diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 50e0ff7ad27..d3ab6161210 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,10 +9,17 @@ updates: - package-ecosystem: "github-actions" directory: "/" schedule: - interval: "weekly" + interval: "cron" + cronjob: "15 22 5,20 * *" # At 22:15, every 5th and 20th day of the month. open-pull-requests-limit: 5 commit-message: prefix: "GH Actions:" labels: - "changelog: non-user-facing" - "yoast cs/qa" + groups: + action-runners: + applies-to: version-updates + update-types: + - "minor" + - "patch" diff --git a/.github/workflows/browserslist-db.yml b/.github/workflows/browserslist-db.yml index 6e0fab56a53..952a105fa15 100644 --- a/.github/workflows/browserslist-db.yml +++ b/.github/workflows/browserslist-db.yml @@ -21,7 +21,7 @@ jobs: git config --global user.name "${{ github.actor }}" - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-depth: 0 diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 209cec62d41..5328fb5986d 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -26,13 +26,13 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 with: languages: ${{ matrix.language }} - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 diff --git a/.github/workflows/cs.yml b/.github/workflows/cs.yml index c0d604083fa..c0935efefaa 100644 --- a/.github/workflows/cs.yml +++ b/.github/workflows/cs.yml 
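Review bot: The new `interval: "cron"` / `cronjob` lines cut version updates from weekly to twice a month in the same commit that pins every action to a SHA. As I read GitHub's documentation, Dependabot alerts are not raised for actions referenced by SHA, so these version-update PRs become the only route by which a fixed action release reaches the workflows. I would keep the weekly cadence, or record in a comment why a wait of up to roughly sixteen days is acceptable. The `cronjob` comment also names no time zone and the schedule sets no `timezone`; if the default is UTC as I understand it, `# At 22:15 UTC on the 5th and 20th of each month.` would be unambiguous. The `action-runners` group has no `patterns` key, so it looks like it will bundle all minor and patch bumps into one PR, where each new SHA still has to be checked against the tag in its comment.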
@@ -32,7 +32,7 @@ concurrency: jobs: actionlint: name: 'Lint GH Action workflows' - uses: Yoast/.github/.github/workflows/reusable-actionlint.yml@main + uses: Yoast/.github/.github/workflows/reusable-actionlint.yml@c14f66005ab514663a48d00712db67617c98728c # v1.0.0 checkcs: name: 'Check code style' @@ -40,7 +40,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Determine the base branch for the file diff id: base_branch @@ -59,7 +59,7 @@ jobs: run: git fetch --no-tags --depth=1 origin ${{ steps.base_branch.outputs.NAME }} - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0 with: php-version: 'latest' coverage: none @@ -75,7 +75,7 @@ jobs: # Install dependencies and handle caching in one go. # @link https://github.com/marketplace/actions/install-php-dependencies-with-composer - name: Install Composer dependencies - uses: ramsey/composer-install@v3 + uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # 3.1.1 with: # Bust the cache at least once a week - output format: YYYY-MM-DD. custom-cache-suffix: $(/bin/date -u --date='last Mon' "+%F") diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index c6ed0a5d65f..d8cd4393a73 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -56,10 +56,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0 with: php-version: 7.4 coverage: none 
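Review bot: Pinning `reusable-actionlint.yml` to `c14f66005ab514663a48d00712db67617c98728c` in the `actionlint` job fixes that workflow file only. The actions it calls are resolved from its own `uses:` lines, which are not visible here, so if those still reference tags or branches the job keeps a mutable dependency one level down. It is worth confirming that the `v1.0.0` revision of `Yoast/.github` pins its own steps by SHA, and then noting that next to the pin, for example `# Reusable workflow; inner actions are SHA-pinned in Yoast/.github.` The same applies to the `reusable-merge-conflict-check.yml` pin in merge-conflict-check.yml.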
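Review bot: The context line `run: git fetch --no-tags --depth=1 origin ${{ steps.base_branch.outputs.NAME }}` at the top of the `@@ -59,7 +59,7 @@` hunk expands a step output directly into the shell script, unquoted. The command's shape therefore depends on whatever the `base_branch` step wrote. That step and the start of this one are outside the hunk, so I cannot tell which context value `NAME` derives from. Passing it through the environment keeps it as data: add `env:` with `BASE_BRANCH: ${{ steps.base_branch.outputs.NAME }}` to the step and use `origin "$BASE_BRANCH"` in the command.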
@@ -69,7 +69,7 @@ jobs: # This action also handles the caching of the Yarn dependencies. # https://github.com/actions/setup-node - name: Set up node and enable caching of dependencies - uses: actions/setup-node@v6 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version-file: './.nvmrc' cache: 'yarn' @@ -90,7 +90,7 @@ jobs: # and available across runs of the same workflow. # @link https://github.com/marketplace/actions/install-php-dependencies-with-composer - name: Install Composer dependencies and run the prefixing script - uses: ramsey/composer-install@v3 + uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # 3.1.1 with: # Bust the cache at least once a week - output format: YYYY-MM-DD. custom-cache-suffix: $(/bin/date -u --date='last Mon' "+%F") @@ -126,7 +126,7 @@ jobs: # Retention is normally 90 days, but this artifact is only for review # and use in the next step, so no need to keep it for more than a day. - name: Upload the artifact folder - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 if: ${{ success() }} with: name: deploy-artifact @@ -169,7 +169,7 @@ jobs: fi - name: Checkout Yoast Dist repo - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: repository: ${{ env.DIST_ORG }}/${{ github.event.repository.name }} ref: ${{ env.DIST_DEFAULT_BRANCH }} @@ -198,7 +198,7 @@ jobs: # The artifact will be unpacked into the root directory of the repository. - name: Download and unpack the prepared artifact - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: deploy-artifact diff --git a/.github/workflows/deprecation-check.yml b/.github/workflows/deprecation-check.yml index c923af4b8a1..92061b985a0 100644 --- a/.github/workflows/deprecation-check.yml +++ b/.github/workflows/deprecation-check.yml 
@@ -23,7 +23,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Place a comment on the PR uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1 diff --git a/.github/workflows/finish-coveralls.yml b/.github/workflows/finish-coveralls.yml index 3adbdd41428..af311cbd32e 100644 --- a/.github/workflows/finish-coveralls.yml +++ b/.github/workflows/finish-coveralls.yml @@ -84,7 +84,7 @@ jobs: # NOTE: The ref value should be different when triggered by pull_request event. # See: https://github.com/lewagon/wait-on-check-action/issues/25. - name: "Wait on tests (PR)" - uses: lewagon/wait-on-check-action@3603e826ee561ea102b58accb5ea55a1a7482343 # lewagon/wait-on-check-action@v1.4.1 + uses: lewagon/wait-on-check-action@3603e826ee561ea102b58accb5ea55a1a7482343 # v1.4.1 if: github.event_name == 'pull_request' with: ref: ${{ github.event.pull_request.head.sha }} @@ -93,14 +93,14 @@ jobs: - name: "Wait on tests (push)" if: github.event_name != 'pull_request' - uses: lewagon/wait-on-check-action@3603e826ee561ea102b58accb5ea55a1a7482343 # lewagon/wait-on-check-action@v1.4.1 + uses: lewagon/wait-on-check-action@3603e826ee561ea102b58accb5ea55a1a7482343 # v1.4.1 with: ref: ${{ github.sha }} repo-token: ${{ secrets.GITHUB_TOKEN }} check-regexp: Test|TestJS - name: "Coveralls Finished" - uses: coverallsapp/github-action@v2 + uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7 env: COVERALLS_SERVICE_NUMBER: ${{ github.sha }} # Connect all builds together. with: diff --git a/.github/workflows/generate_csv.yml b/.github/workflows/generate_csv.yml index 6475928b5b8..bd79047b706 100644 --- a/.github/workflows/generate_csv.yml +++ b/.github/workflows/generate_csv.yml 
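Review bot: The SHA pin on `coverallsapp/github-action` in the "Coveralls Finished" step fixes the action's own code but probably not everything it runs. As far as I know, this action fetches its coverage-reporter binary at run time, taking the version from a `coverage-reporter-version` input that defaults to the latest release. The `with:` block continues past the hunk, so I cannot see whether that input is set. If it is not, adding `coverage-reporter-version: "<pinned reporter version>"` would make the pin cover what actually executes. The same step appears in the jstest.yml and test.yml hunks of this commit.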
@@ -9,7 +9,7 @@ jobs: steps: # Check out the repository - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 # Install dependencies - name: Install dependencies diff --git a/.github/workflows/jslint.yml b/.github/workflows/jslint.yml index d71547733c0..a3e3f440f28 100644 --- a/.github/workflows/jslint.yml +++ b/.github/workflows/jslint.yml @@ -57,7 +57,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 # The ubuntu images come with Node, npm and yarn pre-installed. # https://github.com/actions/virtual-environments/blob/main/images/linux/Ubuntu2004-Readme.md @@ -65,7 +65,7 @@ jobs: # This action also handles the caching of the Yarn dependencies. # https://github.com/actions/setup-node - name: Set up node and enable caching of dependencies - uses: actions/setup-node@v6 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version-file: './.nvmrc' cache: 'yarn' diff --git a/.github/workflows/jstest.yml b/.github/workflows/jstest.yml index fced52cffe0..7fef7b1e50b 100644 --- a/.github/workflows/jstest.yml +++ b/.github/workflows/jstest.yml @@ -77,7 +77,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 # The ubuntu images come with Node, npm and yarn pre-installed. # https://github.com/actions/virtual-environments/blob/main/images/linux/Ubuntu2004-Readme.md @@ -85,7 +85,7 @@ jobs: # This action also handles the caching of the Yarn dependencies. # https://github.com/actions/setup-node - name: Set up node and enable caching of dependencies - uses: actions/setup-node@v6 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version-file: './.nvmrc' cache: 'yarn' 
@@ -117,7 +117,7 @@ jobs: working-directory: packages/${{ matrix.package }} - name: Upload coverage results to Coveralls - uses: coverallsapp/github-action@v2 + uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7 env: COVERALLS_SERVICE_NUMBER: ${{ github.sha }} # Connect all builds together. with: @@ -146,7 +146,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Checks for changes uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # dorny/paths-filter@v3.0.2 @@ -165,7 +165,7 @@ jobs: # Check out the premium config repo ahead of running the tests to prevent issues with permissions. - name: Checkout premium configuration if: ${{ steps.checks-run.outputs.should == 'true' && matrix.needs_premium_config == true }} - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: repository: Yoast/YoastSEO.js-premium-configuration path: packages/yoastseo/premium-configuration @@ -179,7 +179,7 @@ jobs: # https://github.com/actions/setup-node - name: Set up node and enable caching of dependencies if: ${{ steps.checks-run.outputs.should == 'true' }} - uses: actions/setup-node@v6 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version-file: './.nvmrc' cache: 'yarn' @@ -218,7 +218,7 @@ jobs: - name: Upload coverage results to Coveralls if: ${{ steps.checks-run.outputs.should == 'true' }} - uses: coverallsapp/github-action@v2 + uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7 env: COVERALLS_SERVICE_NUMBER: ${{ github.sha }} # Connect all builds together. with: diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 1458365a0e2..23937b2c73d 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
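Review bot: In the `@@ -146,7 +146,7 @@` hunk, the context line `uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # dorny/paths-filter@v3.0.2` keeps the old `owner/repo@tag` comment form. This commit rewrites the equivalent `lewagon/wait-on-check-action` comments to the bare tag, so the two now disagree. I would change it to `# v3.0.2`, so that anyone or anything reading the trailing version comment sees one format throughout. The `thollander/actions-comment-pull-request` line in deprecation-check.yml already uses the bare form.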
@@ -43,14 +43,14 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 # For the purpose of linting the code, we need the `vendor-prefixed` directory to # be created as the prefixed code should be linted to ensure there are no parse errors # in the generated code against any of the supported PHP versions. # The prefix-dependencies task makes use of reflection-based PHP code that only works on PHP > 7.2. - name: Install PHP 7.x for generating the vendor_prefixed directory - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0 with: php-version: 7.4 coverage: none @@ -58,7 +58,7 @@ jobs: fail-fast: true - name: Install Composer dependencies and generate vendor_prefixed directory - uses: ramsey/composer-install@v3 + uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # 3.1.1 with: # Bust the cache at least once a week - output format: YYYY-MM-DD. custom-cache-suffix: $(/bin/date -u --date='last Mon' "+%F") @@ -69,7 +69,7 @@ jobs: run: composer remove --dev --no-scripts humbug/php-scoper - name: Install PHP for the actual linting - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0 with: php-version: ${{ matrix.php_version }} ini-values: zend.assertions=1, assert.exception=1, error_reporting=-1, display_errors=On, display_startup_errors=On diff --git a/.github/workflows/merge-conflict-check.yml b/.github/workflows/merge-conflict-check.yml index f7c913a6978..d71b6f55602 100644 --- a/.github/workflows/merge-conflict-check.yml +++ b/.github/workflows/merge-conflict-check.yml 
@@ -21,4 +21,4 @@ jobs: if: github.repository_owner == 'Yoast' name: Check PRs for merge conflicts - uses: Yoast/.github/.github/workflows/reusable-merge-conflict-check.yml@main + uses: Yoast/.github/.github/workflows/reusable-merge-conflict-check.yml@c14f66005ab514663a48d00712db67617c98728c # v1.0.0 diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index f0899ab2c5b..0562be2112b 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -26,9 +26,9 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 # This action checks the `composer.lock` file against known security vulnerabilities in the dependencies. # https://github.com/marketplace/actions/the-php-security-checker - name: Run Security Check - uses: symfonycorp/security-checker-action@v5 + uses: symfonycorp/security-checker-action@258311ef7ac571f1310780ef3d79fc5abef642b5 # v5 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 6fecb8397c1..d2f2bc54431 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -61,11 +61,11 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 # The prefix-dependencies task makes use of reflection-based PHP code that only works on PHP > 7.2. - name: Install PHP 7.x for generating the vendor_prefixed directory and dependency injection - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0 with: php-version: 7.4 coverage: none 
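Review bot: The comment on the `symfonycorp/security-checker-action` pin in security.yml records only `# v5`, a major tag that can be moved. Unlike the other pins in this commit, it does not identify which release `258311ef7ac571f1310780ef3d79fc5abef642b5` corresponds to. If upstream publishes a more specific tag for that commit, the comment should name it. If it does not, a short note such as `# v5 (no finer tag upstream; SHA verified on <date>)` would tell the next reviewer the pin was checked rather than copied.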
@@ -73,7 +73,7 @@ jobs: fail-fast: true - name: Install Composer dependencies, generate vendor_prefixed directory and run dependency injection - uses: ramsey/composer-install@v3 + uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # 3.1.1 with: # Bust the cache at least once a week - output format: YYYY-MM-DD. custom-cache-suffix: $(/bin/date -u --date='last Mon' "+%F") @@ -87,7 +87,7 @@ jobs: run: rm -rf vendor/* - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0 with: php-version: ${{ matrix.php_version }} ini-values: zend.assertions=1, assert.exception=1, error_reporting=-1, display_errors=On, display_startup_errors=On @@ -106,7 +106,7 @@ jobs: # for the PHP version on which the tests will be run. # @link https://github.com/marketplace/actions/install-php-dependencies-with-composer - name: Install Composer dependencies - uses: ramsey/composer-install@v3 + uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # 3.1.1 with: # Force a `composer update` run. dependency-versions: "highest" @@ -125,7 +125,7 @@ jobs: - name: Upload coverage results to Coveralls if: ${{ success() && matrix.coverage == true }} - uses: coverallsapp/github-action@v2 + uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7 env: COVERALLS_SERVICE_NUMBER: ${{ github.sha }} # Connect all builds together. with: @@ -196,11 +196,11 @@ jobs: run: sudo apt-get install -y subversion - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 # The prefix-dependencies task makes use of reflection-based PHP code that only works on PHP > 7.2. - name: Install PHP 7.x for generating the vendor_prefixed directory and dependency injection - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0 with: php-version: 7.4 coverage: none 
@@ -208,7 +208,7 @@ jobs: fail-fast: true - name: Install Composer dependencies, generate vendor_prefixed directory and run dependency injection - uses: ramsey/composer-install@v3 + uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # 3.1.1 with: # Bust the cache at least once a week - output format: YYYY-MM-DD. custom-cache-suffix: $(/bin/date -u --date='last Mon' "+%F") @@ -222,7 +222,7 @@ jobs: run: rm -rf vendor/* - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0 with: php-version: ${{ matrix.php_version }} ini-values: zend.assertions=1, assert.exception=1, error_reporting=-1, display_errors=On, display_startup_errors=On @@ -237,7 +237,7 @@ jobs: run: composer config --unset platform.php - name: "Install Composer dependencies" - uses: ramsey/composer-install@v3 + uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # 3.1.1 with: # Force a `composer update` run. dependency-versions: "highest" @@ -272,7 +272,7 @@ jobs: - name: Upload coverage results to Coveralls - single site if: ${{ success() && matrix.coverage == true }} - uses: coverallsapp/github-action@v2 + uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7 env: COVERALLS_SERVICE_NUMBER: ${{ github.sha }} # Connect all builds together. with: @@ -283,7 +283,7 @@ jobs: - name: Upload coverage results to Coveralls - multisite if: ${{ success() && matrix.multisite == true && matrix.coverage == true }} - uses: coverallsapp/github-action@v2 + uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7 env: COVERALLS_SERVICE_NUMBER: ${{ github.sha }} # Connect all builds together. with: