chore: Update third party actions

.github/workflows/ci.yaml

@@ -220,7 +220,7 @@ jobs:
 
       - name: Check if we need to install browsers
         id: browsers
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             const { existsSync } = require('fs');

.github/workflows/notify-main-branch-failure.yaml

@@ -31,7 +31,7 @@ jobs:
           if [ -z "${{ secrets.SLACK_BOT_TOKEN }}" ]
           then
             # shellcheck disable=SC1111
-            echo "::error::Missing secret SLACK_BOT_TOKEN. Go to https://api.slack.com/apps/, create a bot, go to “OAuth & Permissions”. Add chate:write permission and grab a token."
+            echo "::error::Missing secret SLACK_BOT_TOKEN. Go to https://api.slack.com/apps/, create a bot, go to “OAuth & Permissions”. Add chat:write permission and grab a token."
             exit_code=78
           fi
 

.github/workflows/ref-comment-in-commit.yaml

@@ -0,0 +1,22 @@
+name: 'Ref Comment in Commit'
+
+# Make it possible to reference a GH comment in a commit message.
+#
+# This file has been created from
+# https://github.com/verkstedt/.github/blob/main/workflow-templates/ref-comment-in-commit.yaml
+#
+# IF YOU MODIFY IT IN ANY WAY, DESCRIBE IT IN THE COMMENT HERE
+# to make updating in the future easier.
+
+on:
+  push:
+
+jobs:
+  ref-comments:
+    name: 'Ref Comment in Commit'
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Ref Comment in Commit'
+        uses: 'verkstedt/actions/ref-comment-in-commit@v1'
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/reusable-release.yml

@@ -21,7 +21,7 @@ jobs:
       version: ${{ steps.version.outputs.version }}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           ref: master
 
@@ -33,7 +33,7 @@ jobs:
 
       - name: Determine Version
         id: version
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             // If version was provided in input, use that
@@ -62,7 +62,7 @@ jobs:
             }
 
       - name: Generate Notes and Create Release
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         env:
           VERSION: ${{ steps.version.outputs.version }}
           COMMIT: ${{ steps.commit_details.outputs.commit }}

.github/workflows/reusable-tag-docker-release-images.yml

@@ -19,7 +19,7 @@ jobs:
         id: release_details
         env:
           RELEASE_ID: ${{ inputs.release_id }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             let releaseId = process.env.RELEASE_ID;
@@ -115,7 +115,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
@@ -126,7 +126,7 @@ jobs:
 
       - name: Authenticate to Google Cloud
         id: google_auth
-        uses: google-github-actions/auth@v2
+        uses: google-github-actions/auth@v3
         with:
           token_format: access_token
           project_id: ${{ secrets.GOOGLE_PROJECT_ID }}

setup/action.yaml

@@ -19,18 +19,21 @@ outputs:
   scripts:
     description: "Comma–separated list of available npm scripts. Includes comma at the beginning and the end, so you can use contains(needs.setup.outputs.scripts, ',script-name,')"
     value: ${{ steps.scripts.outputs.scripts }}
+  package-manager:
+    description: 'Detected package manager (npm or yarn)'
+    value: ${{ steps.package-manager.outputs.package-manager }}
 
 runs:
   using: composite
   steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
       with:
         fetch-depth: ${{ inputs.fetch-depth }}
         ref: ${{ github.event.pull_request.head.ref || github.ref }}
 
     - name: Setup Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@v5
       with:
         node-version-file: '${{ inputs.working-directory }}/.nvmrc'
 
@@ -83,6 +86,22 @@ runs:
       run: |
         echo "//npm.pkg.github.com/:_authToken=${{ inputs.github-npm-registry-personal-access-token }}" >> ~/.npmrc
 
+    - name: Determine package manager
+      id: package-manager
+      working-directory: ${{ inputs.working-directory }}
+      shell: bash
+      run: |
+        if [ -e "yarn.lock" ]
+        then
+          echo "package-manager=yarn" >> "$GITHUB_OUTPUT"
+        elif [ -e "package-lock.json" ]
+        then
+          echo "package-manager=npm" >> "$GITHUB_OUTPUT"
+        else
+          echo "ERROR: Could not determine package manager. Neither package-lock.json nor yarn.lock found." >&2
+          exit 66 # EX_NOINPUT
+        fi
+
     - name: Install dependencies
       if: steps.cache.outputs.cache-hit != 'true'
       working-directory: ${{ inputs.working-directory }}
@@ -96,13 +115,23 @@ runs:
           export GH_REGISTRY_TOKEN="$GITHUB_NPM_REGISTRY_PERSONAL_ACCESS_TOKEN"
         fi
 
-        if [ -e "yarn.lock" ]
+        if [ "${{ steps.package-manager.outputs['package-manager'] }}" = "yarn" ]
         then
           yarn install --immutable
         else
           npm ci
         fi
 
+    - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
+      if: steps.cache.outputs.cache-hit != 'true' && steps.package-manager.outputs['package-manager'] == 'npm'
+      working-directory: ${{ inputs.working-directory }}
+      shell: bash
+      run: |
+        if [ 0 -lt "$( jq -r '( .dependencies + .devDependencies ) // {} | to_entries | length' package.json )" ]
+        then
+          npm audit signatures
+        fi
+
     - name: Run prepare npm script
       if: >
         steps.cache.outputs.cache-hit == 'true'