From 8374d6c263f31212ed2806c69b2a3b1fb4f3d802 Mon Sep 17 00:00:00 2001 From: Ryan Iguchi Date: Fri, 26 Jun 2026 11:18:35 +0200 Subject: [PATCH 1/8] chore(deps): bump actions/checkout to v7.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/validate-plugins.yml | 2 +- .github/workflows/validate-yaml.yml | 4 ++-- workflows/expo-publish-pr.yml | 2 +- workflows/test-in-parallel.yml | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/validate-plugins.yml b/.github/workflows/validate-plugins.yml index 66cbab5..b6a527c 100644 --- a/.github/workflows/validate-plugins.yml +++ b/.github/workflows/validate-plugins.yml @@ -26,7 +26,7 @@ jobs: validate: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup Bun uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 diff --git a/.github/workflows/validate-yaml.yml b/.github/workflows/validate-yaml.yml index cd3c13a..dac1119 100644 --- a/.github/workflows/validate-yaml.yml +++ b/.github/workflows/validate-yaml.yml @@ -15,7 +15,7 @@ jobs: name: YAML Lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Lint YAML files run: yamllint -d relaxed . @@ -24,7 +24,7 @@ jobs: name: GitHub Actions Lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install actionlint run: | diff --git a/workflows/expo-publish-pr.yml b/workflows/expo-publish-pr.yml index 34380ac..bda09d4 100644 --- a/workflows/expo-publish-pr.yml +++ b/workflows/expo-publish-pr.yml @@ -66,7 +66,7 @@ jobs: DISCORD_WEBHOOK: ${{ secrets.DISCORD_WEBHOOK }} steps: - name: Setup repo - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: cardinalby/export-env-action@4f48c4676cf6ed6f46e30899ee987ce695da7c80 # 2.2.3 with: diff --git a/workflows/test-in-parallel.yml b/workflows/test-in-parallel.yml index 102b4c8..a3d4fae 100644 --- a/workflows/test-in-parallel.yml +++ b/workflows/test-in-parallel.yml @@ -93,7 +93,7 @@ jobs: test-chunk-ids: ${{ steps['set-test-chunk-ids'].outputs['test-chunk-ids'] }} steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: cardinalby/export-env-action@4f48c4676cf6ed6f46e30899ee987ce695da7c80 # 2.2.3 if: ${{ inputs.env_file }} @@ -152,7 +152,7 @@ jobs: chunk: ${{ fromJson(needs.setup.outputs['test-chunk-ids']) }} steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0 if: ${{ inputs.package_manager == 'pnpm' }} From f6ab9b1d8f58c868f607b862799765b32607c1d2 Mon Sep 17 00:00:00 2001 From: Ryan Iguchi Date: Fri, 26 Jun 2026 11:43:49 +0200 Subject: [PATCH 2/8] chore(deps): bump actions/setup-node to v6.4.0 Keep explicit cache: on CI steps (v6 limits auto-cache to npm only, so pnpm/yarn need the explicit input). Add package-manager-cache: false to the act-only steps to preserve their deliberate no-cache behavior under act. Co-Authored-By: Claude Opus 4.8 (1M context) --- workflows/test-in-parallel.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/workflows/test-in-parallel.yml b/workflows/test-in-parallel.yml index a3d4fae..504910f 100644 --- a/workflows/test-in-parallel.yml +++ b/workflows/test-in-parallel.yml @@ -110,12 +110,13 @@ jobs: with: bun-version: ${{ env.BUN_VERSION }} - - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 if: ${{ env.ACT && inputs.package_manager != 'bun' }} with: node-version-file: .nvmrc + package-manager-cache: false - - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 if: ${{ !env.ACT && inputs.package_manager != 'bun' }} with: node-version-file: .nvmrc @@ -170,13 +171,14 @@ jobs: bun-version: ${{ env.BUN_VERSION }} - name: Setup Node - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 if: ${{ env.ACT && inputs.package_manager != 'bun' }} with: node-version-file: .nvmrc + package-manager-cache: false - name: Setup Node and Cache - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 if: ${{ !env.ACT && inputs.package_manager != 'bun' }} with: node-version-file: .nvmrc From 7ce77f8da7af91450abe5802482823a5f23bbba6 Mon Sep 17 00:00:00 2001 From: Ryan Iguchi Date: Fri, 26 Jun 2026 11:54:41 +0200 Subject: [PATCH 3/8] chore(deps): bump actions/cache to v6.0.0 and actions/github-script to v9.0.