chore: github action version bumps (#3299)

* chore: update actions/cache/restore to v4.0.2

* chore: update actions/cache/save to v4.0.2

* chore: update actions/checkout to v4.1.5

* chore: update actions/create-release to v1.1.4

* chore: update actions/setup-node to v4.0.2

* chore: update aws-actions/amazon-ecr-login to v2.0.1

* chore: update aws-actions/configure-aws-credentials to v4.0.2

* chore: update azure/k8s-set-context to v4.0.0

* chore: update docker/build-push-action to v5.3.0

* chore: update jakejarvis/wait-action to v0.1.1

* chore: update jwalton/gh-find-current-pr to v1.3.3

* chore: update signed-commits to changesets-signed-commits@1.2.3

* chore: update webiny/action-post-run to 3.1.0

* fix: use softprops/action-gh-release instead of actions/create-release

* chore: remove todos, formatting

* fix: gh-hosted runners for check-changesets

* empty changeset

.changeset/lemon-phones-build.md

@@ -0,0 +1,2 @@
+---
+---

.github/actions/publish-image/action.yml

@@ -36,11 +36,12 @@ runs:
   using: 'composite'
   steps:
     - name: Configure AWS Credentials for SDLC Private ECR
-      uses: aws-actions/configure-aws-credentials@v2
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
       with:
         role-to-assume: ${{ inputs.aws-role }}
         aws-region: ${{ inputs.aws-region }}
         role-duration-seconds: 1200
+        mask-aws-account-id: true
     - name: Authenticate to ECR
       shell: bash
       run: |

.github/actions/setup/action.yml

@@ -36,7 +36,7 @@ runs:
         git config user.name "github-actions[bot]"
         git config user.email "github-actions[bot]@users.noreply.github.com"
     # First, we want to install yarn since our base image doesn't have it installed
-    - uses: actions/setup-node@v3
+    - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
       with:
         # This doesn't use cache: 'yarn' as the base image doesn't have it, and we're caching node_modules
         node-version: 22
@@ -50,7 +50,7 @@ runs:
     - name: Restore yarn cache
       id: restore-yarn-cache
       if: inputs.skip-cache != 'true'
-      uses: actions/cache/restore@v3
+      uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
       with:
         # Restrict it to the run and attempt for debugging purposes, but in theory
         # these should be fine to persist between runs as well
@@ -70,7 +70,7 @@ runs:
       shell: bash
     - name: Cache yarn cache
       if: steps.restore-yarn-cache.outputs.cache-hit != 'true' && inputs.skip-cache != 'true'
-      uses: actions/cache/save@v3
+      uses: actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
       with:
         key: yarn_cache-${{ hashFiles('./yarn.lock') }}-${{ github.run_id }}-${{ github.run_attempt }}
         path: |
@@ -80,7 +80,7 @@ runs:
     # Build TS files unless it's been specified otherwise
     - name: Restore TS built files if present
       id: restore-ts-build
-      uses: actions/cache/restore@v3
+      uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
       if: |
         inputs.skip-setup != 'true'
         && inputs.skip-cache != 'true'
@@ -157,7 +157,7 @@ runs:
       if: |
         inputs.skip-setup != 'true'
         && inputs.skip-cache != 'true'
-      uses: actions/cache/save@v3
+      uses: actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
       with:
         key: tsbuild-${{ github.sha }}-${{ github.run_id }}
         path: |

