From 4efa6249ed59243b4497bf759be6b7eecbe6087e Mon Sep 17 00:00:00 2001 From: rory Date: Tue, 14 Oct 2025 15:41:57 -0700 Subject: [PATCH 1/5] Immutable action refs only --- .github/workflows/build-android.yml | 6 +- .github/workflows/build-ios.yml | 12 ++- .github/workflows/build-web.yml | 3 +- .github/workflows/check.yml | 10 ++- .github/workflows/cla.yml | 2 + .github/workflows/lint.yml | 14 ++-- .github/workflows/publish.yml | 126 ++++++++++++++-------------- .github/workflows/web-e2e-test.yml | 10 ++- 8 files changed, 102 insertions(+), 81 deletions(-) diff --git a/.github/workflows/build-android.yml b/.github/workflows/build-android.yml index 08042060f..acae7f55d 100644 --- a/.github/workflows/build-android.yml +++ b/.github/workflows/build-android.yml @@ -34,11 +34,13 @@ jobs: group: build-android-${{ matrix.react-native-architecture }}-${{ github.ref }} cancel-in-progress: true steps: + # v5.0.0 - name: Check out Git repository - uses: actions/checkout@v4 + uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 + # v5.0.0 - name: Setup Java 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@ead9eaa3cfe0b0fc2fa749519ae09c3d4f4080b0 with: distribution: 'zulu' java-version: 17 diff --git a/.github/workflows/build-ios.yml b/.github/workflows/build-ios.yml index 41158c7b6..11de21473 100644 --- a/.github/workflows/build-ios.yml +++ b/.github/workflows/build-ios.yml @@ -34,11 +34,13 @@ jobs: group: build-ios-${{ matrix.react-native-architecture }}-${{ github.ref }} cancel-in-progress: true steps: + # v5.0.0 - name: Check out Git repository - uses: actions/checkout@v4 + uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 + # v4.3.0 - name: Restore node_modules from cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 with: path: | node_modules 
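Review bot: The `# v5.0.0` comments sit on their own line above `- name:`, two lines away from the hash they describe, so the `uses:` line itself never says which release it is meant to be. Keeping the tag on the same line holds the pair together and, as far as I know, is the form Dependabot keeps in sync when it bumps a pinned hash: `uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0`. The same applies to every pinned `uses:` in this patch (build-ios.yml, build-web.yml, check.yml, lint.yml, publish.yml, web-e2e-test.yml). The diff cannot show that each hash is the commit the named tag points to in the upstream `actions/*` repository, so that mapping is worth confirming before merge.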
@@ -49,8 +51,9 @@ jobs: - name: Install node_modules run: yarn install --immutable + # v4.3.0 - name: Restore Pods from cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 with: path: | example/ios/Pods @@ -71,8 +74,9 @@ jobs: working-directory: example/ios run: rm -rf .xcode.env.local + # v4.3.0 - name: Restore build artifacts from cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 with: path: ~/Library/Developer/Xcode/DerivedData key: build-ios-derived-data-${{ matrix.react-native-architecture }}-${{ hashFiles('example/node_modules/react-native/package.json') }} diff --git a/.github/workflows/build-web.yml b/.github/workflows/build-web.yml index 652ee5ecf..7aa10f990 100644 --- a/.github/workflows/build-web.yml +++ b/.github/workflows/build-web.yml @@ -24,8 +24,9 @@ jobs: group: build-web-${{ github.ref }} cancel-in-progress: true steps: + # v5.0.0 - name: Check out Git repository - uses: actions/checkout@v4 + uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 - name: Install node_modules run: yarn install --immutable diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index 1d0f65c1d..fa58abd99 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -16,13 +16,15 @@ jobs: group: check-root-${{ github.ref }} cancel-in-progress: true steps: + # v5.0.0 - name: Check out Git repository - uses: actions/checkout@v4 + uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 - - name: Use Node.js 18 - uses: actions/setup-node@v4 + # v6.0.0 + - name: Setup Node.js + uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 with: - node-version: 18 + node-version-file: '.nvmrc' - name: Install node_modules run: yarn install --immutable diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml index 32bd52431..cf1fa7eef 100644 --- a/.github/workflows/cla.yml +++ b/.github/workflows/cla.yml 
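Review bot: In check.yml the pin is also a two-major upgrade of `actions/setup-node` (`@v4` to the hash commented as v6.0.0) and a switch from `node-version: 18` to `node-version-file: '.nvmrc'`, neither of which the subject "Immutable action refs only" mentions. `.nvmrc` is not part of this patch, so the Node version the job now runs cannot be seen here, and the renamed step no longer states it. I would record this on the step, e.g. `# v6.0.0 (was v4); Node version now comes from .nvmrc`, or move the upgrades into their own commit so the pinning change can be reviewed as a no-op. The same combination appears in web-e2e-test.yml and, starting from `@v1` and `"16.x"`, in lint.yml, where checkout and cache also move up from `@v2`.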
@@ -17,11 +17,13 @@ jobs: with: text: ${{ github.event.comment.body }} regex: '\s*I have read the CLA Document and I hereby sign the CLA\s*' + - uses: actions-ecosystem/action-regex-match@9c35fe9ac1840239939c59e5db8839422eed8a73 id: recheck with: text: ${{ github.event.comment.body }} regex: '\s*recheck\s*' + - name: CLA Assistant if: ${{ steps.recheck.outputs.match != '' || steps.sign.outputs.match != '' }} || github.event_name == 'pull_request_target' # Version: 2.1.2-beta diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 6267fe6bd..46d56d696 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -8,19 +8,23 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + # v5.0.0 + - name: Check out Git repository + uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 - - uses: actions/cache@v2 + # v4.3.0 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 with: path: ~/.yarn key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }} restore-keys: | ${{ runner.os }}-yarn- - - name: Setup Node - uses: actions/setup-node@v1 + # v6.0.0 + - name: Setup Node.js + uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 with: - node-version: "16.x" + node-version-file: '.nvmrc' - name: Install node_modules run: yarn install --immutable diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 20fa23161..5ecb7ac6c 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
@@ -2,70 +2,74 @@ name: Publish package to npmjs # This workflow runs when code is pushed to `main` (i.e: when a pull request is merged) on: - push: - branches: [main] + push: + branches: [main] # Ensure that only once instance of this workflow executes at a time. # If multiple PRs are merged in quick succession, there will only ever be one publish workflow running and one pending. concurrency: ${{ github.workflow }} jobs: - version: - runs-on: ubuntu-latest - - # OSBotify will update the version on `main`, so this check is important to prevent an infinite loop - if: ${{ github.actor != 'OSBotify' }} - - steps: - - uses: actions/checkout@v4 - with: - ref: main - # The OS_BOTIFY_COMMIT_TOKEN is a personal access token tied to osbotify - # This is a workaround to allow pushes to a protected branch - token: ${{ secrets.OS_BOTIFY_COMMIT_TOKEN }} - - - name: Decrypt & Import OSBotify GPG key - run: | - cd .github - gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output OSBotify-private-key.asc OSBotify-private-key.asc.gpg - gpg --import OSBotify-private-key.asc - env: - LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }} - - - name: Set up git for OSBotify - run: | - git config --global user.signingkey 367811D53E34168C - git config --global commit.gpgsign true - git config --global user.name OSBotify - git config --global user.email infra+osbotify@expensify.com - - - uses: actions/setup-node@v4 - with: - node-version-file: '.nvmrc' - registry-url: 'https://registry.npmjs.org' - - - name: Install yarn packages - run: yarn install --immutable - - - name: Update npm version - run: yarn version patch - - - name: Set new version in GitHub ENV - run: echo "NEW_VERSION=$(jq '.version' package.json)" >> $GITHUB_ENV - - - name: Commit version bump - run: git commit -am "Bump version to ${{ env.NEW_VERSION }}" - - - name: Tag version bump - run: git tag ${{ env.NEW_VERSION }} - - - name: Push branch and publish tags - run: git push 
--set-upstream origin main && git push --tags - - - name: Build package - run: yarn pack - - - name: Publish to npm - run: npm publish --access public - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + version: + runs-on: ubuntu-latest + + # OSBotify will update the version on `main`, so this check is important to prevent an infinite loop + if: ${{ github.actor != 'OSBotify' }} + + steps: + # v5.0.0 + - name: Check out Git repository + uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 + with: + ref: main + # The OS_BOTIFY_COMMIT_TOKEN is a personal access token tied to osbotify + # This is a workaround to allow pushes to a protected branch + token: ${{ secrets.OS_BOTIFY_COMMIT_TOKEN }} + + - name: Decrypt & Import OSBotify GPG key + run: | + cd .github + gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output OSBotify-private-key.asc OSBotify-private-key.asc.gpg + gpg --import OSBotify-private-key.asc + env: + LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }} + + - name: Set up git for OSBotify + run: | + git config --global user.signingkey 367811D53E34168C + git config --global commit.gpgsign true + git config --global user.name OSBotify + git config --global user.email infra+osbotify@expensify.com + + # v6.0.0 + - name: Setup Node.js + uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 + with: + node-version-file: '.nvmrc' + registry-url: 'https://registry.npmjs.org' + + - name: Install yarn packages + run: yarn install --immutable + + - name: Update npm version + run: yarn version patch + + - name: Set new version in GitHub ENV + run: echo "NEW_VERSION=$(jq '.version' package.json)" >> $GITHUB_ENV + + - name: Commit version bump + run: git commit -am "Bump version to ${{ env.NEW_VERSION }}" + + - name: Tag version bump + run: git tag ${{ env.NEW_VERSION }} + + - name: Push branch and publish tags + run: git push --set-upstream origin main && git push --tags + + - name: Build package + run: 
yarn pack + + - name: Publish to npm + run: npm publish --access public + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} diff --git a/.github/workflows/web-e2e-test.yml b/.github/workflows/web-e2e-test.yml index 13c37e9f7..7c239fd20 100644 --- a/.github/workflows/web-e2e-test.yml +++ b/.github/workflows/web-e2e-test.yml @@ -28,13 +28,15 @@ jobs: group: web-e2e-test-${{ github.ref }} cancel-in-progress: true steps: + # v5.0.0 - name: Check out Git repository - uses: actions/checkout@v4 + uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 - - name: Use Node.js 18 - uses: actions/setup-node@v4 + # v6.0.0 + - name: Setup Node.js + uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 with: - node-version: 18 + node-version-file: '.nvmrc' - name: Install node_modules run: yarn install --immutable From 12cbb70253432254350aa85bf31d0a06c5f66e98 Mon Sep 17 00:00:00 2001 From: rory Date: Tue, 14 Oct 2025 15:43:49 -0700 Subject: [PATCH 2/5] Fix actionlint --- .github/workflows/cla.yml | 2 +- .github/workflows/publish.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml index cf1fa7eef..324b8f311 100644 --- a/.github/workflows/cla.yml +++ b/.github/workflows/cla.yml @@ -25,7 +25,7 @@ jobs: regex: '\s*recheck\s*' - name: CLA Assistant - if: ${{ steps.recheck.outputs.match != '' || steps.sign.outputs.match != '' }} || github.event_name == 'pull_request_target' + if: ${{ steps.recheck.outputs.match != '' || steps.sign.outputs.match != '' || github.event_name == 'pull_request_target' }} # Version: 2.1.2-beta uses: cla-assistant/github-action@948230deb0d44dd38957592f08c6bd934d96d0cf env: diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 5ecb7ac6c..a1fb84fa1 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
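Review bot: The "Decrypt & Import OSBotify GPG key" step in publish.yml leaves the decrypted `OSBotify-private-key.asc` in `.github/` for the rest of the job, through `yarn install`, `yarn pack` and `npm publish`. Whether that file can end up in the packed tarball depends on the package's `files` or ignore configuration, which this patch does not show. Adding `rm -f OSBotify-private-key.asc` as the last line of that `run:` block, after `gpg --import`, removes the plaintext copy once the key is in the keyring. This hunk is otherwise a re-indent plus the two pinned actions, so the step is unchanged from the old side.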
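Review bot: The rewritten `if:` in cla.yml changes when the CLA Assistant step runs, not only how it lints. The old form left `|| github.event_name == 'pull_request_target'` as literal text outside `${{ }}`, which GitHub evaluates as a non-empty string, so the step very likely ran on every trigger. With the whole condition inside the expression, a comment that matches neither regex now skips the step. A comment above the `if:` would make the intended gate explicit, e.g. `# Run on every pull_request_target event, or on a comment that signs the CLA or asks for a recheck`. The `sign` step id it refers to is defined above the hunk.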
@@ -55,7 +55,7 @@ jobs: run: yarn version patch - name: Set new version in GitHub ENV - run: echo "NEW_VERSION=$(jq '.version' package.json)" >> $GITHUB_ENV + run: echo "NEW_VERSION=$(jq '.version' package.json)" >> "$GITHUB_ENV" - name: Commit version bump run: git commit -am "Bump version to ${{ env.NEW_VERSION }}" From e5e852855a127ce1394a946dc21d5d2b59aeae49 Mon Sep 17 00:00:00 2001 From: rory Date: Tue, 14 Oct 2025 15:58:10 -0700 Subject: [PATCH 3/5] Two spaces instead of four in lint.yml --- .github/workflows/lint.yml | 56 +++++++++++++++++++------------------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 32958fdb6..d10bfa9bb 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
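Review bot: `jq '.version'` without `-r` stores the version with its JSON double quotes in `NEW_VERSION`, and the next step pastes that value into the script text through `${{ env.NEW_VERSION }}` before the shell parses it. The commit message only comes out right because those embedded quotes close and reopen the surrounding string, and any unexpected content in the version field would be parsed as shell in the workflow that pushes to `main` and publishes to npm. I would write the raw value and read it as a shell variable: `run: echo "NEW_VERSION=$(jq -r '.version' package.json)" >> "$GITHUB_ENV"` and `run: git commit -am "Bump version to $NEW_VERSION"`. The tag step below the hunk uses the same expression and would become `git tag "$NEW_VERSION"`.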
@@ -5,35 +5,35 @@ on: types: [opened, synchronize] jobs: - lint: - runs-on: ubuntu-latest - steps: - # v5.0.0 - - name: Check out Git repository - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 + lint: + runs-on: ubuntu-latest + steps: + # v5.0.0 + - name: Check out Git repository + uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 - # v4.3.0 - - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 - with: - path: ~/.yarn - key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }} - restore-keys: | - ${{ runner.os }}-yarn- + # v4.3.0 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 + with: + path: ~/.yarn + key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }} + restore-keys: | + ${{ runner.os }}-yarn- - # v6.0.0 - - name: Setup Node.js - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 - with: - node-version-file: '.nvmrc' + # v6.0.0 + - name: Setup Node.js + uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 + with: + node-version-file: '.nvmrc' - - name: Install node_modules - run: npm ci + - name: Install node_modules + run: npm ci - - name: Verify there's no Prettier diff - run: | - npm run lint -- --fix --quiet - if ! git diff --name-only --exit-code; then - # shellcheck disable=SC2016 - echo 'Error: Prettier diff detected! Please run `npm run lint -- --fix` and commit the changes.' - exit 1 - fi + - name: Verify there's no Prettier diff + run: | + npm run lint -- --fix --quiet + if ! git diff --name-only --exit-code; then + # shellcheck disable=SC2016 + echo 'Error: Prettier diff detected! Please run `npm run lint -- --fix` and commit the changes.' + exit 1 + fi From 57ca071959f66829a25ca3a37ed2a10db244498a Mon Sep 17 00:00:00 2001 From: rory Date: Wed, 15 Oct 2025 22:07:44 -0700 Subject: [PATCH 4/5] Remove accidental npm -> yarn change --- .github/workflows/lint.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index d10bfa9bb..182f8d6a2 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -15,10 +15,10 @@ jobs: # v4.3.0 - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 with: - path: ~/.yarn - key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }} + path: ~/.npm + key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }} restore-keys: | - ${{ runner.os }}-yarn- + ${{ runner.os }}-npm- # v6.0.0 - name: Setup Node.js From cf0c51661de1e299347714a91cc63a3431e61c3c Mon Sep 17 00:00:00 2001 From: Rory Abraham <47436092+roryabraham@users.noreply.github.com> Date: Thu, 16 Oct 2025 12:26:43 -0700 Subject: [PATCH 5/5] Update .github/workflows/lint.yml Co-authored-by: Tomasz Zawadzki --- .github/workflows/lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 182f8d6a2..c6b452ef5 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -18,7 +18,7 @@ jobs: path: ~/.npm key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }} restore-keys: | - ${{ runner.os }}-npm- + ${{ runner.os }}-npm- # v6.0.0 - name: Setup Node.js