diff --git a/.github/actionlint.yml b/.github/actionlint.yml deleted file mode 100644 index e83312f9..00000000 --- a/.github/actionlint.yml +++ /dev/null @@ -1,5 +0,0 @@ -paths: - .github/workflows/test-checkout-and-setup.yml: - ignore: - # We need to ignore the expected missing inputs in test-checkout-and-setup.yml - - 'missing input "is-high-risk-environment".+' diff --git a/.github/actions/check-skip-merge-queue/action.yml b/.github/actions/check-skip-merge-queue/action.yml index 4de41cf9..30ed5698 100644 --- a/.github/actions/check-skip-merge-queue/action.yml +++ b/.github/actions/check-skip-merge-queue/action.yml @@ -41,7 +41,7 @@ runs: - name: Get pull request details continue-on-error: true id: pr-details - uses: actions/github-script@v8 + uses: actions/github-script@v9 env: HEAD_REF: ${{ inputs.head-ref }} with: @@ -85,7 +85,7 @@ runs: - name: Check if pull request is up-to-date with base branch continue-on-error: true id: up-to-date - uses: actions/github-script@v8 + uses: actions/github-script@v9 env: BASE_REF: ${{ inputs.base-ref }} PR_BRANCH: ${{ steps.pr-details.outputs.pr-branch }} diff --git a/.github/actions/checkout-and-setup/action.yml b/.github/actions/checkout-and-setup/action.yml deleted file mode 100644 index 1aaeb134..00000000 --- a/.github/actions/checkout-and-setup/action.yml +++ /dev/null @@ -1,90 +0,0 @@ -name: Checkout and setup environment -description: Git checkout if not already checked out, get node_modules from cache if available, set up Node.js, run yarn install -inputs: - is-high-risk-environment: - description: 'Use a secure setup without caching (true = secure, false = optimized for speed)' - required: true - fetch-depth: - description: 'Depth of the Git history to fetch' - required: false - default: '1' - ref: - description: 'Branch, tag, or SHA to checkout' - required: false - default: '' - cache-node-modules: - description: 'Enable caching for node_modules (for the `prep-deps` job, only applies when is-high-risk-environment is false)' - required: false - default: 'false' -# The outputs are for the unit tests in `test-checkout-and-setup.yml`, and probably not useful for other workflows -outputs: - node-modules-cache-hit: - value: ${{ steps.download-node-modules.outputs.cache-hit }} - yarn-cache-hit: - value: ${{ steps.setup-node.outputs.cache-hit }} - -runs: - using: composite - steps: - # The "required: true" field is not enforced by GitHub, so we need to check it manually - - name: Enforce required input is either "true" or "false" - env: - IS_HIGH_RISK_ENVIRONMENT: ${{ inputs.is-high-risk-environment }} - run: | - if [[ "$IS_HIGH_RISK_ENVIRONMENT" == "true" ]]; then - echo 'High-risk environment detected. Disabling cache for security.' - elif [[ "$IS_HIGH_RISK_ENVIRONMENT" == "false" ]]; then - echo 'Low-risk environment detected. Enabling cache for optimized performance.' - else - echo "::error::Invalid value for 'is-high-risk-environment'. Must be 'true' (secure, no cache) or 'false' (faster, cache enabled)." - exit 1 - fi - shell: bash - - # Checkout repository only if not already checked out - - name: Checkout repository - uses: actions/checkout@v6 - if: ${{ hashFiles('.git') == '' }} - with: - fetch-depth: ${{ inputs.fetch-depth }} - ref: ${{ inputs.ref }} - - - run: corepack enable - shell: bash - - # In a low-risk environment, try to download cache of node_modules, if it exists - # On failure, will run the yarn install instead - - name: Download node_modules cache - if: ${{ inputs.is-high-risk-environment == 'false' }} - id: download-node-modules - uses: actions/cache/restore@v4 - with: - path: ./node_modules - key: node-modules-${{ github.sha }} - - - name: Set up Node.js - uses: actions/setup-node@v6 - id: setup-node - with: - node-version-file: .nvmrc - # If the node_modules cache was not found, use setup-node cache to restore the '.yarn' folder - # Notes: if this is always set to 'yarn': - # 1) Will not be secure for high-risk environment - # 2) Self-hosted runners will fail to find this