diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index c7d26618..87026f24 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -220,7 +220,7 @@ jobs: - name: Check if we need to install browsers id: browsers - uses: actions/github-script@v7 + uses: actions/github-script@v8 with: script: | const { existsSync } = require('fs'); diff --git a/.github/workflows/notify-main-branch-failure.yaml b/.github/workflows/notify-main-branch-failure.yaml index 3c74a5bd..2d09c743 100644 --- a/.github/workflows/notify-main-branch-failure.yaml +++ b/.github/workflows/notify-main-branch-failure.yaml @@ -31,7 +31,7 @@ jobs: if [ -z "${{ secrets.SLACK_BOT_TOKEN }}" ] then # shellcheck disable=SC1111 - echo "::error::Missing secret SLACK_BOT_TOKEN. Go to https://api.slack.com/apps/, create a bot, go to “OAuth & Permissions”. Add chate:write permission and grab a token." + echo "::error::Missing secret SLACK_BOT_TOKEN. Go to https://api.slack.com/apps/, create a bot, go to “OAuth & Permissions”. Add chat:write permission and grab a token." exit_code=78 fi diff --git a/.github/workflows/ref-comment-in-commit.yaml b/.github/workflows/ref-comment-in-commit.yaml new file mode 100644 index 00000000..d703a3a0 --- /dev/null +++ b/.github/workflows/ref-comment-in-commit.yaml @@ -0,0 +1,22 @@ +name: 'Ref Comment in Commit' + +# Make it possible to reference a GH comment in a commit message. +# +# This file has been created from +# https://github.com/verkstedt/.github/blob/main/workflow-templates/ref-comment-in-commit.yaml +# +# IF YOU MODIFY IT IN ANY WAY, DESCRIBE IT IN THE COMMENT HERE +# to make updating in the future easier. + +on: + push: + +jobs: + ref-comments: + name: 'Ref Comment in Commit' + runs-on: ubuntu-latest + steps: + - name: 'Ref Comment in Commit' + uses: 'verkstedt/actions/ref-comment-in-commit@v1' + with: + token: ${{ secrets.GITHUB_TOKEN }} 
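Review bot: The new workflow declares no `permissions:` block, so the `GITHUB_TOKEN` handed to `verkstedt/actions/ref-comment-in-commit@v1` carries whatever the repository's default token permissions are, and the action is referenced by a mutable `v1` tag rather than a commit SHA, so a tag move upstream would run different code with that token on every push. Add a top-level block granting only what the action documents it needs — presumably `contents: read` plus a comment-write scope, to be confirmed against the action's README — e.g. `permissions:` / `  contents: read`, and pin the step as `uses: 'verkstedt/actions/ref-comment-in-commit@<full-commit-sha> # v1'`. The header comment asks that local modifications be described there, so record both changes in it. `on: push:` with no branch filter also runs this job on every branch and tag push, which may be intended but is worth stating in that same comment.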
diff --git a/.github/workflows/reusable-release.yml b/.github/workflows/reusable-release.yml index ebd7a31c..1d5e3d20 100644 --- a/.github/workflows/reusable-release.yml +++ b/.github/workflows/reusable-release.yml @@ -21,7 +21,7 @@ jobs: version: ${{ steps.version.outputs.version }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: ref: master @@ -33,7 +33,7 @@ jobs: - name: Determine Version id: version - uses: actions/github-script@v7 + uses: actions/github-script@v8 with: script: | // If version was provided in input, use that @@ -62,7 +62,7 @@ jobs: } - name: Generate Notes and Create Release - uses: actions/github-script@v7 + uses: actions/github-script@v8 env: VERSION: ${{ steps.version.outputs.version }} COMMIT: ${{ steps.commit_details.outputs.commit }} diff --git a/.github/workflows/reusable-tag-docker-release-images.yml b/.github/workflows/reusable-tag-docker-release-images.yml index 2e6afbbe..7c039eda 100644 --- a/.github/workflows/reusable-tag-docker-release-images.yml +++ b/.github/workflows/reusable-tag-docker-release-images.yml @@ -19,7 +19,7 @@ jobs: id: release_details env: RELEASE_ID: ${{ inputs.release_id }} - uses: actions/github-script@v7 + uses: actions/github-script@v8 with: script: | let releaseId = process.env.RELEASE_ID; @@ -115,7 +115,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Login to GitHub Container Registry uses: docker/login-action@v3 @@ -126,7 +126,7 @@ jobs: - name: Authenticate to Google Cloud id: google_auth - uses: google-github-actions/auth@v2 + uses: google-github-actions/auth@v3 with: token_format: access_token project_id: ${{ secrets.GOOGLE_PROJECT_ID }} diff --git a/setup/action.yaml b/setup/action.yaml index e60f19f2..a793e416 100644 --- a/setup/action.yaml +++ b/setup/action.yaml 
@@ -19,18 +19,21 @@ outputs: scripts: description: "Comma–separated list of available npm scripts. Includes comma at the beginning and the end, so you can use contains(needs.setup.outputs.scripts, ',script-name,')" value: ${{ steps.scripts.outputs.scripts }} + package-manager: + description: 'Detected package manager (npm or yarn)' + value: ${{ steps.package-manager.outputs.package-manager }} runs: using: composite steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: fetch-depth: ${{ inputs.fetch-depth }} ref: ${{ github.event.pull_request.head.ref || github.ref }} - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v5 with: node-version-file: '${{ inputs.working-directory }}/.nvmrc' @@ -83,6 +86,22 @@ runs: run: | echo "//npm.pkg.github.com/:_authToken=${{ inputs.github-npm-registry-personal-access-token }}" >> ~/.npmrc + - name: Determine package manager + id: package-manager + working-directory: ${{ inputs.working-directory }} + shell: bash + run: | + if [ -e "yarn.lock" ] + then + echo "package-manager=yarn" >> "$GITHUB_OUTPUT" + elif [ -e "package-lock.json" ] + then + echo "package-manager=npm" >> "$GITHUB_OUTPUT" + else + echo "ERROR: Could not determine package manager. Neither package-lock.json nor yarn.lock found." >&2 + exit 66 # EX_NOINPUT + fi + - name: Install dependencies if: steps.cache.outputs.cache-hit != 'true' working-directory: ${{ inputs.working-directory }} 
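Review bot: In the new "Determine package manager" step, a checkout that contains both `yarn.lock` and `package-lock.json` silently resolves to yarn because the `yarn.lock` branch is tested first, so a stale `package-lock.json` is never noticed and the npm-only steps keyed on this output are skipped without any signal. Fail fast when both lockfiles are present, and test with `-f` rather than `-e` so a stray directory named like a lockfile does not count as one. The `Install dependencies` step that consumes this output continues outside the hunk.

```yaml
run: |
  if [ -f "yarn.lock" ] && [ -f "package-lock.json" ]
  then
    echo "ERROR: Both yarn.lock and package-lock.json found. Remove the one that is not in use." >&2
    exit 65 # EX_DATAERR
  elif [ -f "yarn.lock" ]
  then
    # … unchanged: emit package-manager=yarn …
  elif [ -f "package-lock.json" ]
  then
    # … unchanged: emit package-manager=npm …
  # … unchanged: else branch (exit 66) …
  fi
```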
@@ -96,13 +115,23 @@ runs: export GH_REGISTRY_TOKEN="$GITHUB_NPM_REGISTRY_PERSONAL_ACCESS_TOKEN" fi - if [ -e "yarn.lock" ] + if [ "${{ steps.package-manager.outputs['package-manager'] }}" = "yarn" ] then yarn install --immutable else npm ci fi + - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies + if: steps.cache.outputs.cache-hit != 'true' && steps.package-manager.outputs['package-manager'] == 'npm' + working-directory: ${{ inputs.working-directory }} + shell: bash + run: | + if [ 0 -lt "$( jq -r '( .dependencies + .devDependencies ) // {} | to_entries | length' package.json )" ] + then + npm audit signatures + fi + - name: Run prepare npm script if: > steps.cache.outputs.cache-hit == 'true'
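Review bot: The new signature-verification step is skipped whenever `steps.cache.outputs.cache-hit == 'true'`, so a `node_modules` restored from cache — including one cached by a run that predates this step — is trusted without ever being checked; `npm audit signatures` inspects the installed tree and fetches the registry's public keys, so it is cheap enough to run on every invocation by dropping `steps.cache.outputs.cache-hit != 'true' &&` from its `if:`. The `jq` guard counts only `dependencies` and `devDependencies`, while `npm ci` also installs `optionalDependencies`, so a manifest with only optional deps would skip verification; `( .dependencies + .devDependencies + .optionalDependencies ) // {}` covers it. There is no equivalent check on the yarn branch — `yarn install --immutable` only pins the lockfile — which deserves a comment on the step such as `# Yarn has no equivalent of 'npm audit signatures'; the yarn path relies on lockfile immutability only.` so the gap is explicit. Whether packages pulled from the `npm.pkg.github.com` registry configured in the earlier `.npmrc` step carry verifiable signatures is not visible here; confirm how the command treats packages from a registry that publishes no signing keys, since those may be silently excluded from verification.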