From 6c3eced3e94ba35d2b7b8940b4960d016d2fc3d3 Mon Sep 17 00:00:00 2001 From: Antonis Stamatiou Date: Fri, 22 Mar 2024 14:03:24 +0200 Subject: [PATCH] feat: Upgrade Reusable GitHub Actions version (#2989) * feat: Upgrade Github Actions versions * fix: Fix supply chain scorecard * fix: Remove ubuntu-4-core instances as they are redundant * fix: Upgrade also CodeQL --- .editorconfig | 2 +- .github/workflows/build-for-pr.yml | 34 +++--- .github/workflows/ci.yaml | 40 +++---- .github/workflows/codeql-analysis.yml | 34 +++--- .github/workflows/e2e-functional-template.yml | 2 +- .github/workflows/e2e-performance.yml | 103 +++++++++--------- .github/workflows/nightly-builds.yaml | 2 +- .github/workflows/nightly-main.yml | 26 ++--- .github/workflows/nightly-rainforest.yml | 16 +-- .github/workflows/release-mas.yaml | 4 +- .github/workflows/release.yaml | 30 ++--- .github/workflows/scorecards-analysis.yml | 26 ++--- 12 files changed, 156 insertions(+), 163 deletions(-) diff --git a/.editorconfig b/.editorconfig index f27321f4..7a23650a 100644 --- a/.editorconfig +++ b/.editorconfig @@ -1,6 +1,6 @@ root = true -[*] +[*.{js|ts}] end_of_line = lf charset = utf-8 indent_style = space diff --git a/.github/workflows/build-for-pr.yml b/.github/workflows/build-for-pr.yml index ab4518c6..fa528666 100644 --- a/.github/workflows/build-for-pr.yml +++ b/.github/workflows/build-for-pr.yml 
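Review bot: The new section header `[*.{js|ts}]` uses `|` inside the braces, but EditorConfig brace alternatives are comma-separated. As written, the pattern only matches a file whose extension is literally `js|ts`, so `end_of_line`, `charset` and `indent_style` stop applying to any real file. If the intent is to scope the rules to JavaScript and TypeScript sources, the header should be `[*.{js,ts}]`. Narrowing from `[*]` also removes line-ending and charset enforcement from the workflow YAML files touched in this commit, which is worth confirming as intended. The section continues past the end of this hunk.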
@@ -14,15 +14,15 @@ env: jobs: build-linux-for-pr: - runs-on: ubuntu-latest-4-cores + runs-on: ubuntu-22.04 if: ${{ github.event.label.name == 'Build Apps for PR' }} steps: - name: ci/checkout-repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.event.pull_request.head.sha }} - name: ci/setup-node - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version-file: "package.json" cache: "npm" @@ -42,7 +42,7 @@ jobs: bash -x ./scripts/patch_updater_yml.sh bash -x ./scripts/cp_artifacts.sh release ./build/linux - name: ci/upload-build - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: build-linux path: ./build/linux @@ -53,18 +53,18 @@ jobs: if: ${{ github.event.label.name == 'Build Apps for PR' }} steps: - name: ci/checkout-repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - ref: ${{ github.event.pull_request.head.sha }} + ref: ${{ github.event.pull_request.head.sha }} - name: ci/setup-node - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version-file: "package.json" cache: "npm" cache-dependency-path: package-lock.json - name: ci/cache-node-modules id: cache-node-modules - uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: node_modules key: ${{ runner.os }}-build-node-modules-${{ hashFiles('**/package-lock.json') }} 
@@ -85,18 +85,18 @@ jobs: - windows-install-deps steps: - name: ci/checkout-repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - ref: ${{ github.event.pull_request.head.sha }} + ref: ${{ github.event.pull_request.head.sha }} - name: ci/setup-node - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version-file: "package.json" cache: "npm" cache-dependency-path: package-lock.json - name: ci/cache-node-modules id: cache-node-modules - uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: node_modules key: ${{ runner.os }}-build-node-modules-${{ hashFiles('package-lock.json') }} @@ -129,7 +129,7 @@ jobs: bash -x ./scripts/patch_updater_yml.sh bash -x ./scripts/cp_artifacts.sh release ./build/win - name: ci/upload-build - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: build-windows path: ./build/win @@ -140,11 +140,11 @@ jobs: if: ${{ github.event.label.name == 'Build Apps for PR' }} steps: - name: ci/checkout-repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - ref: ${{ github.event.pull_request.head.sha }} + ref: ${{ github.event.pull_request.head.sha }} - name: ci/setup-node - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version-file: "package.json" cache: "npm" 
@@ -171,7 +171,7 @@ jobs: bash -x ./scripts/patch_updater_yml.sh bash -x ./scripts/cp_artifacts.sh release ./build/macos/ - name: ci/upload-build - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: build-macos path: ./build/macos/ diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index cf433012..4237c14e 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -11,12 +11,12 @@ env: jobs: build-linux: - runs-on: ubuntu-latest-4-cores + runs-on: ubuntu-22.04 steps: - name: ci/checkout-repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: ci/setup-node - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version-file: "package.json" cache: "npm" @@ -38,13 +38,13 @@ jobs: bash -x ./scripts/patch_updater_yml.sh bash -x ./scripts/cp_artifacts.sh release ./build/linux - name: ci/upload-test-results - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: linux-test-results path: test-results.xml retention-days: 5 - name: ci/upload-build - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: build-linux path: ./build/linux 
@@ -54,16 +54,16 @@ jobs: runs-on: windows-2022 steps: - name: ci/checkout-repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: ci/setup-node - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version-file: "package.json" cache: "npm" cache-dependency-path: package-lock.json - name: ci/cache-node-modules id: cache-node-modules - uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: node_modules key: ${{ runner.os }}-build-node-modules-${{ hashFiles('**/package-lock.json') }} @@ -88,16 +88,16 @@ jobs: - windows-install-deps steps: - name: ci/checkout-repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: ci/setup-node - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version-file: "package.json" cache: "npm" cache-dependency-path: package-lock.json - name: ci/cache-node-modules id: cache-node-modules - uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: node_modules key: ${{ runner.os }}-build-node-modules-${{ hashFiles('package-lock.json') }} 
@@ -130,13 +130,13 @@ jobs: bash -x ./scripts/patch_updater_yml.sh bash -x ./scripts/cp_artifacts.sh release ./build/win - name: ci/upload-test-results - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: windows-test-results path: test-results.xml retention-days: 5 - name: ci/upload-build - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: build-windows path: ./build/win @@ -146,9 +146,9 @@ jobs: runs-on: macos-12 steps: - name: ci/checkout-repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: ci/setup-node - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version-file: "package.json" cache: "npm" @@ -169,13 +169,13 @@ jobs: bash -x ./scripts/patch_updater_yml.sh bash -x ./scripts/cp_artifacts.sh release ./build/macos/ - name: ci/upload-test-results - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: macos-test-results path: test-results.xml retention-days: 5 - name: ci/upload-build - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: build-macos path: ./build/macos/ 
@@ -193,17 +193,17 @@ jobs: pull-requests: write steps: - name: ci/download-macos-test-results - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 with: name: macos-test-results path: macos-test-results - name: ci/download-windows-test-results - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 with: name: windows-test-results path: windows-test-results - name: ci/download-linux-test-results - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 with: name: linux-test-results path: linux-test-results diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index c49e5115..c71c2a6f 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -2,12 +2,12 @@ name: "CodeQL" on: push: - branches: [ master ] + branches: [master] pull_request: # The branches below must be a subset of the branches above - branches: [ master ] + branches: [master] schedule: - - cron: '0 0 * * 0' + - cron: "0 0 * * 0" permissions: contents: read 
@@ -18,25 +18,23 @@ jobs: security-events: write name: Analyze runs-on: ubuntu-latest - strategy: fail-fast: false matrix: - language: [ 'javascript' ] - + language: ["javascript"] steps: - - name: Checkout repository - uses: actions/checkout@v3 + - name: Checkout repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: ${{ matrix.language }} - config-file: ./.github/codeql/codeql-config.yml + - name: Initialize CodeQL + uses: github/codeql-action/init@423a04bb2cb7cd2643007122588f1387778f14d0 # v2.16.5 + with: + languages: ${{ matrix.language }} + config-file: ./.github/codeql/codeql-config.yml - # Autobuild attempts to build any compiled languages - - name: Autobuild - uses: github/codeql-action/autobuild@v2 + # Autobuild attempts to build any compiled languages + - name: Autobuild + uses: github/codeql-action/autobuild@423a04bb2cb7cd2643007122588f1387778f14d0 # v2.16.5 - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@423a04bb2cb7cd2643007122588f1387778f14d0 # v2.16.5 diff --git a/.github/workflows/e2e-functional-template.yml b/.github/workflows/e2e-functional-template.yml index b5d0d08e..7b3f601b 100644 --- a/.github/workflows/e2e-functional-template.yml +++ b/.github/workflows/e2e-functional-template.yml @@ -32,7 +32,7 @@ on: default: false cmt: type: boolean - description: "True if this is Comatibility Matrix Testing" + description: "True if this is Compatibility Matrix Testing" required: false default: false outputs: diff --git a/.github/workflows/e2e-performance.yml b/.github/workflows/e2e-performance.yml index 0b24792d..88c6bf23 100644 --- a/.github/workflows/e2e-performance.yml +++ b/.github/workflows/e2e-performance.yml 
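Review bot: The `init`, `autobuild` and `analyze` steps are now pinned by SHA, but to a v2 release (`# v2.16.5`), while every other action in this commit moves to its current major. As far as I know the v2 line of `github/codeql-action` still runs on the Node 16 runtime and has been announced as deprecated in favour of v3, so this pin will likely need another bump soon. Consider pinning all three to a v3 commit, e.g. `uses: github/codeql-action/init@<v3-commit-sha> # v3.x.y`. The same applies to the `github/codeql-action/upload-sarif` step in scorecards-analysis.yml.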
@@ -2,29 +2,26 @@ name: E2E Performance Tests (Desktop) on: pull_request: - branches: [ master ] + branches: [master] types: - - labeled + - labeled env: - RESULTS_PATH: e2e/performance/perf-test-report.json + RESULTS_PATH: e2e/performance/perf-test-report.json jobs: build: if: ${{ github.event.label.name == 'Run E2E Performance Tests' }} runs-on: ${{ matrix.os }} - strategy: matrix: os: [ubuntu-latest] node-version: [16] - steps: - - - name: Add start comment - uses: actions/github-script@v6 - with: - script: | + - name: Add start comment + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + script: | github.rest.issues.createComment({ issue_number: context.issue.number, owner: context.repo.owner, 
@@ -32,49 +29,49 @@ jobs: body: `E2E Performance Tests started ๐ŸŽ๏ธ`, }); - - name: Set env variable for timestamp - run: echo "NOW=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV + - name: Set env variable for timestamp + run: echo "NOW=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV - - uses: actions/checkout@v2 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v2 - with: - node-version: ${{ matrix.node-version }} - cache: 'npm' + - name: Use Node.js ${{ matrix.node-version }} + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 + with: + node-version: ${{ matrix.node-version }} + cache: "npm" - - name: Install packages - run: sudo apt-get install libxtst-dev libpng++-dev + - name: Install packages + run: sudo apt-get install libxtst-dev libpng++-dev - - name: Install dependencies ๐Ÿ‘จ๐Ÿปโ€๐Ÿ’ป - run: npm ci + - name: Install dependencies ๐Ÿ‘จ๐Ÿปโ€๐Ÿ’ป + run: npm ci - - name: E2E Performance Tests for Electron ๐Ÿงช - run: ELECTRON_DISABLE_SANDBOX=1 xvfb-run --auto-servernum --server-args="-screen 0 1280x960x24" -- npm run test:e2e:performance + - name: E2E Performance Tests for Electron ๐Ÿงช + run: ELECTRON_DISABLE_SANDBOX=1 xvfb-run --auto-servernum --server-args="-screen 0 1280x960x24" -- npm run test:e2e:performance - - name: Upload artifact to Github - uses: actions/upload-artifact@v3 - with: - name: perf-test-report.json - path: ${{ env.RESULTS_PATH }} - if-no-files-found: error - retention-days: 14 + - name: Upload artifact to Github + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + with: + name: perf-test-report.json + path: ${{ env.RESULTS_PATH }} + if-no-files-found: error + retention-days: 14 - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 - with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_PERFORMANCE_TESTS_PUT_BUCKET }} - aws-secret-access-key: ${{ 
secrets.AWS_SECRET_ACCESS_KEY_PERFORMANCE_TESTS_PUT_BUCKET }} - aws-region: ${{ secrets.AWS_REGION_PERFORMANCE_TESTS_PUT_BUCKET }} - mask-aws-account-id: true + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_PERFORMANCE_TESTS_PUT_BUCKET }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_PERFORMANCE_TESTS_PUT_BUCKET }} + aws-region: ${{ secrets.AWS_REGION_PERFORMANCE_TESTS_PUT_BUCKET }} + mask-aws-account-id: true - - name: Upload report to S3 - run: aws s3 cp ${{ env.RESULTS_PATH }} s3://${{ secrets.AWS_BUCKET_PERFORMANCE_TESTS }}/${{ github.head_ref }}-${{ github.sha }}-${{ env.NOW }}.json + - name: Upload report to S3 + run: aws s3 cp ${{ env.RESULTS_PATH }} s3://${{ secrets.AWS_BUCKET_PERFORMANCE_TESTS }}/${{ github.head_ref }}-${{ github.sha }}-${{ env.NOW }}.json - - name: Add results in PR comment - uses: actions/github-script@v6 - with: - script: | + - name: Add results in PR comment + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + script: | const fs = require('fs'); const {generateCommentBodyPerformanceTest} = require('./e2e/utils/pr-e2e-durations-report.js'); const fileContents = fs.readFileSync('${{ env.RESULTS_PATH }}'); @@ -85,9 +82,15 @@ jobs: body: generateCommentBodyPerformanceTest(fileContents), }); - - name: Remove "Run E2E Performance Tests" label - if: always() - uses: actions-ecosystem/action-remove-labels@v1 - with: - labels: | - Run E2E Performance Tests + - name: Remove "Run E2E Performance Tests" label + if: always() + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + continue-on-error: true # Label might have been removed manually + with: + script: | + github.rest.issues.removeLabel({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + name: 'Run E2E Performance Tests', + }); 
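Review bot: `aws-actions/configure-aws-credentials@v1` is the only action in this hunk still referenced by a mutable tag, and it is the step that receives the AWS access key and secret. It should be pinned the same way as the other `uses:` lines: `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # vX.Y.Z`. In the `Upload report to S3` step, `${{ github.head_ref }}` is expanded into the command text before the shell runs, and the branch name is chosen by the PR author. Pass it through the step's `env:` instead (`HEAD_REF: ${{ github.head_ref }}`) and reference it quoted as `"$HEAD_REF"` in the `aws s3 cp` destination.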
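Review bot: `continue-on-error: true` on the label-removal step hides every failure, not only the already-removed label that the inline comment names. A token without write access to the pull request would fail the same way and the label would silently stay. The `removeLabel` promise is also not awaited, so a rejection only surfaces as an unhandled rejection. Prefer awaiting the call and ignoring only a 404 status, which lets `continue-on-error` be dropped. The workflow's `permissions:` block is not visible in this hunk, so confirm the token has the scope this call needs.

```yaml
      # … unchanged: name, if: always(), uses: actions/github-script@… …
        with:
          script: |
            try {
              await github.rest.issues.removeLabel({
                // … unchanged: issue_number, owner, repo, name …
              });
            } catch (err) {
              // Label was already removed by hand: nothing left to do.
              if (err.status !== 404) {
                throw err;
              }
            }
```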
diff --git a/.github/workflows/nightly-builds.yaml b/.github/workflows/nightly-builds.yaml index c1aa51e0..1b501074 100644 --- a/.github/workflows/nightly-builds.yaml +++ b/.github/workflows/nightly-builds.yaml @@ -12,7 +12,7 @@ jobs: tag: ${{ steps.tag-creation.outputs.tag }} steps: - name: nightly/checkout-repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: nightly/patch-version uses: ./.github/actions/patch-nightly-version - name: nightly/create-nightly-build-tag diff --git a/.github/workflows/nightly-main.yml b/.github/workflows/nightly-main.yml index 87e71d93..b18690e7 100644 --- a/.github/workflows/nightly-main.yml +++ b/.github/workflows/nightly-main.yml @@ -28,11 +28,11 @@ jobs: runs-on: ubuntu-22.04 steps: - name: ci/checkout-repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ env.REFERENCE }} - name: ci/setup-node - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version-file: "package.json" cache: "npm" @@ -52,7 +52,7 @@ jobs: bash -x ./scripts/patch_updater_yml.sh bash -x ./scripts/cp_artifacts.sh release ./build/linux - name: ci/upload-build - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: build-nightly-main path: ./build 
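Review bot: In nightly-main.yml the `ci/upload-build` step uploads `name: build-nightly-main`, the same name used by the `nightly/upload-build` steps in the Windows and macOS jobs of this file (hunks at -102,7 and -182,7). With `actions/upload-artifact` v4 an artifact name can be uploaded only once per workflow run, so the later uploads are expected to fail with a name conflict instead of merging into one artifact as v3 did. The same pattern appears with `build-rainforest` in nightly-rainforest.yml and `build` in release.yaml. Give each job its own name (for example `build-nightly-main-linux`) and have the `download-artifact` v4 steps collect them with `pattern: build-nightly-main-*` and `merge-multiple: true`, so the later S3 and release steps still see a single `build` tree. The job bodies lie outside these hunks, so the job identities are inferred from the `runs-on` lines and step prefixes.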
@@ -62,11 +62,11 @@ jobs: runs-on: windows-2022 steps: - name: nightly/checkout-repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ env.REFERENCE }} - name: nightly/setup-node - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version-file: "package.json" cache: "npm" @@ -102,7 +102,7 @@ jobs: bash -x ./scripts/patch_updater_yml.sh bash -x ./scripts/cp_artifacts.sh release ./build/win-release - name: nightly/upload-build - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: build-nightly-main path: ./build @@ -120,11 +120,11 @@ jobs: CSC_LINK: ${{ secrets.MM_DESKTOP_MAC_APP_STORE_CSC_LINK }} steps: - name: nightly/checkout-repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ env.REFERENCE }} - name: nightly/setup-node - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version-file: "package.json" cache: "npm" @@ -150,11 +150,11 @@ jobs: - mac-app-store-preflight steps: - name: nightly/checkout-repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ env.REFERENCE }} - name: nightly/setup-node - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version-file: "package.json" cache: "npm" 
@@ -182,7 +182,7 @@ jobs: - name: nightly/rename-arm64-to-m1 run: rename 's/arm64/m1/' ./build/macos-release/$(jq -r .version package.json)/* - name: nightly/upload-build - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: build-nightly-main path: ./build @@ -198,7 +198,7 @@ jobs: - build-linux steps: - name: nightly/checkout-repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ env.REFERENCE }} - name: nightly/setup-aws-credentials @@ -208,7 +208,7 @@ jobs: aws-access-key-id: ${{ secrets.MM_DESKTOP_RELEASE_AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.MM_DESKTOP_RELEASE_AWS_SECRET_ACCESS_KEY }} - name: nightly/download-builds - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 with: name: build-nightly-main path: build diff --git a/.github/workflows/nightly-rainforest.yml b/.github/workflows/nightly-rainforest.yml index 5c65a1da..66547225 100644 --- a/.github/workflows/nightly-rainforest.yml +++ b/.github/workflows/nightly-rainforest.yml @@ -30,11 +30,11 @@ jobs: runs-on: windows-2022 steps: - name: nightly/checkout-repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ env.REFERENCE }} - name: nightly/setup-node - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version-file: "package.json" cache: "npm" 
@@ -70,7 +70,7 @@ jobs: bash -x ./scripts/patch_updater_yml.sh bash -x ./scripts/cp_artifacts.sh release ./build/win - name: nightly/upload-build - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: build-rainforest path: ./build @@ -80,11 +80,11 @@ jobs: runs-on: macos-12 steps: - name: nightly/checkout-repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ env.REFERENCE }} - name: nightly/setup-node - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version-file: "package.json" cache: "npm" @@ -112,7 +112,7 @@ jobs: - name: nightly/rename-arm64-to-m1 run: rename 's/arm64/m1/' ./build/macos/$(jq -r .version package.json)/* - name: nightly/upload-build - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: build-rainforest path: ./build @@ -125,7 +125,7 @@ jobs: - build-msi-installer steps: - name: nightly/checkout-repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ env.REFERENCE }} - name: nightly/setup-aws-credentials @@ -135,7 +135,7 @@ jobs: aws-access-key-id: ${{ secrets.MM_DESKTOP_DAILY_AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.MM_DESKTOP_DAILY_AWS_SECRET_ACCESS_KEY }} - name: nightly/download-builds - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 with: name: build-rainforest path: build 
diff --git a/.github/workflows/release-mas.yaml b/.github/workflows/release-mas.yaml index e7ecde8d..71005d8d 100644 --- a/.github/workflows/release-mas.yaml +++ b/.github/workflows/release-mas.yaml @@ -26,9 +26,9 @@ jobs: CSC_LINK: ${{ secrets.MM_DESKTOP_MAC_APP_STORE_CSC_LINK }} steps: - name: release/checkout-repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: release/setup-node - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version-file: "package.json" cache: "npm" diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 9c795858..783a055e 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: release/checkout-repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: release/notify-channel run: | jq --null-input \ @@ -30,14 +30,14 @@ jobs: curl -i -H "Content-Type: application/json" -X POST -d @/tmp/webhook-data.json ${{ secrets.MM_DESKTOP_RELEASE_WEBHOOK_URL }} || echo "NOFICATION FAILED! check logs as this will succeed intentionally" build-linux: - runs-on: ubuntu-latest-4-cores + runs-on: ubuntu-22.04 needs: - begin-notification steps: - name: release/checkout-repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: release/setup-node - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version-file: "package.json" cache: "npm" 
@@ -59,7 +59,7 @@ jobs: bash -x ./scripts/patch_updater_yml.sh bash -x ./scripts/cp_artifacts.sh release ./build/linux - name: release/upload-build - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: build path: ./build @@ -71,9 +71,9 @@ jobs: - begin-notification steps: - name: release/checkout-repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: release/setup-node - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version-file: "package.json" cache: "npm" @@ -110,7 +110,7 @@ jobs: bash -x ./scripts/patch_updater_yml.sh bash -x ./scripts/cp_artifacts.sh release ./build/win-release - name: release/upload-build - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: build path: ./build @@ -122,9 +122,9 @@ jobs: - begin-notification steps: - name: release/checkout-repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: release/setup-node - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version-file: "package.json" cache: "npm" @@ -154,7 +154,7 @@ jobs: - name: release/rename-arm64-to-m1 run: rename 's/arm64/m1/' ./build/macos-release/$(jq -r .version package.json)/* - name: release/upload-build - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: build path: ./build 
@@ -174,7 +174,7 @@ jobs: aws-access-key-id: ${{ secrets.MM_DESKTOP_RELEASE_AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.MM_DESKTOP_RELEASE_AWS_SECRET_ACCESS_KEY }} - name: release/download-builds - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 - name: release/setup-files-for-aws run: | mkdir -p ./aws-s3-dist @@ -188,9 +188,9 @@ jobs: - upload-to-s3 steps: - name: release/checkout-repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: release/download-builds - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 - name: release/setup-files-for-github-release run: | mkdir -p ./ghr-dist @@ -211,7 +211,7 @@ jobs: - github-release steps: - name: release/checkout-repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: release/notify-channel diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml index 230ebd9f..67ea5291 100644 --- a/.github/workflows/scorecards-analysis.yml +++ b/.github/workflows/scorecards-analysis.yml @@ -3,9 +3,9 @@ on: # Only the default branch is supported. branch_protection_rule: schedule: - - cron: '44 7 * * 5' + - cron: "44 7 * * 5" push: - branches: [ master ] + branches: [master] # Declare default permissions as read only. permissions: read-all 
@@ -15,34 +15,26 @@ jobs: name: Scorecards analysis runs-on: ubuntu-latest permissions: - # Needed to upload the results to code-scanning dashboard. + # Needed if using Code scanning alerts security-events: write - actions: read - contents: read - + # Needed for GitHub OIDC token if publish_results is true + id-token: write steps: - name: "Checkout code" - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@v2.2.0 + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 with: results_file: results.sarif results_format: sarif - # Read-only PAT token. To create it, - # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation. - repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} - # Publish the results to enable scorecard badges. For more details, see - # https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories, `publish_results` will automatically be set to `false`, - # regardless of the value entered here. publish_results: true # Upload the results as artifacts (optional). - name: "Upload artifact" - uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: SARIF file path: results.sarif @@ -50,6 +42,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26 + uses: github/codeql-action/upload-sarif@423a04bb2cb7cd2643007122588f1387778f14d0 # v2.16.5 with: sarif_file: results.sarif
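Review bot: The job-level `permissions:` block now lists only `security-events: write` and `id-token: write`. A job-level block replaces the workflow-level `read-all` rather than adding to it, so `contents` and `actions` are `none` for this job. That works on a public repository, but as far as I know the removed `contents: read` and `actions: read` are what the scorecard action needs on a private one. A comment would record this: `# contents: read and actions: read are additionally required if this repository is private`. The comments explaining `publish_results` were also dropped, although `id-token: write` is granted only to support it. Keeping one line such as `# publish_results: true publishes results to the public Scorecard API; requires id-token: write` would document why the token scope is there.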