cache, and then fail on the 'Post Setup environment' step - # 3) This action will run a few seconds slower, because when we restore the 'node_modules' folder from cache, there's no need to download the '.yarn' folder too - # (GHA does not allow the : ? ternary operator, you must write && ||) - cache: ${{ ( inputs.is-high-risk-environment != 'true' && steps.download-node-modules.outputs.cache-hit != 'true' ) && 'yarn' || '' }} - - # If the node_modules cache was not found (or it's a high-risk environment), run the yarn install - - name: Install dependencies - if: ${{ steps.download-node-modules.outputs.cache-hit != 'true'}} - run: yarn --immutable - shell: bash - - # For the 'prep-deps' job, save the node_modules cache - - name: Cache workspace - if: ${{ inputs.is-high-risk-environment == 'false' && inputs.cache-node-modules == 'true' }} - uses: actions/cache/save@v4 - with: - path: ./node_modules - key: node-modules-${{ github.sha }} diff --git a/.github/actions/configure-keystore/action.yml b/.github/actions/configure-keystore/action.yml index d92642c1..62eac43d 100644 --- a/.github/actions/configure-keystore/action.yml +++ b/.github/actions/configure-keystore/action.yml @@ -41,7 +41,7 @@ runs: echo "AWS_SIGNING_CERT_SECRET_NAME=$SECRET_NAME" >> "$GITHUB_ENV" - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 with: role-to-assume: ${{ inputs.aws-role-to-assume }} aws-region: ${{ inputs.aws-region }} diff --git a/.github/actions/create-release-pr/action.yml b/.github/actions/create-release-pr/action.yml index c8c996fa..7d9c5dab 100644 --- a/.github/actions/create-release-pr/action.yml +++ b/.github/actions/create-release-pr/action.yml @@ -78,7 +78,7 @@ runs: # Step 3: Setup environment - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: true @@ -151,7 +151,7 @@ runs: # Step 6: Upload commits.csv as artifact (if generated) - name: Upload commits.csv artifact if: ${{ hashFiles('commits.csv') != '' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: commits-csv path: commits.csv diff --git a/.github/actions/feature-flag-drift-slack-noti/action.yml b/.github/actions/feature-flag-drift-slack-noti/action.yml index 7d06030b..ad9a899e 100644 --- a/.github/actions/feature-flag-drift-slack-noti/action.yml +++ b/.github/actions/feature-flag-drift-slack-noti/action.yml @@ -64,7 +64,7 @@ runs: } >> "$GITHUB_OUTPUT" - name: Send Slack notification - uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a + uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 with: webhook: ${{ inputs.slack-webhook }} webhook-type: incoming-webhook diff --git a/.github/actions/get-release-timelines/action.yml b/.github/actions/get-release-timelines/action.yml index 30943247..679ca2de 100644 --- a/.github/actions/get-release-timelines/action.yml +++ b/.github/actions/get-release-timelines/action.yml @@ -45,7 +45,7 @@ runs: run: ./github-tools/.github/scripts/get-release-timelines.sh - name: Upload artifact release-timelines-${{ inputs.version }}.csv - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: release-timelines-${{ inputs.version }}.csv path: release-timelines-${{ inputs.version }}.csv diff --git a/.github/actions/merge-approved-pr/action.yml b/.github/actions/merge-approved-pr/action.yml index 36eb85a5..8c6dea68 100644 --- a/.github/actions/merge-approved-pr/action.yml +++ b/.github/actions/merge-approved-pr/action.yml @@ -60,7 +60,7 @@ runs: # Fetch PR metadata (head and base branches) using the GitHub API - name: Get PR Details - uses: actions/github-script@v7 + uses: actions/github-script@v9 env: PR_NUMBER: ${{ inputs.pr-number }} with: @@ -97,7 +97,7 @@ runs: # Check if the PR has the required approval status - name: Verify Approval if: steps.verify-branches.outputs.should_skip != 'true' - uses: actions/github-script@v7 + uses: actions/github-script@v9 env: PR_NUMBER: ${{ inputs.pr-number }} with: @@ -164,7 +164,7 @@ runs: # - the version change is a valid semver bump - name: Verify a version bump if: ${{ steps.verify-branches.outputs.should_skip != 'true' && inputs.verify-version-bump == 'true' }} - uses: actions/github-script@v7 + uses: actions/github-script@v9 env: PR_NUMBER: ${{ inputs.pr-number }} with: @@ -250,7 +250,7 @@ runs: # Execute the merge if all checks pass - name: Merge PR if: steps.verify-branches.outputs.should_skip != 'true' - uses: actions/github-script@v7 + uses: actions/github-script@v9 env: PR_NUMBER: ${{ inputs.pr-number }} MERGE_METHOD: ${{ inputs.merge-method }} diff --git a/.github/actions/post-gh-rca/action.yml b/.github/actions/post-gh-rca/action.yml index eccd7b1d..75e9d25c 100644 --- a/.github/actions/post-gh-rca/action.yml +++ b/.github/actions/post-gh-rca/action.yml @@ -40,7 +40,7 @@ runs: using: composite steps: - name: Post RCA Form Link - uses: actions/github-script@v8 + uses: actions/github-script@v9 env: GOOGLE_FORM_BASE_URL: ${{ inputs.google-form-base-url }} ISSUE_LABELS: ${{ inputs.issue-labels }} diff --git a/.github/actions/pr-line-check/action.yml b/.github/actions/pr-line-check/action.yml index 29562999..a906fa34 100644 --- a/.github/actions/pr-line-check/action.yml +++ b/.github/actions/pr-line-check/action.yml @@ -90,7 +90,7 @@ runs: } >> "$GITHUB_OUTPUT" - name: Check line count limit - uses: actions/github-script@v7 + uses: actions/github-script@v9 env: LINES_CHANGED: ${{ steps.line-count.outputs.lines-changed }} ADDITIONS: ${{ steps.line-count.outputs.additions }} diff --git a/.github/actions/setup-e2e-env/action.yml b/.github/actions/setup-e2e-env/action.yml index 987e3fe9..03fd2976 100644 --- a/.github/actions/setup-e2e-env/action.yml +++ b/.github/actions/setup-e2e-env/action.yml @@ -212,7 +212,7 @@ runs: command: ${{ steps.get-corepack-command.outputs.COREPACK_COMMAND }} - name: Restore Yarn cache - uses: actions/cache@v4 + uses: actions/cache@v5 with: path: | node_modules @@ -268,7 +268,7 @@ runs: # Restore cached Ruby gems - name: Restore Bundler cache if: ${{ inputs.platform == 'ios' }} - uses: actions/cache@v4 + uses: actions/cache@v5 with: path: ios/vendor/bundle key: ${{ inputs.cache-prefix }}-bundler-${{ inputs.platform }}-${{ runner.os }}-${{ hashFiles('ios/Gemfile.lock') }} @@ -330,7 +330,7 @@ runs: - name: Restore CocoaPods specs cache if: ${{ inputs.platform == 'ios' }} id: cocoapods-specs-cache - uses: actions/cache@v4 + uses: actions/cache@v5 with: path: ~/.cocoapods/repos key: ${{ runner.os }}-cocoapods-specs-${{ hashFiles('ios/Podfile.lock') }} diff --git a/.github/actions/stable-sync/action.yml b/.github/actions/stable-sync/action.yml index 94580607..3641d75b 100644 --- a/.github/actions/stable-sync/action.yml +++ b/.github/actions/stable-sync/action.yml @@ -63,7 +63,7 @@ runs: - name: Check if PR exists id: check-pr - uses: actions/github-script@v7 + uses: actions/github-script@v9 with: script: | const { data: prs } = await github.rest.pulls.list({ diff --git a/.github/actions/update-release-changelog/action.yml b/.github/actions/update-release-changelog/action.yml index b1340b4d..0b618be3 100644 --- a/.github/actions/update-release-changelog/action.yml +++ b/.github/actions/update-release-changelog/action.yml @@ -47,9 +47,9 @@ runs: ref: ${{ inputs.github-tools-ref }} path: ./github-tools - # Step 3: Setup environment from github-tools + # Step 3: Setup environment - name: Checkout and setup environment - uses: ./github-tools/.github/actions/checkout-and-setup + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: true diff --git a/.github/actions/upload-s3/action.yml b/.github/actions/upload-s3/action.yml index 1fde68af..bcaf9d1e 100644 --- a/.github/actions/upload-s3/action.yml +++ b/.github/actions/upload-s3/action.yml @@ -20,7 +20,7 @@ runs: using: composite steps: - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 with: aws-region: ${{ inputs.aws-region }} role-to-assume: ${{ inputs.role-to-assume }} diff --git a/.github/workflows/build-lint-test.yml b/.github/workflows/build-lint-test.yml index 66715b68..9932c213 100644 --- a/.github/workflows/build-lint-test.yml +++ b/.github/workflows/build-lint-test.yml @@ -7,11 +7,8 @@ jobs: lint: runs-on: ubuntu-latest steps: - - name: Checkout repository - uses: actions/checkout@v4 - - name: Checkout and setup environment - uses: ./.github/actions/checkout-and-setup + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: false @@ -34,11 +31,8 @@ jobs: test: runs-on: ubuntu-latest steps: - - name: Checkout repository - uses: actions/checkout@v4 - - name: Checkout and setup environment - uses: ./.github/actions/checkout-and-setup + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: false diff --git a/.github/workflows/create-pr-feature-flag-registry-drift.yml b/.github/workflows/create-pr-feature-flag-registry-drift.yml index 62773ba5..855e8c1d 100644 --- a/.github/workflows/create-pr-feature-flag-registry-drift.yml +++ b/.github/workflows/create-pr-feature-flag-registry-drift.yml @@ -62,13 +62,13 @@ jobs: token: ${{ secrets.github-token }} - name: Download registry artifact - uses: actions/download-artifact@v7 + uses: actions/download-artifact@v8 with: name: ${{ inputs.registry-artifact-name }} path: ${{ inputs.registry-artifact-name }} - name: Download report artifact - uses: actions/download-artifact@v7 + uses: actions/download-artifact@v8 with: name: ${{ inputs.report-artifact-name }} path: ${{ inputs.report-artifact-name }} diff --git a/.github/workflows/create-release-pr.yml b/.github/workflows/create-release-pr.yml index 0f0bed9c..9be4207c 100644 --- a/.github/workflows/create-release-pr.yml +++ b/.github/workflows/create-release-pr.yml @@ -22,7 +22,7 @@ jobs: pull-requests: write steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: true diff --git a/.github/workflows/lint-workflows.yml b/.github/workflows/lint-workflows.yml index 3f140ad0..5babeca4 100644 --- a/.github/workflows/lint-workflows.yml +++ b/.github/workflows/lint-workflows.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Download actionlint id: download-actionlint @@ -19,7 +19,6 @@ jobs: - name: Lint workflow files env: EXECUTABLE: ${{ steps.download-actionlint.outputs.executable }} - # We need to ignore the expected missing inputs in test-checkout-and-setup.yml run: | "$EXECUTABLE" -color shell: bash diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 990b6da8..a71f61c2 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -15,17 +15,12 @@ jobs: name: Build, lint, and test uses: ./.github/workflows/build-lint-test.yml - test-checkout-and-setup: - name: Test checkout-and-setup - uses: ./.github/workflows/test-checkout-and-setup.yml - all-jobs-completed: name: All jobs completed runs-on: ubuntu-latest needs: - lint-workflows - build-lint-test - - test-checkout-and-setup outputs: PASSED: ${{ steps.set-output.outputs.PASSED }} steps: @@ -59,7 +54,7 @@ jobs: IS_RELEASE: ${{ steps.is-release.outputs.IS_RELEASE }} runs-on: ubuntu-latest steps: - - uses: MetaMask/action-is-release@v1 + - uses: MetaMask/action-is-release@v2 id: is-release publish-release: diff --git a/.github/workflows/post-relay-subsidy-balance.yml b/.github/workflows/post-relay-subsidy-balance.yml index 13e1b6e0..8170cfc7 100644 --- a/.github/workflows/post-relay-subsidy-balance.yml +++ b/.github/workflows/post-relay-subsidy-balance.yml @@ -15,10 +15,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 with: node-version-file: .nvmrc @@ -47,7 +47,7 @@ jobs: } >> "$GITHUB_OUTPUT" - name: Send Slack notification - uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a + uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 with: webhook: '${{ secrets.SLACK_RELAY_SUBSIDY_BALANCE_TRACKER_WEBHOOK_URL }}' webhook-type: incoming-webhook diff --git a/.github/workflows/publish-preview.yml b/.github/workflows/publish-preview.yml index 405ed732..f5570a80 100644 --- a/.github/workflows/publish-preview.yml +++ b/.github/workflows/publish-preview.yml @@ -54,7 +54,7 @@ jobs: outputs: IS_FORK: ${{ steps.is-fork.outputs.IS_FORK }} steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - name: Determine whether this PR is from a fork id: is-fork run: echo "IS_FORK=$(gh