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Both are SHA-only bumps for our usage: - cache: v5 moved to node24, v6 is an internal ESM migration; our path/key usage is unaffected. - github-script: v9's breaking changes are all @actions/github / getOctokit related; our script only uses the os/path Node built-ins. Note: cache v6.0.0 released ~3 days ago — holding off merge a day to clear the 3-day release-age policy. Co-Authored-By: Claude Opus 4.8 (1M context) --- workflows/expo-publish-pr.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/workflows/expo-publish-pr.yml b/workflows/expo-publish-pr.yml index bda09d4..f383434 100644 --- a/workflows/expo-publish-pr.yml +++ b/workflows/expo-publish-pr.yml @@ -97,7 +97,7 @@ jobs: - name: Find Metro cache id: metro-cache-dir-path - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: result-encoding: string script: | @@ -106,7 +106,7 @@ jobs: return path.join(os.tmpdir(), 'metro-cache'); - name: Cache Metro - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 + uses: actions/cache@2c8a9bd7457de244a408f35966fab2fb45fda9c8 # v6.0.0 id: cache-metro with: path: ${{ steps.metro-cache-dir-path.outputs.result }} From d91d6049d5f4505e6a7ad9e8864901be0efb7722 Mon Sep 17 00:00:00 2001 From: Ryan Iguchi Date: Fri, 26 Jun 2026 12:06:46 +0200 Subject: [PATCH 4/8] chore(deps): bump docker login/buildx/build-push actions - docker/login-action v3.7.0 -> v4.2.0 - docker/setup-buildx-action v3.12.0 -> v4.1.0 - docker/build-push-action v5.4.0 -> v7.2.0 All SHA-only for our usage. build-push v6+ auto-adds a Build Summary panel to the run page (kept on by default); our image-tag output plumbing via $GITHUB_OUTPUT is unaffected. Co-Authored-By: Claude Opus 4.8 (1M context) --- actions/docker-build/action.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/actions/docker-build/action.yml b/actions/docker-build/action.yml index 4f68b16..5edf771 100644 --- a/actions/docker-build/action.yml +++ b/actions/docker-build/action.yml @@ -31,14 +31,14 @@ runs: using: 'composite' steps: - name: Log in to the Container registry - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ inputs.github-token }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Extract image name id: image-name @@ -51,7 +51,7 @@ runs: fi - name: Build and push Docker image - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 with: push: true context: ${{ inputs.context }} From c3de239bd6528d8a8bd243aa436c7c7690d6afb0 Mon Sep 17 00:00:00 2001 From: Ryan Iguchi Date: Fri, 26 Jun 2026 12:10:38 +0200 Subject: [PATCH 5/8] chore(deps): bump 1password install-cli and load-secrets to v4 - 1password/install-cli-action v1.0.0 -> v4.0.0 - 1password/load-secrets-action/configure v2.0.0 -> v4.0.1 SHA-only for our usage: we install the CLI and use the /configure subpath to set up auth via OP_SERVICE_ACCOUNT_TOKEN; we don't use the secret-export path that changed in v3/v4. Co-Authored-By: Claude Opus 4.8 (1M context) --- workflows/expo-publish-pr.yml | 4 ++-- workflows/test-in-parallel.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/workflows/expo-publish-pr.yml b/workflows/expo-publish-pr.yml index f383434..ffce35c 100644 --- a/workflows/expo-publish-pr.yml +++ b/workflows/expo-publish-pr.yml @@ -80,10 +80,10 @@ jobs: run: bun install --frozen-lockfile - name: Install 1Password CLI - uses: 1password/install-cli-action@143a85f84a90555d121cde2ff5872e393a47ab9f # v1.0.0 + uses: 1password/install-cli-action@a5215d3a7f75c1629216c465ea9ab3ab399c4b71 # v4.0.0 - name: Load secret - uses: 1password/load-secrets-action/configure@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2.0.0 + uses: 1password/load-secrets-action/configure@3a12b0ab99d9cd590a3e9b5a90ea017210ed9556 # v4.0.1 env: OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} diff --git a/workflows/test-in-parallel.yml b/workflows/test-in-parallel.yml index 504910f..efd8c78 100644 --- a/workflows/test-in-parallel.yml +++ b/workflows/test-in-parallel.yml @@ -193,11 +193,11 @@ jobs: if: ${{ inputs.package_manager != 'npm' }} - name: Install 1Password CLI - uses: 1password/install-cli-action@143a85f84a90555d121cde2ff5872e393a47ab9f # v1.0.0 + uses: 1password/install-cli-action@a5215d3a7f75c1629216c465ea9ab3ab399c4b71 # v4.0.0 if: ${{ inputs.op_setup_script }} - name: Load secret - uses: 1password/load-secrets-action/configure@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2.0.0 + uses: 1password/load-secrets-action/configure@3a12b0ab99d9cd590a3e9b5a90ea017210ed9556 # v4.0.1 if: ${{ inputs.op_setup_script }} env: OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} From 3f21005da97af1ce11117b64c4b0c16d54962d4e Mon Sep 17 00:00:00 2001 From: Ryan Iguchi Date: Fri, 26 Jun 2026 12:25:17 +0200 Subject: [PATCH 6/8] chore(deps): bump pnpm/action-setup to v6.0.9, drop stale pnpm_version default v4+ errors on a mismatch between the version input and the packageManager field in package.json. Remove the stale default: "8" so packageManager is the single source of truth when pnpm_version isn't passed; kept the input optional (required: false) since npm/bun consumers don't use it. Co-Authored-By: Claude Opus 4.8 (1M context) --- workflows/test-in-parallel.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/workflows/test-in-parallel.yml b/workflows/test-in-parallel.yml index efd8c78..906151d 100644 --- a/workflows/test-in-parallel.yml +++ b/workflows/test-in-parallel.yml @@ -30,8 +30,7 @@ on: pnpm_version: required: false type: string - default: "8" - description: If using pnpm - which version to use + description: If using pnpm - which version to use (defaults to the packageManager field in package.json) env_file: required: false type: string @@ -65,8 +64,7 @@ on: pnpm_version: required: false type: string - default: "8" - description: If using pnpm - which version to use + description: If using pnpm - which version to use (defaults to the packageManager field in package.json) op_setup_script: required: false type: string @@ -100,7 +98,7 @@ jobs: with: envFile: ${{ inputs.env_file }} - - uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0 + - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9 if: ${{ inputs.package_manager == 'pnpm' }} with: version: ${{ inputs.pnpm_version }} @@ -155,7 +153,7 @@ jobs: steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - - uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0 + - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9 if: ${{ inputs.package_manager == 'pnpm' }} with: version: ${{ inputs.pnpm_version }} From 6ddcce599cea5aba9c5faaa7232100717de2a7bc Mon Sep 17 00:00:00 2001 From: Ryan Iguchi Date: Fri, 26 Jun 2026 12:29:14 +0200 Subject: [PATCH 7/8] chore(deps): bump expo/expo-github-action (+ /preview) to v9.0.0 Base action and /preview subpath v8.2.1 -> v9.0.0. Only breaking change is the Node 24 tooling bump (runner floor satisfied on hosted runners). Co-Authored-By: Claude Opus 4.8 (1M context) --- workflows/expo-publish-pr.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/workflows/expo-publish-pr.yml b/workflows/expo-publish-pr.yml index ffce35c..f550c4e 100644 --- a/workflows/expo-publish-pr.yml +++ b/workflows/expo-publish-pr.yml @@ -113,7 +113,7 @@ jobs: key: metro-cache-${{ env.BUN_VERSION }}-${{ runner.os }}-${{ inputs.platform }}-${{ inputs.working_directory }} - name: Setup EAS - uses: expo/expo-github-action@c7b66a9c327a43a8fa7c0158e7f30d6040d2481e # v8.2.1 + uses: expo/expo-github-action@eab7a230208c952974db8c3245cfd78402c7b385 # v9.0.0 with: eas-version: latest packager: bun @@ -123,7 +123,7 @@ jobs: run: bun run codegen - name: Create preview - uses: expo/expo-github-action/preview@c7b66a9c327a43a8fa7c0158e7f30d6040d2481e # v8.2.1 + uses: expo/expo-github-action/preview@eab7a230208c952974db8c3245cfd78402c7b385 # v9.0.0 env: TAMAGUI_TARGET: native EXPO_PUBLIC_BACKEND_ROOT_URL: ${{ inputs.backend_url }} From ea2438d79c409d6a4580ace04a2e088b4b067c95 Mon Sep 17 00:00:00 2001 From: Ryan Iguchi Date: Fri, 26 Jun 2026 12:30:38 +0200 Subject: [PATCH 8/8] chore(deps): bump jtalk/url-health-check-action to v5 Only change is the Node 24 runtime bump; our url/max-attempts/retry inputs are unchanged. Co-Authored-By: Claude Opus 4.8 (1M context) --- actions/healthcheck/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/actions/healthcheck/action.yml b/actions/healthcheck/action.yml index 88ed57f..01bbea5 100644 --- a/actions/healthcheck/action.yml +++ b/actions/healthcheck/action.yml @@ -22,7 +22,7 @@ runs: using: 'composite' steps: - name: Check the deployed service URL - uses: jtalk/url-health-check-action@b716ccb6645355dd9fcce8002ce460e5474f7f00 # v4 + uses: jtalk/url-health-check-action@e7d5ebdc9027fbf494d2d034f3e8fc78f8b7a2b9 # v5 with: url: ${{ inputs.url }} max-attempts: ${{ inputs.max-attempts }}