From e4d15a02ff6d0d20bbb6ebfb122f5a932d93c5ae Mon Sep 17 00:00:00 2001
From: afc163
Date: Fri, 22 May 2026 16:00:36 +0800
Subject: [PATCH] chore: pin GitHub Actions to commit SHAs and configure dependabot for actions (#11803)
Co-authored-by: Claude Opus 4.7
---
 .github/dependabot.yml | 11 ++++++++++-
 .github/workflows/ci.yml | 10 +++++-----
 .github/workflows/coverage.yml | 8 ++++----
 .github/workflows/deploy.yml | 6 +++---
 .github/workflows/emoji-helper.yml | 2 +-
 .github/workflows/issue-labeled.yml | 4 ++--
 .github/workflows/preview-build.yml | 8 ++++----
 .github/workflows/preview-deploy.yml | 12 ++++++------
 .github/workflows/preview-start.yml | 2 +-
 .github/workflows/react-doctor.yml | 8 ++++----
 10 files changed, 40 insertions(+), 31 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 7565faa7..659caf63 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -10,4 +10,13 @@ updates:
 groups:
 dependencies:
 patterns:
- - '*'
\ No newline at end of file
+ - '*'
+
+ - package-ecosystem: 'github-actions'
+ directory: '/'
+ schedule:
+ interval: 'weekly'
+ groups:
+ github-actions:
+ patterns:
+ - '*'
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b2abf452..e3e9b309 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,8 +9,8 @@ jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
- - uses: actions/setup-node@v5
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
 with:
 node-version: 20
 - run: npm ci
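Review bot: The new `github-actions` entry depends on the trailing `# vN` comment after each SHA in the workflow hunks — that comment is what Dependabot reads to know which release a pinned SHA corresponds to — yet nothing in this block or in the workflows says so, and a later edit that drops the comment silently stops updates for that step. Suggest a comment above the new entry: `# SHA-pinned actions: Dependabot reads the trailing '# vN' comment to track the version; keep it when editing uses: lines`. Grouping every action into one weekly PR also means the reviewer of that PR has to verify each new SHA against its upstream tag individually, so a short comment on the `github-actions` group recording that expectation would help.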
@@ -23,13 +23,13 @@ jobs:
 node_version: [20]
 os: [ubuntu-latest, windows-latest, macOS-latest]
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Use Node.js ${{ matrix.node_version }}
- uses: actions/setup-node@v5
+ uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
 with:
 node-version: ${{ matrix.node_version }}
 - run: echo ${{github.ref}}
- - uses: utooland/setup-utoo@v1
+ - uses: utooland/setup-utoo@3a51006d0b66afcc32d1b9177a4b200b74f4a8cb # v1
 with:
 cache-utoo: false
 - run: ut
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index c4302e6b..b6ec6ed1 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -9,13 +9,13 @@ jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Use Node.js 20
- uses: actions/setup-node@v5
+ uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
 with:
 node-version: 20
 - run: echo ${{github.ref}}
- - uses: utooland/setup-utoo@v1
+ - uses: utooland/setup-utoo@3a51006d0b66afcc32d1b9177a4b200b74f4a8cb # v1
 - run: ut
 - run: ut test:coverage
- - uses: codecov/codecov-action@v5
+ - uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 5006e586..34f31627 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -15,16 +15,16 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- - uses: utooland/setup-utoo@v1
+ - uses: utooland/setup-utoo@3a51006d0b66afcc32d1b9177a4b200b74f4a8cb # v1
 - run: ut
 - name: Set COMMIT_HASH
 run: echo "COMMIT_HASH=${{ github.sha }}" >> $GITHUB_ENV
 - run: ut build
 - name: Deploy to GitHub Pages
- uses: peaceiris/actions-gh-pages@v4
+ uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 publish_dir: ./dist
diff --git a/.github/workflows/emoji-helper.yml b/.github/workflows/emoji-helper.yml
index da62d3e7..e499ba24 100644
--- a/.github/workflows/emoji-helper.yml
+++ b/.github/workflows/emoji-helper.yml
@@ -11,7 +11,7 @@ jobs:
 emoji:
 runs-on: ubuntu-latest
 steps:
- - uses: actions-cool/emoji-helper@v1.0.0
+ - uses: actions-cool/emoji-helper@040b841cb25e2e6f50151c73b5ce12fee57019d2 # v1.0.0
 with:
 type: 'release'
 emoji: '+1, laugh, heart, hooray, rocket, eyes'
diff --git a/.github/workflows/issue-labeled.yml b/.github/workflows/issue-labeled.yml
index e4a7fa6d..c9a1d061 100644
--- a/.github/workflows/issue-labeled.yml
+++ b/.github/workflows/issue-labeled.yml
@@ -13,7 +13,7 @@ jobs:
 steps:
 - name: help wanted
 if: github.event.label.name == '❤️ help wanted' || github.event.label.name == '🤝Welcome PR'
- uses: actions-cool/issues-helper@v1.11
+ uses: actions-cool/issues-helper@v1.11 # repo blocked, unable to pin to SHA
 with:
 actions: 'create-comment'
 token: ${{ secrets.GITHUB_TOKEN }}
@@ -27,7 +27,7 @@ jobs:
 - name: Need Reproduce
 if: github.event.label.name == '🤔 Need Reproduce'
- uses: actions-cool/issues-helper@v1.11
+ uses: actions-cool/issues-helper@v1.11 # repo blocked, unable to pin to SHA
 with:
 actions: 'create-comment'
 token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/preview-build.yml b/.github/workflows/preview-build.yml
index 6568c6f3..2ac4e77c 100644
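Review bot: `actions-cool/issues-helper@v1.11` stays on a mutable tag in both hunks of this file, and the same holds for `actions-cool/maintain-one-comment@v1.2.1` in the four preview-deploy hunks and in preview-start.yml, each of which also receives `secrets.GITHUB_TOKEN`; the added `# repo blocked, unable to pin to SHA` comment records the outcome but not what blocked it or when to retry. A comment that can be acted on would be `# TODO(security): mutable tag — SHA pin failed because <reason>; retry or track in <issue-id>` (placeholders to fill in). Whether these jobs carry a restricted `permissions:` block is not visible in the hunks; confirm the token is scoped to the `issues: write` / `pull-requests: write` these steps need, since they run unpinned third-party code with it.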
--- a/.github/workflows/preview-build.yml
+++ b/.github/workflows/preview-build.yml
@@ -12,18 +12,18 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 ref: ${{ github.event.pull_request.head.sha }}
- - uses: utooland/setup-utoo@v1
+ - uses: utooland/setup-utoo@3a51006d0b66afcc32d1b9177a4b200b74f4a8cb # v1
 - run: ut
 - name: Set COMMIT_HASH
 run: echo "COMMIT_HASH=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV
 - run: ut build
 - name: upload dist artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: dist
 path: dist/
@@ -35,7 +35,7 @@ jobs:
 - name: Upload PR number
 if: ${{ always() }}
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: pr
 path: ./pr-id.txt
diff --git a/.github/workflows/preview-deploy.yml b/.github/workflows/preview-deploy.yml
index 16e35d52..35536ec5 100644
--- a/.github/workflows/preview-deploy.yml
+++ b/.github/workflows/preview-deploy.yml
@@ -19,7 +19,7 @@ jobs:
 if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
 steps:
 - name: download pr artifact
- uses: dawidd6/action-download-artifact@v6
+ uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6
 with:
 workflow: ${{ github.event.workflow_run.workflow_id }}
 name: pr
@@ -36,7 +36,7 @@ jobs:
 echo "id=$PR_ID" >> "$GITHUB_OUTPUT"
 - name: download dist artifact
- uses: dawidd6/action-download-artifact@v6
+ uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6
 with:
 workflow: ${{ github.event.workflow_run.workflow_id }}
 workflow_conclusion: success
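Review bot: The pinned `actions/checkout` step still checks out `github.event.pull_request.head.sha` and the job then runs `ut` and `ut build` on that code, which is only safe under a `pull_request` trigger (no repository secrets, read-only token); the `on:` block is outside the hunk, so confirm it is not `pull_request_target`. If it is `pull_request`, a one-line comment beside the step, `# PR head is untrusted code; this workflow must stay on pull_request (no secrets)`, would keep that invariant from being lost in a later edit.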
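Review bot: Pinning `dawidd6/action-download-artifact` fixes which action code runs, but the `pr` artifact it fetches was produced by the pull request's own build, so the value written by `echo "id=$PR_ID" >> "$GITHUB_OUTPUT"` is text supplied by the PR via `pr-id.txt`; the same line recurs in the `@@ -101,7` hunk. The run block that populates `PR_ID` starts before this hunk; before the echo add `[[ "$PR_ID" =~ ^[0-9]+$ ]] || { echo "invalid pr id" >&2; exit 1; }` so a crafted file cannot inject newlines or extra keys into `$GITHUB_OUTPUT` or reach the later steps that presumably build the deploy domain and the comment from this id.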
@@ -49,7 +49,7 @@ jobs:
 npx surge --project ./ --domain $DEPLOY_DOMAIN --token ${{ secrets.SURGE_TOKEN }}
 - name: update status comment
- uses: actions-cool/maintain-one-comment@v1.2.1
+ uses: actions-cool/maintain-one-comment@v1.2.1 # repo blocked, unable to pin to SHA
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 body: |
@@ -63,7 +63,7 @@ jobs:
 - name: The job failed
 if: ${{ failure() }}
- uses: actions-cool/maintain-one-comment@v1.2.1
+ uses: actions-cool/maintain-one-comment@v1.2.1 # repo blocked, unable to pin to SHA
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 body: |
@@ -84,7 +84,7 @@ jobs:
 if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'failure'
 steps:
 - name: download pr artifact
- uses: dawidd6/action-download-artifact@v6
+ uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6
 with:
 workflow: ${{ github.event.workflow_run.workflow_id }}
 name: pr
@@ -101,7 +101,7 @@ jobs:
 echo "id=$PR_ID" >> "$GITHUB_OUTPUT"
 - name: The job failed
- uses: actions-cool/maintain-one-comment@v1.2.1
+ uses: actions-cool/maintain-one-comment@v1.2.1 # repo blocked, unable to pin to SHA
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 body: |
diff --git a/.github/workflows/preview-start.yml b/.github/workflows/preview-start.yml
index 39f561d1..3a978e23 100644
--- a/.github/workflows/preview-start.yml
+++ b/.github/workflows/preview-start.yml
@@ -13,7 +13,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: create
- uses: actions-cool/maintain-one-comment@v1.2.1
+ uses: actions-cool/maintain-one-comment@v1.2.1 # repo blocked, unable to pin to SHA
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 body: |
diff --git a/.github/workflows/react-doctor.yml b/.github/workflows/react-doctor.yml
index 31d448d2..893ae8e0 100644
--- a/.github/workflows/react-doctor.yml
+++ b/.github/workflows/react-doctor.yml
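Review bot: The deploy line `npx surge --project ./ --domain $DEPLOY_DOMAIN --token ${{ secrets.SURGE_TOKEN }}` is only context here, but it undercuts what this commit sets out to do: `surge` is resolved from the npm registry at run time with no version, so the deploy token is handed to whatever package the registry serves that day. Pin it the same way the actions now are, `npx surge@<pinned-version>` (placeholder for the audited version), and pass the secret through `env:` as `SURGE_TOKEN: ${{ secrets.SURGE_TOKEN }}` with `--token "$SURGE_TOKEN"` rather than expanding the expression into the command text. The run block this line belongs to starts before the hunk.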
@@ -10,11 +10,11 @@ jobs:
 react-doctor:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
- - uses: actions/setup-node@v5
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
 with:
 node-version: 22
- - uses: millionco/react-doctor@main
+ - uses: millionco/react-doctor@6543a86f9dfe86c894bd71361fc2c46d8d9c967d # main
 with:
 diff: true
- github-token: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
+ github-token: ${{ secrets.GITHUB_TOKEN }}
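Review bot: `millionco/react-doctor@6543a86f9dfe86c894bd71361fc2c46d8d9c967d # main` pins to a branch head rather than a release, so the trailing comment names nothing that can be compared against an upstream tag, and it is unclear whether Dependabot will track a branch name from that comment the way it tracks `# vN` tags. If upstream publishes tags, pin to one; otherwise make the comment state what was audited, e.g. `# main as of <date>; no release tags published upstream` (placeholder date). The step hands `secrets.GITHUB_TOKEN` to this third-party action and the job's `permissions:` block is outside the hunk — confirm it is scoped to what `diff: true` needs.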