expo · dependabot · May 12, 2026
diff --git a/.github/actions/setup-mise/action.yml b/.github/actions/setup-mise/action.yml
@@ -4,7 +4,7 @@ description: Install tools via mise
 runs:
   using: "composite"
   steps:
-    - uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3.5.1
+    - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
       with:
         install: true
         cache: true

diff --git a/.github/internal-actions/notify-slack-on-fail-or-recover/action.yml b/.github/internal-actions/notify-slack-on-fail-or-recover/action.yml
@@ -12,7 +12,7 @@ runs:
   using: 'composite'
   steps:
     - name: Get previous workflow run status
-      uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
+      uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
       id: run-status
       with:
         script: |

diff --git a/.github/internal-actions/setup-gcloud/action.yml b/.github/internal-actions/setup-gcloud/action.yml
@@ -4,13 +4,13 @@ runs:
   using: "composite"
   steps:
     - name: Auth gcloud
-      uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2
+      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
       with:
         workload_identity_provider: 'projects/321830142373/locations/global/workloadIdentityPools/github/providers/expo'
         project_id: exponentjs
 
     - name: Setup gcloud
-      uses: google-github-actions/setup-gcloud@e427ad8a34f8676edf47cf7d7925499adf3eb74f # v2
+      uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
       with:
         version: 548.0.0
         project_id: exponentjs
diff --git a/.github/workflows/build-and-deploy-worker.yml b/.github/workflows/build-and-deploy-worker.yml
@@ -23,7 +23,7 @@ jobs:
     permissions:
       id-token: write
     steps:
-      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 
       - uses: ./.github/actions/setup-mise
 

diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
@@ -18,19 +18,19 @@ jobs:
     name: Check CHANGELOG.md updated
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Check if CHANGELOG.md was updated
         id: changelog-updated
-        uses: tj-actions/changed-files@b1ba699b304f2083b602164e06a89b868c84f076
+        uses: tj-actions/changed-files@7dc4d75b6aa91041857e522f1426c3d1ac5d13b6
         with:
           files: CHANGELOG.md
       - name: Fail if CHANGELOG.md was not updated and the "no changelog" label is absent
         if: steps.changelog-updated.outputs.any_changed == 'false' && !contains(github.event.pull_request.labels.*.name, 'no changelog')
-        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
           script: |
             core.setFailed('Please add a changelog entry!')
-      - uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2.8.2
+      - uses: mshick/add-pr-comment@8e4927817251f1ff60c001f04568532b38e0b4a0 # v3.11.0
         if: always()
         with:
           message-id: changelog-entry-check

diff --git a/.github/workflows/codemention.yml b/.github/workflows/codemention.yml
@@ -15,6 +15,6 @@ jobs:
       # Pinned to a commit SHA (not the v1.4.0 tag) because this runs under
       # pull_request_target with a write-scoped token — a re-pointed tag from
       # a compromised upstream account would give the attacker repo write access.
-      - uses: tobyhs/codemention@bb6bfb2c3ff1e6fee7ee37006bbee6d114057225 # v1.4.0
+      - uses: tobyhs/codemention@14c10ab8528ed556c3b92f205e7b5aa03e7b187c # v1.5.2
         with:
           githubToken: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/issue-triage.yml b/.github/workflows/issue-triage.yml
@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-20.04
     if: "${{ contains(github.event.label.name, 'incomplete issue: missing or invalid repro') }}"
     steps:
-      - uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3
+      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
           github-token: ${{ secrets.EXPO_BOT_GITHUB_TOKEN }}
           script: |
@@ -52,7 +52,7 @@ jobs:
     runs-on: ubuntu-20.04
     if: "${{ contains(github.event.label.name, 'incomplete issue: missing info') }}"
     steps:
-      - uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3
+      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
           github-token: ${{ secrets.EXPO_BOT_GITHUB_TOKEN }}
           script: |
@@ -81,7 +81,7 @@ jobs:
     runs-on: ubuntu-20.04
     if: github.event.label.name == 'issue accepted'
     steps:
-      - uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3
+      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
           github-token: ${{ secrets.EXPO_BOT_GITHUB_TOKEN }}
           script: |
@@ -98,7 +98,7 @@ jobs:
     runs-on: ubuntu-20.04
     if: "${{ contains(github.event.label.name, 'invalid issue: question') }}"
     steps:
-      - uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3
+      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
           github-token: ${{ secrets.EXPO_BOT_GITHUB_TOKEN }}
           script: |
@@ -126,7 +126,7 @@ jobs:
     runs-on: ubuntu-20.04
     if: "${{ contains(github.event.label.name, 'invalid issue: feature request') }}"
     steps:
-      - uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3
+      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
           github-token: ${{ secrets.EXPO_BOT_GITHUB_TOKEN }}
           script: |

