diff --git a/.github/actions/setup-env/action.yml b/.github/actions/setup-env/action.yml index f983278c..0543b190 100644 --- a/.github/actions/setup-env/action.yml +++ b/.github/actions/setup-env/action.yml @@ -21,7 +21,7 @@ runs: using: 'composite' steps: - name: Node.js setup - uses: actions/setup-node@v3 + uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: ${{ inputs.node-version }} cache: 'yarn' @@ -40,7 +40,7 @@ runs: run: yarn install --frozen-lockfile - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1 with: aws-access-key-id: ${{ inputs.aws-access-key-id }} aws-secret-access-key: ${{ inputs.aws-secret-access-key }} diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml index bb6d845a..847c13cb 100644 --- a/.github/workflows/cla.yml +++ b/.github/workflows/cla.yml 
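Review bot: The new `uses:` pins in both hunks of setup-env/action.yml are annotated with floating major tags (`# v3`, `# v1`) rather than the exact release the SHA resolves to, so a reader cannot check the pin against a tag, and pin-updating tools such as Dependabot, which rewrite the trailing comment when it names a release, get nothing to update; the cla.yml hunk in this same commit already uses the exact form (`# v6.0.2`, `# v2.4.18`). Record the resolved tag instead, e.g. `uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.<minor>.<patch>` with the placeholder replaced by the release the SHA was taken from. The same applies to the `# v3`, `# v4`, `# v1` and `# v5` comments in the deployment.yml, lint.yml, safe-apps-check.yml and safe-apps-e2e.yml hunks. Separately, the composite action still receives static `aws-access-key-id`/`aws-secret-access-key` inputs; pinning does not change that, and moving to OIDC through this action's `role-to-assume` input (which needs `id-token: write` in the calling workflow) would be the natural follow-up.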
@@ -5,35 +5,26 @@ on: pull_request_target: types: [opened, closed, synchronize] +permissions: {} + jobs: - CLAAssistant: + CLAssistant: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + issues: write steps: + - name: Checkout reusable workflows + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + repository: safe-global/github-reusable-workflows + token: ${{ secrets.REUSABLE_WORKFLOWS_TOKEN }} + path: reusable-workflows + ref: c4fd58f9c721aca09b841c8035ce1d115ed5f3c3 # v2.4.18 - name: 'CLA Assistant' - if: (github.event.comment.body == 'recheckcla' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target' - # Beta Release - uses: contributor-assistant/github-action@v2.2.0 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # the below token should have repo scope and must be manually added by you in the repository's secret - PERSONAL_ACCESS_TOKEN: ${{ secrets.CLA_ACCESS_TOKEN }} + uses: ./reusable-workflows/actions/cla with: - path-to-signatures: 'signatures/version1/cla.json' - path-to-document: 'https://safe.global/cla' # e.g. 
a CLA or a DCO document - # branch should not be protected - branch: 'main' - # user names of users allowed to contribute without CLA + github-token: ${{ secrets.GITHUB_TOKEN }} + personal-access-token: ${{ secrets.CLA_ACCESS_TOKEN }} allowlist: clovisdasilvaneto,rmeissner,Uxio0,dasanra,francovenica,luarx,yagopv,usame-algan,bot* - - # the followings are the optional inputs - If the optional inputs are not given, then default values will be taken - # enter the remote organization name where the signatures should be stored (Default is storing the signatures in the same repository) - remote-organization-name: 'safe-global' - # enter the remote repository name where the signatures should be stored (Default is storing the signatures in the same repository) - remote-repository-name: 'cla-signatures' - #create-file-commit-message: 'For example: Creating file for storing CLA Signatures' - #signed-commit-message: 'For example: $contributorName has signed the CLA in #$pullRequestNo' - #custom-notsigned-prcomment: 'pull request comment with Introductory message to ask new contributors to sign' - #custom-pr-sign-comment: 'The signature to be committed in order to sign the CLA' - #custom-allsigned-prcomment: 'pull request comment when all contributors has signed, defaults to **CLA Assistant Lite bot** All Contributors have signed the CLA.' - #lock-pullrequest-aftermerge: false - if you don't want this bot to automatically lock the pull request after merging (default - true) - #use-dco-flag: true - If you are using DCO instead of CLA diff --git a/.github/workflows/conventional-commit-check.yml b/.github/workflows/conventional-commit-check.yml index c32009ba..d0d8d043 100644 --- a/.github/workflows/conventional-commit-check.yml +++ b/.github/workflows/conventional-commit-check.yml 
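Review bot: The step-level `if` that limited the `CLA Assistant` step to a `recheckcla`/signature comment or a `pull_request_target` event is dropped and nothing in the hunk replaces it; if the `on:` block above this hunk still lists `issue_comment` (the old condition only makes sense if it does), `./reusable-workflows/actions/cla` now runs on every comment unless it filters internally, so either confirm that filtering in the reusable action or restore the guard on the job, e.g. `if: github.event_name == 'pull_request_target' || github.event.comment.body == 'recheckcla' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA'`. The checkout of `safe-global/github-reusable-workflows` passes `secrets.REUSABLE_WORKFLOWS_TOKEN` and keeps actions/checkout's default `persist-credentials: true`, so the PAT stays in `reusable-workflows/.git/config` for the rest of the job although only a read at the pinned ref is needed; add `persist-credentials: false` under that step's `with:`. The job id changes from `CLAAssistant` to `CLAssistant`, which looks like a dropped letter; the job id is also the status-check name when no `name:` is set, so a branch-protection rule that requires `CLAAssistant` stops being satisfied until it is updated or the id is restored.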
@@ -7,11 +7,14 @@ on: - edited - synchronize +permissions: + pull-requests: read + jobs: main: name: Validate PR title runs-on: ubuntu-latest steps: - - uses: amannn/action-semantic-pull-request@v4 + - uses: amannn/action-semantic-pull-request@505e44b4f33b4c801f063838b3f053990ee46ea7 # v4 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml index 1b3f35e2..4de3972e 100644 --- a/.github/workflows/deployment.yml +++ b/.github/workflows/deployment.yml @@ -10,6 +10,11 @@ on: - development # Run manually to version/production deployment/github releases workflow_dispatch: + +permissions: + contents: read + pull-requests: write + env: REPO_NAME_ALPHANUMERIC: safereactapps HUSKY: 0 @@ -20,7 +25,7 @@ jobs: runs-on: ubuntu-latest if: ${{ github.event_name == 'pull_request' }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: ref: ${{ github.event.pull_request.head.ref }} fetch-depth: 0 @@ -32,7 +37,7 @@ jobs: aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - name: Derive appropriate SHAs for base and head for `nx affected` commands - uses: nrwl/nx-set-shas@v4 + uses: nrwl/nx-set-shas@3e9ad7370203c1e93d109be57f3b72eb0eb511b1 # v4 - name: Test, Build, Deploy PR run: | @@ -52,7 +57,7 @@ jobs: - name: 'PRaul: Comment PR with app URLs' if: success() && github.event.number - uses: mshick/add-pr-comment@v1 + uses: mshick/add-pr-comment@a96c578acba98b60f16c6866d5f20478dc4ef68b # v1 with: message: | * [Drain Account App](${{ env.REVIEW_FEATURE_URL }}/drain-safe/) @@ -72,7 +77,7 @@ jobs: if: github.event_name != 'pull_request' && github.event_name != 'workflow_dispatch' steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: fetch-depth: 0 
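Review bot: The workflow-level `permissions` block added in the `@@ -10,6 +10,11` hunk of deployment.yml gives every job `contents: read`, including the `workflow_dispatch` job on `main` in the `@@ -118,7 +123,7` hunk that the header comment describes as handling versioning and GitHub releases; if that job creates tags or releases with `GITHUB_TOKEN` it now needs its own `permissions:` with `contents: write`, which is not visible in this diff. Conversely `pull-requests: write` is only needed by the `mshick/add-pr-comment` step in the `pull_request` job (`@@ -52,7 +57,7`), so it would be tighter to keep the top level at `contents: read` alone and add `permissions:` with `contents: read` and `pull-requests: write` on that one job. The job bodies start and end outside these hunks, so whether any job already carries its own `permissions` cannot be confirmed from the diff.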
@@ -83,7 +88,7 @@ jobs: aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - name: Derive appropriate SHAs for base and head for `nx affected` commands - uses: nrwl/nx-set-shas@v4 + uses: nrwl/nx-set-shas@3e9ad7370203c1e93d109be57f3b72eb0eb511b1 # v4 - name: Test and Build run: | @@ -118,7 +123,7 @@ jobs: if: github.ref == 'refs/heads/main' && github.event_name == 'workflow_dispatch' steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: fetch-depth: 0 ref: main diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 33c5b854..01964462 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -1,13 +1,16 @@ name: 'ESLint check' on: [pull_request] +permissions: + contents: read + jobs: eslint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: 18 cache: yarn diff --git a/.github/workflows/safe-apps-check.yml b/.github/workflows/safe-apps-check.yml index 5dd0f487..2339db92 100644 --- a/.github/workflows/safe-apps-check.yml +++ b/.github/workflows/safe-apps-check.yml @@ -26,15 +26,18 @@ on: # # At 4:00 on every day-of-week from Monday through Friday # - cron: '0 4 * * 1-5' +permissions: + contents: read + jobs: e2e: runs-on: ubuntu-20.04 # let's make sure our tests pass on Chrome browser name: E2E on Chrome steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - - uses: cypress-io/github-action@v5 + - uses: cypress-io/github-action@248bde77443c376edc45906ede03a1aba9da0462 # v5 name: Mainnet with: browser: chrome 
@@ -52,7 +55,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} continue-on-error: true - - uses: cypress-io/github-action@v5 + - uses: cypress-io/github-action@248bde77443c376edc45906ede03a1aba9da0462 # v5 name: Gnosis Chain with: browser: chrome @@ -70,7 +73,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} continue-on-error: true - - uses: cypress-io/github-action@v5 + - uses: cypress-io/github-action@248bde77443c376edc45906ede03a1aba9da0462 # v5 name: Polygon with: browser: chrome @@ -88,7 +91,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} continue-on-error: true - - uses: cypress-io/github-action@v5 + - uses: cypress-io/github-action@248bde77443c376edc45906ede03a1aba9da0462 # v5 name: BNB Smart Chain with: browser: chrome @@ -106,7 +109,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} continue-on-error: true - - uses: cypress-io/github-action@v5 + - uses: cypress-io/github-action@248bde77443c376edc45906ede03a1aba9da0462 # v5 name: Arbitrum with: browser: chrome @@ -124,7 +127,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} continue-on-error: true - - uses: cypress-io/github-action@v5 + - uses: cypress-io/github-action@248bde77443c376edc45906ede03a1aba9da0462 # v5 name: Aurora with: browser: chrome @@ -142,7 +145,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} continue-on-error: true - - uses: cypress-io/github-action@v5 + - uses: cypress-io/github-action@248bde77443c376edc45906ede03a1aba9da0462 # v5 name: Avalanche with: browser: chrome @@ -160,7 +163,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} continue-on-error: true - - uses: cypress-io/github-action@v5 + - uses: cypress-io/github-action@248bde77443c376edc45906ede03a1aba9da0462 # v5 name: Optimism with: browser: chrome diff --git a/.github/workflows/safe-apps-e2e.yml b/.github/workflows/safe-apps-e2e.yml index 82532b32..cccbbd03 100644 --- a/.github/workflows/safe-apps-e2e.yml +++ b/.github/workflows/safe-apps-e2e.yml 
@@ -6,18 +6,22 @@ on: - development - main +permissions: + actions: write + contents: read + jobs: e2e: runs-on: ubuntu-latest name: Execute E2E tests steps: - name: Cancel previous runs - uses: styfle/cancel-workflow-action@0.8.0 + uses: styfle/cancel-workflow-action@3d86a7cc43670094ac248017207be0295edbc31d # 0.8.0 with: access_token: ${{ github.token }} - name: Checkout web-core - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: repository: safe-global/web-core ref: main @@ -28,7 +32,7 @@ jobs: run: yarn install - name: Yarn cache web-core modules - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3 with: path: 'web-core/**/node_modules' key: web-core-modules-${{ hashFiles('**/yarn.lock') }} @@ -65,13 +69,13 @@ jobs: if: ${{ github.ref == 'refs/heads/main' || github.event.schedule == '0 9 * * 1-5' }} - name: Checkout safe-react-apps - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: repository: safe-global/safe-react-apps path: apps - name: Execute E2E tests - uses: cypress-io/github-action@v5 + uses: cypress-io/github-action@248bde77443c376edc45906ede03a1aba9da0462 # v5 with: browser: chrome record: true
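Review bot: The new workflow-level `actions: write` in safe-apps-e2e.yml exists only so the `Cancel previous runs` step can cancel earlier runs through `styfle/cancel-workflow-action` with `github.token`, which hands a write permission to every step of the job for the sake of one third-party action. GitHub's native `concurrency` setting cancels superseded runs without a token or extra action, after which the block can shrink to `contents: read`; replace that step with a top-level `concurrency:` mapping holding `group: ${{ github.workflow }}-${{ github.ref }}` and `cancel-in-progress: true`. The `with:` block of the web-core checkout and the rest of the `e2e` job continue past this hunk.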