.github/workflows/checks.yml

@@ -21,10 +21,10 @@ jobs:
   # Check that the changes introduced in this PR include changesets for packages that would need them
   check-changesets:
     name: Adapter changes accompanied by a changeset
-    runs-on: [self-hosted, sdlc-ghr-prod]
+    runs-on: ['ubuntu-latest']
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
         with:
           fetch-depth: 2
       - name: Check whether adapter change also has a changeset
@@ -34,13 +34,13 @@ jobs:
   # Set up yarn and install dependencies, caching them to be reused across other steps in this workflow
   install-packages:
     name: Install and verify dependencies
-    runs-on: [ubuntu-latest] # TODO change back to [self-hosted, sdlc-ghr-prod] runners after they are upgraded to support Node 22 libraries
+    runs-on: [ubuntu-latest]
     outputs:
       changed-packages: ${{ steps.changed-adapters.outputs.CHANGED_PACKAGES }}
       adapter-list: ${{ steps.changed-adapters.outputs.CHANGED_ADAPTERS }}
     steps:
       - name: Check out code
-        uses: actions/checkout@v3
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
         with:
           fetch-depth: 0
       - name: Set up and install dependencies
@@ -56,14 +56,14 @@ jobs:
   # Run unit tests
   unit-tests:
     name: Run unit tests for changed adapters
-    runs-on: [ubuntu-latest] # TODO change back to [self-hosted, sdlc-ghr-prod] runners after they are upgraded to support Node 22 libraries
+    runs-on: [ubuntu-latest]
     if: needs.install-packages.outputs.changed-packages != '[]'
     needs:
       - check-changesets
       - install-packages
     steps:
       - name: Check out code
-        uses: actions/checkout@v3
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
       - name: Set up and install dependencies
         uses: ./.github/actions/setup
       - name: Run unit tests
@@ -74,14 +74,14 @@ jobs:
   # Run integration tests
   integration-tests:
     name: Run integration tests for changed adapters
-    runs-on: [ubuntu-latest] # TODO change back to [self-hosted, sdlc-ghr-prod] runners after they are upgraded to support Node 22 libraries
+    runs-on: [ubuntu-latest]
     if: needs.install-packages.outputs.changed-packages != '[]'
     needs:
       - check-changesets
       - install-packages
     steps:
       - name: Check out code
-        uses: actions/checkout@v3
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
       - name: Set up and install dependencies
         uses: ./.github/actions/setup
       - name: Run integration tests
@@ -92,13 +92,13 @@ jobs:
   # Run linters
   linters:
     name: Run linters and formatters
-    runs-on: [ubuntu-latest] # TODO change back to [self-hosted, sdlc-ghr-prod] runners after they are upgraded to support Node 22 libraries
+    runs-on: [ubuntu-latest]
     needs:
       - check-changesets
       - install-packages
     steps:
       - name: Check out code
-        uses: actions/checkout@v3
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
       - name: Set up and install dependencies
         uses: ./.github/actions/setup
       - name: Lint all files
@@ -109,7 +109,7 @@ jobs:
   # Run documentation tests (check that the doc generation succeeds to avoid problems downstream)
   run-documentation-check:
     name: Documentation generation test
-    runs-on: [ubuntu-latest] # TODO change back to [self-hosted, sdlc-ghr-prod] runners after they are upgraded to support Node 22 libraries
+    runs-on: [ubuntu-latest]
     if: needs.install-packages.outputs.changed-packages != '[]'
     needs:
       - check-changesets
@@ -118,7 +118,7 @@ jobs:
       METRICS_ENABLED: false
     steps:
       - name: Check out code
-        uses: actions/checkout@v3
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
         with:
           fetch-depth: 0
       - name: Set up and install dependencies
@@ -131,14 +131,14 @@ jobs:
   # Run a script to check that modified v3 adapters have the latest framework version
   ea-framework-version-check:
     name: Check that changed adapters have the latest EA framework version
-    runs-on: [ubuntu-latest] # TODO change back to [self-hosted, sdlc-ghr-prod] runners after they are upgraded to support Node 22 libraries
+    runs-on: [ubuntu-latest]
     if: needs.install-packages.outputs.changed-packages != '[]'
     needs:
       - check-changesets
       - install-packages
     steps:
       - name: Check out code
-        uses: actions/checkout@v3
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
       - name: Set up and install dependencies
         uses: ./.github/actions/setup
       - name: Check for outdated ea-framework dependencies
@@ -153,31 +153,31 @@ jobs:
           packages=$(find packages -name 'package.json')
           latest_version=$(curl -sH "Accept: application/vnd.github.v3+json" "https://api.github.com/repos/smartcontractkit/ea-framework-js/contents/package.json" | jq -r '.content' | base64 -d | jq -r '.version')
 
