diff --git a/.github/actions/pr-title-check/action.yaml b/.github/actions/pr-title-check/action.yaml
index 5b243e7..2dfa374 100644
--- a/.github/actions/pr-title-check/action.yaml
+++ b/.github/actions/pr-title-check/action.yaml
@@ -4,12 +4,12 @@ runs:
 using: composite
 steps:
 - name: Check PR title
- uses: Slashgear/action-check-pr-title@v4
+ uses: Slashgear/action-check-pr-title@860e8dc639f8e60335a6f5e8936ba67ed2536890 # v4
 with:
 regexp: '^(\[(develop|development|staging)\]\s)?(build|chore|ci|docs|feat|feature|fix|perf|refactor|revert|style|test|release|ignore)(\([\w\- ]+\))?!?: (.+)'
 helpMessage: "Example: 'feat(app-ui): Add new dashboard component (WEB-123)'"
 - name: Check for Jira link in PR description
- uses: actions/github-script@v9
+ uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
 with:
 script: |
 const prBody = context.payload.pull_request.body || '';
diff --git a/.github/workflows/allow-deploys.yml b/.github/workflows/allow-deploys.yml
index c2dc9ab..7a313aa 100644
--- a/.github/workflows/allow-deploys.yml
+++ b/.github/workflows/allow-deploys.yml
@@ -23,7 +23,7 @@ jobs:
 runs-on: linux-arm64
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 # Enable CD on merge to main
 - name: Enable ${{ inputs.workflow }} workflow
diff --git a/.github/workflows/block-deploys.yml b/.github/workflows/block-deploys.yml
index d0abd31..316e839 100644
--- a/.github/workflows/block-deploys.yml
+++ b/.github/workflows/block-deploys.yml
@@ -23,7 +23,7 @@ jobs:
 runs-on: linux-arm64
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 # Disable CD on merge to main
 - name: Disable ${{ inputs.workflow }} workflow
diff --git a/.github/workflows/code-coverage-kotlin.yml b/.github/workflows/code-coverage-kotlin.yml
index 98fadb1..c768dba 100644
--- a/.github/workflows/code-coverage-kotlin.yml
+++ b/.github/workflows/code-coverage-kotlin.yml
@@ -97,7 +97,7 @@ jobs:
 timeout-minutes: ${{ inputs.test-timeout-minutes }}
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Validate service-name format
 run: |
 if ! echo "${{ inputs.service-name }}" | grep -qE '^[a-z0-9]+(-[a-z0-9]+)*$'; then
@@ -107,7 +107,7 @@ jobs:
 fi
 echo "✓ service-name '${{ inputs.service-name }}' is valid"
 - name: Set up JDK
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 java-version: ${{ inputs.java-version }}
 distribution: "corretto"
@@ -123,7 +123,7 @@ jobs:
 gradle-tasks: "test koverXmlReport"
 gradle-args: ${{ inputs.gradle-args }}
 - name: Upload coverage report
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: coverage-report-${{ inputs.service-name }}
 path: ${{ inputs.kover-report-path }}
@@ -135,13 +135,13 @@ jobs:
 runs-on: linux-arm64
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Check if can access Dev Lens
 run: |
 curl --retry 3 --retry-delay 5 --retry-all-errors -f -s -o /dev/null --max-time 30 https://dev-lens.staging.monta.app/health
 - name: Download coverage report
 id: download-coverage
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
 with:
 name: coverage-report-${{ inputs.service-name }}
 - name: Set coverage report path
diff --git a/.github/workflows/component-build.yml b/.github/workflows/component-build.yml
index 00eb7b3..2e17e84 100644
--- a/.github/workflows/component-build.yml
+++ b/.github/workflows/component-build.yml
@@ -99,7 +99,7 @@ jobs:
 runner-arm64: ${{ steps.runner-arm64.outputs.runner-name }}
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 ref: ${{ inputs.git-sha || github.sha }}
 - name: Get x64 runner name
@@ -140,21 +140,21 @@ jobs:
 runner: ${{ needs.setup.outputs.runner-arm64 }}
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 ref: ${{ inputs.git-sha || github.sha }}
 - name: Configure AWS credentials via assumed role
- uses: aws-actions/configure-aws-credentials@v6
+ uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6
 with:
 role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ecr-put-image
 role-session-name: push-new-image-to-${{ inputs.service-identifier }}-${{inputs.stage}}
 aws-region: ${{ inputs.region }}
 - name: Login to Amazon ECR
 id: login-ecr
- uses: aws-actions/amazon-ecr-login@v2
+ uses: aws-actions/amazon-ecr-login@19d944daaa35f0fa1d3f7f8af1d3f2e5de25c5b7 # v2
 - name: Docker meta
 id: meta
- uses: docker/metadata-action@v6
+ uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
 with:
 images: ${{ steps.login-ecr.outputs.registry }}/${{ inputs.ecr-repository-name || format('{0}-{1}', inputs.service-identifier, inputs.stage) }}
 tags: |
@@ -162,7 +162,7 @@ jobs:
 type=raw,value=latest,suffix=-${{ matrix.arch }}
 - name: Build and push
 id: build
- uses: docker/build-push-action@v7
+ uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
 env:
 BUILDX_NO_DEFAULT_ATTESTATIONS: 1
 with:
@@ -201,14 +201,14 @@ jobs:
 image-tag: ${{ inputs.git-sha || github.sha }}
 steps:
 - name: Configure AWS credentials via assumed role
- uses: aws-actions/configure-aws-credentials@v6
+ uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6
 with:
 role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ecr-put-image
 role-session-name: create-manifest-${{ inputs.service-identifier }}-${{inputs.stage}}
 aws-region: ${{ inputs.region }}
 - name: Login to Amazon ECR
 id: login-ecr
- uses: aws-actions/amazon-ecr-login@v2
+ uses: aws-actions/amazon-ecr-login@19d944daaa35f0fa1d3f7f8af1d3f2e5de25c5b7 # v2
 - name: Create and push manifest
 run: |
 # Enable experimental features
diff --git a/.github/workflows/component-deploy-v2.yml b/.github/workflows/component-deploy-v2.yml
index 1f529ce..ea151ac 100644
--- a/.github/workflows/component-deploy-v2.yml
+++ b/.github/workflows/component-deploy-v2.yml
@@ -108,7 +108,7 @@ jobs:
 slack-channel-id: "C01KL9FUPNK"
 slack-message-id: ${{ inputs.slack-message-id }}
 - name: Check out service repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 repository: monta-app/${{ inputs.repository-name || format('service-{0}', inputs.service-identifier) }}
 path: 'service-repo'
diff --git a/.github/workflows/component-deploy.yml b/.github/workflows/component-deploy.yml
index 79d85af..61238a9 100644
--- a/.github/workflows/component-deploy.yml
+++ b/.github/workflows/component-deploy.yml
@@ -101,7 +101,7 @@ jobs:
 slack-channel-id: "C01KL9FUPNK"
 slack-message-id: ${{ inputs.slack-message-id }}
 - name: Check out manifest repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 repository: monta-app/kube-manifests
 path: 'manifests'
diff --git a/.github/workflows/component-service-profile-kotlin.yml b/.github/workflows/component-service-profile-kotlin.yml
index 4f414bc..8e13ce6 100644
--- a/.github/workflows/component-service-profile-kotlin.yml
+++ b/.github/workflows/component-service-profile-kotlin.yml
@@ -41,9 +41,9 @@ jobs:
 runs-on: linux-arm64
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Set up JDK
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 distribution: "corretto"
 java-version: ${{ inputs.java-version }}
@@ -109,7 +109,7 @@ jobs:
 {"condition": {"method": "OPTIONS"}, "name": "OPTIONS [Default]"}
 ]' > service-profile.yml
 - name: Check out manifest repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 path: 'manifests'
 repository: monta-app/kube-manifests
@@ -154,7 +154,7 @@ jobs:
 fi
 - name: Push changes
 if: always() && steps.commit-changes.outputs.has_changes == 'true'
- uses: ad-m/github-push-action@master
+ uses: ad-m/github-push-action@d30dc2d070765d7e509df00c34c5fa2dd636ff74 # master
 with:
 directory: './manifests'
 github_token: ${{ secrets.MANIFEST_REPO_PAT }}
diff --git a/.github/workflows/component-test-kotlin.yml b/.github/workflows/component-test-kotlin.yml
index 582702b..3402fc2 100644
--- a/.github/workflows/component-test-kotlin.yml
+++ b/.github/workflows/component-test-kotlin.yml
@@ -72,9 +72,9 @@ jobs:
 timeout-minutes: 30
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Set up JDK
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 distribution: "corretto"
 java-version: ${{ inputs.java-version }}
@@ -91,7 +91,7 @@ jobs:
 gradle-args: ${{ inputs.gradle-args }}
 - name: Upload test results
 if: always()
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: test-result-${{ inputs.gradle-module || 'root' }}
 path: |
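Review bot: The pin annotation `# master` on the ad-m/github-push-action line in the `Push changes` step records a branch name, not a version, so it tells a reader nothing about what d30dc2d0… corresponds to, and update tooling that tracks pinned SHAs through a trailing `# vN` comment will not recognise it. This is the one step in the hunk that receives a PAT (`secrets.MANIFEST_REPO_PAT`) and pushes to another repository, so a future bump of this SHA is exactly the change that deserves a deliberate comparison against an upstream release. Replace the annotation with the release tag that commit belongs to, `# <release-tag>`, or if the action has no tagged release covering it, a dated note such as `# master as of <YYYY-MM-DD>` so the provenance of the pin is recorded. The same `# master` annotation appears on the `Push` step in rollback.yml. The step's `with:` block may continue outside the hunk.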
diff --git a/.github/workflows/component-test-python.yml b/.github/workflows/component-test-python.yml
index fdc01a5..d030eb7 100644
--- a/.github/workflows/component-test-python.yml
+++ b/.github/workflows/component-test-python.yml
@@ -74,7 +74,7 @@ jobs:
 timeout-minutes: 30
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Setup Docker Compose
 if: ${{ inputs.docker-compose-path }}
 uses: monta-app/github-workflows/.github/actions/docker-compose-setup@main
@@ -85,11 +85,11 @@ jobs:
 echo "${{ secrets.TEST_ENV_FILE }}" > .env
 echo "Created .env file with $(wc -l < .env) lines"
 - name: Set up Python ${{ inputs.python-version }}
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: ${{ inputs.python-version }}
 - name: Install uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
 with:
 enable-cache: true
 cache-dependency-glob: |
@@ -110,7 +110,7 @@ jobs:
 ${{ inputs.pytest-args }}
 - name: Upload test results
 if: always()
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: test-results-python-${{ inputs.python-version }}
 path: |
diff --git a/.github/workflows/create-release-tag.yml b/.github/workflows/create-release-tag.yml
index bf3c5aa..21e6497 100644
--- a/.github/workflows/create-release-tag.yml
+++ b/.github/workflows/create-release-tag.yml
@@ -17,7 +17,7 @@ jobs:
 contents: write
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/publish-tech-docs.yml b/.github/workflows/publish-tech-docs.yml
index bf5a5b7..e3be864 100644
--- a/.github/workflows/publish-tech-docs.yml
+++ b/.github/workflows/publish-tech-docs.yml
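Review bot: The `Setup Docker Compose` step in the first hunk of component-test-python.yml still references `monta-app/github-workflows/.github/actions/docker-compose-setup@main`, the only `uses:` in the file section left on a moving branch after every other action is pinned to a commit. This diff also touches `.github/actions/pr-title-check/action.yaml`, which suggests the reference points back into this same repository; if so, leaving it on `@main` may be deliberate, since a reusable workflow cannot address its own repository's composite actions by relative path once the caller's repository has been checked out. In that case a one-line comment above the `uses:` line, such as `# same-repo composite action; intentionally tracks main rather than a pinned commit`, would keep the next pinning pass from treating it as an oversight. If it is not a self-reference, it should be pinned to a commit like the others.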
@@ -26,10 +26,10 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- - uses: actions/setup-node@v6
- - uses: actions/setup-python@v6
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: '3.14'
diff --git a/.github/workflows/pull-request-bun.yml b/.github/workflows/pull-request-bun.yml
index 46c7e5e..8515ab0 100644
--- a/.github/workflows/pull-request-bun.yml
+++ b/.github/workflows/pull-request-bun.yml
@@ -69,7 +69,7 @@ jobs:
 timeout-minutes: ${{ inputs.build-timeout-minutes }}
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 fetch-depth: 0
@@ -79,7 +79,7 @@ jobs:
 with:
 docker-compose-path: ${{ inputs.docker-compose-path }}
 - name: Setup Bun
- uses: oven-sh/setup-bun@v2
+ uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
 with:
 bun-version: "latest"
 - name: Install dependencies
@@ -103,7 +103,7 @@ jobs:
 run: |
 sudo apt-get install -y lcov
 - name: Report code coverage
- uses: zgosalvez/github-actions-report-lcov@v7
+ uses: zgosalvez/github-actions-report-lcov@7d72c57ce4bc101a4a0bf9d726b6c435abde8439 # v7
 with:
 coverage-files: coverage/*lcov.info*
 minimum-coverage: 0
diff --git a/.github/workflows/pull-request-kotlin.yml b/.github/workflows/pull-request-kotlin.yml
index ce19f1d..14bbf5a 100644
--- a/.github/workflows/pull-request-kotlin.yml
+++ b/.github/workflows/pull-request-kotlin.yml
@@ -74,19 +74,19 @@ jobs:
 steps:
 # Checkout
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 # to check out the actual pull request commit, not the merge commit
 ref: ${{ github.event.pull_request.head.sha }}
 fetch-depth: 0
 - name: Set up JDK
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 distribution: corretto
 java-version: ${{ inputs.java-version }}
 cache: 'gradle'
 - name: Cache SonarCloud packages
- uses: actions/cache@v5
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
 if: ${{ !inputs.skip-sonar }}
 with:
 path: ~/.sonar/cache
@@ -114,7 +114,7 @@ jobs:
 gradle-args: ${{ inputs.gradle-args }}
 - name: Upload test results
 if: always()
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: ${{ inputs.gradle-module || 'test-result' }}
 path: |
@@ -135,7 +135,7 @@ jobs:
 gradle-tasks: 'sonar'
 gradle-args: ${{ inputs.gradle-args }}
 - name: Add code coverage to PR
- uses: mi-kas/kover-report@v2
+ uses: mi-kas/kover-report@e44de7f5f7a878ba9d0070c86aa5c470efd5e2d1 # v2
 with:
 title: Code Coverage ${{ inputs.gradle-module }}
 path: ${{ inputs.kover-report-path }}
@@ -145,7 +145,7 @@ jobs:
 update-comment: true
 coverage-counter-type: LINE
 - name: Publish test results
- uses: EnricoMi/publish-unit-test-result-action@v2
+ uses: EnricoMi/publish-unit-test-result-action@c950f6fb443cb5af20a377fd0dfaa78838901040 # v2
 if: always()
 with:
 files: |
diff --git a/.github/workflows/pull-request-react.yml b/.github/workflows/pull-request-react.yml
index 70c098c..bfba3d8 100644
--- a/.github/workflows/pull-request-react.yml
+++ b/.github/workflows/pull-request-react.yml
@@ -75,17 +75,17 @@ jobs:
 timeout-minutes: ${{ inputs.build-timeout-minutes }}
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 fetch-depth: 0
 - name: Setup pnpm
- uses: pnpm/action-setup@v6
+ uses: pnpm/action-setup@903f9c1a6ebcba6cf41d87230be49611ac97822e # v6
 with:
 version: ${{ inputs.pnpm-version || null }}
 run_install: false
 - name: Setup Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: ${{ inputs.node-version }}
 cache: pnpm
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index e51f189..60f3084 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -16,10 +16,10 @@ jobs:
 runs-on: linux-arm64
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Run actionlint
- uses: reviewdog/action-actionlint@v1
+ uses: reviewdog/action-actionlint@6fb7acc99f4a1008869fa8a0f09cfca740837d9d # v1
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 reporter: github-pr-review
diff --git a/.github/workflows/rollback.yml b/.github/workflows/rollback.yml
index 873eaf6..7998684 100644
--- a/.github/workflows/rollback.yml
+++ b/.github/workflows/rollback.yml
@@ -53,9 +53,9 @@ jobs:
 if: ${{ !inputs.dry-run }}
 runs-on: linux-arm64
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Slack Notification
- uses: rtCamp/action-slack-notify@v2
+ uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2
 env:
 MSG_MINIMAL: true #'ref,commit'
 SLACK_CHANNEL: ${{ inputs.slack-channel }}
@@ -82,7 +82,7 @@ jobs:
 runs-on: linux-arm64
 steps:
 - name: Checkout branch
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 2
@@ -96,7 +96,7 @@ jobs:
 echo "rollback_commit_sha=$ROLLBACK_COMMIT_SHA" >> "$GITHUB_OUTPUT"
 - name: Check out kube-manifests
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 repository: monta-app/kube-manifests
 path: 'kube-manifests'
@@ -130,7 +130,7 @@ jobs:
 - name: Push
 if: ${{ !inputs.dry-run }}
- uses: ad-m/github-push-action@master
+ uses: ad-m/github-push-action@d30dc2d070765d7e509df00c34c5fa2dd636ff74 # master
 with:
 github_token: ${{ secrets.ADMIN_PAT }}
 directory: './kube-manifests'
diff --git a/.github/workflows/semgrep-security-scan.yml b/.github/workflows/semgrep-security-scan.yml
index f722040..7d12389 100644
--- a/.github/workflows/semgrep-security-scan.yml
+++ b/.github/workflows/semgrep-security-scan.yml
@@ -28,12 +28,12 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: '3.14'
@@ -160,7 +160,7 @@ jobs:
 # github.event_name will not be 'pull_request' and this step will be skipped.
 - name: Post PR Comment
 if: steps.evaluate.outputs.total > 0 && github.event_name == 'pull_request' && always()
- uses: actions/github-script@v9
+ uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
 with:
 script: |
 const fs = require('fs');
diff --git a/.github/workflows/sonar-cloud.yml b/.github/workflows/sonar-cloud.yml
index 08be242..51eece8 100644
--- a/.github/workflows/sonar-cloud.yml
+++ b/.github/workflows/sonar-cloud.yml
@@ -54,18 +54,18 @@ jobs:
 runs-on: ${{ needs.setup.outputs.runner-name }}
 timeout-minutes: 30
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 # Shallow clones should be disabled for a better relevancy of analysis
 fetch-depth: 0
 - name: Set up JDK
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 distribution: corretto
 java-version: ${{ inputs.java-version }}
 cache: 'gradle'
 - name: Cache SonarCloud packages
- uses: actions/cache@v5
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
 with:
 path: ~/.sonar/cache
 key: ${{ runner.os }}-sonar
@@ -82,7 +82,7 @@ jobs:
 gradle-args: ${{ inputs.gradle-args }}
 - name: Upload build reports
 if: always()
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: build-reports-${{ inputs.gradle-module || 'root' }}
 path: |
diff --git a/.github/workflows/track-pending-release.yml b/.github/workflows/track-pending-release.yml
index 5e702c6..ad48da5 100644
--- a/.github/workflows/track-pending-release.yml
+++ b/.github/workflows/track-pending-release.yml
@@ -21,7 +21,7 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0 # Need full history for comparison