diff --git a/.github/workflows/backend-ci.yml b/.github/workflows/backend-ci.yml
index 746ae366..9843f606 100644
--- a/.github/workflows/backend-ci.yml
+++ b/.github/workflows/backend-ci.yml
@@ -45,7 +45,7 @@ jobs:
 pull-requests: read # Or 'write' if reviewdog needs to create PR review comments directly
 steps:
 - name: Checkout repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
 - name: Setup Java
 uses: ./.github/actions/setup/java
@@ -73,7 +73,7 @@ jobs:
 NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
 steps:
 - name: Checkout repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
 - name: Setup Java
 uses: ./.github/actions/setup/java
@@ -85,14 +85,14 @@ jobs:
 run: ./gradlew test
 - name: Publish Test Results
- uses: EnricoMi/publish-unit-test-result-action@3a74b2957438d0b6e2e61d67b05318aa25c9e6c6 # v2.20.0
+ uses: EnricoMi/publish-unit-test-result-action@27d65e188ec43221b20d26de30f4892fad91df2f # v2.22.0
 if: always()
 with:
 files: |
 **/build/test-results/**/*.xml
 - name: Upload coverage to Codecov
- uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
+ uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v4
 if: secrets.CODECOV_TOKEN != ''
 with:
 files: ./server/thryve/build/reports/kover/report.xml # Updated path for Kover
@@ -103,7 +103,7 @@ jobs:
 CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 - name: Upload build artifacts
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@v6
 with:
 name: backend-artifacts
 path: |
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 177f30a1..1030ac94 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
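Review bot: The trailing `# v4` comment on the `actions/checkout` pin in the first backend-ci.yml hunk was kept although the SHA changed, so a reader cannot tell from the line whether the new commit is still a v4 release. Other bumps in this commit do update their comment (`# v2.20.0` to `# v2.22.0`, `# v4.0.1` to `# v4.0.2`), and `actions/upload-artifact` moves from v4 to v6 in the same change, so each new SHA should be checked against the upstream tag and annotated with the exact release, e.g. `# vX.Y.Z` (placeholder). The same unchanged comment appears on every other `actions/checkout` pin and on the `codecov/codecov-action`, `actions/labeler`, `actions/cache`, artifact, `actions/stale` and `JetBrains/qodana-action` pins in the remaining workflow files.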
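Review bot: `if: secrets.CODECOV_TOKEN != ''` on the "Upload coverage to Codecov" step (unchanged context directly under the bumped pin in the `-85,14` hunk) reads the `secrets` context, which GitHub documents as not available in step-level `if:` conditions. The usual form is to expose the secret as a job-level environment variable and test `if: env.CODECOV_TOKEN != ''`. frontend-ci.yml has the same condition, and there a job-level `CODECOV_TOKEN` env entry is already visible above `steps:`; in this file the env entry looks step-scoped, but its surroundings are outside the hunk, so confirm before changing it.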
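Review bot: `uses: actions/upload-artifact@v6` in the "Upload build artifacts" step stays on a mutable tag, while ci.yml pins the same action to a commit SHA under the comment "Pinned to v4 commit hash for security". A tag can be re-pointed upstream, so this step runs whatever `v6` resolves to at run time; pin it as `uses: actions/upload-artifact@<full-commit-sha> # v6.x.y` (placeholder, take the SHA from the upstream release). frontend-ci.yml carries the same unpinned `@v6` line. This also leaves the repository with one upload-artifact reference at v6 and another whose comment still says `# v4`, which is worth confirming as intended.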
@@ -36,10 +36,10 @@ jobs:
 steps:
 - name: Checkout repository
 # Pinned to v4 commit hash for security
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
 - name: Run Labeler
 # Pinned to v5 commit hash for security
- uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5
+ uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v5
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
@@ -56,7 +56,7 @@ jobs:
 steps:
 - name: Checkout repository
 # Pinned to v4 commit hash for security
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
 - name: Initialize CodeQL
 # Pinned to v3 commit hash for security
 uses: github/codeql-action/init@7c651bd38dd1af6b6a3150197b37799cb367fb05 # v3
@@ -80,7 +80,7 @@ jobs:
 steps:
 - name: Checkout repository
 # Pinned to v4 commit hash for security
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
 with:
 # Full git history is needed to get a proper list of changed files within `super-linter`
 fetch-depth: 0
@@ -108,10 +108,10 @@ jobs:
 steps:
 - name: Checkout repository
 # Pinned to v4 commit hash for security
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
 - name: Dependency Review
 # Pinned to v4 commit hash for security
- uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4
+ uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4
 with:
 # You can specify configuration options here, e.g.:
 # fail-on-severity: critical
@@ -129,9 +129,9 @@ jobs:
 steps:
 - name: Checkout repository
 # Pinned to v4 commit hash for security
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
 - name: Run OWASP Dependency Check
- uses: dependency-check/Dependency-Check_Action@2ba636726705b0f74f126ebeaacaf2ad4600b967
+ uses: dependency-check/Dependency-Check_Action@1e54355a8b4c8abaa8cc7d0b70aa655a3bb15a6c
 with:
 project: 'hatchgrid-monorepo'
 path: '.'
@@ -143,7 +143,7 @@ jobs:
 - name: Upload OWASP Dependency Check Report
 if: always() # Ensure report is uploaded even if previous steps fail
 # Pinned to v4 commit hash for security
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
 with:
 name: owasp-dependency-check-report
 path: reports/dependency-check-report.html # Default path for HTML report
@@ -170,7 +170,7 @@ jobs:
 steps:
 - name: Checkout repository
 # Pinned to v4 commit hash for security
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
 - name: Setup Java
 uses: ./.github/actions/setup/java
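Review bot: The new `dependency-check/Dependency-Check_Action` pin in the "Run OWASP Dependency Check" step (hunk `-129,9`) has no trailing version or branch comment, unlike the neighbouring `# v4` pins. Without it a reviewer cannot tell from the diff whether the bump follows a tagged release or an arbitrary commit on the default branch, and the next update has no reference point. Add a comment in the style the file already uses, e.g. `# <tag-or-branch> (placeholder)`. The `DavidAnson/markdownlint-cli2-action` pin later in ci.yml and the `mongolyy/reviewdog-action-biome` pin in frontend-ci.yml lack the comment as well.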
@@ -185,21 +185,21 @@ jobs:
 - name: Download backend artifacts
 # Pinned to v4 commit hash for security
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+ uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4
 with:
 name: backend-artifacts
 path: backend-artifacts
 - name: Download frontend artifacts
 # Pinned to v4 commit hash for security
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+ uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4
 with:
 name: frontend-artifacts
 path: frontend-artifacts
 - name: Cache Gradle
 # Pinned to v4 commit hash for security
- uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
+ uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v4
 with:
 path: |
 ~/.gradle/caches
@@ -220,7 +220,7 @@ jobs:
 - name: Upload test report
 # Pinned to v4 commit hash for security
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
 with:
 name: test-report
 path: test-report/
@@ -230,9 +230,9 @@ jobs:
 name: Markdown lint (docs)
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
 - name: Markdownlint
- uses: DavidAnson/markdownlint-cli2-action@b4c9feab76d8025d1e83c653fa3990936df0e6c8
+ uses: DavidAnson/markdownlint-cli2-action@07035fd053f7be764496c0f8d8f9f41f98305101
 with:
 globs: |
 **/*.md
diff --git a/.github/workflows/cleanup-cache.yml b/.github/workflows/cleanup-cache.yml
index cc368dee..181ea363 100644
--- a/.github/workflows/cleanup-cache.yml
+++ b/.github/workflows/cleanup-cache.yml
@@ -11,7 +11,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out code
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
 - name: Ensure gh-actions-cache extension is installed
 run: |
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 3321e38b..778a95d2 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -21,7 +21,7 @@ jobs:
 matrix:
 language: [ 'java-kotlin', 'javascript-typescript' ]
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
 - uses: github/codeql-action/init@7a63fc29565e929abdb0fc4f6955b7d6c2397477 #v3
 with:
 languages: ${{ matrix.language }}
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 4190462a..f827fa41 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -65,7 +65,7 @@ jobs:
 steps:
 - name: Checkout repository
 # Pinned to v4 commit hash for security
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
 - name: Build and push backend Docker image
 id: build-backend
@@ -94,7 +94,7 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
 - name: Set environment-specific configuration
 id: env-config
@@ -153,7 +153,7 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
 - name: Set environment-specific configuration
 id: env-config
@@ -211,13 +211,13 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
 - name: Setup kubectl
 uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
 - name: Set Kubernetes context
- uses: azure/k8s-set-context@212a19233d93f03eceaac31ae5a1d1acf650b6ef # v4.0.1
+ uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4.0.2
 with:
 method: kubeconfig
 kubeconfig: ${{ secrets.KUBECONFIG }}
diff --git a/.github/workflows/frontend-ci.yml b/.github/workflows/frontend-ci.yml
index 04485a0d..6f183ca9 100644
--- a/.github/workflows/frontend-ci.yml
+++ b/.github/workflows/frontend-ci.yml
@@ -42,7 +42,7 @@ jobs:
 # Permissions are inherited from workflow level
 steps:
 - name: Checkout repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
 - name: 🧩 Setup Node.js and pnpm
 uses: ./.github/actions/setup/node
@@ -51,7 +51,7 @@ jobs:
 - name: Run Biome with Reviewdog
- uses: mongolyy/reviewdog-action-biome@25e6813418e91845859fadb665e49c7590667caf
+ uses: mongolyy/reviewdog-action-biome@abafdf75a79678ef8e2715298ee2dfc12262c82f
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 workdir: ./client
@@ -64,7 +64,7 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
 - name: Setup Node.js and pnpm
 uses: ./.github/actions/setup/node
@@ -75,7 +75,7 @@ jobs:
 run: pnpm build
 - name: Upload build artifacts
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@v6
 with:
 name: frontend-artifacts
 path: |
@@ -91,7 +91,7 @@ jobs:
 CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 steps:
 - name: Checkout repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
 - name: Setup Node.js and pnpm
 uses: ./.github/actions/setup/node
@@ -102,7 +102,7 @@ jobs:
 run: pnpm test
 - name: Upload coverage to Codecov
- uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
+ uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v4
 if: secrets.CODECOV_TOKEN != ''
 with:
 files: ./coverage/lcov.info # Adjust path if necessary, common for JS projects
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index d8e2844e..763b4373 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -12,7 +12,7 @@ jobs:
 label:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5
+ - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v5
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 sync-labels: true
diff --git a/.github/workflows/qodana_code_quality.yml b/.github/workflows/qodana_code_quality.yml
index b567fb77..283cfce6 100644
--- a/.github/workflows/qodana_code_quality.yml
+++ b/.github/workflows/qodana_code_quality.yml
@@ -24,12 +24,12 @@ jobs:
 pull-requests: write
 checks: write
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
 with:
 ref: ${{ github.event.pull_request.head.sha || github.sha }}
 fetch-depth: 0
 - name: 'Qodana Scan'
- uses: JetBrains/qodana-action@e14351bdf4707c4cecc25a86a9190745b7b40de8 #v2025.1.1^
+ uses: JetBrains/qodana-action@42dad391966aca8ca344ca2340a7f43a5507e9b2 #v2025.1.1^
 env:
 QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}
 with:
diff --git a/.github/workflows/ruler-check.yml b/.github/workflows/ruler-check.yml
index b8b0c10c..0ea4ba6a 100644
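Review bot: The checkout step in qodana_code_quality.yml fetches `github.event.pull_request.head.sha` inside a job that holds `pull-requests: write`, `checks: write` and `QODANA_TOKEN`, and whether that is safe depends on the workflow trigger, which is outside this hunk. Under `pull_request`, runs from forks get a read-only token and no secrets, but under `pull_request_target` the job would process fork-controlled content with those credentials in scope. Confirm the `on:` block and record the assumption next to the step, e.g. `# runs on pull_request only; do not combine this ref with pull_request_target`.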
--- a/.github/workflows/ruler-check.yml
+++ b/.github/workflows/ruler-check.yml
@@ -8,7 +8,7 @@ jobs:
 check-ruler:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
 - name: 🧩 Setup Node.js and pnpm
 uses: ./.github/actions/setup/node
 with:
diff --git a/.github/workflows/semantic-pull-request.yml b/.github/workflows/semantic-pull-request.yml
index 3909270b..feeb5f43 100644
--- a/.github/workflows/semantic-pull-request.yml
+++ b/.github/workflows/semantic-pull-request.yml
@@ -20,7 +20,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 # Pinned to v5 commit hash for security
- - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5
+ - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v5
 id: lint_pr_title
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 916fd1ed..9dda56f1 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -12,7 +12,7 @@ jobs:
 stale:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 #v9
+ - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d #v9
 with:
 days-before-stale: 120
 days-before-close: 60
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index 6d8fc80f..28a7b355 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -19,7 +19,7 @@ jobs:
 cancel-in-progress: false
 steps:
 # existing steps here
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
 - uses: crazy-max/ghaction-github-labeler@24d110aa46a59976b8a7f35518cb7f14f434c916 #v5
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/test-pnpm.yml b/.github/workflows/test-pnpm.yml
index 6284a0b4..34076489 100644
--- a/.github/workflows/test-pnpm.yml
+++ b/.github/workflows/test-pnpm.yml
@@ -11,7 +11,7 @@ jobs:
 steps:
 - name: Checkout repository
 # Pinned to v4 commit hash for security
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4