diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e2b4966..36d0be4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,16 +17,16 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4 - run: pnpm install --frozen-lockfile --ignore-scripts - run: pnpm exec biome ci . typecheck: runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4 - run: pnpm install --frozen-lockfile --ignore-scripts - name: Build workspace .d.ts so cross-package types resolve # Skip @opencodehub/docs — its build runs astro + rehype-mermaid + @@ -55,8 +55,8 @@ jobs: env: MISE_NODE_VERSION: ${{ matrix.node-version }} steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4 - run: pnpm install --frozen-lockfile --ignore-scripts # Remove any stale build output before the incremental `tsc -b` build. # A `.test.ts` deleted in source leaves its compiled `dist/**/*.test.js` @@ -98,8 +98,8 @@ jobs: MISE_NODE_VERSION: ${{ matrix.node-version }} CODEHUB_PLATFORM: "1" # set via env: (not an inline prefix) so it works on Windows cmd too steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4 - run: pnpm install --frozen-lockfile --ignore-scripts # Mirror the `test` lane: prune stale build output so a deleted-in-source # `dist/**/*.test.js` can't run against an interface it no longer matches. @@ -115,8 +115,8 @@ jobs: sarif-validate: runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4 - run: pnpm install --frozen-lockfile --ignore-scripts - run: pnpm -F @opencodehub/sarif build - run: pnpm -F @opencodehub/sarif run validate-schema @@ -124,7 +124,7 @@ jobs: banned-strings: runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - run: bash scripts/check-banned-strings.sh no-dist-cache: @@ -134,14 +134,14 @@ jobs: # that no longer exists. Cache the pnpm store for speed — never dist/. runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - run: bash scripts/check-no-dist-cache.sh licenses: runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4 - run: pnpm install --frozen-lockfile --ignore-scripts - name: license allowlist # Root is `private: true` with no runtime deps post-collapse; scan @@ -171,7 +171,7 @@ jobs: contents: read security-events: write steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install osv-scanner run: | curl -sL -o /tmp/osv-scanner \ diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 596fc02..ccb5953 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -27,7 +27,7 @@ jobs: matrix: language: [javascript-typescript, python] steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 with: languages: ${{ matrix.language }} diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml index 37c2089..623e9fa 100644 --- a/.github/workflows/commitlint.yml +++ b/.github/workflows/commitlint.yml @@ -12,10 +12,10 @@ jobs: commitlint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 - - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4 + - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4 - run: pnpm install --frozen-lockfile --ignore-scripts - name: Validate PR commit messages run: | diff --git a/.github/workflows/och-self-scan.yml b/.github/workflows/och-self-scan.yml index 0de0035..ea3307b 100644 --- a/.github/workflows/och-self-scan.yml +++ b/.github/workflows/och-self-scan.yml @@ -24,11 +24,11 @@ jobs: security-events: write issues: write steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 - - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4 + - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4 - name: Cache pnpm store uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 diff --git a/.github/workflows/osv.yml b/.github/workflows/osv.yml index 14374ab..c3f5acb 100644 --- a/.github/workflows/osv.yml +++ b/.github/workflows/osv.yml @@ -24,7 +24,7 @@ jobs: contents: read security-events: write steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install osv-scanner run: | curl -sL -o /tmp/osv-scanner \ diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml index e19df0a..af6a068 100644 --- a/.github/workflows/pages.yml +++ b/.github/workflows/pages.yml @@ -21,8 +21,8 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4.1.0 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4.2.0 # NOTE: --ignore-scripts removed so sharp's native binary download # and Playwright's chromium install (via rehype-mermaid) are allowed. - run: pnpm install --frozen-lockfile diff --git a/.github/workflows/pre-release-gate.yml b/.github/workflows/pre-release-gate.yml index fdde683..d41d9ba 100644 --- a/.github/workflows/pre-release-gate.yml +++ b/.github/workflows/pre-release-gate.yml @@ -42,10 +42,10 @@ jobs: if: startsWith(github.head_ref, 'release-please--') runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4.1.0 + - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4.2.0 - name: Run pnpm audit at high+ severity run: pnpm audit --audit-level=high --prod @@ -54,10 +54,10 @@ jobs: if: startsWith(github.head_ref, 'release-please--') runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4.1.0 + - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4.2.0 # Frozen + ignore-scripts is the strictest install path: any lockfile # drift, missing entry, or sneaky postinstall fails the job. - name: Install with frozen lockfile and no lifecycle scripts @@ -68,11 +68,11 @@ jobs: if: startsWith(github.head_ref, 'release-please--') runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 persist-credentials: false - - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4.1.0 + - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4.2.0 - name: Sweep working tree run: | set -euo pipefail @@ -90,10 +90,10 @@ jobs: if: startsWith(github.head_ref, 'release-please--') runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4.1.0 + - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4.2.0 - run: pnpm install --frozen-lockfile --ignore-scripts - name: license allowlist # Root is `private: true` with no runtime deps post-collapse; scan diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e3554db..59e2d13 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -113,14 +113,14 @@ jobs: sarif-sha256: ${{ steps.hashes.outputs.sarif }} steps: - name: Checkout released SHA - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: ref: ${{ needs.resolve.outputs.sha }} fetch-depth: 0 persist-credentials: false - name: Provision toolchain (mise) - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4.1.0 + uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4.2.0 - name: Install dependencies run: pnpm install --frozen-lockfile @@ -376,11 +376,11 @@ jobs: contents: read id-token: write # OIDC token for npm trusted publishing AND provenance steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: ref: ${{ needs.resolve.outputs.sha }} persist-credentials: false - - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4.1.0 + - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4.2.0 - run: pnpm install --frozen-lockfile - run: pnpm --filter '!@opencodehub/docs' -r build # Idempotency guard: a stuck/retried release (e.g. the automated chain diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 10c7d79..2e2b779 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -19,7 +19,7 @@ jobs: contents: read actions: read steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 8e59c9f..3415c48 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -26,7 +26,7 @@ jobs: container: image: semgrep/semgrep steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: semgrep scan (p/auto + p/owasp-top-ten) # `|| true` so the SARIF upload step still runs on findings; # gating happens through GitHub code scanning, not the scan's diff --git a/.github/workflows/verify-global-install.yml b/.github/workflows/verify-global-install.yml index 9da5f76..c3bd490 100644 --- a/.github/workflows/verify-global-install.yml +++ b/.github/workflows/verify-global-install.yml @@ -103,7 +103,7 @@ jobs: node: "24" installer: nvm steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false @@ -115,7 +115,7 @@ jobs: # ------------------------------------------------------------------ - name: Setup Node via mise if: matrix.installer == 'mise' - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4.1.0 + uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4.2.0 env: MISE_NODE_VERSION: ${{ matrix.node }} @@ -171,7 +171,7 @@ jobs: - name: Install pnpm (non-mise / non-volta paths) if: matrix.installer == 'nvm' || matrix.installer == 'homebrew' - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 + uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9 with: version: 11.1.0