diff --git a/.github/workflows/bump-openclaw.yml b/.github/workflows/bump-openclaw.yml
index fc3aa70c5..3a554b135 100644
--- a/.github/workflows/bump-openclaw.yml
+++ b/.github/workflows/bump-openclaw.yml
@@ -5,11 +5,15 @@ on:
 - cron: '0 */12 * * *' # Every 12 hours (midnight and noon UTC)
 workflow_dispatch: {}
+permissions:
+ contents: read
+
 jobs:
 check:
 runs-on: ${{ vars.RUNNER_DEFAULT_LABEL || 'ubuntu-latest' }}
+ timeout-minutes: 10
 steps:
- - uses: useblacksmith/checkout@v1
+ - uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
 with:
 sparse-checkout: kiloclaw/Dockerfile
 sparse-checkout-cone-mode: false
@@ -96,7 +100,7 @@ jobs:
 - name: Notify Slack
 if: steps.age.outputs.recent == 'true'
 continue-on-error: true
- uses: slackapi/slack-github-action@v2
+ uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
 env:
 CURRENT_VERSION: ${{ steps.current.outputs.version }}
 NEW_VERSION: ${{ steps.latest.outputs.version }}
diff --git a/.github/workflows/chromatic.yml b/.github/workflows/chromatic.yml
index c440997f8..e8a4d32a5 100644
--- a/.github/workflows/chromatic.yml
+++ b/.github/workflows/chromatic.yml
@@ -9,6 +9,9 @@ on:
 - '**'
 workflow_dispatch:
+permissions:
+ contents: read
+
 # Cancel in-progress jobs when new workflow is triggered
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -17,6 +20,7 @@ concurrency:
 jobs:
 playwright:
 runs-on: ${{ vars.RUNNER_LARGE_LABEL || 'ubuntu-24.04-8core' }}
+ timeout-minutes: 30
 services:
 postgres:
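Review bot: The pin comment `# v1` on the `useblacksmith/checkout` line records only a major line, so neither a reader nor a version-bump tool can tell which release the SHA `41cdeedae8edb2e684ba22896a5fd2a3cb85db6b` corresponds to, while every other pin in this commit names an exact tag (`# v2.1.1`, `# v4.4.0`, `# v6.3.0`). Replace it with the exact tag the SHA resolves to, in the form `# v1.<exact-tag>` (placeholder — look the tag up in the action's repository). The same `# v1` comment is repeated on every useblacksmith/checkout pin in chromatic.yml, ci.yml, deploy-kiloclaw.yml, deploy-production.yml, deploy-workers.yml, kilo-app-ci.yml and kilo-app-release.yml, so fix them together. The workflow-level `permissions: contents: read` and the job `timeout-minutes: 10` are the right defaults for a job that only reads the Dockerfile and posts to a Slack webhook; the `check` job's remaining steps lie outside the hunk, so any step that needs to push or open a PR would need its own job-level `permissions:` block.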
@@ -41,18 +45,18 @@ jobs:
 DOTENV_PRIVATE_KEY_DEVELOPMENT: ${{ secrets.DOTENV_PRIVATE_KEY_DEVELOPMENT }}
 steps:
- - uses: useblacksmith/checkout@v1
+ - uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
 with:
 lfs: true
 fetch-depth: 0
 - name: Setup pnpm
- uses: pnpm/action-setup@v4
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
- node-version: '22'
+ node-version: 22
 cache: 'pnpm'
 - name: Install dependencies
@@ -70,7 +74,7 @@ jobs:
 run: pnpm test:e2e
 continue-on-error: true
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
 if: always()
 with:
 name: test-results
@@ -80,35 +84,24 @@ jobs:
 chromatic:
 needs: playwright
 runs-on: ${{ vars.RUNNER_DEFAULT_LABEL || 'ubuntu-latest' }}
+ timeout-minutes: 30
 if: always() # Run even if playwright job fails
 continue-on-error: true # Make this check optional - don't block PR merges
 steps:
 - name: Checkout code
- uses: useblacksmith/checkout@v1
+ uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
 with:
 lfs: true
 fetch-depth: 0
- - name: Setup Node.js
- uses: actions/setup-node@v4
- with:
- node-version: '22'
 - name: Setup pnpm
- uses: pnpm/action-setup@v4
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
- - name: Get pnpm store directory
- shell: bash
- run: |
- echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
-
- - name: Setup pnpm cache
- uses: actions/cache@v4
+ - name: Setup Node.js
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
- path: ${{ env.STORE_PATH }}
- key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
- restore-keys: |
- ${{ runner.os }}-pnpm-store-
+ node-version: 22
+ cache: 'pnpm'
 - name: Install dependencies
 run: pnpm install --frozen-lockfile
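Review bot: Unquoting `node-version: '22'` to `node-version: 22` turns the scalar from a string into an integer; setup-node stringifies its inputs so the behaviour is unchanged and it matches the unquoted form ci.yml already uses, but it is an unrelated edit inside a pinning commit and is worth a word in the description. The caveat to record next to it is that this only works for whole majors — a minor pin such as `22.10` must stay quoted, because unquoted it parses as the float `22.1`. A one-line comment, `# quote the version if it ever carries a minor (22.10 would parse as 22.1)`, above `node-version:` would prevent that regression; the same applies to the `+ node-version: 22` line in the `chromatic` job below.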
@@ -118,7 +111,7 @@ jobs:
 cd storybook
 pnpm install --frozen-lockfile
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
 with:
 name: test-results
 path: ./test-results
@@ -135,7 +128,7 @@ jobs:
 - name: Run Chromatic
 id: chromatic
- uses: chromaui/action@latest
+ uses: chromaui/action@f191a0224b10e1a38b2091cefb7b7a2337009116 # v16.0.0
 continue-on-error: true
 with:
 projectToken: ${{ secrets.CHROMATIC_PROJECT_TOKEN }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 63367006c..737a19796 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -21,24 +21,25 @@ permissions:
 jobs:
 changes:
 runs-on: ${{ vars.RUNNER_DEFAULT_LABEL || 'ubuntu-latest' }}
+ timeout-minutes: 5
 outputs:
 kilocode_backend: ${{ steps.filter.outputs.kilocode_backend }}
 cloud_agent: ${{ steps.filter.outputs.cloud_agent }}
 cloud_agent_next: ${{ steps.filter.outputs.cloud_agent_next }}
 workspace_matrix: ${{ steps.workspaces.outputs.matrix }}
 steps:
- - uses: useblacksmith/checkout@v1
+ - uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
 with:
 fetch-depth: 0
 - name: Setup Node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 22
 - name: Detect changes
 id: filter
- uses: dorny/paths-filter@v3
+ uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
 with:
 filters: |
 kilocode_backend:
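Review bot: Besides pinning, the `changes` hunk moves `actions/setup-node` from v4 to v6 and `dorny/paths-filter` from v3 to v4, and the rest of the commit also moves `actions/cache` v4→v5, `actions/upload-artifact`/`download-artifact` v4→v5 and `docker/login-action` v3→v4; a major bump can change inputs, defaults or Node runtime independently of the SHA pin, so the commit description should state that each was checked against the action's release notes rather than presenting this as a pure pinning change. The `filters:` block and the `steps.filter.outputs.*` consumers in `outputs:` are untouched, so this is only a problem if paths-filter v4 changed its output contract — worth confirming on one run, since every backend/agent job below is gated on these outputs. Pinning `chromaui/action@latest` to an exact SHA in the previous hunk is the most valuable single change here, as `@latest` was a floating tag with no release boundary at all. The `changes` job body continues past the end of the hunk.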
@@ -69,19 +70,17 @@ jobs:
 typecheck:
 needs: changes
 runs-on: ${{ vars.RUNNER_DEFAULT_LABEL || 'ubuntu-latest' }}
+ timeout-minutes: 15
 steps:
- - uses: useblacksmith/checkout@v1
+ - uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
 with:
 lfs: true
 - name: Setup pnpm
- uses: pnpm/action-setup@v2
- with:
- version: latest
- run_install: false
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
 - name: Setup Node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 22
 cache: 'pnpm'
@@ -95,19 +94,17 @@ jobs:
 lint:
 needs: changes
 runs-on: ${{ vars.RUNNER_DEFAULT_LABEL || 'ubuntu-latest' }}
+ timeout-minutes: 15
 steps:
- - uses: useblacksmith/checkout@v1
+ - uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
 with:
 lfs: true
 - name: Setup pnpm
- uses: pnpm/action-setup@v2
- with:
- version: latest
- run_install: false
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
 - name: Setup Node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 22
 cache: 'pnpm'
@@ -124,19 +121,17 @@ jobs:
 format-check:
 needs: changes
 runs-on: ${{ vars.RUNNER_DEFAULT_LABEL || 'ubuntu-latest' }}
+ timeout-minutes: 15
 steps:
- - uses: useblacksmith/checkout@v1
+ - uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
 with:
 lfs: true
 - name: Setup pnpm
- uses: pnpm/action-setup@v2
- with:
- version: latest
- run_install: false
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
 - name: Setup Node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 22
 cache: 'pnpm'
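Review bot: The `Setup pnpm` step in `typecheck` now passes no `version:` input, so `pnpm/action-setup` has to obtain the pnpm version from the `packageManager` field of the root package.json and fails at setup time when that field is absent. chromatic.yml already ran the same action with no version before this commit, which suggests the field is present, but it is worth confirming once because the same edit is applied to `lint` and `format-check` in this line and to every pnpm setup in the rest of ci.yml, deploy-kiloclaw.yml, deploy-production.yml, deploy-workers.yml, kilo-app-ci.yml and kilo-app-release.yml. Dropping `version: latest` is itself the right call — the pnpm binary becomes deterministic per commit instead of floating with each run — and the `run_install: false` removal is a no-op since that is the action's default. A short comment above the step, `# pnpm version is taken from package.json "packageManager"; do not re-add version: latest`, would stop the next reader from reintroducing the floating version.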
@@ -154,19 +149,17 @@ jobs:
 drizzle-check:
 needs: changes
 runs-on: ${{ vars.RUNNER_DEFAULT_LABEL || 'ubuntu-latest' }}
+ timeout-minutes: 15
 steps:
- - uses: useblacksmith/checkout@v1
+ - uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
 with:
 lfs: true
 - name: Setup pnpm
- uses: pnpm/action-setup@v2
- with:
- version: latest
- run_install: false
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
 - name: Setup Node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 22
 cache: 'pnpm'
@@ -183,6 +176,7 @@ jobs:
 needs: [changes, typecheck, lint, format-check, drizzle-check]
 if: needs.changes.outputs.kilocode_backend == 'true'
 runs-on: ${{ vars.RUNNER_LARGE_LABEL || 'ubuntu-24.04-8core' }}
+ timeout-minutes: 30
 services:
 postgres:
@@ -205,18 +199,15 @@ jobs:
 JEST_MAX_WORKERS: 4
 steps:
- - uses: useblacksmith/checkout@v1
+ - uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
 with:
 lfs: true
 - name: Setup pnpm
- uses: pnpm/action-setup@v2
- with:
- version: latest
- run_install: false
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
 - name: Setup Node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 22
 cache: 'pnpm'
@@ -234,19 +225,17 @@ jobs:
 needs: [changes, typecheck, lint, format-check, drizzle-check]
 if: needs.changes.outputs.kilocode_backend == 'true'
 runs-on: ${{ vars.RUNNER_LARGE_LABEL || 'ubuntu-24.04-8core' }}
+ timeout-minutes: 30
 steps:
- - uses: useblacksmith/checkout@v1
+ - uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
 with:
 lfs: true
 - name: Setup pnpm
- uses: pnpm/action-setup@v2
- with:
- version: latest
- run_install: false
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
 - name: Setup Node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 22
 cache: 'pnpm'
@@ -255,7 +244,7 @@ jobs:
 run: pnpm install --frozen-lockfile
 - name: Cache Next.js build
- uses: actions/cache@v4
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
 with:
 path: |
 ~/.npm
@@ -281,25 +270,23 @@ jobs:
 needs: [changes, typecheck, lint, format-check, drizzle-check]
 if: needs.changes.outputs.cloud_agent == 'true'
 runs-on: ${{ vars.RUNNER_LARGE_LABEL || 'ubuntu-24.04-8core' }}
+ timeout-minutes: 15
 steps:
- - uses: useblacksmith/checkout@v1
+ - uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
 with:
 lfs: true
 - name: Setup pnpm
- uses: pnpm/action-setup@v2
- with:
- version: latest
- run_install: false
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
 - name: Setup Node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 22
 cache: 'pnpm'
 - name: Setup Bun
- uses: oven-sh/setup-bun@v2
+ uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
 with:
 bun-version: latest
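Review bot: The `Setup Bun` step in the `cloud_agent` hunk still uses `bun-version: latest`, so the bun toolchain keeps floating from run to run even though the action itself is now SHA-pinned; this is the same class of non-determinism the commit removes from pnpm by dropping `version: latest`. If the project tracks a bun version (for example via a `.bun-version` file or an `engines` entry), pin it the same way, e.g. `bun-version: "<project-bun-version>"` (placeholder — take it from the repository), and quote it since a value like `1.10` would otherwise be read as a float. The identical `bun-version: latest` appears in the `cloud_agent_next` job on the next line. The job bodies of both hunks continue past the end of the hunk.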
@@ -317,26 +304,24 @@ jobs:
 needs: [changes, typecheck, lint, format-check, drizzle-check]
 if: needs.changes.outputs.cloud_agent_next == 'true'
 runs-on: ${{ vars.RUNNER_LARGE_LABEL || 'ubuntu-24.04-8core' }}
+ timeout-minutes: 15
 steps:
- - uses: useblacksmith/checkout@v1
+ - uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
 with:
 lfs: true
 ref: ${{ github.head_ref }}
 - name: Setup pnpm
- uses: pnpm/action-setup@v2
- with:
- version: latest
- run_install: false
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
 - name: Setup Node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 22
 cache: 'pnpm'
 - name: Setup Bun
- uses: oven-sh/setup-bun@v2
+ uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
 with:
 bun-version: latest
@@ -359,19 +344,17 @@ jobs:
 workspace: ${{ fromJson(needs.changes.outputs.workspace_matrix) }}
 name: test (${{ matrix.workspace.name }})
 runs-on: ${{ vars.RUNNER_DEFAULT_LABEL || 'ubuntu-latest' }}
+ timeout-minutes: 15
 steps:
- - uses: useblacksmith/checkout@v1
+ - uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
 with:
 lfs: true
 - name: Setup pnpm
- uses: pnpm/action-setup@v2
- with:
- version: latest
- run_install: false
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
 - name: Setup Node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 22
 cache: 'pnpm'
diff --git a/.github/workflows/deploy-kiloclaw.yml b/.github/workflows/deploy-kiloclaw.yml
index 02e497c80..15a27d2f6 100644
--- a/.github/workflows/deploy-kiloclaw.yml
+++ b/.github/workflows/deploy-kiloclaw.yml
@@ -4,26 +4,29 @@ on:
 workflow_dispatch:
 workflow_call:
+permissions:
+ contents: read
+
 jobs:
 deploy:
 runs-on: ${{ vars.RUNNER_DEFAULT_LABEL || 'ubuntu-latest' }}
+ timeout-minutes: 30
 name: Deploy KiloClaw
 steps:
 - name: Checkout code
- uses: useblacksmith/checkout@v1
+ uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
 with:
 dissociate: true
 - name: Setup pnpm
- uses: pnpm/action-setup@v2
- with:
- version: latest
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 22
+ cache: 'pnpm'
 - name: Install dependencies
 working-directory: kiloclaw
@@ -82,10 +85,10 @@ jobs:
 # ── Docker setup ────────────────────────────────────────────
 # Always set up Docker + login so we can check the registry.
 - name: Setup Docker Buildx
- uses: useblacksmith/setup-docker-builder@v1
+ uses: useblacksmith/setup-docker-builder@5241b2e9423e8b1fa37ed6050ecb62d0fb9a4e38 # v1.6.0
 - name: Login to Fly Registry
- uses: docker/login-action@v3
+ uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
 with:
 registry: registry.fly.io
 username: x
@@ -121,7 +124,7 @@ jobs:
 - name: Build and push Docker image
 id: docker-build
 if: steps.check-image.outputs.exists != 'true'
- uses: useblacksmith/build-push-action@v2
+ uses: useblacksmith/build-push-action@cbd1f60d194a98cb3be5523b15134501eaf0fbf3 # v2.1.0
 with:
 context: kiloclaw
 file: kiloclaw/Dockerfile
@@ -165,7 +168,7 @@ jobs:
 # Worker always deploys with the content-hash image tag.
 # registerVersionIfNeeded() will no-op if the tag is already registered.
 - name: Deploy Worker
- uses: cloudflare/wrangler-action@v3
+ uses: cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3.14.1
 with:
 apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
 workingDirectory: kiloclaw
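Review bot: The `cache: 'pnpm'` added to `Setup Node.js` in the `deploy` job makes setup-node look for a pnpm lockfile at the repository root, but the install two lines later runs with `working-directory: kiloclaw`; if the lockfile that governs this install lives under `kiloclaw/`, the cache is keyed on the wrong file, and if no root lockfile exists the setup step errors out before anything is deployed. If that is the layout, add `cache-dependency-path: kiloclaw/pnpm-lock.yaml` under the same `with:`. The same question applies to the two `deploy-workers.yml` jobs where the install runs in `${{ inputs.worker }}` and `${{ matrix.worker }}`; there the value would be `${{ inputs.worker }}/pnpm-lock.yaml` and `${{ matrix.worker }}/pnpm-lock.yaml` respectively. The `deploy` job's remaining steps lie outside the hunk.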
@@ -177,7 +180,7 @@ jobs:
 - name: Notify Slack
 continue-on-error: true
- uses: slackapi/slack-github-action@v2
+ uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
 with:
 webhook: ${{ secrets.DEPLOY_NOTIFY_SLACK_WEBHOOK_URL }}
 webhook-type: incoming-webhook
diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml
index 0c68b95f0..7dbbff86d 100644
--- a/.github/workflows/deploy-production.yml
+++ b/.github/workflows/deploy-production.yml
@@ -4,6 +4,9 @@ on:
 push:
 branches: [main]
+permissions:
+ contents: read
+
 concurrency:
 group: deploy-production
 cancel-in-progress: false
@@ -11,21 +14,20 @@ concurrency:
 jobs:
 run-migrations:
 runs-on: ${{ vars.RUNNER_DEFAULT_LABEL || 'ubuntu-latest' }}
+ timeout-minutes: 15
 environment: production
 steps:
 - name: Checkout code
- uses: useblacksmith/checkout@v1
+ uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
 with:
 lfs: true
 - name: Setup pnpm
- uses: pnpm/action-setup@v2
- with:
- version: latest
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 22
 cache: 'pnpm'
@@ -43,6 +45,7 @@ jobs:
 deploy-app:
 runs-on: ${{ vars.RUNNER_LARGE_LABEL || 'ubuntu-24.04-8core' }}
+ timeout-minutes: 30
 needs: run-migrations
 environment: production
@@ -52,17 +55,15 @@ jobs:
 steps:
 - name: Checkout code
- uses: useblacksmith/checkout@v1
+ uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
 with:
 lfs: true
 - name: Setup pnpm
- uses: pnpm/action-setup@v2
- with:
- version: latest
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 22
 cache: 'pnpm'
@@ -71,7 +72,7 @@ jobs:
 run: pnpm install --frozen-lockfile
 - name: Cache Next.js build
- uses: actions/cache@v4
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
 with:
 path: |
 ~/.npm
@@ -98,6 +99,7 @@ jobs:
 deploy-global-app:
 runs-on: ${{ vars.RUNNER_LARGE_LABEL || 'ubuntu-24.04-8core' }}
+ timeout-minutes: 30
 needs: run-migrations
 environment: production
@@ -107,17 +109,15 @@ jobs:
 steps:
 - name: Checkout code
- uses: useblacksmith/checkout@v1
+ uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
 with:
 lfs: true
 - name: Setup pnpm
- uses: pnpm/action-setup@v2
- with:
- version: latest
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 22
 cache: 'pnpm'
@@ -126,7 +126,7 @@ jobs:
 run: pnpm install --frozen-lockfile
 - name: Cache Next.js build
- uses: actions/cache@v4
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
 with:
 path: |
 ~/.npm
@@ -151,75 +151,19 @@ jobs:
 - name: Deploy Project Artifacts to Vercel
 run: vercel deploy --prebuilt --prod --token=${{ secrets.VERCEL_TOKEN }}
- deploy-gateway:
- # Disabled: R2_ACCOUNT_ID env var is missing, causing deploy failures
- if: false
- runs-on: ${{ vars.RUNNER_LARGE_LABEL || 'ubuntu-24.04-8core' }}
- needs: run-migrations
- environment: production
-
- env:
- VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
- VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID_GATEWAY }}
-
- steps:
- - name: Checkout code
- uses: useblacksmith/checkout@v1
- with:
- lfs: true
-
- - name: Setup pnpm
- uses: pnpm/action-setup@v2
- with:
- version: latest
-
- - name: Setup Node.js
- uses: actions/setup-node@v4
- with:
- node-version: 22
- cache: 'pnpm'
-
- - name: Install dependencies
- run: pnpm install --frozen-lockfile
-
- - name: Cache Next.js build
- uses: actions/cache@v4
- with:
- path: |
- ~/.npm
- ${{ github.workspace }}/.next/cache
- key: ${{ runner.os }}-nextjs-${{ hashFiles('**/pnpm-lock.yaml') }}-${{ hashFiles('**/*.js', '**/*.jsx', '**/*.ts', '**/*.tsx') }}
- restore-keys: |
- ${{ runner.os }}-nextjs-${{ hashFiles('**/pnpm-lock.yaml') }}-
-
- - name: Install Vercel CLI
- run: pnpm install --global vercel@latest
-
- - run: vercel link --project=kilocode-gateway --token=${{ secrets.VERCEL_TOKEN }} --yes
-
- - name: Pull Vercel Environment Information
- run: vercel pull --yes --environment=production --token=${{ secrets.VERCEL_TOKEN }}
-
- - name: Build Project Artifacts
- env:
- NODE_OPTIONS: '--max-old-space-size=8192'
- run: vercel build --prod --token=${{ secrets.VERCEL_TOKEN }}
-
- - name: Deploy Project Artifacts to Vercel
- run: vercel deploy --prebuilt --prod --token=${{ secrets.VERCEL_TOKEN }}
-
 check-kiloclaw-changes:
 runs-on: ${{ vars.RUNNER_DEFAULT_LABEL || 'ubuntu-latest' }}
+ timeout-minutes: 5
 outputs:
 changed: ${{ steps.changes.outputs.kiloclaw }}
 steps:
 - name: Checkout code
- uses: useblacksmith/checkout@v1
+ uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
 with:
 fetch-depth: 0
 - name: Check for kiloclaw changes
- uses: dorny/paths-filter@v3
+ uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
 id: changes
 with:
 filters: |
diff --git a/.github/workflows/deploy-workers.yml b/.github/workflows/deploy-workers.yml
index 31d4dfa48..1f0b8ced8 100644
--- a/.github/workflows/deploy-workers.yml
+++ b/.github/workflows/deploy-workers.yml
@@ -30,6 +30,9 @@ on:
 - cloudflare-session-ingest
 - cloudflare-webhook-agent-ingest
+permissions:
+ contents: read
+
 concurrency:
 group: deploy-workers-${{ github.ref }}
 cancel-in-progress: false
@@ -39,27 +42,27 @@ jobs:
 deploy-manual:
 if: github.event_name == 'workflow_dispatch'
 runs-on: ${{ vars.RUNNER_DEFAULT_LABEL || 'ubuntu-latest' }}
+ timeout-minutes: 15
 name: Deploy ${{ inputs.worker }}
 steps:
 - name: Checkout code
- uses: useblacksmith/checkout@v1
+ uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
 - name: Setup pnpm
- uses: pnpm/action-setup@v2
- with:
- version: latest
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 22
+ cache: 'pnpm'
 - name: Install dependencies
 working-directory: ${{ inputs.worker }}
 run: pnpm install --frozen-lockfile
 - name: Deploy to Cloudflare Workers
- uses: cloudflare/wrangler-action@v3
+ uses: cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3.14.1
 with:
 apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
 workingDirectory: ${{ inputs.worker }}
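Review bot: The remaining context lines of the deploy-production hunk still pass the Vercel token on the command line, `run: vercel deploy --prebuilt --prod --token=${{ secrets.VERCEL_TOKEN }}`, which expands the secret into the shell script text and the process argument list rather than handing it over via the environment; the runner masks it in logs, but argv is visible to anything else on the runner and this pattern is also what the deleted `deploy-gateway` job used. Since the commit already touches every job in this file, it would be a natural moment to switch to `env: VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}` on the step and `run: vercel deploy --prebuilt --prod --token="$VERCEL_TOKEN"`, which the Vercel CLI accepts unchanged. The deletion of `deploy-gateway` itself is straightforward and drops the only remaining `if: false` job. The `deploy-global-app` steps that lead into this hunk lie outside it.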
@@ -69,11 +72,12 @@ jobs:
 detect-changes:
 if: github.event_name == 'push'
 runs-on: ${{ vars.RUNNER_DEFAULT_LABEL || 'ubuntu-latest' }}
+ timeout-minutes: 5
 outputs:
 matrix: ${{ steps.set-matrix.outputs.matrix }}
 steps:
 - name: Checkout code
- uses: useblacksmith/checkout@v1
+ uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
 with:
 fetch-depth: 0
@@ -128,6 +132,7 @@ jobs:
 needs: detect-changes
 if: needs.detect-changes.outputs.matrix != '[]' && needs.detect-changes.outputs.matrix != ''
 runs-on: ${{ vars.RUNNER_DEFAULT_LABEL || 'ubuntu-latest' }}
+ timeout-minutes: 15
 strategy:
 fail-fast: false
 matrix:
@@ -135,24 +140,23 @@ jobs:
 name: Deploy ${{ matrix.worker }}
 steps:
 - name: Checkout code
- uses: useblacksmith/checkout@v1
+ uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
 - name: Setup pnpm
- uses: pnpm/action-setup@v2
- with:
- version: latest
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 22
+ cache: 'pnpm'
 - name: Install dependencies
 working-directory: ${{ matrix.worker }}
 run: pnpm install --frozen-lockfile
 - name: Deploy to Cloudflare Workers
- uses: cloudflare/wrangler-action@v3
+ uses: cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3.14.1
 with:
 apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
 workingDirectory: ${{ matrix.worker }}
diff --git a/.github/workflows/kilo-app-ci.yml b/.github/workflows/kilo-app-ci.yml
index cedd66ab6..57e7b01d2 100644
--- a/.github/workflows/kilo-app-ci.yml
+++ b/.github/workflows/kilo-app-ci.yml
@@ -29,19 +29,17 @@ permissions:
 jobs:
 typecheck:
 runs-on: ${{ vars.RUNNER_DEFAULT_LABEL || 'ubuntu-latest' }}
+ timeout-minutes: 15
 steps:
- - uses: useblacksmith/checkout@v1
+ - uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
 with:
 lfs: true
 - name: Setup pnpm
- uses: pnpm/action-setup@v2
- with:
- version: latest
- run_install: false
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
 - name: Setup Node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 22
 cache: 'pnpm'
@@ -57,19 +55,17 @@ jobs:
 lint:
 runs-on: ${{ vars.RUNNER_DEFAULT_LABEL || 'ubuntu-latest' }}
+ timeout-minutes: 15
 steps:
- - uses: useblacksmith/checkout@v1
+ - uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
 with:
 lfs: true
 - name: Setup pnpm
- uses: pnpm/action-setup@v2
- with:
- version: latest
- run_install: false
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
 - name: Setup Node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 22
 cache: 'pnpm'
@@ -85,19 +81,17 @@ jobs:
 format-check:
 runs-on: ${{ vars.RUNNER_DEFAULT_LABEL || 'ubuntu-latest' }}
+ timeout-minutes: 15
 steps:
- - uses: useblacksmith/checkout@v1
+ - uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
 with:
 lfs: true
 - name: Setup pnpm
- uses: pnpm/action-setup@v2
- with:
- version: latest
- run_install: false
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
 - name: Setup Node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 22
 cache: 'pnpm'
@@ -114,19 +108,17 @@ jobs:
 check-unused:
 runs-on: ${{ vars.RUNNER_DEFAULT_LABEL || 'ubuntu-latest' }}
+ timeout-minutes: 15
 steps:
- - uses: useblacksmith/checkout@v1
+ - uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
 with:
 lfs: true
 - name: Setup pnpm
- uses: pnpm/action-setup@v2
- with:
- version: latest
- run_install: false
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
 - name: Setup Node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 22
 cache: 'pnpm'
diff --git a/.github/workflows/kilo-app-release.yml b/.github/workflows/kilo-app-release.yml
index ae212fa74..951f0bfff 100644
--- a/.github/workflows/kilo-app-release.yml
+++ b/.github/workflows/kilo-app-release.yml
@@ -15,10 +15,11 @@ permissions:
 jobs:
 check-changes:
 runs-on: ${{ vars.RUNNER_DEFAULT_LABEL || 'ubuntu-latest' }}
+ timeout-minutes: 5
 outputs:
 should_build: ${{ steps.check.outputs.should_build }}
 steps:
- - uses: useblacksmith/checkout@v1
+ - uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
 with:
 fetch-depth: 0
@@ -54,18 +55,15 @@ jobs:
 runs-on: ${{ vars.RUNNER_DEFAULT_LABEL || 'ubuntu-latest' }}
 timeout-minutes: 60
 steps:
- - uses: useblacksmith/checkout@v1
+ - uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
 with:
 lfs: true
 - name: Setup pnpm
- uses: pnpm/action-setup@v2
- with:
- version: latest
- run_install: false
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
 - name: Setup Node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 22
 cache: 'pnpm'
diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
index f8174e1a9..62fd14a21 100644
--- a/.github/workflows/trufflehog.yml
+++ b/.github/workflows/trufflehog.yml
@@ -12,12 +12,13 @@ permissions:
 jobs:
 trufflehog:
 runs-on: ${{ vars.RUNNER_DEFAULT_LABEL || 'ubuntu-latest' }}
+ timeout-minutes: 15
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 - name: Secret Scanning
- uses: trufflesecurity/trufflehog@v3.93.0
+ uses: trufflesecurity/trufflehog@7f4e37db2d928c18ddd7ddf0604f8f7d1f5793ec # v3.93.0
 with:
 extra_args: --results=verified,unknown
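Review bot: The trufflehog pin is the one place in this commit where the old ref was already an exact tag (`@v3.93.0`), so the SHA pin here changes nothing about which code runs and only removes the possibility of the tag being moved; the `# v3.93.0` comment matches the previous ref, which is the shape every other pin in the commit should follow. `fetch-depth: 0` is retained, which the full-history scan needs, and `actions/checkout` goes from v4 to v6 in the same step — a major bump worth noting in the commit description alongside the others. The `timeout-minutes: 15` ceiling is reasonable for a scan that also walks history, but if the repository grows it is the first setting that will start failing the job rather than the scan itself, so a comment such as `# raise if full-history scans start hitting the limit` next to it would help the next person who sees a timeout.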