diff --git a/.github/workflows/move-eas-build-tag.yml b/.github/workflows/move-eas-build-tag.yml
@@ -29,7 +29,7 @@ jobs:
       INPUT_DRY_RUN: ${{ github.event.inputs.dry_run }}
       INPUT_STAGING_ONLY: ${{ github.event.inputs.staging_only }}
     steps:
-      - uses: actions/setup-node@7c12f8017d5436eb855f1ed4399f037a36fbd9e8 # v2
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           registry-url: "https://registry.npmjs.org/"
           scope: "expo"

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -29,7 +29,7 @@ jobs:
     permissions:
       id-token: write
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: ./.github/actions/setup-mise
       - name: Install dependencies
         run: yarn install --immutable
@@ -58,7 +58,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           token: ${{ secrets.EXPO_BOT_PAT }}
       - uses: ./.github/actions/setup-mise

diff --git a/.github/workflows/stale-issues.yml b/.github/workflows/stale-issues.yml
@@ -8,7 +8,7 @@ jobs:
   close-issues:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@a20b814fb01b71def3bd6f56e7494d667ddf28da # v4
+      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
         with:
           ascending: false
           operations-per-run: 300

diff --git a/.github/workflows/test-graphql.yml b/.github/workflows/test-graphql.yml
@@ -17,7 +17,7 @@ jobs:
     name: Ensure GraphQL schema and generated code is up-to-date
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Setup tools
         uses: ./.github/actions/setup-mise
       - run: yarn install --immutable

diff --git a/.github/workflows/test-scripts.yml b/.github/workflows/test-scripts.yml
@@ -21,7 +21,7 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Setup tools
         uses: ./.github/actions/setup-mise
       - run: yarn install --immutable

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -21,7 +21,7 @@ jobs:
             coverage: true
     name: Test with Node ${{ matrix.node }}
     steps:
-      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Setup tools
         uses: ./.github/actions/setup-mise
         env:
@@ -66,7 +66,7 @@ jobs:
         working-directory: ./scripts
         env:
           YARN_ENABLE_HARDENED_MODE: ${{ matrix.coverage == true && '1' || '0' }}
-      - uses: codecov/codecov-action@29386c70ef20e286228c72b668a06fd0e8399192 # v1
+      - uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
         if: ${{ matrix.coverage }}
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -79,7 +79,7 @@ jobs:
     name: Notify Slack
     if: ${{ github.ref == 'refs/heads/main' && always() }}
     steps:
-      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Notify Slack
         uses: ./.github/internal-actions/notify-slack-on-fail-or-recover
         with:

diff --git a/.github/workflows/trigger-release.yml b/.github/workflows/trigger-release.yml
@@ -22,7 +22,7 @@ jobs:
       INPUT_VERSION: ${{ github.event.inputs.version }}
       INPUT_DRY_RUN: ${{ github.event.inputs.dry_run }}
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: main
           fetch-depth: 0

diff --git a/.github/workflows/worker-system-tests.yml b/.github/workflows/worker-system-tests.yml
@@ -11,7 +11,7 @@ jobs:
       EXPO_TOKEN: ${{ secrets.STAGING_EXPO_DEV_EXPO_SERVICES_GITHUB_ROBOT_ACCESS_TOKEN }}
       EXPO_STAGING: "1"
     steps:
-      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 
       - uses: ./.github/actions/setup-mise
 

diff --git a/.github/workflows/worker.yml b/.github/workflows/worker.yml
@@ -24,7 +24,7 @@ jobs:
   worker-checks:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 
       - uses: ./.github/actions/setup-mise
 
@@ -71,7 +71,7 @@ jobs:
       - deploy-worker-production
     if: github.ref == 'refs/heads/main' && always() && !cancelled()
     steps:
-      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 
       - name: Notify Slack
         uses: ./.github/internal-actions/notify-slack-on-fail-or-recover