diff --git a/.github/tests/crowdin-workflow.test.ts b/.github/tests/crowdin-workflow.test.ts index fc5b9a2b9..66da2810e 100644 --- a/.github/tests/crowdin-workflow.test.ts +++ b/.github/tests/crowdin-workflow.test.ts @@ -28,7 +28,7 @@ interface CrowdinConfig { const workflowPath = fileURLToPath(new URL('../workflows/i18n-crowdin.yml', import.meta.url)); const crowdinConfigPath = fileURLToPath(new URL('../../crowdin.yml', import.meta.url)); -const crowdinActionRef = 'crowdin/github-action@8868a33591d21088edfc398968173a3b98d51706'; +const crowdinActionRef = 'crowdin/github-action@52aa776766211d83d975df51f3b9c53c2f8ba35f'; function loadCrowdinWorkflowStep(): WorkflowStep { const workflow = yaml.parse(readFileSync(workflowPath, 'utf8')) as WorkflowDefinition; diff --git a/.github/tests/github-action-pins.ts b/.github/tests/github-action-pins.ts index 621c0a526..dc386ce45 100644 --- a/.github/tests/github-action-pins.ts +++ b/.github/tests/github-action-pins.ts @@ -1,6 +1,6 @@ export const expectedActionPins = new Map([ - ['actions/cache', 'actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4'], - ['actions/checkout', 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2'], + ['actions/cache', 'actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5'], + ['actions/checkout', 'actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3'], [ 'actions/dependency-review-action', 'actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0', diff --git a/.github/workflows/ci-verify.yml b/.github/workflows/ci-verify.yml index a6e70679f..930aa098a 100644 --- a/.github/workflows/ci-verify.yml +++ b/.github/workflows/ci-verify.yml @@ -59,12 +59,12 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false - name: Run zizmor - uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa # v0.5.7 with: version: v1.25.2 advanced-security: true @@ -88,7 +88,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false fetch-depth: 0 @@ -133,21 +133,21 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false - name: Initialize CodeQL - uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 + uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: languages: ${{ matrix.language }} config-file: ./.github/codeql/codeql-config.yml - name: Autobuild - uses: github/codeql-action/autobuild@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 + uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 + uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: category: /language:${{ matrix.language }} @@ -168,7 +168,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -299,7 +299,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -323,7 +323,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -343,7 +343,7 @@ jobs: run: npx biome check . - name: Setup Qlty - uses: qltysh/qlty-action/install@a19242102d17e497f437d7466aa01b528537e899 # v2.2.0 + uses: qltysh/qlty-action/install@fd52dc852530a708d68c3b7342f8d33d1df4cd55 # v2.2.1 - name: Qlty check (all plugins, enforced) run: ./scripts/qlty-check-gate.sh all @@ -380,7 +380,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -472,7 +472,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -517,7 +517,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -609,7 +609,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -702,7 +702,7 @@ jobs: - name: Upload ZAP SARIF if: always() && hashFiles('artifacts/zap/zap-baseline.sarif') != '' - uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: sarif_file: artifacts/zap/zap-baseline.sarif category: zap-baseline @@ -807,7 +807,7 @@ jobs: id: nuclei_scan if: always() continue-on-error: true - uses: projectdiscovery/nuclei-action@32a91c0da7be14c07b0ade6c14fa0f6e78d97c9c # v3.1.0 + uses: projectdiscovery/nuclei-action@cc153d0541e1adf8a42bbe31c0a4fb2376147538 # v3.1.1 with: version: v3.8.0 args: >- @@ -910,7 +910,7 @@ jobs: - name: Upload Nuclei SARIF to code scanning if: always() && steps.nuclei_sarif.outputs.upload == 'true' - uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: sarif_file: artifacts/dast/nuclei-report.sarif category: nuclei @@ -1002,7 +1002,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -1020,7 +1020,7 @@ jobs: # so an untrusted PR can't poison main's chromium binary. - name: Cache Playwright browsers # zizmor: ignore[cache-poisoning] - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.cache/ms-playwright key: ${{ runner.os }}-playwright-${{ github.ref_name }}-${{ hashFiles('e2e/package-lock.json') }} @@ -1094,7 +1094,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -1216,7 +1216,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/.github/workflows/e2e-playwright.yml b/.github/workflows/e2e-playwright.yml index 72a458c07..01e7c4370 100644 --- a/.github/workflows/e2e-playwright.yml +++ b/.github/workflows/e2e-playwright.yml @@ -58,7 +58,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false fetch-depth: 0 @@ -97,7 +97,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/.github/workflows/i18n-crowdin.yml b/.github/workflows/i18n-crowdin.yml index 98e128999..e9dc87d23 100644 --- a/.github/workflows/i18n-crowdin.yml +++ b/.github/workflows/i18n-crowdin.yml @@ -31,10 +31,10 @@ jobs: with: egress-policy: audit - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false - - uses: crowdin/github-action@8868a33591d21088edfc398968173a3b98d51706 # v2.16.2 + - uses: crowdin/github-action@52aa776766211d83d975df51f3b9c53c2f8ba35f # v2.16.3 with: user: auto upload_sources: true diff --git a/.github/workflows/quality-mutation-monthly.yml b/.github/workflows/quality-mutation-monthly.yml index 8996a0a1c..ccfacba71 100644 --- a/.github/workflows/quality-mutation-monthly.yml +++ b/.github/workflows/quality-mutation-monthly.yml @@ -189,7 +189,7 @@ jobs: - name: Checkout id: checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 continue-on-error: true with: persist-credentials: false @@ -201,7 +201,7 @@ jobs: - name: Checkout (retry) if: steps.checkout.outcome == 'failure' - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -220,7 +220,7 @@ jobs: command: cd ${{ matrix.package }} && npm ci - name: Restore Stryker incremental cache - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ${{ matrix.package }}/${{ matrix.incremental_file }} # Append the run number so every run writes a fresh cache entry @@ -285,7 +285,7 @@ jobs: - name: Checkout id: checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 continue-on-error: true with: persist-credentials: false @@ -297,7 +297,7 @@ jobs: - name: Checkout (retry) if: steps.checkout.outcome == 'failure' - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/.github/workflows/release-cut.yml b/.github/workflows/release-cut.yml index 20d28751c..05b12f430 100644 --- a/.github/workflows/release-cut.yml +++ b/.github/workflows/release-cut.yml @@ -63,7 +63,7 @@ jobs: fi - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 persist-credentials: true diff --git a/.github/workflows/security-grype.yml b/.github/workflows/security-grype.yml index 061e59648..4785492f8 100644 --- a/.github/workflows/security-grype.yml +++ b/.github/workflows/security-grype.yml @@ -44,7 +44,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -66,7 +66,7 @@ jobs: # Code scanning uploads need a public repo or GHAS. Drydock is public, # so this runs; the guard keeps the job green on a fork/private mirror. if: always() && github.event.repository.visibility == 'public' - uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: sarif_file: ${{ steps.grype-deps.outputs.sarif }} category: grype-deps @@ -98,7 +98,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -139,7 +139,7 @@ jobs: - name: Upload Grype SARIF to code scanning if: always() && github.event.repository.visibility == 'public' - uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: sarif_file: ${{ steps.grype.outputs.sarif }} category: grype-image diff --git a/.github/workflows/security-scorecard.yml b/.github/workflows/security-scorecard.yml index c56114673..052ec6c38 100644 --- a/.github/workflows/security-scorecard.yml +++ b/.github/workflows/security-scorecard.yml @@ -43,7 +43,7 @@ jobs: egress-policy: audit - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -57,6 +57,6 @@ jobs: publish_results: true - name: Upload to code-scanning - uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: sarif_file: results.sarif