diff --git a/.github/dependabot.yml b/.github/dependabot.yml
deleted file mode 100644
index 5ace4600a..000000000
--- a/.github/dependabot.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-version: 2
-updates:
- - package-ecosystem: "github-actions"
- directory: "/"
- schedule:
- interval: "weekly"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f47b75581..3bee9dfdf 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,7 +13,7 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 10
 steps:
- - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4
 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4
 with:
 node-version-file: .tool-versions
@@ -26,7 +26,7 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 10
 steps:
- - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4
 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4
 with:
 node-version-file: .tool-versions
@@ -39,7 +39,7 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 10
 steps:
- - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4
 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4
 with:
 node-version-file: .tool-versions
@@ -52,7 +52,7 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 10
 steps:
- - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4
 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4
 with:
 node-version-file: .tool-versions
@@ -69,7 +69,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 steps: - - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4 with: node-version-file: .tool-versions @@ -86,7 +86,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 steps: - - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4 with: node-version-file: .tool-versions @@ -102,7 +102,7 @@ jobs: name: Lint GitHub Actions runs-on: ubuntu-latest steps: - - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4 - uses: rhysd/actionlint@4e683ab8014a63fafa117492a0c6053758e6d593 # ratchet:rhysd/actionlint@v1.7.3 with: args: "-color" @@ -111,8 +111,8 @@ jobs: name: Check typos runs-on: ubuntu-latest steps: - - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 - - uses: crate-ci/typos@52bd719c2c91f9d676e2aa359fc8e0db8925e6d8 # ratchet:crate-ci/typos@master + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4 + - uses: crate-ci/typos@a4c3e43aea0a9e9b9e6578d2731ebd9a27e8f6cd # ratchet:crate-ci/typos@master test: name: Test 
@@ -122,7 +122,7 @@ jobs:
 node-version: [20.x, 21.x, 22.x, 23.x, 24.x]
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4
 - name: Use Node.js ${{ matrix.node-version }}
 uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4
 with:
@@ -141,7 +141,7 @@ jobs:
 bun-version: [latest]
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4
 - name: Setup Bun ${{ matrix.bun-version }}
 uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # ratchet:oven-sh/setup-bun@v2
 with:
@@ -155,7 +155,7 @@ jobs:
 name: Test coverage
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4
 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4
 with:
 node-version-file: .tool-versions
@@ -168,7 +168,7 @@ jobs:
 with:
 name: test-coverage
 path: coverage/
- - uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # ratchet:codecov/codecov-action@v5
+ - uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 # ratchet:codecov/codecov-action@v5
 with:
 fail_ci_if_error: true
 directory: ./coverage
@@ -180,7 +180,7 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 10
 steps:
- - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4
 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4
 with:
 node-version-file: .tool-versions
@@ -200,7 +200,7 @@ jobs:
 node-version: [20.x, 21.x, 22.x, 23.x, 24.x]
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4
 - name: Use Node.js ${{ matrix.node-version }}
 uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4
 with:
@@ -227,7 +227,7 @@ jobs:
 bun-version: [latest]
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4
 - name: Setup Bun ${{ matrix.bun-version }}
 uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # ratchet:oven-sh/setup-bun@v2
 with:
@@ -250,14 +250,14 @@ jobs:
 runs-on: ubuntu-latest
 if: ${{ github.ref == 'refs/heads/main' }}
 steps:
- - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4
 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4
 with:
 node-version-file: .tool-versions
 cache: npm
 - run: npm ci
 - run: npm run website-generate-schema
- - uses: stefanzweifel/git-auto-commit-action@01d77ca6cb089da1360e540865f7d035c95aa199 # ratchet:stefanzweifel/git-auto-commit-action@v4
+ - uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a # ratchet:stefanzweifel/git-auto-commit-action@v4
 with:
 commit_message: 'chore(schema): auto generate schema'
 commit_user_name: "github-actions[bot]"
diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml
index ffa4068cc..9925853d9 100644
--- a/.github/workflows/claude-review.yml
+++ b/.github/workflows/claude-review.yml
@@ -13,12 +13,12 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4 with: fetch-depth: 1 - name: Auto review PR - uses: anthropics/claude-code-action@02e9ed31816be8cb8d521a26f4ba981e5c89ac5e # ratchet:anthropics/claude-code-action@main + uses: anthropics/claude-code-action@194fca8b05f044ca6678c516c60c73d6b1d6dbae # ratchet:anthropics/claude-code-action@main with: direct_prompt: | Please review this PR. Look at the changes and provide thoughtful feedback on: diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml index 3ae3fe78b..aee67aa2d 100644 --- a/.github/workflows/claude.yml +++ b/.github/workflows/claude.yml @@ -25,12 +25,12 @@ jobs: id-token: write steps: - name: Checkout repository - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4 with: fetch-depth: 1 - name: Run Claude Code id: claude - uses: anthropics/claude-code-action@02e9ed31816be8cb8d521a26f4ba981e5c89ac5e # ratchet:anthropics/claude-code-action@main + uses: anthropics/claude-code-action@194fca8b05f044ca6678c516c60c73d6b1d6dbae # ratchet:anthropics/claude-code-action@main with: anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 0acfd3e36..77b53b81f 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -26,7 +26,7 @@ jobs: build-mode: none steps: - name: Checkout repository - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL 
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 6eb03d251..491af93cc 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4 - name: Docker metadata id: meta diff --git a/.github/workflows/homebrew.yml b/.github/workflows/homebrew.yml index 5a3fb28c1..a3251be4e 100644 --- a/.github/workflows/homebrew.yml +++ b/.github/workflows/homebrew.yml @@ -10,15 +10,15 @@ jobs: runs-on: macos-latest steps: - name: Set up Homebrew - uses: Homebrew/actions/setup-homebrew@b3fb6f7cb1475434d4285b90020c2aa51f1e0b12 # ratchet:Homebrew/actions/setup-homebrew@master + uses: Homebrew/actions/setup-homebrew@87d3af7a72e5ede081b6dafce1798551a74fb366 # ratchet:Homebrew/actions/setup-homebrew@master with: test-bot: false - name: Configure Git user - uses: Homebrew/actions/git-user-config@b3fb6f7cb1475434d4285b90020c2aa51f1e0b12 # ratchet:Homebrew/actions/git-user-config@master + uses: Homebrew/actions/git-user-config@87d3af7a72e5ede081b6dafce1798551a74fb366 # ratchet:Homebrew/actions/git-user-config@master - name: Bump packages - uses: Homebrew/actions/bump-packages@b3fb6f7cb1475434d4285b90020c2aa51f1e0b12 # ratchet:Homebrew/actions/bump-packages@master + uses: Homebrew/actions/bump-packages@87d3af7a72e5ede081b6dafce1798551a74fb366 # ratchet:Homebrew/actions/bump-packages@master with: token: ${{ secrets.COMMITTER_TOKEN }} formulae: repomix diff --git a/.github/workflows/pack-repository.yml b/.github/workflows/pack-repository.yml index 800b364e3..9cfe5edb0 100644 --- a/.github/workflows/pack-repository.yml +++ b/.github/workflows/pack-repository.yml 
@@ -12,10 +12,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4 - name: Pack repository with Repomix - uses: yamadashy/repomix/.github/actions/repomix@95b508050cb30d621e609f3b605f389c6851f154 # ratchet:yamadashy/repomix/.github/actions/repomix@main + uses: yamadashy/repomix/.github/actions/repomix@dbf406cd7f1651ec410a722eb9ebf2b1a1255b34 # ratchet:yamadashy/repomix/.github/actions/repomix@main with: output: repomix-output.xml diff --git a/.github/workflows/ratchet-update.yml b/.github/workflows/ratchet-update.yml new file mode 100644 index 000000000..4719cc8ad --- /dev/null +++ b/.github/workflows/ratchet-update.yml 
@@ -0,0 +1,58 @@
+name: Ratchet update
+on:
+ schedule:
+ - cron: '0 0 * * 1' # Every Monday at midnight UTC
+ workflow_dispatch: # Allow manual trigger
+
+jobs:
+ update:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+ steps:
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # ratchet:actions/setup-go@v5
+ with:
+ go-version: stable
+
+ - name: Install ratchet
+ run: |
+ go install github.com/sethvargo/ratchet@v0.11.3
+ ratchet --version
+
+ - name: Update pinned SHAs
+ run: |
+ ratchet update ".github/workflows/"*.yml
+
+ - name: Check for changes
+ id: changes
+ run: |
+ if git diff --quiet; then
+ echo "has_changes=false" >> "$GITHUB_OUTPUT"
+ else
+ echo "has_changes=true" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Create Pull Request
+ if: steps.changes.outputs.has_changes == 'true'
+ uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # ratchet:peter-evans/create-pull-request@v7
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ commit-message: 'chore(ci): Update pinned GitHub Actions SHAs'
+ title: 'chore(ci): Update pinned GitHub Actions SHAs'
+ body: |
+ ## Summary
+ - Updated pinned GitHub Actions SHAs using ratchet
+
+ ## Changes
+ This PR contains automated updates to the pinned SHAs in GitHub Actions workflows to ensure we're using the latest versions while maintaining security through SHA pinning.
+
+ ## Checklist
+ - [x] Run `npm run test`
+ - [x] Run `npm run lint`
+ branch: chore/update-actions-shas
+ delete-branch: true
diff --git a/.github/workflows/ratchet-verify.yml b/.github/workflows/ratchet-verify.yml
index 9f438f643..abd0a9a59 100644
--- a/.github/workflows/ratchet-verify.yml
+++ b/.github/workflows/ratchet-verify.yml
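Review bot: The `Create Pull Request` step in the new ratchet-update.yml authenticates with `secrets.GITHUB_TOKEN`, and pull requests opened with that token do not start `pull_request` workflows, so CI will not run on the weekly update PR even though its body ships with both checklist items already ticked (`[x]`). Either emit them unticked (`- [ ]`) or pass a GitHub App or narrowly scoped personal access token to `token:` so the test and lint jobs actually run before merge. This matters because several constraints touched elsewhere in this commit follow mutable branches (`@master`, `@main`), so each run moves those pins to the current branch head, and some of those steps receive secrets (`ANTHROPIC_API_KEY`, `COMMITTER_TOKEN`); the PR body should ask the reviewer to inspect the upstream change behind every new SHA, and tag-based constraints would narrow what can move. The glob `".github/workflows/"*.yml` also covers workflow files only, so `uses:` pins in any composite action under `.github/actions/` would presumably stay un-updated.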
@@ -6,7 +6,7 @@ jobs: ratchet: runs-on: ubuntu-latest steps: - - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4 - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # ratchet:actions/setup-go@v5 with: go-version: stable diff --git a/.github/workflows/test-action.yml b/.github/workflows/test-action.yml index 64c592519..eb42f2fe8 100644 --- a/.github/workflows/test-action.yml +++ b/.github/workflows/test-action.yml @@ -21,7 +21,7 @@ jobs: - node-version: 22 test-case: "full" steps: - - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4 - name: Run Repomix Action (Minimal) if: matrix['test-case'] == 'minimal'