diff --git a/.github/actions/bootstrap/action.yml b/.github/actions/bootstrap/action.yml index 3e73946..dfe0a56 100644 --- a/.github/actions/bootstrap/action.yml +++ b/.github/actions/bootstrap/action.yml @@ -11,7 +11,7 @@ runs: - name: Restore asdf cache id: asdf-cache-restore - uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: key: asdf-tools-v1-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.tool-versions') }} path: | @@ -32,7 +32,7 @@ runs: - name: Save asdf cache if: always() && steps.asdf-cache-restore.outputs.cache-hit != 'true' - uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + uses: actions/cache/save@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: key: ${{ steps.asdf-cache-restore.outputs.cache-primary-key }} path: | @@ -41,7 +41,7 @@ runs: ~/.asdf/shims - name: Restore Bun install cache - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: key: bun-install-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('bun.lock') }} path: ~/.bun/install/cache diff --git a/.github/actions/detect-changes/action.yml b/.github/actions/detect-changes/action.yml index e75c510..11621fa 100644 --- a/.github/actions/detect-changes/action.yml +++ b/.github/actions/detect-changes/action.yml @@ -30,7 +30,7 @@ outputs: runs: using: 'composite' steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 persist-credentials: false diff --git a/.github/actions/fetch-release-secrets/action.yml b/.github/actions/fetch-release-secrets/action.yml index d393505..a4dadef 100644 --- a/.github/actions/fetch-release-secrets/action.yml +++ b/.github/actions/fetch-release-secrets/action.yml @@ -22,7 +22,7 @@ runs: using: 'composite' steps: - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0 + uses: aws-actions/configure-aws-credentials@254c19bd240aabef8777f48595e9d2d7b972184b # v6.2.1 with: role-to-assume: ${{ inputs.role-to-assume }} aws-region: ${{ inputs.aws-region }} diff --git a/.github/workflows/build-contextbridge-image.yml b/.github/workflows/build-contextbridge-image.yml index 9e5fe39..6b32c9a 100644 --- a/.github/workflows/build-contextbridge-image.yml +++ b/.github/workflows/build-contextbridge-image.yml @@ -26,12 +26,12 @@ jobs: id-token: write # AWS OIDC role assumption actions: write # docker/build-push-action writes GitHub Actions cache entries steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0 + uses: aws-actions/configure-aws-credentials@254c19bd240aabef8777f48595e9d2d7b972184b # v6.2.1 with: role-to-assume: ${{ secrets.CONTEXTBRIDGE_ECR_PUSH_ROLE_ARN }} aws-region: ${{ secrets.CONTEXTBRIDGE_ECR_PUSH_REGION }} diff --git a/.github/workflows/chromatic.yml b/.github/workflows/chromatic.yml index 4cd8a7f..5b90034 100644 --- a/.github/workflows/chromatic.yml +++ b/.github/workflows/chromatic.yml @@ -34,7 +34,7 @@ jobs: (github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main') steps: - name: Checkout code - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: # Checkout main when merged, otherwise checkout PR branch (not ephemeral merge commit) ref: ${{ github.event.pull_request.merged && 'main' || github.event.pull_request.head.ref }} diff --git a/.github/workflows/deploy-website.yml b/.github/workflows/deploy-website.yml index 5add261..f97a9ef 100644 --- a/.github/workflows/deploy-website.yml +++ b/.github/workflows/deploy-website.yml @@ -37,7 +37,7 @@ jobs: id-token: write packages: read steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 persist-credentials: false @@ -82,7 +82,7 @@ jobs: run: bun run --cwd packages/website build - name: Configure AWS credentials for website deploy - uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0 + uses: aws-actions/configure-aws-credentials@254c19bd240aabef8777f48595e9d2d7b972184b # v6.2.1 with: role-to-assume: ${{ secrets.website_deploy_role_arn }} aws-region: us-east-1 diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 22c46e2..010dd5f 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -23,7 +23,7 @@ jobs: cli_ref: ${{ steps.cli-ref.outputs.cli_ref }} steps: - name: Checkout code - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index e36199f..ed2f93d 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -20,7 +20,7 @@ jobs: install_script_changed: ${{ steps.changes.outputs.install_script_changed }} steps: - name: Checkout code - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e4449d4..b3dac8a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -28,7 +28,7 @@ jobs: packages: read attestations: write # publish Sigstore build-provenance attestations for release artifacts steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 persist-credentials: false @@ -78,7 +78,7 @@ jobs: done - name: Run GoReleaser - uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2 + uses: goreleaser/goreleaser-action@f06c13b6b1a9625abc9e6e439d9c05a8f2190e94 # v7.2.3 with: version: '~> v2' args: release --clean @@ -94,7 +94,7 @@ jobs: # downloads.contextbridge.ai and the Homebrew cask. Verify a download with: # gh attestation verify --repo contextbridge/planbridge - name: Attest build provenance - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 + uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1 with: subject-checksums: dist/checksums.txt diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 78ce3d6..3d0f646 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 persist-credentials: false @@ -23,7 +23,7 @@ jobs: - name: Check formatting run: bun run format:check - name: Restore ESLint cache - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: .eslintcache key: eslint-${{ runner.os }}-${{ github.sha }} @@ -40,7 +40,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 20 steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 persist-credentials: false @@ -52,7 +52,7 @@ jobs: id: ubuntu-version run: echo "version=$(lsb_release -rs)" >> $GITHUB_OUTPUT - name: Cache Playwright browsers - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: /home/runner/.cache/ms-playwright key: ${{ runner.os }}-${{ steps.ubuntu-version.outputs.version }}-playwright-browsers-${{ steps.playwright-version.outputs.version }} @@ -77,7 +77,7 @@ jobs: matrix: os: [ubuntu-latest, macos-latest] steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 if: inputs.install_script_changed with: persist-credentials: false diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index b159b46..df42838 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -23,7 +23,7 @@ jobs: # paths-filter needs a git checkout — it runs `git branch --show-current` # before any API fallback, and fails outside a working tree. - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false