ .github/workflows/amplify-deploy.yml | 13 ++++++----- .github/workflows/changeset-release.yml | 12 +++++------ .github/workflows/changeset-snapshot.yml | 18 ++++++++-------- .github/workflows/ci.yml | 24 ++++++++++++--------- .github/workflows/closed.yml | 4 ++-- .github/workflows/dangerjs-checks.yml | 2 +- .github/workflows/example-apps-ci.yml | 2 +- .github/workflows/install-build.yml | 2 +- .github/workflows/labeler.yml | 7 ++++-- .github/workflows/pr-title-linter.yml | 2 +- .github/workflows/test-aperture.yml | 18 ++++++++-------- 15 files changed, 62 insertions(+), 53 deletions(-) diff --git a/.github/actions/amplify-teardown/action.yml b/.github/actions/amplify-teardown/action.yml index fc8ce248a9..fe6dc7095a 100644 --- a/.github/actions/amplify-teardown/action.yml +++ b/.github/actions/amplify-teardown/action.yml 
@@ -31,14 +31,14 @@ runs: using: composite steps: - name: 🎟 Get GitHub App token - uses: navikt/github-app-token-generator@v1.2.0 + uses: navikt/github-app-token-generator@b96ff604b2300989cd1105e3fad09199fca56681 # v1.2.1 id: get-token with: app-id: ${{ inputs.gh-app-id }} private-key: ${{ inputs.gh-app-private-key }} - name: Delete associated GitHub environment - uses: strumwolf/delete-deployment-environment@v2.2.3 + uses: strumwolf/delete-deployment-environment@a4825dd9648c57da8437a4885c3fcad58beac69c # v3.0.0 with: # Use a JWT created with your GitHub App's private key token: ${{ steps.get-token.outputs.token }} diff --git a/.github/actions/setup-playwright/action.yml b/.github/actions/setup-playwright/action.yml index 2b1235a70c..701ecfc7d9 100644 --- a/.github/actions/setup-playwright/action.yml +++ b/.github/actions/setup-playwright/action.yml @@ -9,7 +9,7 @@ runs: id: playwright-version run: echo "PLAYWRIGHT_VERSION=`node -p "require('./package.json')['devDependencies']['@playwright/test']"`" >> $GITHUB_ENV - name: Cache playwright binaries - uses: actions/cache@v3 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: playwright-cache with: path: | diff --git a/.github/actions/setup-repo/action.yml b/.github/actions/setup-repo/action.yml index 3130841659..b367d871df 100644 --- a/.github/actions/setup-repo/action.yml +++ b/.github/actions/setup-repo/action.yml @@ -14,7 +14,7 @@ runs: steps: # Setup Node - name: Setup Node - uses: actions/setup-node@v4 + uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 with: node-version: ${{ inputs.node-version }} cache: "yarn" diff --git a/.github/project-labeler.yml b/.github/project-labeler.yml index 61c0636fdc..6615ea5f80 100644 --- a/.github/project-labeler.yml +++ b/.github/project-labeler.yml @@ -4,6 +4,9 @@ apps: - 'apps/**/*' +ci: +- '.github/**/*' + pie-docs: - 'apps/pie-docs/**/*' 
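Review bot: In the amplify-teardown hunk the pin for navikt/github-app-token-generator carries the comment `# v1.2.1` while the line it replaces referenced `v1.2.0`, so this is an upgrade as well as a pin, and nothing in the diff shows how the SHAs were checked against the release tags. A version comment next to a SHA is documentation only; before merging, confirm each SHA is the commit the named tag points to (tags are mutable, SHAs are not, which is the whole reason to pin), and add a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` (or an equivalent Renovate rule) so the pins get bumped and the `# vX.Y.Z` comments stay in sync rather than rotting. The same hunk also moves strumwolf/delete-deployment-environment from v2.2.3 to v3.0.0, a major bump whose input compatibility I cannot verify from here and which deserves a line in the PR description.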
diff --git a/.github/workflows/amplify-deploy.yml b/.github/workflows/amplify-deploy.yml index 7efa4fe3e0..7e8bd3cd53 100644 --- a/.github/workflows/amplify-deploy.yml +++ b/.github/workflows/amplify-deploy.yml @@ -50,7 +50,7 @@ jobs: steps: # Checkout the Repo - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 # Setup Repo - name: Setup Repo uses: ./.github/actions/setup-repo @@ -65,7 +65,7 @@ jobs: # Create Github Deployment - name: Create Docs GitHub deployment if: ${{ github.event_name == 'pull_request' }} - uses: chrnorm/deployment-action@v2 + uses: chrnorm/deployment-action@55729fcebec3d284f60f5bcabbd8376437d696b1 # v2.0.0 id: deploy with: token: ${{ secrets.GITHUB_TOKEN }} @@ -79,7 +79,7 @@ jobs: # Upload zip to S3 - name: Upload to S3 id: upload-s3 - uses: hkusu/s3-upload-action@v2 + uses: hkusu/s3-upload-action@df0d0d688ce4593c477be764d08f63566dfd968e # v2.1.0 with: aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }} @@ -138,7 +138,6 @@ jobs: --domain-name pie.design \ --sub-domain-settings '${{ env.DOMAIN_ASSOCIATIONS }}' - - name: Wait for Amplify deployment if: github.event_name == 'pull_request' run: | @@ -184,7 +183,7 @@ jobs: # If successful - name: Update deployment status (success) if: ${{ github.event_name == 'pull_request' && success() }} - uses: chrnorm/deployment-status@v2 + uses: chrnorm/deployment-status@9a72af4586197112e0491ea843682b5dc280d806 # v2.0.3 with: token: ${{ secrets.GITHUB_TOKEN }} environment-url: https://${{ env.SUB_DOMAIN }}.pie.design/ 
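Review bot: The 'Upload to S3' step still hands long-lived AWS credentials (`aws-access-key-id` / `aws-secret-access-key` read from `env`) to the third-party hkusu/s3-upload-action; pinning the SHA stops the action from being swapped underneath you, but it does not change that an external action receives static keys for the account. If the workflow can use OIDC, replacing the step with `aws-actions/configure-aws-credentials` (`role-to-assume`, plus `permissions: id-token: write` on the job) followed by a plain `aws s3 cp` removes both the static secret and one external dependency. Where `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` are populated is outside this hunk, so this is inferred from the `env` references.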
@@ -194,9 +193,9 @@ jobs: # If it failed - name: Update deployment status (failure) if: ${{ github.event_name == 'pull_request' && failure() }} - uses: chrnorm/deployment-status@v2 + uses: chrnorm/deployment-status@9a72af4586197112e0491ea843682b5dc280d806 # v2.0.3 with: token: ${{ secrets.GITHUB_TOKEN }} environment-url: https://${{ env.SUB_DOMAIN }}.pie.design/ deployment-id: ${{ steps.deploy.outputs.deployment_id }} - state: "failure" + state: "failure" \ No newline at end of file diff --git a/.github/workflows/changeset-release.yml b/.github/workflows/changeset-release.yml index 38fce168c8..cffc3648b2 100644 --- a/.github/workflows/changeset-release.yml +++ b/.github/workflows/changeset-release.yml @@ -28,7 +28,7 @@ jobs: steps: # Checkout the Repo - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 persist-credentials: false @@ -52,7 +52,7 @@ jobs: script-name: "build" - name: Check for pre.json file existence id: check_files - uses: andstor/file-existence-action@v2.0.0 + uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3.0.0 with: files: ".changeset/pre.json" - name: exit prerelease mode @@ -63,7 +63,7 @@ jobs: - name: Create latest release PR id: changesets-main if: contains(github.ref_name, 'main') - uses: changesets/action@v1 + uses: changesets/action@3de3850952bec538fde60aac71731376e57b9b57 # v1.4.8 with: version: yarn changeset:version publish: yarn changeset:publish @@ -78,7 +78,7 @@ jobs: run: npx changeset pre enter beta - name: Create beta release PR if: contains(github.ref_name, 'beta') - uses: changesets/action@v1 + uses: changesets/action@3de3850952bec538fde60aac71731376e57b9b57 # v1.4.8 with: version: yarn changeset:version publish: yarn changeset:publish 
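Review bot: The last hunk of amplify-deploy.yml drops the file's trailing newline (`\ No newline at end of file` after `state: "failure"`), which is a regression unrelated to pinning; yamllint's `new-line-at-end-of-file` rule flags it and every future edit to the final line will produce a noisy diff. Re-add the newline after `state: "failure"`. The changeset-release.yml hunks on the same line look like straight pins apart from the v2→v3 bump of andstor/file-existence-action, whose inputs I cannot check from here.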
@@ -91,7 +91,7 @@ jobs: run: npx changeset pre enter next - name: Create feature release PR if: contains(github.ref_name, 'feature') - uses: changesets/action@v1 + uses: changesets/action@3de3850952bec538fde60aac71731376e57b9b57 # v1.4.8 with: version: yarn changeset:version publish: yarn changeset:publish @@ -187,7 +187,7 @@ jobs: - name: Send a Slack notification on publish if: steps.changesets-main.outputs.published == 'true' - uses: slackapi/slack-github-action@v1.24.0 + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 with: channel-id: ${{ secrets.RELEASE_SLACK_CHANNEL_ID }} payload: | diff --git a/.github/workflows/changeset-snapshot.yml b/.github/workflows/changeset-snapshot.yml index 246fb109a6..7251653fc9 100644 --- a/.github/workflows/changeset-snapshot.yml +++ b/.github/workflows/changeset-snapshot.yml @@ -16,19 +16,19 @@ jobs: runs-on: ubuntu-latest steps: - name: Enforce permission requirement - uses: prince-chrismc/check-actor-permissions-action@v1 + uses: prince-chrismc/check-actor-permissions-action@ce04efab4f468664a0ae6d9cc0c14e4a4e6cd70a # v3.0.1 with: permission: write - name: Add initial reaction - uses: peter-evans/create-or-update-comment@v2 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: token: ${{ secrets.CHANGESETS_TOKEN }} comment-id: ${{ github.event.comment.id }} reactions: eyes - name: Validate pull request - uses: actions/github-script@v6 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea #v7.0.1 id: pr_data env: GITHUB_TOKEN: ${{ secrets.CHANGESETS_TOKEN }} @@ -59,7 +59,7 @@ jobs: } - name: Add link to build - uses: actions/github-script@v6 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 id: build-link env: GITHUB_TOKEN: ${{ secrets.CHANGESETS_TOKEN }} 
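Review bot: The 'Validate pull request' step in changeset-snapshot.yml is pinned with the comment `#v7.0.1` (no space after `#`), whereas every other pin in this PR is written `# v7.0.1`. Pin-management tooling (Dependabot, Renovate, StepSecurity) reads the version from that trailing comment and matchers differ in how tolerant they are, so the inconsistency is more than cosmetic; change the line to `uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1`. If workflow files are linted, yamllint's `comments` rule (`require-starting-space`) would have caught this.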
@@ -84,11 +84,11 @@ jobs: # issue_comment event doesn't provide access to head_ref env var. # This action provides us with the env vars we need to do a git diff. # https://github.com/actions/checkout/issues/331#issuecomment-1242708547 - - uses: xt0rted/pull-request-comment-branch@v2 + - uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2.0.0 id: comment-branch - - name: Checkout default branch - uses: actions/checkout@v3 + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 # issue_comment requires us to checkout the branch # https://github.com/actions/checkout/issues/331#issuecomment-1120113003 @@ -133,7 +133,7 @@ jobs: done - name: Create and publish snapshot release - uses: actions/github-script@v6 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 env: GITHUB_TOKEN: ${{ secrets.CHANGESETS_TOKEN }} with: @@ -145,7 +145,7 @@ jobs: - name: Add failure comment if: failure() - uses: peter-evans/create-or-update-comment@v2 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: issue-number: ${{ github.event.issue.number }} token: ${{ secrets.CHANGESETS_TOKEN }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f7c7234156..d139b18dbb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -66,7 +66,7 @@ jobs: steps: # Checkout the Repo - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 # Setup Repo @@ -99,7 +99,7 @@ jobs: steps: # Checkout the Repo - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 # Setup Repo - name: Setup Repo uses: ./.github/actions/setup-repo 
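Review bot: The `xt0rted/pull-request-comment-branch` step in changeset-snapshot.yml is pinned without a `repo_token`, while the identical step in test-aperture.yml in this same PR passes `repo_token: ${{ secrets.GITHUB_TOKEN }}`; both now run the same SHA, so the two workflows should agree on whether they rely on the action's default token. Since the branch this step resolves is what the following checkout pulls and later steps run code from, the token used to look the PR up should be explicit: add `with:` / `repo_token: ${{ secrets.GITHUB_TOKEN }}` under `id: comment-branch`. The checkout step that follows continues beyond the end of the hunk.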
@@ -118,7 +118,7 @@ jobs: steps: # Checkout the Repo - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 # Setup Repo - name: Setup Repo uses: ./.github/actions/setup-repo @@ -159,7 +159,7 @@ jobs: steps: # Checkout the Repo - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 # Setup Repo - name: Setup Repo uses: ./.github/actions/setup-repo @@ -199,7 +199,7 @@ jobs: steps: # Checkout the Repo - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 # Setup Repo @@ -216,7 +216,8 @@ jobs: uses: ./.github/actions/run-script with: script-name: "test:browsers:ci --filter='./packages/components/*'" - - uses: actions/upload-artifact@v3 + - name: Upload Playwright Report + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 if: always() with: name: browsers-report @@ -235,7 +236,8 @@ jobs: with: script-name: "test:visual:ci --filter='{./packages/components/*}...[origin/main]'" concurrency: 1 - - uses: actions/upload-artifact@v3 + - name: Upload Playwright Report + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 if: always() with: name: visual-report @@ -265,7 +267,7 @@ jobs: steps: # Checkout the Repo - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 # Setup Repo @@ -282,7 +284,8 @@ jobs: uses: ./.github/actions/run-script with: script-name: "test:browsers:ci --filter=pie-docs" - - uses: actions/upload-artifact@v3 + - name: Upload Playwright Report + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 if: always() with: name: browsers-report 
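Review bot: The actions/upload-artifact move from v3 to v4 is a breaking change that this PR treats as a pin: per the v4.0.0 release notes artifacts are immutable and a second upload to the same `name` within one workflow run fails. ci.yml now has two jobs uploading `name: browsers-report` (the `test:browsers:ci --filter='./packages/components/*'` job and the `--filter=pie-docs` job, both visible here) and likewise two uploading `name: visual-report` (the second is in the next hunk), so whichever job finishes second should error on its upload step unless those jobs never run in the same workflow run, which I cannot tell from here. Give each upload a distinct name, e.g. `name: browsers-report-components` and `name: browsers-report-docs` (same pattern for `visual-report`), and update any step that downloads them by name.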
@@ -301,7 +304,8 @@ jobs: with: script-name: "test:visual:ci --filter=pie-docs" concurrency: 1 - - uses: actions/upload-artifact@v3 + - name: Upload Playwright Report + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 if: always() with: name: visual-report diff --git a/.github/workflows/closed.yml b/.github/workflows/closed.yml index 467414603f..c766f8765d 100644 --- a/.github/workflows/closed.yml +++ b/.github/workflows/closed.yml @@ -14,11 +14,11 @@ jobs: hasStorybookEnv: ${{ steps.list-environments.outputs.hasStorybookEnv }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: List repo environments id: list-environments - uses: actions/github-script@v6 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: github-token: ${{ secrets.CHANGESETS_TOKEN }} script: | diff --git a/.github/workflows/dangerjs-checks.yml b/.github/workflows/dangerjs-checks.yml index 554cdd31aa..0ec41a6846 100644 --- a/.github/workflows/dangerjs-checks.yml +++ b/.github/workflows/dangerjs-checks.yml @@ -11,7 +11,7 @@ jobs: steps: # Checkout the Repo - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 # Setup Repo - name: Setup Repo uses: ./.github/actions/setup-repo diff --git a/.github/workflows/example-apps-ci.yml b/.github/workflows/example-apps-ci.yml index d7fe9c2a9f..f1211b74d5 100644 --- a/.github/workflows/example-apps-ci.yml +++ b/.github/workflows/example-apps-ci.yml @@ -61,7 +61,7 @@ jobs: steps: # Checkout the Repo - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 # Setup Repo - name: Setup Repo uses: ./.github/actions/setup-repo diff --git a/.github/workflows/install-build.yml b/.github/workflows/install-build.yml index cddb310e96..c864082024 100644 --- a/.github/workflows/install-build.yml 
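Review bot: The 'List repo environments' step in closed.yml passes `secrets.CHANGESETS_TOKEN` as `github-token` to actions/github-script, now at a pinned v7; listing a repository's environments needs only read access to the repository, which the workflow's own `GITHUB_TOKEN` already has. Unless the script (which is outside the hunk) also deletes environments or needs cross-repository access, prefer the scoped token, `github-token: ${{ secrets.GITHUB_TOKEN }}`, with an explicit `permissions:` block on the job, and reserve the broader secret for steps that actually need it. I cannot see the script body, so treat this as a least-privilege check rather than a confirmed defect.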
+++ b/.github/workflows/install-build.yml @@ -22,7 +22,7 @@ jobs: runs-on: ${{ inputs.os }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Setup Repo uses: ./.github/actions/setup-repo with: diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 81f6e4aaa2..6c35fe59e2 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -7,8 +7,11 @@ jobs: categorise: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: actions/labeler@v4 + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Labeler + uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 with: configuration-path: '.github/project-labeler.yml' repo-token: '${{ secrets.GITHUB_TOKEN }}' diff --git a/.github/workflows/pr-title-linter.yml b/.github/workflows/pr-title-linter.yml index 722acbe9a7..80cebe94c9 100644 --- a/.github/workflows/pr-title-linter.yml +++ b/.github/workflows/pr-title-linter.yml @@ -9,7 +9,7 @@ jobs: if: ${{ github.event.pull_request.draft == false }} runs-on: ubuntu-latest steps: - - uses: morrisoncole/pr-lint-action@v1.7.1 + - uses: morrisoncole/pr-lint-action@51f3cfabaf5d46f94e54524214e45685f0401b2a # v1.7.1 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" title-regex: "^[a-z]+?\\([a-z0-9-]+?\\): [A-Za-z]+?-\\d+? \\w.*|^Version Packages|^\\[Snyk\\].*" diff --git a/.github/workflows/test-aperture.yml b/.github/workflows/test-aperture.yml index 757f32f22c..432c746e17 100644 --- a/.github/workflows/test-aperture.yml +++ b/.github/workflows/test-aperture.yml 
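Review bot: The 'Labeler' step moves actions/labeler from v4 to v5, and v5 changed the configuration schema: each label must be a list of matcher objects (`changed-files:` containing `any-glob-to-any-file:` and friends) rather than a bare list of globs, which is the shape `.github/project-labeler.yml` still uses, including the `ci:` entry this same PR adds (`ci: - '.github/**/*'`). As far as I recall v5 rejects the old shape with an "unexpected type for label" error, so the categorise job would fail on the first PR after merge; please confirm on a test PR. If so, rewrite each entry in the v5 form, e.g. `ci:` / `  - changed-files:` / `      - any-glob-to-any-file: '.github/**/*'`, and give the job an explicit `permissions: { contents: read, pull-requests: write }`, which v5 needs to apply labels.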
@@ -20,19 +20,19 @@ jobs: runs-on: ubuntu-latest steps: - name: Enforce permission requirement - uses: prince-chrismc/check-actor-permissions-action@v1 + uses: prince-chrismc/check-actor-permissions-action@ce04efab4f468664a0ae6d9cc0c14e4a4e6cd70a # v3.0.1 with: permission: write - name: Add initial reaction - uses: peter-evans/create-or-update-comment@v2 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: token: ${{ secrets.CHANGESETS_TOKEN }} comment-id: ${{ github.event.comment.id }} reactions: eyes - name: Validate pull request - uses: actions/github-script@v6 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 id: pr_data env: GITHUB_TOKEN: ${{ secrets.CHANGESETS_TOKEN }} @@ -63,7 +63,7 @@ jobs: } - name: Add link to build - uses: actions/github-script@v6 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 id: build-link env: GITHUB_TOKEN: ${{ secrets.CHANGESETS_TOKEN }} @@ -88,13 +88,13 @@ jobs: # issue_comment event doesn't provide access to head_ref env var. # This action provides us with the env vars we need to do a git diff. # https://github.com/actions/checkout/issues/331#issuecomment-1242708547 - - uses: xt0rted/pull-request-comment-branch@v2 + - uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v2.0.0 id: comment-branch with: repo_token: ${{ secrets.GITHUB_TOKEN }} - - name: Checkout default branch - uses: actions/checkout@v3 + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 # issue_comment requires us to checkout the branch # https://github.com/actions/checkout/issues/331#issuecomment-1120113003 
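Review bot: The 'Enforce permission requirement' step is the only gate between an `issue_comment` from any GitHub user and the later steps that check out the commenter's PR branch and run with `secrets.CHANGESETS_TOKEN`, and this hunk bumps it two major versions (prince-chrismc/check-actor-permissions-action v1 → v3.0.1) under the heading of a pin. Confirm that v3 still fails the job when the actor lacks `write` rather than only exposing a `permitted` output; if it does the latter, the gate is silently gone and the job needs an `if: steps.<id>.outputs.permitted == 'true'` guard (or a `run: exit 1` step) added. The step currently has no `id`, so there is nothing to reference such an output from; giving it `id: actor-check` is cheap insurance either way.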
@@ -139,7 +139,7 @@ jobs: done - name: Create and publish snapshot release and trigger aperture - uses: actions/github-script@v6 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 env: GITHUB_TOKEN: ${{ secrets.CHANGESETS_TOKEN }} PIE_BRANCH: ${{ steps.comment-branch.outputs.head_ref }} @@ -153,7 +153,7 @@ jobs: - name: Add failure comment if: failure() - uses: peter-evans/create-or-update-comment@v2 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: issue-number: ${{ github.event.issue.number }} token: ${{ secrets.CHANGESETS_TOKEN }}