diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index 0d892e7f..11c63f9b 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -23,7 +23,7 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
 with:
 fetch-depth: 1
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index cf119f44..c1883100 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -26,7 +26,7 @@ jobs:
 actions: read # Required for Claude to read CI results on PRs
 steps:
 - name: Checkout repository
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
 with:
 fetch-depth: 1
diff --git a/.github/workflows/database-migrations.yml b/.github/workflows/database-migrations.yml
index d41b1cf4..dd309f79 100644
--- a/.github/workflows/database-migrations.yml
+++ b/.github/workflows/database-migrations.yml
@@ -31,7 +31,7 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
 - name: Setup Bun
 uses: oven-sh/setup-bun@v2
@@ -67,7 +67,7 @@ jobs:
 - name: Comment on PR
 if: steps.check_migrations.outputs.has_migrations == 'true'
 continue-on-error: true
- uses: actions/github-script@v7
+ uses: actions/github-script@v9
 with:
 github-token: ${{ secrets.PAT_TOKEN || secrets.GITHUB_TOKEN }}
 script: |
@@ -96,7 +96,7 @@ jobs:
 - name: Warn if no migrations
 if: steps.check_migrations.outputs.has_migrations == 'false'
 continue-on-error: true
- uses: actions/github-script@v7
+ uses: actions/github-script@v9
 with:
 github-token: ${{ secrets.PAT_TOKEN || secrets.GITHUB_TOKEN }}
 script: |
@@ -126,7 +126,7 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
 - name: Setup Bun
 uses: oven-sh/setup-bun@v2
@@ -150,7 +150,7 @@ jobs:
 - name: Notify on failure
 if: failure()
 continue-on-error: true
- uses: actions/github-script@v7
+ uses: actions/github-script@v9
 with:
 github-token: ${{ secrets.PAT_TOKEN || secrets.GITHUB_TOKEN }}
 script: |
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 34374ad2..909d1d64 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -36,13 +36,13 @@ jobs:
 # timeout-minutes: 10
 # steps:
 # - name: Harden Runner
- # uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.10.2
+ # uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.10.2
 # with:
 # egress-policy: audit
 # disable-sudo: true
 #
 # - name: Checkout Repository
- # uses: actions/checkout@v5
+ # uses: actions/checkout@v6
 # with:
 # persist-credentials: false
 #
@@ -71,12 +71,12 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.10.2
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.10.2
 with:
 egress-policy: audit
 - name: Checkout
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
 with:
 persist-credentials: false
@@ -86,7 +86,7 @@ jobs:
 bun-version: latest
 - name: Cache dependencies
- uses: actions/cache@v4
+ uses: actions/cache@v5
 with:
 path: ~/.bun/install/cache
 key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lock') }}
@@ -138,7 +138,7 @@ jobs:
 - name: Upload security reports
 if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@v7
 with:
 name: security-audit-reports
 path: |
@@ -150,7 +150,7 @@ jobs:
 if: |
 steps.audit.outputs.snyk_audit_failed == 'true' ||
 steps.audit.outputs.osv_scan_failed == 'true'
- uses: actions/github-script@v7
+ uses: actions/github-script@v9
 with:
 script: |
 const fs = require('fs');
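Review bot: The new harden-runner pin in the `@@ -71,12 +71,12` hunk keeps the annotation `# v2.10.2` while merge_dependabot.yml in this same commit labels the identical SHA `ab7a9404c0f3da075243ca237b5fac12c98deaa5` as `# v2.19.3`, so at least one of the two comments is wrong. The previous SHA was likewise tagged `v2.10.2` here and `v2.13.0` there, which suggests this file's comments were already stale and the bump carried the stale label forward. The version comment is what readers and update tooling use to interpret a SHA pin, so a wrong one hides which release is actually running. Verify the SHA against the upstream release tag and make the comment match, e.g. `uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3` if that is the tag the SHA belongs to; the same applies to the `@@ -36`, `@@ -191` and `@@ -281` hunks of this file.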
@@ -191,12 +191,12 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.10.2
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.10.2
 with:
 egress-policy: audit
 - name: Checkout
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
 with:
 persist-credentials: false
@@ -237,7 +237,7 @@ jobs:
 - name: Upload license report
 if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@v7
 with:
 name: license-compliance-report
 path: |
@@ -247,7 +247,7 @@ jobs:
 - name: Comment on license issues
 if: steps.license-scan.outputs.license_check_failed == 'true' ||
 steps.license-scan.outputs.compliance_failed == 'true'
- uses: actions/github-script@v7
+ uses: actions/github-script@v9
 with:
 script: |
 const comment = `## ⚖️ License Compliance Alert
@@ -281,12 +281,12 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.10.2
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.10.2
 with:
 egress-policy: audit
 - name: Checkout
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
 - name: Generate SBOM
 uses: anchore/sbom-action@v0
@@ -295,7 +295,7 @@ jobs:
 output-file: sbom.spdx.json
 - name: Upload SBOM
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@v7
 with:
 name: sbom
 path: sbom.spdx.json
diff --git a/.github/workflows/merge_dependabot.yml b/.github/workflows/merge_dependabot.yml
index 410bc6e2..c5964cb5 100644
--- a/.github/workflows/merge_dependabot.yml
+++ b/.github/workflows/merge_dependabot.yml
@@ -30,7 +30,7 @@ jobs:
 compatibility-score: ${{ steps.metadata.outputs.compatibility-score }}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 egress-policy: audit
 disable-sudo: true
@@ -38,7 +38,7 @@ jobs:
 - name: Fetch metadata
 id: metadata
- uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # v2.4.0
+ uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -53,12 +53,12 @@ jobs:
 security-events: write
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 egress-policy: audit
 - name: Checkout code
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 persist-credentials: false
@@ -69,7 +69,7 @@ jobs:
 bun-version: latest
 - name: Cache dependencies
- uses: actions/cache@v4
+ uses: actions/cache@v5
 with:
 path: ~/.bun/install/cache
 key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lockb') }}
@@ -149,7 +149,7 @@ jobs:
 steps.typecheck.outputs.typecheck_failed == 'true' ||
 steps.audit.outputs.audit_failed == 'true' ||
 steps.license.outputs.license_failed == 'true'
- uses: actions/github-script@v7
+ uses: actions/github-script@v9
 with:
 script: |
 const failures = [];
@@ -184,7 +184,7 @@ jobs:
 reason: ${{ steps.eligibility.outputs.reason }}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 egress-policy: audit
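Review bot: In the `@@ -53,12 +53,12` hunk the Harden Runner step is pinned to a full commit SHA with a version comment, but the checkout step a few lines below is bumped to the mutable tag `actions/checkout@v6`, and the same mix appears with `actions/cache@v5`, `actions/github-script@v9` and `lewagon/wait-on-check-action@v1.7.0` in the later hunks of this file. A version tag can be moved to a different commit upstream, so the SHA pin on one step gives no guarantee for the rest of the job; the pinning style this workflow already uses (SHA plus `# vX.Y.Z` comment) should be applied to every `uses:` line, e.g. `uses: actions/checkout@<full-commit-sha-of-v6-release> # v6.x.y` with the SHA taken from the release tag. The third-party `lewagon/wait-on-check-action` in the `@@ -256` hunk is the most worth pinning first, since it runs in what is presumably the auto-merge path and is not a GitHub-maintained action.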
@@ -256,12 +256,12 @@ jobs:
 timeout-minutes: 30
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 egress-policy: audit
 - name: Wait for CI checks
- uses: lewagon/wait-on-check-action@v1.4.0
+ uses: lewagon/wait-on-check-action@v1.7.0
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 check-regexp: ^(?!Auto-merge|Dependabot|claude-review|claude|Claude|Security Scan).*$
@@ -281,13 +281,13 @@ jobs:
 pull-requests: write
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 egress-policy: audit
 - name: Generate GitHub App token
 id: app-token
- uses: actions/create-github-app-token@v2
+ uses: actions/create-github-app-token@v3
 if: vars.DEPENDABOT_APP_ID != ''
 continue-on-error: true
 with:
@@ -325,12 +325,12 @@ jobs:
 pull-requests: write
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
 egress-policy: audit
 - name: Add comment for manual review
- uses: actions/github-script@v7
+ uses: actions/github-script@v9
 with:
 script: |
 const updateType = '${{ needs.metadata.outputs.update-type }}';
diff --git a/.github/workflows/migrate-database.yml b/.github/workflows/migrate-database.yml
index 4a3a78c1..5ff7cde1 100644
--- a/.github/workflows/migrate-database.yml
+++ b/.github/workflows/migrate-database.yml
@@ -29,7 +29,7 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
 - name: Setup Bun
 uses: oven-sh/setup-bun@v2
@@ -55,7 +55,7 @@ jobs:
 - name: Comment on PR
 if: always()
 continue-on-error: true
- uses: actions/github-script@v7
+ uses: actions/github-script@v9
 with:
 script: |
 const status = '${{ job.status }}' === 'success' ? '✅' : '❌';
@@ -78,7 +78,7 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
 - name: Setup Bun
 uses: oven-sh/setup-bun@v2
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 094dc825..f10400ea 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -17,7 +17,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
 - name: Setup Bun
 uses: oven-sh/setup-bun@v2