Update actions that run on Node.js 20 #7150
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -41,7 +41,7 @@ jobs: | |
| echo "SCRIPTS=.github/workflows/scripts/python" >> $GITHUB_ENV | ||
|
|
||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v6 | ||
|
Contributor

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

```shell
#!/bin/bash
set -euo pipefail
# Inspect the workflow and any repo guidance about action pinning.
git ls-files .github/workflows/docs-convert-changelog.yaml .github/workflows README.md .github | sed -n '1,120p'
echo '--- workflow outline ---'
ast-grep outline .github/workflows/docs-convert-changelog.yaml --view expanded || true
echo '--- relevant lines ---'
nl -ba .github/workflows/docs-convert-changelog.yaml | sed -n '1,170p'
echo '--- pinning guidance search ---'
rg -n "pin(ned|ning)|immutable SHA|actions/checkout|zizmor|unpinned-uses" .github README.md .github/workflows -S || true
```

Repository: FAForever/fa
Length of output: 2065

🏁 Script executed:

```shell
#!/bin/bash
set -euo pipefail
nl -ba .github/workflows/docs-convert-changelog.yaml | sed -n '35,135p'
printf '\n---\n'
rg -n "uses:\s*" .github/workflows/docs-convert-changelog.yaml -n -S
printf '\n---\n'
rg -n "pin(ned|ning)|immutable SHA|actions/checkout|zizmor|unpinned-uses" .github README.md .github/workflows -S || true
```

Repository: FAForever/fa
Length of output: 190

🏁 Script executed:

```shell
#!/bin/bash
set -euo pipefail
echo '--- docs-convert-changelog workflow excerpt ---'
sed -n '35,145p' .github/workflows/docs-convert-changelog.yaml
echo
echo '--- action uses in file ---'
python3 - <<'PY'
from pathlib import Path
for i, line in enumerate(Path('.github/workflows/docs-convert-changelog.yaml').read_text().splitlines(), 1):
    if 'uses:' in line:
        print(f"{i}: {line}")
PY
echo
echo '--- repo guidance search ---'
rg -n "pin(ned|ning)|immutable SHA|action.*pin|supply-chain|zizmor|unpinned-uses" .github README.md .github/workflows -S || true
```

Repository: FAForever/fa
Length of output: 3565

🏁 Script executed:

```shell
#!/bin/bash
set -euo pipefail
python3 - <<'PY'
from pathlib import Path
path = Path('.github/workflows/docs-convert-changelog.yaml')
for i, line in enumerate(path.read_text().splitlines(), 1):
    if 35 <= i <= 145:
        print(f"{i:4d}: {line}")
PY
echo
echo '--- action uses in file ---'
python3 - <<'PY'
from pathlib import Path
for i, line in enumerate(Path('.github/workflows/docs-convert-changelog.yaml').read_text().splitlines(), 1):
    if 'uses:' in line:
        print(f"{i}: {line}")
PY
echo
echo '--- repo guidance search ---'
rg -n "pin(ned|ning)|immutable SHA|action.*pin|supply-chain|zizmor|unpinned-uses" .github README.md .github/workflows -S || true
```

Repository: FAForever/fa
Length of output: 4099

Pin the GitHub Actions to immutable SHAs.

🧰 Tools
🪛 zizmor (1.26.1)
[error] 44-44: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Source: Linters/SAST tools
||
| with: | ||
| ssh-key: ${{ secrets.SSH_FAFOREVER_MACHINE_USER }} | ||
| ref: ${{ inputs.branch }} | ||
|
|
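Review bot: the `actions/checkout@v4` to `actions/checkout@v6` change on the Checkout step skips a major version on a step that is given `ssh-key: ${{ secrets.SSH_FAFOREVER_MACHINE_USER }}` and `ref: ${{ inputs.branch }}`. Before merging, confirm that a run of this workflow against a non-default `inputs.branch` still checks out with the machine-user key. Since this is the step that handles the key, it is also the first one to pin to a full commit SHA, with `# v6` kept as a trailing comment.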
@@ -53,7 +53,7 @@ jobs: | |
|
|
||
| - name: Download develop changelog | ||
| if: inputs.additional-changelog == 'fafdevelop' | ||
| uses: actions/download-artifact@v4 | ||
| uses: actions/download-artifact@v7 | ||
| with: | ||
| name: changelog-fafdevelop | ||
|
|
||
|
|
@@ -66,7 +66,7 @@ jobs: | |
|
|
||
| - name: Download beta changelog | ||
| if: inputs.additional-changelog == 'fafbeta' | ||
| uses: actions/download-artifact@v4 | ||
| uses: actions/download-artifact@v7 | ||
| with: | ||
| name: changelog-fafbeta | ||
|
|
||
|
|
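Review bot: `actions/download-artifact@v7` on the Download beta changelog step (and on the develop step above it) is three majors ahead of `v4` and is called with only `name:`, no `path:`. The later `cat changelog-fafbeta.md >> $FILE` relies on the file landing in the working directory, so verify that the extraction layout is the same under v7 or set `path:` explicitly. The job that uploads `changelog-fafbeta` is not part of this diff; check that it is on a compatible `upload-artifact` major.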
@@ -78,7 +78,7 @@ jobs: | |
| cat changelog-fafbeta.md >> $FILE | ||
|
|
||
| - name: Setup python | ||
| uses: actions/setup-python@v5 | ||
| uses: actions/setup-python@v6 | ||
| with: | ||
| python-version: '3.8' | ||
|
|
||
|
|
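Review bot: `python-version: '3.8'` is left unchanged under the bumped `actions/setup-python@v6`. Python 3.8 is past its upstream end of life, so either move this to a supported version in the same change or confirm that v6 still installs 3.8 on the runner image this job uses.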
@@ -99,7 +99,7 @@ jobs: | |
| python3 $SCRIPTS/changelog_overview.py "docs/_posts" "${out_dir}/overview.lua" | ||
|
|
||
| - name: Add the Lua changelog as an artifact | ||
| uses: actions/upload-artifact@v4 | ||
| uses: actions/upload-artifact@v7 | ||
| with: | ||
| name: lua_changelog | ||
| path: | | ||
|
|
@@ -116,13 +116,13 @@ jobs: | |
| apk add bash git findutils | ||
|
|
||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v6 | ||
| with: | ||
| sparse-checkout: | | ||
| tests/run-syntax-test.sh | ||
|
|
||
| - name: Download the Lua changelog artifact | ||
| uses: actions/download-artifact@v4 | ||
| uses: actions/download-artifact@v7 | ||
| with: | ||
| name: lua_changelog | ||
|
|
||
|
|
||
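Review bot: the context line `apk add bash git findutils` shows that this job runs in an Alpine container, and both bumped steps here (`actions/checkout@v6`, `actions/download-artifact@v7`) execute inside it. The title says the change moves actions off Node.js 20, so make sure this job in particular has a green run on the PR branch rather than relying on the non-container jobs. Bumping the `upload-artifact@v7` and `download-artifact@v7` pair for `lua_changelog` together is the right call.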
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -84,7 +84,7 @@ jobs: | |
| git commit -m "Bump game version to ${{ steps.version.outputs.version }}" | ||
|
|
||
| - name: Download changelog artifact | ||
| uses: actions/download-artifact@v4 | ||
| uses: actions/download-artifact@v7 | ||
|
Contributor

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

```shell
sed -n '70,140p' .github/workflows/prepare-release.yaml
```

Repository: FAForever/fa
Length of output: 2974

Pin both workflow actions to commit SHAs.

🧰 Tools
🪛 zizmor (1.26.1)
[error] 87-87: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Source: Linters/SAST tools
||
| with: | ||
| name: changelog-faf | ||
| path: changelog/snippets | ||
|
|
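Review bot: the context line `git commit -m "Bump game version to ${{ steps.version.outputs.version }}"` at the top of this hunk expands the expression into the script text before the shell runs it. While this file is being touched, pass the value through `env:` and reference it as a quoted shell variable, so the version string is always treated as data. The `download-artifact@v7` bump itself keeps `name: changelog-faf` and `path: changelog/snippets`, which is fine.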
@@ -125,7 +125,7 @@ jobs: | |
| # The push also triggers docs-synchronize-changelog.yaml | ||
|
|
||
| - name: Create Pull Request | ||
| uses: actions/github-script@v7 | ||
| uses: actions/github-script@v8 | ||
| with: | ||
| script: | | ||
| const version = "${{ steps.version.outputs.version }}"; | ||
|
|
||
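Review bot: in the Create Pull Request step, `const version = "${{ steps.version.outputs.version }}";` pastes the expression into the JavaScript source that `actions/github-script@v8` evaluates. Prefer setting the value under `env:` and reading it from `process.env` inside the script, which keeps it out of the code regardless of the action version.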
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -34,18 +34,18 @@ jobs: | |
| needs: [build] | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| # https://github.com/actions/checkout/tree/v4/ | ||
| # https://github.com/actions/checkout/tree/v6/ | ||
| - name: Checkout spooky db code | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v6 | ||
|
Contributor

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

```shell
sed -n '1,120p' .github/workflows/spookydb-update.yaml | cat -n
```

Repository: FAForever/fa
Length of output: 4239

🏁 Script executed:

```shell
sed -n '1,140p' .github/workflows/spookydb-update.yaml | cat -n
```

Repository: FAForever/fa
Length of output: 4239

Pin both action refs to commit SHAs (lines 39, 48).

🧰 Tools
🪛 zizmor (1.26.1)
[error] 39-39: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Source: Linters/SAST tools
||
| with: | ||
| repository: FAForever/spooky-db | ||
| path: gh-pages | ||
| ref: gh-pages | ||
| ssh-key: ${{ secrets.SPOOKYDB_DEPLOYMENT_KEY }} | ||
|
|
||
| # https://github.com/actions/download-artifact/tree/v4/ | ||
| # https://github.com/actions/download-artifact/tree/v7/ | ||
| - name: Download recent unit information | ||
| uses: actions/download-artifact@v4 | ||
| uses: actions/download-artifact@v7 | ||
| with: | ||
| name: spookydb-dist | ||
| path: dist | ||
|
|
||
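Review bot: the `# https://github.com/actions/checkout/tree/v6/` and `# https://github.com/actions/download-artifact/tree/v7/` comments duplicate the version in the `uses:` line below each of them and have to be edited by hand on every bump. The checkout step also receives `ssh-key: ${{ secrets.SPOOKYDB_DEPLOYMENT_KEY }}` for `FAForever/spooky-db`; if the refs are pinned to commit SHAs, these comments are the natural place to record the human-readable version.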
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -34,14 +34,14 @@ jobs: | |
| steps: | ||
| # Checkout repos, FA repo is sparse checkout as it is quite large | ||
| - name: Checkout Brewlan Wikigen Repository | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v6 | ||
| with: | ||
| repository: The-Balthazar/BrewWikiGen | ||
| path: ./brew-wiki-gen | ||
|
|
||
| # FA repo is sparse checkout as it is quite large and we dont won't to incur higher action minutes for no reason | ||
| - name: Checkout FAF Repository # -png folder doesnt exist yet, confirm location. | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v6 | ||
|
Comment on lines +37 to +44

Contributor

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

```shell
#!/bin/bash
set -euo pipefail
# Inspect the workflow file around the referenced lines and look for all action refs.
nl -ba .github/workflows/wiki-generate-blueprints.yaml | sed -n '1,220p'
printf '\n--- action refs ---\n'
rg -n "uses:\s*" .github/workflows/wiki-generate-blueprints.yaml
```

Repository: FAForever/fa
Length of output: 190

🏁 Script executed:

```shell
#!/bin/bash
set -euo pipefail
printf '%s\n' '--- workflow file ---'
awk 'NR>=1 && NR<=240 { printf "%4d %s\n", NR, $0 }' .github/workflows/wiki-generate-blueprints.yaml
printf '\n%s\n' '--- action refs ---'
rg -n "uses:\s*" .github/workflows/wiki-generate-blueprints.yaml
```

Repository: FAForever/fa
Length of output: 4593

Pin the updated GitHub Actions to immutable SHAs.

🧰 Tools
🪛 zizmor (1.26.1)
[error] 37-37: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 44-44: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Source: Linters/SAST tools
||
| with: | ||
| path: ./fa | ||
| sparse-checkout-cone-mode: | | ||
|
|
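Review bot: the Checkout Brewlan Wikigen Repository step pulls `repository: The-Balthazar/BrewWikiGen` with no `ref:` in the visible `with:` block, so the job uses whatever is on that repository's default branch at run time. Pinning `actions/checkout` does not cover that; add a `ref:` set to a reviewed commit. Separately, the comment above the second checkout reads `we dont won't to incur`, which should be `we don't want to incur`.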
@@ -56,7 +56,7 @@ jobs: | |
| projectiles | ||
|
|
||
| - name: Checkout FAF Wiki Repository | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v6 | ||
| with: | ||
| repository: FAForever/fa.wiki | ||
| path: ./fa.wiki | ||
|
|
@@ -76,7 +76,7 @@ jobs: | |
|
|
||
|
|
||
| - name: Upload as artifact | ||
| uses: actions/upload-artifact@v4 | ||
| uses: actions/upload-artifact@v7 | ||
| with: | ||
| name: Wiki | ||
| path: fa.wiki | ||
|
|
||
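Review bot: `path: fa.wiki` in the Upload as artifact step uploads the whole directory that the Checkout FAF Wiki Repository step populated. Confirm the step does not set `include-hidden-files: true`, so that the `.git` directory from the checkout stays out of the `Wiki` artifact.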
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
Repository: FAForever/fa
Length of output: 1683
🏁 Script executed:
Repository: FAForever/fa
Length of output: 6094
🏁 Script executed:
Repository: FAForever/fa
Length of output: 781
Pin both checkout steps to immutable SHAs.
`actions/checkout@v6` is still a mutable tag and can be retargeted; replace both refs with full commit SHAs and keep `# v6` if you want the version hint.
🧰 Tools
🪛 zizmor (1.26.1)
[error] 60-60: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 67-67: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Source: Linters/SAST tools