diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml index d44562d61637..16ff31403e06 100644 --- a/.github/workflows/build-and-deploy.yml +++ b/.github/workflows/build-and-deploy.yml @@ -83,7 +83,7 @@ jobs: github.event.pull_request.user.login != 'dependabot[bot]' steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: disable-file-monitoring: true egress-policy: block @@ -101,16 +101,16 @@ jobs: 54.185.253.63:443 - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: Setup Node - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 with: node-version-file: '.nvmrc' cache: npm - name: Bundle size check - uses: preactjs/compressed-size-action@f780fd104362cfce9e118f9198df2ee37d12946c + uses: preactjs/compressed-size-action@6fa0e7ca017120c754863b31123c5ee2860fd434 with: repo-token: ${{ secrets.GITHUB_TOKEN }} pattern: '{assets/js/*.js,assets/css/*.css}' @@ -129,15 +129,15 @@ jobs: github.event.pull_request.user.login != 'dependabot[bot]' steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: Setup Node - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 with: node-version-file: '.nvmrc' cache: npm 
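Review bot: The new pin on the Harden Runner step, like every other pin this commit changes, is a bare 40-character commit SHA with no release comment, so the diff alone does not show which release is being adopted or whether the commit belongs to a tagged release of the upstream repository. I would add the tag as a trailing comment on each `uses:` line, e.g. `uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # <release tag>` (placeholder; take the tag from the upstream release page). That lets a reviewer compare SHA and tag against the action's release list before merging, which is the check a pinned-SHA bump needs. The job's steps list continues outside the hunk.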
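Review bot: The Harden Runner step in the `@@ -129,15` hunk of build-and-deploy.yml still runs with `egress-policy: audit` and the TODO beside it, so outbound connections from this job are recorded but not blocked. The same line is carried unchanged through npm-release.yml, plugin-release.yml (including the jobs with `environment: Production` and the job that sets `SVN_PASSWORD`), scorecards.yml, tests-e2e.yml and the update-* workflows. For the jobs that hold release credentials I would resolve the TODO first: `egress-policy: block` with an `allowed-endpoints:` list built from the audit results, as lint-php.yml and the karma workflows appear to do already. The job body starts and ends outside the hunk.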
@@ -184,7 +184,7 @@ jobs: # Upload ZIP file to GCS for use in QA environment. - name: Authenticate - uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d + uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 with: credentials_json: ${{ secrets.GCP_SA_KEY }} diff --git a/.github/workflows/cleanup-pr-assets.yml b/.github/workflows/cleanup-pr-assets.yml index 0e95036c32ad..c97d5ca92f83 100644 --- a/.github/workflows/cleanup-pr-assets.yml +++ b/.github/workflows/cleanup-pr-assets.yml @@ -21,7 +21,7 @@ jobs: github.event.pull_request.user.login != 'dependabot[bot]' steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: disable-file-monitoring: true disable-sudo: true @@ -34,7 +34,7 @@ jobs: raw.githubusercontent.com:443 - name: Authenticate - uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d + uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 with: credentials_json: ${{ secrets.GCP_SA_KEY }} diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index f959396bf985..66a3d9a972b2 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -41,12 +41,12 @@ jobs: timeout-minutes: 30 steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: Initialize CodeQL - uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 + uses: github/codeql-action/init@e2b3eafc8d227b0241d48be5f425d47c2d750a13 with: languages: javascript - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 + uses: github/codeql-action/analyze@e2b3eafc8d227b0241d48be5f425d47c2d750a13 
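Review bot: The Authenticate step in the `@@ -184,7` hunk of build-and-deploy.yml passes `credentials_json: ${{ secrets.GCP_SA_KEY }}`, which is an exported service-account key that stays valid until someone rotates it. The same input appears in cleanup-pr-assets.yml and plugin-release.yml. google-github-actions/auth also accepts `workload_identity_provider:` together with `service_account:`, which swaps the stored key for a short-lived token issued per run (the job then needs `id-token: write`). If the key has to stay for now, a comment on the step naming its rotation owner would help. The enclosing job starts outside the hunk, so its `permissions:` block is not visible here.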
diff --git a/.github/workflows/deploy-storybook.yml b/.github/workflows/deploy-storybook.yml index 46dfb3b7dae3..474b29f8be12 100644 --- a/.github/workflows/deploy-storybook.yml +++ b/.github/workflows/deploy-storybook.yml @@ -33,10 +33,10 @@ jobs: timeout-minutes: 10 steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: Setup Node - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 with: node-version-file: '.nvmrc' cache: npm @@ -50,7 +50,7 @@ jobs: run: npm run storybook:build - name: Checkout gh-pages - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 with: ref: gh-pages token: ${{ secrets.GOOGLEFORCREATORS_BOT_TOKEN }} diff --git a/.github/workflows/lint-css-js-md.yml b/.github/workflows/lint-css-js-md.yml index 405472876584..0a28544729ba 100644 --- a/.github/workflows/lint-css-js-md.yml +++ b/.github/workflows/lint-css-js-md.yml @@ -61,7 +61,7 @@ jobs: timeout-minutes: 20 steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: disable-sudo: true disable-file-monitoring: true @@ -74,10 +74,10 @@ jobs: 54.185.253.63:443 - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: Setup Node - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 with: node-version-file: '.nvmrc' cache: npm diff --git a/.github/workflows/lint-i18n.yml b/.github/workflows/lint-i18n.yml index 70a61d8ed628..43488c222597 100644 --- a/.github/workflows/lint-i18n.yml +++ b/.github/workflows/lint-i18n.yml 
@@ -42,12 +42,12 @@ jobs: timeout-minutes: 10 steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: Setup PHP uses: shivammathur/setup-php@v2 @@ -60,7 +60,7 @@ jobs: run: wp package install wp-cli/i18n-command:dev-main - name: Setup Node - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 with: node-version-file: '.nvmrc' cache: npm diff --git a/.github/workflows/lint-php.yml b/.github/workflows/lint-php.yml index c5c917845839..f81dad8d724e 100644 --- a/.github/workflows/lint-php.yml +++ b/.github/workflows/lint-php.yml @@ -41,7 +41,7 @@ jobs: timeout-minutes: 5 steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: disable-file-monitoring: true egress-policy: block @@ -55,7 +55,7 @@ jobs: dl.cloudsmith.io:443 - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: Setup PHP uses: shivammathur/setup-php@e6f75134d35752277f093989e72e140eaa222f35 diff --git a/.github/workflows/lint-plugin-check.yml b/.github/workflows/lint-plugin-check.yml index 85b8dba0f03d..f9fa023f9d2f 100644 --- a/.github/workflows/lint-plugin-check.yml +++ b/.github/workflows/lint-plugin-check.yml 
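Review bot: In the lint-i18n.yml `@@ -42,12` hunk the Setup PHP step is left on the mutable tag `shivammathur/setup-php@v2`, while every other action in this commit is pinned by SHA. lint-php.yml in this same diff already uses `uses: shivammathur/setup-php@e6f75134d35752277f093989e72e140eaa222f35`, so the same pin could be applied here, assuming both workflows are meant to track the same release. The following hunk also shows `wp package install wp-cli/i18n-command:dev-main`, which follows a moving branch; a comment saying why a tagged release cannot be used would make that choice reviewable. The steps list continues outside both hunks.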
@@ -42,15 +42,15 @@ jobs: timeout-minutes: 10 steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: Setup Node - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 with: node-version-file: '.nvmrc' cache: npm diff --git a/.github/workflows/npm-release.yml b/.github/workflows/npm-release.yml index 4b63179a156b..b268f9c4aa08 100644 --- a/.github/workflows/npm-release.yml +++ b/.github/workflows/npm-release.yml @@ -34,10 +34,10 @@ jobs: environment: Production steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: Setup Node - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 with: node-version-file: '.nvmrc' cache: npm 
@@ -102,18 +102,18 @@ jobs: needs: [dry-run] steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 with: token: ${{ secrets.GOOGLEFORCREATORS_BOT_TOKEN }} # See go/npm-publish - name: Setup Node - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 with: node-version-file: '.nvmrc' cache: npm diff --git a/.github/workflows/plugin-release.yml b/.github/workflows/plugin-release.yml index 72df3bf3c19a..cdd7c1141927 100644 --- a/.github/workflows/plugin-release.yml +++ b/.github/workflows/plugin-release.yml @@ -41,12 +41,12 @@ jobs: environment: Production steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: Verify semver compatibility run: | @@ -104,7 +104,7 @@ jobs: needs: [checks] steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs 
@@ -127,7 +127,7 @@ jobs: # Grab current assets version from `web-stories.php` and pass on to next steps. # - name: Checkout - # uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + # uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # with: # ref: @@ -143,7 +143,7 @@ jobs: # ASSETS_VERSION_REGEX: "https://wp.stories.google/static/([^']+)" - name: Checkout wp.stories.google - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 with: repository: GoogleForCreators/wp.stories.google lfs: true @@ -151,7 +151,7 @@ jobs: token: ${{ secrets.GOOGLEFORCREATORS_BOT_TOKEN }} - name: Authenticate - uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d + uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 with: credentials_json: ${{ secrets.GCP_SA_KEY }} @@ -245,12 +245,12 @@ jobs: release_name: ${{ steps.release_branch.outputs.release_name }} steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 with: fetch-depth: 0 # 0 indicates all history for all branches and tags. token: ${{ secrets.GOOGLEFORCREATORS_BOT_TOKEN }} @@ -269,7 +269,7 @@ jobs: continue-on-error: true - name: Setup Node - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 with: node-version-file: '.nvmrc' cache: npm 
@@ -408,12 +408,12 @@ jobs: needs: [build] steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: Download release artifacts uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 @@ -444,18 +444,18 @@ jobs: if: ${{ ! startsWith(github.ref, 'refs/heads/release/') && ! contains(github.event.inputs.version, 'rc') }} steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 with: ref: main token: ${{ secrets.GOOGLEFORCREATORS_BOT_TOKEN }} - name: Setup Node - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 with: node-version-file: '.nvmrc' cache: npm @@ -500,7 +500,7 @@ jobs: SVN_PASSWORD: ${{ secrets.SVN_PASSWORD }} steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index e8793d5a8371..42ad65510f8f 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml 
@@ -25,12 +25,12 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: 'Checkout code' - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 with: persist-credentials: false @@ -56,6 +56,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: 'Upload to code-scanning' - uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 + uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13 with: sarif_file: results.sarif diff --git a/.github/workflows/tests-e2e.yml b/.github/workflows/tests-e2e.yml index 74086f1fc2f9..d3e4b5d40b88 100644 --- a/.github/workflows/tests-e2e.yml +++ b/.github/workflows/tests-e2e.yml @@ -70,15 +70,15 @@ jobs: timeout-minutes: 30 steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: Setup Node - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 with: node-version-file: '.nvmrc' cache: npm @@ -149,7 +149,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: disable-file-monitoring: true egress-policy: audit 
@@ -165,7 +165,7 @@ jobs: 34.104.35.123:443 - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: Download bundle uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 @@ -177,7 +177,7 @@ jobs: run: sudo apt-get install libgbm1 - name: Setup Node - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 with: node-version-file: '.nvmrc' cache: npm diff --git a/.github/workflows/tests-karma-dashboard.yml b/.github/workflows/tests-karma-dashboard.yml index a1fce57f81d6..1691a81f3edb 100644 --- a/.github/workflows/tests-karma-dashboard.yml +++ b/.github/workflows/tests-karma-dashboard.yml @@ -47,7 +47,7 @@ jobs: timeout-minutes: 30 steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: disable-file-monitoring: true egress-policy: block @@ -65,10 +65,10 @@ jobs: 34.104.35.123:443 - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: Setup Node - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 with: node-version-file: '.nvmrc' cache: npm @@ -97,7 +97,7 @@ jobs: DISABLE_ERROR_BOUNDARIES: true - name: Upload code coverage report - uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 with: file: build/logs/karma-coverage/dashboard/lcov.info flags: karmatests diff --git a/.github/workflows/tests-karma-editor.yml b/.github/workflows/tests-karma-editor.yml index f57c546f4207..fb071c27370b 100644 --- a/.github/workflows/tests-karma-editor.yml 
+++ b/.github/workflows/tests-karma-editor.yml @@ -83,7 +83,7 @@ jobs: ] steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: disable-file-monitoring: true egress-policy: block @@ -103,10 +103,10 @@ jobs: 34.104.35.123:443 - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: Setup Node - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 with: node-version-file: '.nvmrc' cache: npm @@ -138,7 +138,7 @@ jobs: SHARD: ${{ matrix.shard }} - name: Upload code coverage report - uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 with: file: build/logs/karma-coverage/story-editor/lcov.info flags: karmatests diff --git a/.github/workflows/tests-unit-js.yml b/.github/workflows/tests-unit-js.yml index acb10b265faa..2cfacb2625b7 100644 --- a/.github/workflows/tests-unit-js.yml +++ b/.github/workflows/tests-unit-js.yml @@ -51,7 +51,7 @@ jobs: shard: ['1/2', '2/2'] steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: disable-sudo: true disable-file-monitoring: true @@ -67,10 +67,10 @@ jobs: fonts.gstatic.com:443 - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 - name: Setup Node - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 with: node-version-file: '.nvmrc' cache: npm 
@@ -103,7 +103,7 @@ jobs: AMP_VALIDATOR_FILE: ${{ env.validator_file }} - name: Upload code coverage report - uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 with: file: build/logs/lcov.info flags: unittests diff --git a/.github/workflows/tests-unit-php.yml b/.github/workflows/tests-unit-php.yml index cb7e3d736248..51321c93988d 100644 --- a/.github/workflows/tests-unit-php.yml +++ b/.github/workflows/tests-unit-php.yml @@ -80,7 +80,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: disable-file-monitoring: true egress-policy: audit @@ -100,7 +100,7 @@ jobs: dl.cloudsmith.io:443 - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # PHP-Scoper only works on PHP 7.4+ and we need to prefix our dependencies to accurately test them. # So we temporarily switch PHP versions, do a full install and then remove the package. @@ -178,7 +178,7 @@ jobs: if: ${{ matrix.random }} - name: Upload code coverage report - uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 with: file: build/logs/*.xml token: ${{ secrets.CODECOV_TOKEN }} diff --git a/.github/workflows/update-browserslist.yml b/.github/workflows/update-browserslist.yml index 30e45267c4b5..cb6392173b9e 100644 --- a/.github/workflows/update-browserslist.yml +++ b/.github/workflows/update-browserslist.yml 
@@ -22,17 +22,17 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 with: token: ${{ secrets.GOOGLEFORCREATORS_BOT_TOKEN }} - name: Setup Node - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 with: node-version-file: '.nvmrc' cache: npm @@ -41,7 +41,7 @@ jobs: run: npx update-browserslist-db@latest - name: Create Pull Request - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c + uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f with: token: ${{ secrets.GOOGLEFORCREATORS_BOT_TOKEN }} commit-message: Update browserslist db diff --git a/.github/workflows/update-google-fonts.yml b/.github/workflows/update-google-fonts.yml index d4db15b43d3c..7e764ec69d4e 100644 --- a/.github/workflows/update-google-fonts.yml +++ b/.github/workflows/update-google-fonts.yml @@ -22,17 +22,17 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 with: token: ${{ secrets.GOOGLEFORCREATORS_BOT_TOKEN }} - name: Setup Node - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 with: node-version-file: '.nvmrc' cache: npm 
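Review bot: In update-browserslist.yml the `@@ -41,7` hunk keeps `run: npx update-browserslist-db@latest`, which downloads and executes whatever version is current at run time, in a job whose Checkout step was given `token: ${{ secrets.GOOGLEFORCREATORS_BOT_TOKEN }}`. actions/checkout stores that token in the local git config unless `persist-credentials: false` is set, as scorecards.yml does, so the unpinned package runs with the bot token readable from the workspace. I would pin the package, `run: npx update-browserslist-db@<pinned version>` (placeholder), and try `persist-credentials: false` on the checkout, since the Create Pull Request step receives the token through its own `token:` input; whether that step still pushes correctly without the persisted credential should be confirmed on a test run. The other update-* workflows check out with the same token and may warrant the same change.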
@@ -53,7 +53,7 @@ jobs: run: npm run workflow:fonts - name: Create Pull Request - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c + uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f with: token: ${{ secrets.GOOGLEFORCREATORS_BOT_TOKEN }} commit-message: Update list of Google Fonts diff --git a/.github/workflows/update-product-schema.yml b/.github/workflows/update-product-schema.yml index 399a49000274..9072d569f19f 100644 --- a/.github/workflows/update-product-schema.yml +++ b/.github/workflows/update-product-schema.yml @@ -22,12 +22,12 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 with: token: ${{ secrets.GOOGLEFORCREATORS_BOT_TOKEN }} @@ -38,7 +38,7 @@ jobs: mv product.schema.json tests/phpunit/integration/data/schema.json - name: Create Pull Request - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c + uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f with: token: ${{ secrets.GOOGLEFORCREATORS_BOT_TOKEN }} commit-message: Update Product Schema diff --git a/.github/workflows/update-templates.yml b/.github/workflows/update-templates.yml index e586f2d5f5e9..c57cc535b089 100644 --- a/.github/workflows/update-templates.yml +++ b/.github/workflows/update-templates.yml 
@@ -22,17 +22,17 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 with: token: ${{ secrets.GOOGLEFORCREATORS_BOT_TOKEN }} - name: Setup Node - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 with: node-version-file: '.nvmrc' cache: npm @@ -46,7 +46,7 @@ jobs: run: npm run workflow:migrate - name: Create Pull Request - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c + uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f with: token: ${{ secrets.GOOGLEFORCREATORS_BOT_TOKEN }} commit-message: Migrate templates and text sets to latest version