From 3c75b00c8f2aff5be86ea11a4986c255010daa90 Mon Sep 17 00:00:00 2001
From: Tomasz Janiczek
Date: Wed, 16 Jul 2025 13:54:28 +0200
Subject: [PATCH 1/2] chore: pin github actions to specific commit
---
 .github/workflows/check-repro.yml | 15 +++++++++++++-
 .github/workflows/publish-each-pr.yml | 12 +++++------
 .github/workflows/semantic-pr.yml | 2 +-
 .github/workflows/stale.yml | 2 +-
 .github/workflows/triage.yaml | 30 ++++++++++++++++++---------
 .github/workflows/updates.yml | 10 ++++-----
 .github/workflows/versions.yml | 2 +-
 7 files changed, 48 insertions(+), 25 deletions(-)
diff --git a/.github/workflows/check-repro.yml b/.github/workflows/check-repro.yml
index b8441de54a..fb062cf11f 100644
--- a/.github/workflows/check-repro.yml
+++ b/.github/workflows/check-repro.yml
@@ -10,10 +10,23 @@ jobs:
 if: ${{ github.event.label.name == 'bug' }}
 runs-on: ubuntu-latest
 steps:
- - uses: actions/github-script@v7
+ - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 script: |
+ if (context.eventName === 'issue_comment') {
+ const actor = context.actor;
+ const { data: collaborators } = await github.rest.repos.listCollaborators({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ });
+
+ const isCollaborator = collaborators.some(collaborator => collaborator.login === actor);
+ if (!isCollaborator) {
+ console.log(`Actor ${actor} is not a collaborator, skipping workflow`);
+ return;
+ }
+ }
 const user = context.payload.sender.login;
 const body = context.payload.comment
 ? context.payload.comment.body
diff --git a/.github/workflows/publish-each-pr.yml b/.github/workflows/publish-each-pr.yml
index c3eb3afddd..662957ea4b 100644
--- a/.github/workflows/publish-each-pr.yml
+++ b/.github/workflows/publish-each-pr.yml
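Review bot: The collaborator gate added under `script:` in check-repro.yml reads only the first page of `listCollaborators` (the REST endpoint returns 30 entries per page by default), so on a repository with more collaborators a legitimate maintainer can be misclassified and the workflow silently skipped; use the client's pagination helper, `const collaborators = await github.paginate(github.rest.repos.listCollaborators, { owner: context.repo.owner, repo: context.repo.repo });`, or query `github.rest.repos.checkCollaborator` for the single actor instead of listing everyone. The `# v7` trailer on the pinned `uses:` line here, and on the pins in publish-each-pr.yml, semantic-pr.yml, stale.yml, triage.yaml, updates.yml and versions.yml, records only the major version; carrying the exact tag the SHA was taken from (`# v7.x.y` with the real patch number) makes the pin auditable and, as far as I know, lets Dependabot/Renovate keep the SHA current. The `script:` block continues outside the hunk, and the page has lost the YAML indentation of these lines, so the block's exact layout cannot be checked here.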
@@ -8,22 +8,22 @@ jobs:
 if: github.event.pull_request.head.repo.full_name == 'callstack/react-native-paper'
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version-file: .nvmrc
 - name: Setup Expo
- uses: expo/expo-github-action@v7
+ uses: expo/expo-github-action@d300b960e9f91a8c59b2aaca92e89ad70b0785ac # v7
 with:
 eas-version: latest
 token: ${{ secrets.EXPO_TOKEN }}
 - name: Restore dependencies
 id: yarn-cache
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4
 with:
 path: '**/node_modules'
 key: ${{ runner.os }}-yarn-${{ hashFiles('yarn.lock') }}-${{ hashFiles('**/package.json', '!node_modules/**') }}
@@ -40,7 +40,7 @@ jobs:
 - name: Cache dependencies
 if: steps.yarn-cache.outputs.cache-hit != 'true'
- uses: actions/cache/save@v4
+ uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # v4
 with:
 path: '**/node_modules'
 key: ${{ steps.yarn-cache.outputs.cache-primary-key }}
@@ -55,7 +55,7 @@ jobs:
 run: echo "EXPO_CONFIG=$(npx expo config --json)" >> $GITHUB_OUTPUT
 - name: Comment on PR
- uses: actions/github-script@v7
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 script: |
diff --git a/.github/workflows/semantic-pr.yml b/.github/workflows/semantic-pr.yml
index f936f98248..a57d704ddd 100644
--- a/.github/workflows/semantic-pr.yml
+++ b/.github/workflows/semantic-pr.yml
@@ -6,7 +6,7 @@ jobs:
 name: Validate PR title
 runs-on: ubuntu-latest
 steps:
- - uses: amannn/action-semantic-pull-request@v4.5.0
+ - uses: amannn/action-semantic-pull-request@91682d0665e8bfa4d6e4d735b8e5b8f95e8bb40e # v4.5.0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index a7a1d98fd4..3bd5d1ca26 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -8,7 +8,7 @@ jobs:
 stale:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/stale@v9
+ - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 days-before-stale: 30
diff --git a/.github/workflows/triage.yaml b/.github/workflows/triage.yaml
index 43e1b424b4..eb139b7d50 100644
--- a/.github/workflows/triage.yaml
+++ b/.github/workflows/triage.yaml
@@ -8,20 +8,30 @@ jobs:
 runs-on: ubuntu-latest
 if: github.event.label.name == 'needs more info'
 steps:
- - uses: actions/checkout@master
- - uses: actions/github@v1.0.0
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+ - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
 with:
- args: comment "Hey! Thanks for opening the issue. Can you provide more information about the issue? Please fill the issue template when opening the issue without deleting any section. We need all the information we can, to be able to help. Make sure to at least provide - Current behaviour, Expected behaviour, A way to reproduce the issue with minimal code (link to [snack.expo.dev](https://snack.expo.dev)) or a repo on GitHub, and the information about your environment (such as the platform of the device, versions of all the packages etc.)."
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: "Hey! Thanks for opening the issue. Can you provide more information about the issue? Please fill the issue template when opening the issue without deleting any section. We need all the information we can, to be able to help. Make sure to at least provide - Current behaviour, Expected behaviour, A way to reproduce the issue with minimal code (link to [snack.expo.dev](https://snack.expo.dev)) or a repo on GitHub, and the information about your environment (such as the platform of the device, versions of all the packages etc.)."
+ })
 needs-repro:
 runs-on: ubuntu-latest
 if: github.event.label.name == 'needs repro'
 steps:
- - uses: actions/checkout@master
- - uses: actions/github@v1.0.0
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+ - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
 with:
- args: comment "Hey! Thanks for opening the issue. Can you provide a minimal repro which demonstrates the issue? Posting a snippet of your code in the issue is useful, but it's not usually straightforward to run. A repro will help us debug the issue faster. Please try to keep the repro as small as possible. The easiest way to provide a repro is on [snack.expo.dev](https://snack.expo.dev). If it's not possible to repro it on [snack.expo.dev](https://snack.expo.dev), then you can also provide the repro in a GitHub repository."
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: "Hey! Thanks for opening the issue. Can you provide a minimal repro which demonstrates the issue? Posting a snippet of your code in the issue is useful, but it's not usually straightforward to run. A repro will help us debug the issue faster. Please try to keep the repro as small as possible. The easiest way to provide a repro is on [snack.expo.dev](https://snack.expo.dev). If it's not possible to repro it on [snack.expo.dev](https://snack.expo.dev), then you can also provide the repro in a GitHub repository."
+ })
diff --git a/.github/workflows/updates.yml b/.github/workflows/updates.yml
index e88911e4a3..fa753fd5bf 100644
--- a/.github/workflows/updates.yml
+++ b/.github/workflows/updates.yml
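Review bot: The `github.rest.issues.createComment({ … })` call added under `script:` in both the needs-more-info and needs-repro jobs is neither awaited nor returned, so a failed API call (expired token, missing write scope) surfaces only as an unhandled rejection while the step still reports success; write it as `return github.rest.issues.createComment({` in both places so github-script awaits the promise and fails the step on error. The `actions/checkout` step retained in each job does not appear to be used by anything that follows (the script only calls the API), and checkout stores the job token in the workspace git config by default (`persist-credentials: true`), so dropping the step, or setting `persist-credentials: false` if it is kept for another reason, keeps the job to the minimum it needs. If the workflow carries no `permissions:` block (not visible in this hunk), `issues: write` is the only scope these two jobs need.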
@@ -10,15 +10,15 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version-file: .nvmrc
 - name: Setup Expo
- uses: expo/expo-github-action@v7
+ uses: expo/expo-github-action@d300b960e9f91a8c59b2aaca92e89ad70b0785ac # v7
 with:
 expo-version: latest
 eas-version: latest
@@ -26,7 +26,7 @@ jobs:
 - name: Restore dependencies
 id: yarn-cache
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4
 with:
 path: '**/node_modules'
 key: ${{ runner.os }}-yarn-${{ hashFiles('yarn.lock') }}-${{ hashFiles('**/package.json', '!node_modules/**') }}
@@ -43,7 +43,7 @@ jobs:
 - name: Cache dependencies
 if: steps.yarn-cache.outputs.cache-hit != 'true'
- uses: actions/cache/save@v4
+ uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # v4
 with:
 path: '**/node_modules'
 key: ${{ steps.yarn-cache.outputs.cache-primary-key }}
diff --git a/.github/workflows/versions.yml b/.github/workflows/versions.yml
index de72bc68c9..3eba941372 100644
--- a/.github/workflows/versions.yml
+++ b/.github/workflows/versions.yml
@@ -8,7 +8,7 @@ jobs:
 if: ${{ github.event.label.name == 'bug' }}
 runs-on: ubuntu-latest
 steps:
- - uses: react-navigation/check-versions-action@v1.1.0
+ - uses: react-navigation/check-versions-action@deac0a1055b7b2c4b8f0b7a5b726d4b7c96d0c8e # v1.1.0
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 required-packages: |
From 142dc173a32a3b25b5a942f925aeee9cceaeab6a Mon Sep 17 00:00:00 2001
From: Tomasz Janiczek
Date: Wed, 16 Jul 2025 14:21:47 +0200
Subject: [PATCH 2/2] update shas
---
 .github/workflows/semantic-pr.yml | 2 +-
 .github/workflows/versions.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/semantic-pr.yml b/.github/workflows/semantic-pr.yml
index a57d704ddd..632323c6a5 100644
--- a/.github/workflows/semantic-pr.yml
+++ b/.github/workflows/semantic-pr.yml
@@ -6,7 +6,7 @@ jobs:
 name: Validate PR title
 runs-on: ubuntu-latest
 steps:
- - uses: amannn/action-semantic-pull-request@91682d0665e8bfa4d6e4d735b8e5b8f95e8bb40e # v4.5.0
+ - uses: amannn/action-semantic-pull-request@91682d013dea3ff257520b9b68c9cb93ced4fe9b # v4.5.0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
diff --git a/.github/workflows/versions.yml b/.github/workflows/versions.yml
index 3eba941372..b07ebd8b70 100644
--- a/.github/workflows/versions.yml
+++ b/.github/workflows/versions.yml
@@ -8,7 +8,7 @@ jobs:
 if: ${{ github.event.label.name == 'bug' }}
 runs-on: ubuntu-latest
 steps:
- - uses: react-navigation/check-versions-action@deac0a1055b7b2c4b8f0b7a5b726d4b7c96d0c8e # v1.1.0
+ - uses: react-navigation/check-versions-action@deac0a153b834fdda425028be69b2cf786dacc31 # v1.1.0
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 required-packages: |