From e64a042f0c2911fbd835927cfc5feb57a2532db6 Mon Sep 17 00:00:00 2001 From: Matt Fiddaman Date: Tue, 11 Nov 2025 23:26:07 +0000 Subject: [PATCH] fix github action version resolution (#6114) * pin to sha * note --- .github/actions/setup/action.yml | 8 ++++---- .../workflows/ai-generated-release-notes.yml | 2 +- .github/workflows/autofix.yml | 2 +- .github/workflows/build.yml | 18 +++++++++--------- .github/workflows/check.yml | 12 ++++++------ .github/workflows/codeql.yml | 2 +- .github/workflows/count-points.yml | 2 +- .github/workflows/docker-edge.yml | 16 ++++++++-------- .github/workflows/docker-release.yml | 18 +++++++++--------- .github/workflows/e2e-test.yml | 14 +++++++------- .github/workflows/electron-master.yml | 10 +++++----- .github/workflows/electron-pr.yml | 6 +++--- .github/workflows/generate-release-pr.yml | 4 ++-- .../workflows/i18n-string-extract-master.yml | 4 ++-- .../issues-close-feature-requests.yml | 6 +++--- .../workflows/issues-feature-implemented.yml | 4 ++-- .../workflows/issues-remove-help-wanted.yml | 2 +- .github/workflows/netlify-release.yml | 2 +- .../workflows/publish-nightly-npm-packages.yml | 8 ++++---- .github/workflows/publish-npm-packages.yml | 8 ++++---- .github/workflows/release-notes.yml | 2 +- .github/workflows/size-compare.yml | 12 ++++++------ .github/workflows/stale.yml | 6 +++--- .github/workflows/vrt-update-apply.yml | 10 +++++----- .github/workflows/vrt-update-generate.yml | 6 +++--- upcoming-release-notes/6114.md | 6 ++++++ 26 files changed, 98 insertions(+), 92 deletions(-) create mode 100644 upcoming-release-notes/6114.md diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml index b5ac0f151b..d47904e1c3 100644 --- a/.github/actions/setup/action.yml +++ b/.github/actions/setup/action.yml 
@@ -15,7 +15,7 @@ runs: using: composite steps: - name: Install node - uses: actions/setup-node@v6 + uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 with: node-version: 22 - name: Install yarn @@ -27,7 +27,7 @@ runs: run: echo "version=$(node -v)" >> "$GITHUB_OUTPUT" shell: bash - name: Cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 id: cache with: path: ${{ format('{0}/**/node_modules', inputs.working-directory) }} @@ -36,7 +36,7 @@ runs: run: mkdir -p ${{ format('{0}/.lage', inputs.working-directory) }} shell: bash - name: Cache Lage - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ${{ format('{0}/.lage', inputs.working-directory) }} key: lage-${{ runner.os }}-${{ github.sha }} @@ -48,7 +48,7 @@ runs: shell: bash if: steps.cache.outputs.cache-hit != 'true' - name: Download translations - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: repository: actualbudget/translations path: ${{ inputs.working-directory }}/packages/desktop-client/locale diff --git a/.github/workflows/ai-generated-release-notes.yml b/.github/workflows/ai-generated-release-notes.yml index 2d113a1041..f9441d676c 100644 --- a/.github/workflows/ai-generated-release-notes.yml +++ b/.github/workflows/ai-generated-release-notes.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up environment uses: ./.github/actions/setup diff --git a/.github/workflows/autofix.yml b/.github/workflows/autofix.yml index f31087b341..c91175d12a 100644 --- a/.github/workflows/autofix.yml +++ b/.github/workflows/autofix.yml 
@@ -15,7 +15,7 @@ jobs: autofix: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up environment uses: ./.github/actions/setup - name: Format code diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e9115af08d..5900ff5e4f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -21,7 +21,7 @@ jobs: api: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up environment uses: ./.github/actions/setup with: @@ -31,7 +31,7 @@ jobs: - name: Create package tgz run: cd packages/api && yarn pack && mv package.tgz actual-api.tgz - name: Upload Build - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: actual-api path: packages/api/actual-api.tgz @@ -39,7 +39,7 @@ jobs: crdt: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up environment uses: ./.github/actions/setup with: @@ -49,7 +49,7 @@ jobs: - name: Create package tgz run: cd packages/crdt && yarn pack && mv package.tgz actual-crdt.tgz - name: Upload Build - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: actual-crdt path: packages/crdt/actual-crdt.tgz 
@@ -57,18 +57,18 @@ jobs: web: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up environment uses: ./.github/actions/setup - name: Build Web run: yarn build:browser - name: Upload Build - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: actual-web path: packages/desktop-client/build - name: Upload Build Stats - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: build-stats path: packages/desktop-client/build-stats @@ -76,7 +76,7 @@ jobs: server: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up environment uses: ./.github/actions/setup with: @@ -84,7 +84,7 @@ jobs: - name: Build Server run: yarn workspace @actual-app/sync-server build - name: Upload Build - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: sync-server path: packages/sync-server/build diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index 10e64f08c7..b28bc76180 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -14,7 +14,7 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up environment uses: ./.github/actions/setup with: @@ -24,7 +24,7 @@ jobs: typecheck: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up environment uses: ./.github/actions/setup with: 
@@ -34,7 +34,7 @@ jobs: validate-cli: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up environment uses: ./.github/actions/setup with: @@ -46,7 +46,7 @@ jobs: test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up environment uses: ./.github/actions/setup with: @@ -58,8 +58,8 @@ jobs: if: github.event_name == 'pull_request' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 - - uses: actions/setup-node@v6 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 with: node-version: 22 - name: Check migrations diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index aff04d833f..18231c46a6 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -22,7 +22,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Initialize CodeQL uses: github/codeql-action/init@v3 diff --git a/.github/workflows/count-points.yml b/.github/workflows/count-points.yml index 0837c9ed44..6ef96fdc81 100644 --- a/.github/workflows/count-points.yml +++ b/.github/workflows/count-points.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up environment uses: ./.github/actions/setup - name: Count points diff --git a/.github/workflows/docker-edge.yml b/.github/workflows/docker-edge.yml index ee53ad32f7..ef7e2cb53b 100644 --- a/.github/workflows/docker-edge.yml +++ b/.github/workflows/docker-edge.yml 
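Review bot: `github/codeql-action/init@v3`, the step right after the pinned checkout in the codeql.yml hunk, still resolves through a mutable major tag, so this workflow keeps the exposure the rest of the patch removes. Pin it the same way, e.g. `uses: github/codeql-action/init@<full-commit-sha> # v3.x.y` (placeholder; take the SHA from the release you intend to run). The job continues past the end of the hunk, so any further `github/codeql-action/*` steps there presumably need the same treatment. If the tag is kept on purpose, a comment on the line saying so would stop it reading as an omission.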
@@ -36,17 +36,17 @@ jobs: matrix: os: [ubuntu, alpine] steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Docker meta id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0 with: # Push to both Docker Hub and Github Container Registry images: ${{ env.IMAGES }} @@ -54,14 +54,14 @@ jobs: tags: ${{ env.TAGS }} - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 if: github.event_name != 'pull_request' && !github.event.repository.fork with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 if: github.event_name != 'pull_request' with: registry: ghcr.io @@ -76,7 +76,7 @@ jobs: run: yarn build:server - name: Build image for testing - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: . push: false @@ -93,7 +93,7 @@ jobs: # This will use the cache from the earlier build step and not rebuild the image # https://docs.docker.com/build/ci/github-actions/test-before-push/ - name: Build and push images - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: . push: ${{ github.event_name != 'pull_request' }} diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml index 0250b4a357..94e3d74e2b 100644 
--- a/.github/workflows/docker-release.yml +++ b/.github/workflows/docker-release.yml @@ -28,17 +28,17 @@ jobs: name: Build Docker image runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Docker meta id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0 with: # Push to both Docker Hub and Github Container Registry images: ${{ env.IMAGES }} @@ -48,7 +48,7 @@ jobs: - name: Docker meta for Alpine image id: alpine-meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0 with: images: ${{ env.IMAGES }} # Automatically update :latest @@ -58,13 +58,13 @@ jobs: tags: ${{ env.TAGS }} - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: ghcr.io username: ${{ github.repository_owner }} @@ -78,7 +78,7 @@ jobs: run: yarn build:server - name: Build and push ubuntu image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: . push: true 
@@ -87,7 +87,7 @@ jobs: tags: ${{ steps.meta.outputs.tags }} - name: Build and push alpine image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: . push: true diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml index 6e2a89ba55..637d135bde 100644 --- a/.github/workflows/e2e-test.yml +++ b/.github/workflows/e2e-test.yml @@ -17,7 +17,7 @@ jobs: outputs: netlify_url: ${{ steps.netlify.outputs.url }} steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up environment uses: ./.github/actions/setup - name: Wait for Netlify build to finish @@ -34,7 +34,7 @@ jobs: container: image: mcr.microsoft.com/playwright:v1.56.0-jammy steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up environment uses: ./.github/actions/setup - name: Trust the repository directory @@ -43,7 +43,7 @@ jobs: run: yarn e2e env: E2E_START_URL: ${{ needs.netlify.outputs.netlify_url }} - - uses: actions/upload-artifact@v5 + - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 if: always() with: name: desktop-client-test-results @@ -57,7 +57,7 @@ jobs: container: image: mcr.microsoft.com/playwright:v1.56.0-jammy steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up environment uses: ./.github/actions/setup - name: Trust the repository directory @@ -65,7 +65,7 @@ jobs: - name: Run Desktop app E2E Tests run: | xvfb-run --auto-servernum --server-args="-screen 0 1920x1080x24" -- yarn e2e:desktop - - uses: actions/upload-artifact@v5 + - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 if: always() with: name: desktop-app-test-results 
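Review bot: The `image: mcr.microsoft.com/playwright:v1.56.0-jammy` line in the e2e-test.yml hunk at -34 is still referenced by tag while every action in the job is now pinned to a commit, and a registry tag can be re-pointed just as an action tag can. Appending the digest, `image: mcr.microsoft.com/playwright:v1.56.0-jammy@sha256:<digest>` (placeholder), gives the job container the same immutability. The same image line appears in the hunks at -57 and -80 of this file and in the first hunk of vrt-update-generate.yml.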
@@ -80,14 +80,14 @@ jobs: container: image: mcr.microsoft.com/playwright:v1.56.0-jammy steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up environment uses: ./.github/actions/setup - name: Run VRT Tests on Netlify URL run: yarn vrt env: E2E_START_URL: ${{ needs.netlify.outputs.netlify_url }} - - uses: actions/upload-artifact@v5 + - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 if: always() with: name: desktop-client-test-results diff --git a/.github/workflows/electron-master.yml b/.github/workflows/electron-master.yml index b7b537939f..80209b5b80 100644 --- a/.github/workflows/electron-master.yml +++ b/.github/workflows/electron-master.yml @@ -29,7 +29,7 @@ jobs: - macos-latest runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - if: ${{ startsWith(matrix.os, 'windows') }} run: pip.exe install setuptools - if: ${{ ! startsWith(matrix.os, 'windows') }} @@ -62,7 +62,7 @@ jobs: if: ${{ ! startsWith(matrix.os, 'macos') }} run: ./bin/package-electron - name: Upload Build - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: actual-electron-${{ matrix.os }} path: | @@ -73,7 +73,7 @@ jobs: packages/desktop-electron/dist/*.flatpak - name: Upload Windows Store Build if: ${{ startsWith(matrix.os, 'windows') }} - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: actual-electron-${{ matrix.os }}-appx path: | @@ -83,7 +83,7 @@ jobs: run: | echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT" - name: Add to new release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2 with: draft: true body: | 
@@ -113,7 +113,7 @@ jobs: Install-Module -Name StoreBroker -AcceptLicense -Force -Scope CurrentUser -Verbose - name: Download Microsoft Store artifacts - uses: actions/download-artifact@v6 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: actual-electron-windows-latest-appx diff --git a/.github/workflows/electron-pr.yml b/.github/workflows/electron-pr.yml index 697576655a..4987bb0bf8 100644 --- a/.github/workflows/electron-pr.yml +++ b/.github/workflows/electron-pr.yml @@ -24,7 +24,7 @@ jobs: - macos-latest runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - if: ${{ startsWith(matrix.os, 'windows') }} run: pip.exe install setuptools - if: ${{ ! startsWith(matrix.os, 'windows') }} @@ -47,7 +47,7 @@ jobs: - name: Build Electron run: ./bin/package-electron - name: Upload Build - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: actual-electron-${{ matrix.os }} path: | @@ -58,7 +58,7 @@ jobs: packages/desktop-electron/dist/*.flatpak - name: Upload Windows Store Build if: ${{ startsWith(matrix.os, 'windows') }} - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: actual-electron-${{ matrix.os }}-appx path: | diff --git a/.github/workflows/generate-release-pr.yml b/.github/workflows/generate-release-pr.yml index 04ec32aeac..3fc227e412 100644 --- a/.github/workflows/generate-release-pr.yml +++ b/.github/workflows/generate-release-pr.yml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: ref: ${{ github.event.inputs.ref }} - name: Bump package versions 
@@ -48,7 +48,7 @@ jobs: echo "version=$NEW_WEB_VERSION" >> "$GITHUB_OUTPUT" - name: Create PR - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 with: commit-message: '🔖 (${{ steps.bump_package_versions.outputs.version }})' title: '🔖 (${{ steps.bump_package_versions.outputs.version }})' diff --git a/.github/workflows/i18n-string-extract-master.yml b/.github/workflows/i18n-string-extract-master.yml index 84f94c44b3..41eca59560 100644 --- a/.github/workflows/i18n-string-extract-master.yml +++ b/.github/workflows/i18n-string-extract-master.yml @@ -12,7 +12,7 @@ jobs: if: github.repository == 'actualbudget/actual' steps: - name: Check out main repository - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: path: actual - name: Set up environment @@ -44,7 +44,7 @@ jobs: push \ actualbudget/actual - name: Check out updated translations - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: ssh-key: ${{ secrets.STRING_IMPORT_DEPLOY_KEY }} repository: actualbudget/translations diff --git a/.github/workflows/issues-close-feature-requests.yml b/.github/workflows/issues-close-feature-requests.yml index 2b8d965dad..8d552d7ce2 100644 --- a/.github/workflows/issues-close-feature-requests.yml +++ b/.github/workflows/issues-close-feature-requests.yml 
@@ -9,16 +9,16 @@ jobs: if: ${{ github.event.label.name == 'feature' }} runs-on: ubuntu-latest steps: - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8 # v1.1.0 with: labels: needs votes - name: Add reactions - uses: aidan-mundy/react-to-issue@v1 + uses: aidan-mundy/react-to-issue@109392cac5159c2df6c47c8ab3b5d6b708852fe5 # v1.1.2 with: issue-number: ${{ github.event.issue.number }} reactions: '+1' - name: Create comment - uses: peter-evans/create-or-update-comment@v5 + uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 with: issue-number: ${{ github.event.issue.number }} body: | diff --git a/.github/workflows/issues-feature-implemented.yml b/.github/workflows/issues-feature-implemented.yml index bbade96620..18ba978ad7 100644 --- a/.github/workflows/issues-feature-implemented.yml +++ b/.github/workflows/issues-feature-implemented.yml @@ -24,8 +24,8 @@ jobs: runs-on: ubuntu-latest steps: # This is not a security concern because we have approved & merged the PR - - uses: actions/checkout@v5 - - uses: actions/setup-node@v6 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 with: node-version: 22 - name: Handle feature requests diff --git a/.github/workflows/issues-remove-help-wanted.yml b/.github/workflows/issues-remove-help-wanted.yml index 75d5f73e78..2902e33e03 100644 --- a/.github/workflows/issues-remove-help-wanted.yml +++ b/.github/workflows/issues-remove-help-wanted.yml @@ -9,6 +9,6 @@ jobs: if: ${{ !contains(github.event.issue.labels.*.name, 'feature') && contains(github.event.issue.labels.*.name, 'help wanted') }} runs-on: ubuntu-latest steps: - - uses: actions-ecosystem/action-remove-labels@v1 + - uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1.3.0 with: labels: help wanted 
diff --git a/.github/workflows/netlify-release.yml b/.github/workflows/netlify-release.yml index eed693679e..59c9805c72 100644 --- a/.github/workflows/netlify-release.yml +++ b/.github/workflows/netlify-release.yml @@ -21,7 +21,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Repository Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up environment uses: ./.github/actions/setup diff --git a/.github/workflows/publish-nightly-npm-packages.yml b/.github/workflows/publish-nightly-npm-packages.yml index e05da124f8..a39a4f970f 100644 --- a/.github/workflows/publish-nightly-npm-packages.yml +++ b/.github/workflows/publish-nightly-npm-packages.yml @@ -12,7 +12,7 @@ jobs: name: Build and pack npm packages if: github.event.repository.fork == false steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up environment uses: ./.github/actions/setup @@ -49,7 +49,7 @@ jobs: yarn workspace @actual-app/api pack --filename @actual-app/api.tgz - name: Upload package artifacts - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: npm-packages path: | @@ -66,12 +66,12 @@ jobs: packages: write steps: - name: Download the artifacts - uses: actions/download-artifact@v6 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: npm-packages - name: Setup node and npm registry - uses: actions/setup-node@v6 + uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 with: node-version: 22 registry-url: 'https://registry.npmjs.org' diff --git a/.github/workflows/publish-npm-packages.yml b/.github/workflows/publish-npm-packages.yml index f9b65749ed..64c67405e6 100644 --- a/.github/workflows/publish-npm-packages.yml +++ b/.github/workflows/publish-npm-packages.yml 
@@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest name: Build and pack npm packages steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up environment uses: ./.github/actions/setup @@ -32,7 +32,7 @@ jobs: yarn workspace @actual-app/api pack --filename @actual-app/api.tgz - name: Upload package artifacts - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: npm-packages path: | @@ -49,12 +49,12 @@ jobs: packages: write steps: - name: Download the artifacts - uses: actions/download-artifact@v6 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: npm-packages - name: Setup node and npm registry - uses: actions/setup-node@v6 + uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 with: node-version: 22 registry-url: 'https://registry.npmjs.org' diff --git a/.github/workflows/release-notes.yml b/.github/workflows/release-notes.yml index fd116e1ed2..84b90af06b 100644 --- a/.github/workflows/release-notes.yml +++ b/.github/workflows/release-notes.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Check release notes if: startsWith(github.head_ref, 'release/') == false uses: actualbudget/actions/release-notes/check@main diff --git a/.github/workflows/size-compare.yml b/.github/workflows/size-compare.yml index 2d169ba22f..6de1377067 100644 --- a/.github/workflows/size-compare.yml +++ b/.github/workflows/size-compare.yml @@ -28,7 +28,7 @@ jobs: pull-requests: write steps: - name: Wait for ${{github.base_ref}} build to succeed - uses: fountainhead/action-wait-for-check@v1.2.0 + uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0 id: master-build with: token: ${{ secrets.GITHUB_TOKEN }} 
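Review bot: `actualbudget/actions/release-notes/check@main` in the release-notes.yml hunk tracks a branch, so whatever is pushed to `main` of that repository runs here on the next trigger, unlike the checkout step pinned just above it. Being in the same organisation lowers the risk but does not make the ref immutable. Either pin it, `uses: actualbudget/actions/release-notes/check@<full-commit-sha> # main` (placeholder), or add a comment on the line stating that following `main` is deliberate. The job may continue below the hunk.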
@@ -36,7 +36,7 @@ jobs: ref: ${{github.base_ref}} - name: Wait for PR build to succeed - uses: fountainhead/action-wait-for-check@v1.2.0 + uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0 id: wait-for-build with: token: ${{ secrets.GITHUB_TOKEN }} @@ -49,7 +49,7 @@ jobs: echo "Build failed on PR branch or ${{github.base_ref}}" exit 1 - name: Download build artifact from ${{github.base_ref}} - uses: dawidd6/action-download-artifact@v11 + uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11 id: pr-build with: branch: ${{github.base_ref}} @@ -59,7 +59,7 @@ jobs: path: base - name: Download build artifact from PR - uses: dawidd6/action-download-artifact@v11 + uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11 with: pr: ${{github.event.pull_request.number}} workflow: build.yml @@ -76,14 +76,14 @@ jobs: sed -i -E 's/index\.[0-9a-zA-Z_-]{8,}\./index./g' ./base/web-stats.json sed -i -E 's/\.[0-9a-zA-Z_-]{8,}\.chunk\././g' ./base/web-stats.json sed -i -E 's/\.[0-9a-f]{8,}\././g' ./base/*.json - - uses: twk3/rollup-size-compare-action@v1.2.0 + - uses: twk3/rollup-size-compare-action@a1f8628fee0e40899ab2b46c1b6e14552b99281e # v1.2.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} current-stats-json-path: ./head/web-stats.json base-stats-json-path: ./base/web-stats.json title: desktop-client - - uses: twk3/rollup-size-compare-action@v1.2.0 + - uses: twk3/rollup-size-compare-action@a1f8628fee0e40899ab2b46c1b6e14552b99281e # v1.2.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} current-stats-json-path: ./head/loot-core-stats.json diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 3f0ca0df7d..5d300c9a4a 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml 
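Review bot: The trailing comment on both `dawidd6/action-download-artifact@… # v11` lines (size-compare.yml hunks at -49 and -59) names only a major tag, where the other pins in this patch record a full release such as `# v1.2.0` or `# v5.0.0`. A major tag moves, so the comment will not tell a later reader which release the SHA was taken from, and it gives an update bot less to match against. If upstream publishes a full version for that commit, record it in the comment; otherwise say in the comment that `v11` is the only tag available.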
@@ -8,7 +8,7 @@ jobs: stale: runs-on: ubuntu-latest steps: - - uses: actions/stale@v10 + - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0 with: stale-pr-message: 'This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.' close-pr-message: 'This PR was closed because it has been stalled for 5 days with no activity.' @@ -18,7 +18,7 @@ jobs: stale-wip: runs-on: ubuntu-latest steps: - - uses: actions/stale@v10 + - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0 with: stale-pr-message: ':wave: Hi! It looks like this PR has not had any changes for a week now. Would you like someone to review this PR? If so - please remove the "[WIP]" prefix from the PR title. That will let the community know that this PR is open for a review.' days-before-stale: 7 @@ -29,7 +29,7 @@ jobs: stale-needs-info: runs-on: ubuntu-latest steps: - - uses: actions/stale@v10 + - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0 with: stale-issue-label: 'needs info' days-before-stale: -1 diff --git a/.github/workflows/vrt-update-apply.yml b/.github/workflows/vrt-update-apply.yml index 84e9bfb40b..38c7948d98 100644 --- a/.github/workflows/vrt-update-apply.yml +++ b/.github/workflows/vrt-update-apply.yml @@ -19,7 +19,7 @@ jobs: if: ${{ github.event.workflow_run.conclusion == 'success' }} steps: - name: Download patch artifact - uses: actions/download-artifact@v6 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} run-id: ${{ github.event.workflow_run.id }} @@ -27,7 +27,7 @@ jobs: path: /tmp/artifacts - name: Download metadata artifact - uses: actions/download-artifact@v6 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} run-id: ${{ github.event.workflow_run.id }} 
@@ -57,7 +57,7 @@ jobs: - name: Checkout fork branch if: steps.metadata.outputs.pr_number != '' - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: repository: ${{ steps.metadata.outputs.head_repo }} ref: ${{ steps.metadata.outputs.head_ref }} @@ -132,7 +132,7 @@ jobs: - name: Comment on PR - Success if: steps.apply.outputs.applied == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | await github.rest.issues.createComment({ @@ -144,7 +144,7 @@ jobs: - name: Comment on PR - Failure if: failure() && steps.metadata.outputs.pr_number != '' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const error = `${{ steps.apply.outputs.error }}` || 'Unknown error occurred'; diff --git a/.github/workflows/vrt-update-generate.yml b/.github/workflows/vrt-update-generate.yml index 89e5f56f5f..c050a1a3bd 100644 --- a/.github/workflows/vrt-update-generate.yml +++ b/.github/workflows/vrt-update-generate.yml @@ -22,7 +22,7 @@ jobs: container: image: mcr.microsoft.com/playwright:v1.56.0-jammy steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: ref: ${{ github.event.pull_request.head.sha }} @@ -82,7 +82,7 @@ jobs: - name: Upload patch artifact if: steps.create-patch.outputs.has_changes == 'true' - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: vrt-patch-${{ github.event.pull_request.number }} path: vrt-update.patch @@ -98,7 +98,7 @@ jobs: - name: Upload PR metadata if: steps.create-patch.outputs.has_changes == 'true' - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: vrt-metadata-${{ github.event.pull_request.number }} path: pr-metadata/ 
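Review bot: In the `Comment on PR - Failure` step of vrt-update-apply.yml (hunk at -144), `${{ steps.apply.outputs.error }}` is expanded into the JavaScript source before github-script runs it, so the output's text is parsed as code rather than handled as data. This workflow is driven by `workflow_run` and downloads artifacts from the triggering run, so if that output can carry text derived from the patch artifact, it reaches a job that holds `secrets.GITHUB_TOKEN`. Pass the value through the environment instead: add `env:` with `APPLY_ERROR: ${{ steps.apply.outputs.error }}` to the step and read it as `const error = process.env.APPLY_ERROR || 'Unknown error occurred';`. The script body continues past the end of the hunk.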
diff --git a/upcoming-release-notes/6114.md b/upcoming-release-notes/6114.md new file mode 100644 index 0000000000..6635123493 --- /dev/null +++ b/upcoming-release-notes/6114.md @@ -0,0 +1,6 @@ +--- +category: Maintenance +authors: [matt-fidd] +--- + +Fix broken GitHub Action version resolutions