pr view --json isCrossRepository --jq '.isCrossRepository' "${PR_NUMBER}" )" >> "$GITHUB_OUTPUT" @@ -83,7 +83,7 @@ jobs: needs: react-to-comment runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - name: Check out pull request run: gh pr checkout "${PR_NUMBER}" @@ -92,7 +92,7 @@ jobs: PR_NUMBER: ${{ github.event.issue.number }} - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: true @@ -147,7 +147,7 @@ jobs: - name: Upload build artifacts (monorepo) if: ${{ inputs.is-monorepo }} - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@v7 with: name: preview-build-artifacts include-hidden-files: true @@ -163,7 +163,7 @@ jobs: - name: Upload build artifacts (polyrepo) if: ${{ !inputs.is-monorepo }} - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@v7 with: name: preview-build-artifacts include-hidden-files: true @@ -183,12 +183,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: true - name: Restore build artifacts - uses: actions/download-artifact@v7 + uses: actions/download-artifact@v8 with: name: preview-build-artifacts diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index be4cdd34..50a8a55e 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -24,7 +24,7 @@ jobs: name: Announce release runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - id: name-hash name: Get Slack name and hash shell: bash @@ -47,7 +47,7 @@ jobs: echo "FINAL_TEXT=$FINAL_TEXT" >> "$GITHUB_OUTPUT" - name: Post to a Slack channel if: inputs.slack-subteam != '' - uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 + uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 with: payload: | { @@ -69,7 +69,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: # This is to guarantee that the most recent tag is fetched, which we # need for updating the shorthand major version tag. diff --git a/.github/workflows/stable-sync.yml b/.github/workflows/stable-sync.yml index 4bd9f48e..b848dadd 100644 --- a/.github/workflows/stable-sync.yml +++ b/.github/workflows/stable-sync.yml @@ -26,7 +26,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@v6 + - name: Stable sync uses: ./.github/actions/stable-sync with: diff --git a/.github/workflows/test-add-team-label.yml b/.github/workflows/test-add-team-label.yml index b2134097..c9db41bd 100644 --- a/.github/workflows/test-add-team-label.yml +++ b/.github/workflows/test-add-team-label.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Test if: ${{ github.event_name == 'pull_request' }} diff --git a/.github/workflows/test-checkout-and-setup.yml b/.github/workflows/test-checkout-and-setup.yml deleted file mode 100644 index 990e5a48..00000000 --- a/.github/workflows/test-checkout-and-setup.yml +++ /dev/null @@ -1,189 +0,0 @@ -name: Test checkout-and-setup - -on: - workflow_call: - -jobs: - prep-deps: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Checkout and setup environment - id: checkout-and-setup - uses: ./.github/actions/checkout-and-setup - with: - is-high-risk-environment: false - cache-node-modules: true - - test-high-risk-after-prep-deps: - runs-on: ubuntu-latest - needs: prep-deps - steps: - - uses: actions/checkout@v4 - - - name: Checkout and setup environment - id: checkout-and-setup - uses: ./.github/actions/checkout-and-setup - with: - is-high-risk-environment: true - - - name: Ensure node_modules cache was not used - if: ${{ steps.checkout-and-setup.outputs.node-modules-cache-hit }} - run: exit 1 - - - name: Ensure .yarn cache was not used - if: ${{ steps.checkout-and-setup.outputs.yarn-cache-hit }} - run: exit 1 - - test-low-risk-after-prep-deps: - runs-on: ubuntu-latest - needs: prep-deps - steps: - - uses: actions/checkout@v4 - - - name: Checkout and setup environment - id: checkout-and-setup - uses: ./.github/actions/checkout-and-setup - with: - is-high-risk-environment: false - - - name: Ensure node_modules cache was used - if: ${{ !steps.checkout-and-setup.outputs.node-modules-cache-hit }} - run: exit 1 - - - name: Ensure .yarn cache was not used - if: ${{ steps.checkout-and-setup.outputs.yarn-cache-hit }} - run: exit 1 - - test-high-risk-without-prep-deps: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Checkout and setup environment - id: checkout-and-setup - uses: ./.github/actions/checkout-and-setup - with: - is-high-risk-environment: true - - - name: Ensure node_modules cache was not used - if: ${{ steps.checkout-and-setup.outputs.node-modules-cache-hit }} - run: exit 1 - - - name: Ensure .yarn cache was not used - if: ${{ steps.checkout-and-setup.outputs.yarn-cache-hit }} - run: exit 1 - - test-low-risk-without-prep-deps: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Checkout and setup environment - id: checkout-and-setup - uses: ./.github/actions/checkout-and-setup - with: - is-high-risk-environment: false - - - name: Ensure node_modules cache was not used - if: ${{ steps.checkout-and-setup.outputs.node-modules-cache-hit }} - run: exit 1 - - - name: Ensure .yarn cache was used - if: ${{ !steps.checkout-and-setup.outputs.yarn-cache-hit }} - run: exit 1 - - test-high-risk-string: - runs-on: ubuntu-latest - needs: prep-deps - steps: - - uses: actions/checkout@v4 - - - name: Checkout and setup environment - id: checkout-and-setup - uses: ./.github/actions/checkout-and-setup - with: - is-high-risk-environment: 'true' - - test-low-risk-string: - runs-on: ubuntu-latest - needs: prep-deps - steps: - - uses: actions/checkout@v4 - - - name: Checkout and setup environment - id: checkout-and-setup - uses: ./.github/actions/checkout-and-setup - with: - is-high-risk-environment: 'false' - - test-no-input: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Checkout and setup environment - id: checkout-and-setup - continue-on-error: true - uses: ./.github/actions/checkout-and-setup - - - name: Ensure previous step failed - if: ${{ steps.checkout-and-setup.outcome == 'success' }} - run: exit 1 - - test-bad-input-string: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Checkout and setup environment - id: checkout-and-setup - continue-on-error: true - uses: ./.github/actions/checkout-and-setup - with: - is-high-risk-environment: 'foo' - - - name: Ensure previous step failed - if: ${{ steps.checkout-and-setup.outcome == 'success' }} - run: exit 1 - - test-bad-input-number: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Checkout and setup environment - id: checkout-and-setup - continue-on-error: true - uses: ./.github/actions/checkout-and-setup - with: - is-high-risk-environment: 1 - - - name: Ensure previous step failed - if: ${{ steps.checkout-and-setup.outcome == 'success' }} - run: exit 1 - - test-do-not-checkout-twice: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - ref: 1299bb1de0c6974ae6d0a32c7e8897fe168239ac # The commit hash when checkout-and-setup was first created - - - name: Store initial head SHA - run: echo "INITIAL_SHA=$(git rev-parse HEAD)" >> "$GITHUB_ENV" - - - name: Checkout and setup environment - id: checkout-and-setup - uses: ./.github/actions/checkout-and-setup - with: - is-high-risk-environment: false - ref: main - - - name: Store new head SHA - run: echo "NEW_SHA=$(git rev-parse HEAD)" >> "$GITHUB_ENV" - - - name: Make sure the Git HEAD did not change - if: ${{ env.NEW_SHA != env.INITIAL_SHA }} - run: exit 1 diff --git a/.github/workflows/test-get-release-timelines.yml b/.github/workflows/test-get-release-timelines.yml index 3135f90c..c1def4ac 100644 --- a/.github/workflows/test-get-release-timelines.yml +++ b/.github/workflows/test-get-release-timelines.yml @@ -14,7 +14,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@v6 + - name: Add team label uses: ./.github/actions/get-release-timelines with: diff --git a/.github/workflows/upload-yarn-binary.yml b/.github/workflows/upload-yarn-binary.yml index 45fdae21..561dc661 100644 --- a/.github/workflows/upload-yarn-binary.yml +++ b/.github/workflows/upload-yarn-binary.yml @@ -22,7 +22,7 @@ jobs: download_url: ${{ steps.output-url.outputs.download_url }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Download yarn.js binary run: |