diff --git a/.github/workflows/block-unconventional-commits.yml b/.github/workflows/block-unconventional-commits.yml index 3f91262b..d6930d37 100644 --- a/.github/workflows/block-unconventional-commits.yml +++ b/.github/workflows/block-unconventional-commits.yml @@ -27,10 +27,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - - uses: webiny/action-conventional-commits@faccb24fc2550dd15c0390d944379d2d8ed9690e # v1.3.1 + - uses: webiny/action-conventional-commits@7f91b1595ca1951cdb671ddc9f07a49081ec5b69 # v1.4.2 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/cypress.yml b/.github/workflows/cypress.yml index 8a558666..fd848f16 100644 --- a/.github/workflows/cypress.yml +++ b/.github/workflows/cypress.yml @@ -43,7 +43,7 @@ jobs: exit 1 - name: Checkout app - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false @@ -58,7 +58,7 @@ jobs: run: composer install --no-dev - name: Set up node - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version-file: 'package.json' @@ -68,7 +68,7 @@ jobs: TESTING=true npm run build --if-present - name: Save context - uses: buildjet/cache/save@3e70d19e31d6a8030aeddf6ed8dbe601f94d09f4 # v4.0.2 + uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: key: cypress-context-${{ github.run_id }} path: ./ @@ -88,7 +88,7 @@ jobs: steps: - name: Restore context - uses: buildjet/cache/restore@3e70d19e31d6a8030aeddf6ed8dbe601f94d09f4 # v4.0.2 + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: fail-on-cache-miss: true key: cypress-context-${{ github.run_id }} @@ -99,7 +99,7 @@ jobs: id: versions - name: Set up node - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ steps.versions.outputs.node-version }} @@ -107,16 +107,16 @@ jobs: run: npm i -g 'npm@${{ steps.versions.outputs.package-manager-version }}' - name: Run ${{ startsWith(matrix.containers, 'component') && 'component' || 'E2E' }} cypress tests - uses: cypress-io/github-action@783cb3f07983868532cabaedaa1e6c00ff4786a8 # v7.1.9 + uses: cypress-io/github-action@948d67d3074f1bbb6379c8bdbb04e95d2f8e593f # v7.4.0 with: - record: ${{ secrets.CYPRESS_RECORD_KEY && true }} # zizmor: ignore[secrets-outside-env] - parallel: ${{ secrets.CYPRESS_RECORD_KEY && true }} # zizmor: ignore[secrets-outside-env] + record: ${{ secrets.CYPRESS_RECORD_KEY && true }} + parallel: ${{ secrets.CYPRESS_RECORD_KEY && true }} # cypress run type component: ${{ startsWith(matrix.containers, 'component') }} group: ${{ secrets.CYPRESS_RECORD_KEY && env.CYPRESS_GROUP }} # cypress env - ci-build-id: ${{ secrets.CYPRESS_RECORD_KEY && env.CYPRESS_BUILD_ID }} # zizmor: ignore[secrets-outside-env] - tag: ${{ secrets.CYPRESS_RECORD_KEY && github.event_name }} # zizmor: ignore[secrets-outside-env] + ci-build-id: ${{ secrets.CYPRESS_RECORD_KEY && env.CYPRESS_BUILD_ID }} + tag: ${{ secrets.CYPRESS_RECORD_KEY && github.event_name }} env: # Needs to be prefixed with CYPRESS_ CYPRESS_BRANCH: ${{ env.BRANCH }} @@ -125,12 +125,12 @@ jobs: # Needed for some specific code workarounds TESTING: true GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - CYPRESS_RECORD_KEY: ${{ secrets.CYPRESS_RECORD_KEY }} # zizmor: ignore[secrets-outside-env] + CYPRESS_RECORD_KEY: ${{ secrets.CYPRESS_RECORD_KEY }} CYPRESS_BUILD_ID: ${{ github.sha }}-${{ github.run_number }} CYPRESS_GROUP: Run ${{ startsWith(matrix.containers, 'component') && 'component' || 'E2E' }} - name: Upload snapshots - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: always() with: name: snapshots_${{ matrix.containers }} diff --git a/.github/workflows/dependabot-approve-merge.yml b/.github/workflows/dependabot-approve-merge.yml index cd3a6486..1bd39eee 100644 --- a/.github/workflows/dependabot-approve-merge.yml +++ b/.github/workflows/dependabot-approve-merge.yml @@ -27,7 +27,7 @@ jobs: if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'renovate[bot]' runs-on: ubuntu-latest permissions: - # for hmarr/auto-approve-action to approve PRs + # for auto-approve step to work pull-requests: write # for alexwilson/enable-github-automerge-action to approve PRs contents: write @@ -44,15 +44,51 @@ jobs: with: repo-token: ${{ secrets.GITHUB_TOKEN }} - # GitHub actions bot approve - - uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 # v4.0.0 + - name: Dependabot metadata + id: metadata if: startsWith(steps.branchname.outputs.branch, 'dependabot/') + uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} + - name: Check for ignored dependencies in the PR + id: validate + if: startsWith(steps.branchname.outputs.branch, 'dependabot/') + env: + IGNORE_PATTERN: ${{ env.IGNORE_PATTERN }} + DEPENDENCY_NAMES: ${{ steps.metadata.outputs.dependency-names }} + run: | + if [[ -z ${IGNORE_PATTERN} ]]; then + echo "ignore=false" >> "$GITHUB_OUTPUT" + elif [[ -z ${DEPENDENCY_NAMES} ]]; then + echo "ignore=false" >> "$GITHUB_OUTPUT" + elif [[ ${DEPENDENCY_NAMES} =~ ${IGNORE_PATTERN} ]]; then + echo "ignore=true" >> "$GITHUB_OUTPUT" + fi + + - name: GitHub actions bot approve + id: auto_approve + if: ${{ + startsWith(steps.branchname.outputs.branch, 'dependabot/') + && steps.validate.outputs.ignore != 'true' + }} + run: gh pr review --approve "$PR_URL" + env: + PR_URL: ${{ github.event.pull_request.html_url }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # Enable GitHub auto merge - name: Auto merge - uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff # v2.0.0 - if: startsWith(steps.branchname.outputs.branch, 'dependabot/') + uses: alexwilson/enable-github-automerge-action@2c32e18a76e0726ffe7a573bfff2d42a20885126 # 3.0.0 + if: ${{ + startsWith(steps.branchname.outputs.branch, 'dependabot/') + && steps.auto_approve.conclusion == 'success' + && (github.event.action == 'opened' || github.event.action == 'reopened') + && ( + steps.metadata.outputs.update-type == 'version-update:semver-patch' + || (fromJSON(env.ALLOW_MINOR) && steps.metadata.outputs.update-type == 'version-update:semver-minor') + || (fromJSON(env.ALLOW_MAJOR) && steps.metadata.outputs.update-type == 'version-update:semver-major') + ) + }} with: github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml index 2f9a81d5..7e73a123 100644 --- a/.github/workflows/documentation.yml +++ b/.github/workflows/documentation.yml @@ -23,7 +23,7 @@ jobs: name: Build and deploy steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false @@ -32,9 +32,10 @@ jobs: id: versions - name: Set up node - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ steps.versions.outputs.node-version }} + package-manager-cache: false - name: Set up npm run: npm i -g 'npm@${{ steps.versions.outputs.package-manager-version }}' @@ -50,7 +51,7 @@ jobs: - name: Deploy # Only deploy on release if: github.event.release - uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 + uses: peaceiris/actions-gh-pages@84c30a85c19949d7eee79c4ff27748b70285e453 # v4.1.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./dist/doc diff --git a/.github/workflows/node-test.yml b/.github/workflows/node-test.yml index 9c510e77..8fe6b01f 100644 --- a/.github/workflows/node-test.yml +++ b/.github/workflows/node-test.yml @@ -30,7 +30,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false @@ -39,7 +39,7 @@ jobs: id: versions - name: Set up node - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ steps.versions.outputs.node-version }} @@ -60,7 +60,7 @@ jobs: run: npm run test:coverage --if-present - name: Collect coverage - uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0 + uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0 with: files: ./coverage/lcov.info env: diff --git a/.github/workflows/node.yml b/.github/workflows/node.yml index 9cf2269e..a8e32b87 100644 --- a/.github/workflows/node.yml +++ b/.github/workflows/node.yml @@ -6,12 +6,14 @@ # SPDX-FileCopyrightText: 2021-2024 Nextcloud GmbH and Nextcloud contributors # SPDX-License-Identifier: MIT -name: Node +# TODO: Remove this after a grace period of 6 months to give everyone the chance to switch to the new workflow name +# TODO: To be removed end of 2026. +name: No-op please switch to npm-build.yml on: pull_request permissions: - contents: read + contents: none concurrency: group: node-${{ github.head_ref || github.run_id }} @@ -24,7 +26,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false @@ -33,7 +35,7 @@ jobs: id: versions - name: Set up node - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ steps.versions.outputs.node-version }} diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml index 10495b4b..cb087d62 100644 --- a/.github/workflows/npm-publish.yml +++ b/.github/workflows/npm-publish.yml @@ -24,7 +24,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false @@ -33,9 +33,10 @@ jobs: id: versions - name: Set up node - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ steps.versions.outputs.node-version }} + package-manager-cache: false registry-url: https://registry.npmjs.org - name: Set up npm diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml index 18ba6497..2f4b2f2f 100644 --- a/.github/workflows/reuse.yml +++ b/.github/workflows/reuse.yml @@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false