From 9d2c7fb647b8e7444116c0a2963965ba9725c2d1 Mon Sep 17 00:00:00 2001 From: dagecko Date: Sat, 28 Mar 2026 01:18:31 -0400 Subject: [PATCH 1/7] fix: pin 6 actions to commit SHA, extract 12 expressions to env vars --- .github/workflows/code-simplifier.lock.yml | 6 ++++-- .github/workflows/cron-weekly.yml | 7 +++++-- .../workflows/duplicate-code-detector.lock.yml | 6 ++++-- .github/workflows/generate-sandboxes.yml | 8 ++++++-- .github/workflows/handle-release-branches.yml | 15 +++++++++++---- .github/workflows/nx.yml | 6 ++++-- .github/workflows/publish.yml | 6 ++++-- .github/workflows/triage.yml | 2 +- .github/workflows/trigger-circle-ci-workflow.yml | 2 +- 9 files changed, 40 insertions(+), 18 deletions(-) diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index f13e0e0ef6af..3c18b4305509 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -291,13 +291,14 @@ jobs: env: REPO_NAME: ${{ github.repository }} SERVER_URL: ${{ github.server_url }} + GITHUB_TOKEN: ${{ github.token }} run: | git config --global user.email "github-actions[bot]@users.noreply.github.com" git config --global user.name "github-actions[bot]" git config --global am.keepcr true # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Checkout PR branch id: checkout-pr 
@@ -715,13 +716,14 @@ jobs: env: REPO_NAME: ${{ github.repository }} SERVER_URL: ${{ github.server_url }} + GITHUB_TOKEN: ${{ github.token }} run: | git config --global user.email "github-actions[bot]@users.noreply.github.com" git config --global user.name "github-actions[bot]" git config --global am.keepcr true # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Copy Copilot session state files to logs if: always() diff --git a/.github/workflows/cron-weekly.yml b/.github/workflows/cron-weekly.yml index 26269d89f3ba..ddf4077f3051 100644 --- a/.github/workflows/cron-weekly.yml +++ b/.github/workflows/cron-weekly.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: gaurav-nelson/github-action-markdown-link-check@v1 + - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # v1 # checks all markdown files from important folders including all subfolders with: # only show errors that occur instead of successful links + errors @@ -25,4 +25,7 @@ jobs: - name: Send Discord Notification if: failure() # Only run this step if previous steps failed run: | - curl -H "Content-Type: application/json" -X POST -d '{"content":"The Markdown Links Check workflow has failed in the repository: [storybook]"}' ${{ secrets.DISCORD_MONITORING_URL }} + curl -H "Content-Type: application/json" -X POST -d '{"content":"The Markdown Links Check workflow has failed in the repository: [storybook]"}' ${DISCORD_MONITORING_URL} + + env: + DISCORD_MONITORING_URL: ${{ secrets.DISCORD_MONITORING_URL }} \ No newline at end of file 
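Review bot: The version comment on the new pin in the `@@ -13,7 +13,7 @@` hunk of cron-weekly.yml, `# v1` after the `gaurav-nelson/github-action-markdown-link-check` SHA, names a moving major tag, so it does not record which release the SHA was taken from and a reviewer cannot match SHA to tag from the file alone. Write the exact release in the comment, e.g. `# v1.2.3` (constructed example), so update tooling and humans can verify and bump the pair together. The same holds for the `# v4`, `# v3` and `# v1` comments in nx.yml, publish.yml and trigger-circle-ci-workflow.yml; `# release` in handle-release-branches.yml refers to a branch, so that pin will only move when someone updates it by hand. Nothing on this page shows how the SHAs were obtained, so each should be confirmed against the upstream repository's own tags before merging.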
diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index ddc15bcdc28b..0487e221a3bd 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -284,13 +284,14 @@ jobs: env: REPO_NAME: ${{ github.repository }} SERVER_URL: ${{ github.server_url }} + GITHUB_TOKEN: ${{ github.token }} run: | git config --global user.email "github-actions[bot]@users.noreply.github.com" git config --global user.name "github-actions[bot]" git config --global am.keepcr true # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Checkout PR branch id: checkout-pr @@ -713,13 +714,14 @@ jobs: env: REPO_NAME: ${{ github.repository }} SERVER_URL: ${{ github.server_url }} + GITHUB_TOKEN: ${{ github.token }} run: | git config --global user.email "github-actions[bot]@users.noreply.github.com" git config --global user.name "github-actions[bot]" git config --global am.keepcr true # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Copy Copilot session state files to logs if: always() diff --git a/.github/workflows/generate-sandboxes.yml b/.github/workflows/generate-sandboxes.yml index f2039c66a1ee..a33ddab81483 100644 --- a/.github/workflows/generate-sandboxes.yml +++ b/.github/workflows/generate-sandboxes.yml 
@@ -81,7 +81,9 @@ jobs: - name: Publish # publish sandboxes even if the generation fails, as some sandboxes might have been generated successfully if: ${{ !cancelled() }} - run: yarn publish-sandboxes --remote=https://storybook-bot:${{ secrets.PAT_STORYBOOK_BOT }}@github.com/storybookjs/sandboxes.git --push --branch=next + run: yarn publish-sandboxes --remote=https://storybook-bot:${PAT_STORYBOOK_BOT}@github.com/storybookjs/sandboxes.git --push --branch=next + env: + PAT_STORYBOOK_BOT: ${{ secrets.PAT_STORYBOOK_BOT }} - name: Report failure to Discord if: failure() @@ -150,7 +152,9 @@ jobs: - name: Publish # publish sandboxes even if the generation fails, as some sandboxes might have been generated successfully if: ${{ !cancelled() }} - run: yarn publish-sandboxes --remote=https://storybook-bot:${{ secrets.PAT_STORYBOOK_BOT }}@github.com/storybookjs/sandboxes.git --push --branch=main + run: yarn publish-sandboxes --remote=https://storybook-bot:${PAT_STORYBOOK_BOT}@github.com/storybookjs/sandboxes.git --push --branch=main + env: + PAT_STORYBOOK_BOT: ${{ secrets.PAT_STORYBOOK_BOT }} - name: Report failure to Discord if: failure() diff --git a/.github/workflows/handle-release-branches.yml b/.github/workflows/handle-release-branches.yml index 021ed04934ff..57bc62f7ce0b 100644 --- a/.github/workflows/handle-release-branches.yml +++ b/.github/workflows/handle-release-branches.yml @@ -10,8 +10,10 @@ jobs: steps: - id: get-branch run: | - BRANCH=($(echo ${{ github.ref }} | sed -E 's/refs\/heads\///')) + BRANCH=($(echo ${GIT_REF} | sed -E 's/refs\/heads\///')) echo "branch=$BRANCH" >> $GITHUB_ENV + env: + GIT_REF: ${{ github.ref }} outputs: branch: ${{ env.branch }} is-latest-branch: ${{ env.branch == 'main' }} 
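Review bot: The PAT still reaches `yarn publish-sandboxes` as part of a command-line argument, because the shell expands `${PAT_STORYBOOK_BOT}` into `--remote=https://storybook-bot:…@github.com/…` before the process starts. Moving the secret to `env:` removes the expression interpolation but not that exposure. Depending on how the script uses the remote (not visible here), the credentialed URL may also end up in the checkout's git config. Consider having the script read `PAT_STORYBOOK_BOT` from its environment and passing a credential-free remote, `--remote=https://github.com/storybookjs/sandboxes.git`. The second Publish step in the `@@ -150,7 +152,9 @@` hunk has the same shape.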
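Review bot: In the `get-branch` step, `BRANCH=($(echo ${GIT_REF} | sed -E …))` builds a one-element array from an unquoted command substitution only to strip a prefix, and the next line appends to an unquoted `$GITHUB_ENV`. For branch refs a parameter expansion does the same job without a subshell or word splitting: `BRANCH="${GIT_REF#refs/heads/}"` followed by `echo "branch=$BRANCH" >> "$GITHUB_ENV"`. The later commit in this series that quotes `"${GIT_REF}"` keeps the array form, so the point applies there too. The rest of the job lies outside the hunk.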
@@ -26,7 +28,9 @@ jobs: steps: - uses: actions/checkout@v4 - - run: curl -X POST "https://api.netlify.com/build_hooks/${{ secrets.FRONTPAGE_HOOK }}" + - run: curl -X POST "https://api.netlify.com/build_hooks/${FRONTPAGE_HOOK}" + env: + FRONTPAGE_HOOK: ${{ secrets.FRONTPAGE_HOOK }} get-next-release-branch: needs: branch-checks @@ -39,7 +43,7 @@ jobs: path: next - id: next-version - uses: notiz-dev/github-action-json-property@release + uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # release with: path: ${{ github.workspace }}/next/code/package.json prop_path: version @@ -97,5 +101,8 @@ jobs: run: | curl -X POST https://api.github.com/repos/storybookjs/frontpage/dispatches \ -H 'Accept: application/vnd.github.v3+json' \ - -u ${{ secrets.FRONTPAGE_ACCESS_TOKEN }} \ + -u ${FRONTPAGE_ACCESS_TOKEN} \ --data '{"event_type": "request-create-frontpage-branch", "client_payload": { "branch": "${{ needs.create-next-release-branch.outputs.branch || needs.branch-checks.outputs.branch }}" }}' + + env: + FRONTPAGE_ACCESS_TOKEN: ${{ secrets.FRONTPAGE_ACCESS_TOKEN }} \ No newline at end of file diff --git a/.github/workflows/nx.yml b/.github/workflows/nx.yml index f3b048a2122a..cc0db2352f28 100644 --- a/.github/workflows/nx.yml +++ b/.github/workflows/nx.yml @@ -51,7 +51,7 @@ jobs: fi fi - if [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" == "refs/heads/next" ]]; then + if [[ "${{ github.event_name }}" == "push" && "${GIT_REF}" == "refs/heads/next" ]]; then tags="merged" fi @@ -60,6 +60,8 @@ jobs: fi echo "tag=$tags" >> "$GITHUB_OUTPUT" + env: + GIT_REF: ${{ github.ref }} - name: Select distribution config id: dist run: | @@ -91,7 +93,7 @@ jobs: node-version: 22 cache: 'yarn' - run: yarn install --immutable - - uses: nrwl/nx-set-shas@v4 + - uses: nrwl/nx-set-shas@3e9ad7370203c1e93d109be57f3b72eb0eb511b1 # v4 - id: nx name: 'Run nx' run: | 
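Review bot: In the `@@ -97,5 +101,8 @@` hunk the `--data` line still pastes `${{ needs.create-next-release-branch.outputs.branch || needs.branch-checks.outputs.branch }}` into the single-quoted shell string, and that value appears to derive from the pushed ref via the `get-branch` step, so the one ref-derived input in this step is the one not moved to `env:`. A branch name containing a quote character would end the shell string early and would also yield invalid JSON. Pass it as `BRANCH: ${{ … }}` under `env:` and let a JSON encoder build the body, e.g. `--data "$(jq -nc --arg b "$BRANCH" '{event_type:"request-create-frontpage-branch",client_payload:{branch:$b}}')"`. The line is carried unchanged as context by the two later commits that touch this step, and the step itself begins above the hunk.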
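Review bot: In the nx.yml `@@ -51,7 +51,7 @@` hunk, `"${{ github.event_name }}"` is still interpolated into the script on the same `if [[ … ]]` line where `github.ref` was moved to `GIT_REF`. The event name is a fixed platform value, so the risk is low, but mixing both styles in one condition makes the "no expressions inside run" rule harder to audit. Pass it the same way: `EVENT_NAME: ${{ github.event_name }}` under the `env:` added in the next hunk, and compare `"${EVENT_NAME}" == "push"`. The run block starts before the hunk, so other interpolations above it could not be checked.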
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 8259f525d13e..3558fbe5b901 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -111,7 +111,9 @@ jobs: - name: Get target branch id: target - run: echo "target=${{ github.ref_name == 'next-release' && 'next' || 'main' }}" >> $GITHUB_OUTPUT + run: echo "target=${REF_NAME}" >> $GITHUB_OUTPUT + env: + REF_NAME: ${{ github.ref_name == 'next-release' && 'next' || 'main' }} - name: Get changelog for ${{ steps.version.outputs.current-version }} if: steps.publish-needed.outputs.published == 'false' @@ -203,7 +205,7 @@ jobs: - name: Create Sentry release if: steps.publish-needed.outputs.published == 'false' - uses: getsentry/action-release@v3 + uses: getsentry/action-release@dab6548b3c03c4717878099e43782cf5be654289 # v3 env: SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} SENTRY_ORG: ${{ secrets.SENTRY_ORG }} diff --git a/.github/workflows/triage.yml b/.github/workflows/triage.yml index af45b109da06..a48595626c20 100644 --- a/.github/workflows/triage.yml +++ b/.github/workflows/triage.yml @@ -18,7 +18,7 @@ jobs: if: github.repository_owner == 'storybookjs' runs-on: ubuntu-latest steps: - - uses: balazsorban44/nissuer@1.10.0 + - uses: balazsorban44/nissuer@92ef22afd6a75e5e588f5d689a1fd3433f596f82 # 1.10.0 with: label-comments: | { diff --git a/.github/workflows/trigger-circle-ci-workflow.yml b/.github/workflows/trigger-circle-ci-workflow.yml index 7b1cedda19f1..57fdbbdb6ae9 100644 --- a/.github/workflows/trigger-circle-ci-workflow.yml +++ b/.github/workflows/trigger-circle-ci-workflow.yml @@ -60,7 +60,7 @@ jobs: if: github.repository_owner == 'storybookjs' && needs.get-parameters.outputs.workflow != '' steps: - name: Trigger Normal tests - uses: fjogeleit/http-request-action@v1 + uses: fjogeleit/http-request-action@c0b95d02a088b47c1f2f4db04fd8af8bd19eee54 # v1 with: url: 'https://circleci.com/api/v2/project/gh/storybookjs/storybook/pipeline' method: 'POST' 
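Review bot: In the `Get target branch` step, `REF_NAME` does not hold the ref name: the new `env:` entry assigns it the result of `github.ref_name == 'next-release' && 'next' || 'main'`, which is the publish target. A later reader may take it for attacker-influenced input or reuse it as the branch name. Name it for what it carries and quote the output path while there: `TARGET: ${{ … }}` with `run: echo "target=${TARGET}" >> "$GITHUB_OUTPUT"`.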
From e76e466cd789e56ef5fe9bb27df7a559463634f1 Mon Sep 17 00:00:00 2001 From: dagecko Date: Sat, 28 Mar 2026 13:45:41 -0400 Subject: [PATCH 2/7] fix: quote env var references in run blocks Did some research into the CodeQL envvar-injection-critical guidance (https://codeql.github.com/codeql-query-help/actions/actions-envvar-injection-critical/) and wanted to add this additional change to prevent shell injection through attacker-controllable values like ref names and workflow inputs, and to prevent unexpected behavior from special characters in secret values. Before: echo ${REF_NAME} After: echo "${REF_NAME}" --- .github/workflows/generate-sandboxes.yml | 4 ++-- .github/workflows/handle-release-branches.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/generate-sandboxes.yml b/.github/workflows/generate-sandboxes.yml index a33ddab81483..1a8388a4042e 100644 --- a/.github/workflows/generate-sandboxes.yml +++ b/.github/workflows/generate-sandboxes.yml @@ -81,7 +81,7 @@ jobs: - name: Publish # publish sandboxes even if the generation fails, as some sandboxes might have been generated successfully if: ${{ !cancelled() }} - run: yarn publish-sandboxes --remote=https://storybook-bot:${PAT_STORYBOOK_BOT}@github.com/storybookjs/sandboxes.git --push --branch=next + run: yarn publish-sandboxes --remote="https://storybook-bot:${PAT_STORYBOOK_BOT}@github.com/storybookjs/sandboxes.git" --push --branch=next env: PAT_STORYBOOK_BOT: ${{ secrets.PAT_STORYBOOK_BOT }} 
@@ -152,7 +152,7 @@ jobs: - name: Publish # publish sandboxes even if the generation fails, as some sandboxes might have been generated successfully if: ${{ !cancelled() }} - run: yarn publish-sandboxes --remote=https://storybook-bot:${PAT_STORYBOOK_BOT}@github.com/storybookjs/sandboxes.git --push --branch=main + run: yarn publish-sandboxes --remote="https://storybook-bot:${PAT_STORYBOOK_BOT}@github.com/storybookjs/sandboxes.git" --push --branch=main env: PAT_STORYBOOK_BOT: ${{ secrets.PAT_STORYBOOK_BOT }} diff --git a/.github/workflows/handle-release-branches.yml b/.github/workflows/handle-release-branches.yml index 57bc62f7ce0b..fa0088f84f35 100644 --- a/.github/workflows/handle-release-branches.yml +++ b/.github/workflows/handle-release-branches.yml @@ -10,7 +10,7 @@ jobs: steps: - id: get-branch run: | - BRANCH=($(echo ${GIT_REF} | sed -E 's/refs\/heads\///')) + BRANCH=($(echo "${GIT_REF}" | sed -E 's/refs\/heads\///')) echo "branch=$BRANCH" >> $GITHUB_ENV env: GIT_REF: ${{ github.ref }} @@ -101,7 +101,7 @@ jobs: run: | curl -X POST https://api.github.com/repos/storybookjs/frontpage/dispatches \ -H 'Accept: application/vnd.github.v3+json' \ - -u ${FRONTPAGE_ACCESS_TOKEN} \ + -u "${FRONTPAGE_ACCESS_TOKEN}" \ --data '{"event_type": "request-create-frontpage-branch", "client_payload": { "branch": "${{ needs.create-next-release-branch.outputs.branch || needs.branch-checks.outputs.branch }}" }}' env: From 84d4214d2738f49cf2d094d315aef833e8bd0467 Mon Sep 17 00:00:00 2001 From: dagecko Date: Sat, 28 Mar 2026 13:46:40 -0400 Subject: [PATCH 3/7] fix: quote remaining env var reference in cron-weekly.yml --- .github/workflows/cron-weekly.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cron-weekly.yml b/.github/workflows/cron-weekly.yml index ddf4077f3051..4862352e4c2e 100644 --- a/.github/workflows/cron-weekly.yml +++ b/.github/workflows/cron-weekly.yml 
@@ -25,7 +25,7 @@ jobs: - name: Send Discord Notification if: failure() # Only run this step if previous steps failed run: | - curl -H "Content-Type: application/json" -X POST -d '{"content":"The Markdown Links Check workflow has failed in the repository: [storybook]"}' ${DISCORD_MONITORING_URL} + curl -H "Content-Type: application/json" -X POST -d '{"content":"The Markdown Links Check workflow has failed in the repository: [storybook]"}' "${DISCORD_MONITORING_URL}" env: DISCORD_MONITORING_URL: ${{ secrets.DISCORD_MONITORING_URL }} \ No newline at end of file From 9074db144405e3fe291615c2fab9907c33f82a2b Mon Sep 17 00:00:00 2001 From: Chris Nyhuis Date: Tue, 31 Mar 2026 12:30:13 -0400 Subject: [PATCH 4/7] fix: pin actions/checkout to commit SHA in cron-weekly.yml --- .github/workflows/cron-weekly.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cron-weekly.yml b/.github/workflows/cron-weekly.yml index 4862352e4c2e..d1b80e73b95c 100644 --- a/.github/workflows/cron-weekly.yml +++ b/.github/workflows/cron-weekly.yml @@ -12,7 +12,7 @@ jobs: if: github.repository_owner == 'storybookjs' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # v1 # checks all markdown files from important folders including all subfolders with: From 4d140ee18211f4973864d9ccf2422827f494c718 Mon Sep 17 00:00:00 2001 From: dagecko Date: Thu, 23 Apr 2026 06:45:48 -0400 Subject: [PATCH 5/7] revert: restore code-simplifier.lock.yml to upstream (auto-generated by gh-aw) --- .github/workflows/code-simplifier.lock.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index 3c18b4305509..f13e0e0ef6af 100644 --- a/.github/workflows/code-simplifier.lock.yml 
+++ b/.github/workflows/code-simplifier.lock.yml @@ -291,14 +291,13 @@ jobs: env: REPO_NAME: ${{ github.repository }} SERVER_URL: ${{ github.server_url }} - GITHUB_TOKEN: ${{ github.token }} run: | git config --global user.email "github-actions[bot]@users.noreply.github.com" git config --global user.name "github-actions[bot]" git config --global am.keepcr true # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Checkout PR branch id: checkout-pr @@ -716,14 +715,13 @@ jobs: env: REPO_NAME: ${{ github.repository }} SERVER_URL: ${{ github.server_url }} - GITHUB_TOKEN: ${{ github.token }} run: | git config --global user.email "github-actions[bot]@users.noreply.github.com" git config --global user.name "github-actions[bot]" git config --global am.keepcr true # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Copy Copilot session state files to logs if: always() From 20889fc94ab7180fada0e4a719aceaa90b7afc27 Mon Sep 17 00:00:00 2001 From: dagecko Date: Thu, 23 Apr 2026 06:45:59 -0400 Subject: [PATCH 6/7] revert: restore duplicate-code-detector.lock.yml to upstream (auto-generated by gh-aw) --- .github/workflows/duplicate-code-detector.lock.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) 
diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 0487e221a3bd..ddc15bcdc28b 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -284,14 +284,13 @@ jobs: env: REPO_NAME: ${{ github.repository }} SERVER_URL: ${{ github.server_url }} - GITHUB_TOKEN: ${{ github.token }} run: | git config --global user.email "github-actions[bot]@users.noreply.github.com" git config --global user.name "github-actions[bot]" git config --global am.keepcr true # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Checkout PR branch id: checkout-pr @@ -714,14 +713,13 @@ jobs: env: REPO_NAME: ${{ github.repository }} SERVER_URL: ${{ github.server_url }} - GITHUB_TOKEN: ${{ github.token }} run: | git config --global user.email "github-actions[bot]@users.noreply.github.com" git config --global user.name "github-actions[bot]" git config --global am.keepcr true # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Copy Copilot session state files to logs if: always() From 486a136f5acfc435cbdfd142422e5c67101df58f Mon Sep 17 00:00:00 2001 
From: dagecko Date: Thu, 23 Apr 2026 06:46:08 -0400 Subject: [PATCH 7/7] fix: pin actions/checkout to SHA in handle-release-branches.yml, add trailing newline --- .github/workflows/handle-release-branches.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/handle-release-branches.yml b/.github/workflows/handle-release-branches.yml index fa0088f84f35..587bc8178055 100644 --- a/.github/workflows/handle-release-branches.yml +++ b/.github/workflows/handle-release-branches.yml @@ -26,7 +26,7 @@ jobs: if: ${{ needs.branch-checks.outputs.is-latest-branch == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - run: curl -X POST "https://api.netlify.com/build_hooks/${FRONTPAGE_HOOK}" env: @@ -37,7 +37,7 @@ jobs: if: ${{ needs.branch-checks.outputs.is-next-branch == 'true' || needs.branch-checks.outputs.is-release-branch == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: next path: next @@ -59,7 +59,7 @@ jobs: if: ${{ needs.branch-checks.outputs.is-next-branch == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 @@ -105,4 +105,4 @@ jobs: --data '{"event_type": "request-create-frontpage-branch", "client_payload": { "branch": "${{ needs.create-next-release-branch.outputs.branch || needs.branch-checks.outputs.branch }}" }}' env: - FRONTPAGE_ACCESS_TOKEN: ${{ secrets.FRONTPAGE_ACCESS_TOKEN }} \ No newline at end of file + FRONTPAGE_ACCESS_TOKEN: ${{ secrets.FRONTPAGE_ACCESS_TOKEN }}