-           # get the list of v3 EAs
-           for file in $(echo $packages); do
+          # get the list of v3 EAs
+          for file in $(echo $packages); do
               if jq -e ".dependencies[\"$dependency\"]" "$file" >/dev/null; then
                 v3_packages+=("$(dirname $file)")
               fi
-           done
-
-           # check if changed code is part of any v3 EA
-            for changedFile in $changed_packages; do
-             for package in "${v3_packages[@]}"; do
-                if [[ "$changedFile" == "$package"* ]]; then
-                  # found change in v3 EA, comparing versions
-                  local_version=$(jq -r ".dependencies[\"$dependency\"]" "$package/package.json")
-                  if [ "$local_version" != "$latest_version" ] && ! grep -q "^$package$" <<< "${outdated_packages[@]}"; then
-                    outdated_packages+=("$package")
-                  fi
+          done
+
+          # check if changed code is part of any v3 EA
+          for changedFile in $changed_packages; do
+            for package in "${v3_packages[@]}"; do
+              if [[ "$changedFile" == "$package"* ]]; then
+                # found change in v3 EA, comparing versions
+                local_version=$(jq -r ".dependencies[\"$dependency\"]" "$package/package.json")
+                if [ "$local_version" != "$latest_version" ] && ! grep -q "^$package$" <<< "${outdated_packages[@]}"; then
+                  outdated_packages+=("$package")
                 fi
-             done
+              fi
             done
+          done
 
-            # print and error if there are outdated adapters
-            if [ ${#outdated_packages[@]} -gt 0 ]; then
-              echo "The following packages have an outdated \"$dependency\" dependency:"
-              for file in "${outdated_packages[@]}"; do
-                echo "- $file"
-              done
+          # print and error if there are outdated adapters
+          if [ ${#outdated_packages[@]} -gt 0 ]; then
+            echo "The following packages have an outdated \"$dependency\" dependency:"
+            for file in "${outdated_packages[@]}"; do
+              echo "- $file"
+            done
             exit 1
-            fi
+          fi

.github/workflows/deploy.yml

@@ -30,13 +30,13 @@ concurrency:
 jobs:
   calculate-changes:
     name: Compute changed adapters
-    runs-on: [ubuntu-latest] # TODO change back to [self-hosted, sdlc-ghr-prod] runners after they are upgraded to support Node 22 libraries
+    runs-on: [ubuntu-latest]
     outputs:
       adapter-list: ${{ steps.changed-adapters.outputs.CHANGED_ADAPTERS }}
       tmp-branch: ${{ steps.push-branch.outputs.TMP_BRANCH }}
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
         with:
           fetch-depth: 2
       - name: Set up and install dependencies
@@ -89,11 +89,11 @@ jobs:
       IMAGE_VERSION: ${{ matrix.adapter.version }}
     steps:
       - name: Check out code
-        uses: actions/checkout@v3
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
         with:
           ref: ${{ needs.calculate-changes.outputs.tmp-branch }}
       - name: Build the adapter image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
         with:
           context: .
           push: false
@@ -129,10 +129,10 @@ jobs:
     steps:
       - name: Trigger Image Dispatcher
         run: >
-          gh workflow run 
+          gh workflow run
           --repo smartcontractkit/infra-k8s
-          --ref main "Infra-k8s Image Dispatcher" 
-          -F imageRepos="$(echo $CHANGED_ADAPTERS | jq -r "\"$ECR_URL/adapters/\" + (.adapter | .[].shortName) + \"-adapter\"" | tr '\n' ' ')" 
+          --ref main "Infra-k8s Image Dispatcher"
+          -F imageRepos="$(echo $CHANGED_ADAPTERS | jq -r "\"$ECR_URL/adapters/\" + (.adapter | .[].shortName) + \"-adapter\"" | tr '\n' ' ')"
           -F gitRepo=${{ github.event.repository.name }}
         env:
           GITHUB_TOKEN: ${{ secrets.INFRA_K8s_PAT }}
@@ -146,7 +146,7 @@ jobs:
     if: always() && needs.calculate-changes.outputs.adapter-list != '[]'
     steps:
       - name: Check out code
-        uses: actions/checkout@v3
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
         with:
           ref: ${{ needs.calculate-changes.outputs.tmp-branch }}
       - name: Delete ephemeral branch

.github/workflows/release.yml

@@ -23,14 +23,14 @@ concurrency:
 jobs:
   calculate-changes:
     name: Compute changed adapters
-    runs-on: [ubuntu-latest] # TODO change back to [self-hosted, sdlc-ghr-prod] runners after they are upgraded to support Node 22 libraries
+    runs-on: [ubuntu-latest]
     env:
       BUILD_ALL: ${{ inputs.build-all }}
     outputs:
       adapter-list: ${{ steps.changed-adapters.outputs.CHANGED_ADAPTERS }}
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
         with:
           fetch-depth: 2
       - name: Set up and install dependencies
@@ -61,12 +61,13 @@ jobs:
       ECR_REPO: adapters/${{ matrix.adapter.shortName }}-adapter
     steps:
       - name: Check out code
-        uses: actions/checkout@v3
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
       - name: Configure AWS Credentials for SDLC Private ECR
-        uses: aws-actions/configure-aws-credentials@v2
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }}
           aws-region: ${{ secrets.AWS_REGION_ECR_PRIVATE }}
+          mask-aws-account-id: true
       - name: Authenticate to ECR
         run: aws ecr get-login-password --region ${{ secrets.AWS_REGION_ECR_PRIVATE }} | docker login --username AWS --password-stdin ${{ env.PRIVATE_ECR_URL }}/adapters/
       - name: Pull adapter image from private ECR and retag with public ecr details
@@ -93,7 +94,7 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
       - name: Get release version
         id: get-version
         run: |
@@ -103,8 +104,8 @@ jobs:
           # Get the PR body to use in the GH release body
           gh pr list --search "$(git rev-parse HEAD)" --state merged --json number,body --jq '"This release was merged in PR #" + (.[0].number | tostring) + "\n" + (.[0].body | split("\n\n\n# Releases") | .[1])' > pr_body.tmp
       - name: Create release
-        uses: actions/create-release@v1
+        uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87 # v2.0.5
         with:
           tag_name: v${{ steps.get-version.outputs.result }}
-          release_name: Release v${{ steps.get-version.outputs.result }}
+          name: Release v${{ steps.get-version.outputs.result }}
           body_path: pr_body.tmp

.github/workflows/soak-test-cleanup.yml

@@ -15,20 +15,21 @@ jobs:
     runs-on: ubuntu-latest
     environment: QA
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           aws-access-key-id: ${{ secrets.QA_SDLC_AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.QA_SDLC_AWS_SECRET_KEY }}
           aws-region: ${{ secrets.QA_SDLC_AWS_REGION }}
           role-to-assume: ${{ secrets.QA_SDLC_AWS_ROLE_TO_ASSUME }}
           role-duration-seconds: 3600
+          mask-aws-account-id: true
       - name: Login to Amazon ECR
         id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v1
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
       - name: Set Kubernetes Context
-        uses: azure/k8s-set-context@v1
+        uses: azure/k8s-set-context@27bfb387305b8f0ab5495d692e4a3304db7d0669 # v4.0.0
         with:
           method: kubeconfig
           kubeconfig: ${{ secrets.QA_SDLC_KUBECONFIG }}