From 94454c08a33de5c0c4660bed3b268902be6f7ab3 Mon Sep 17 00:00:00 2001 From: Morgan Chen Date: Thu, 11 Jun 2026 15:35:24 -0700 Subject: [PATCH 1/4] run ratchet --- .github/workflows/android.yml | 14 +- .github/workflows/build-report.yml | 12 +- .github/workflows/checks.yml | 16 +- .github/workflows/checks_secure.yml | 6 +- .github/workflows/cpp-packaging.yml | 90 ++++---- .github/workflows/desktop.yml | 38 ++-- .github/workflows/integration_tests.yml | 198 +++++++++--------- .github/workflows/ios.yml | 8 +- .github/workflows/lint.yml | 6 +- .github/workflows/retry-test-failures.yml | 6 +- .github/workflows/reviewer-roulette.yml | 6 +- .github/workflows/update-dependencies.yml | 8 +- .github/workflows/update-feature-branches.yml | 10 +- 13 files changed, 205 insertions(+), 213 deletions(-) diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml index bb58f65576..e2617fb6f9 100644 --- a/.github/workflows/android.yml +++ b/.github/workflows/android.yml @@ -27,7 +27,7 @@ jobs: matrix_architecture: ${{ steps.export-result.outputs.matrix_architecture }} matrix_python_version: ${{ steps.export-result.outputs.matrix_python_version }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: submodules: false - name: Use expanded matrix @@ -60,7 +60,7 @@ jobs: - os: macos-15 architecture: x64 steps: - - uses: lukka/get-cmake@latest + - uses: lukka/get-cmake@591817e96fcad43505fb4eae36172462abb3a42e # ratchet:lukka/get-cmake@latest with: cmakeVersion: "~3.31.0" - name: setup Xcode version (macos) @@ -91,7 +91,7 @@ jobs: echo "Enabling expanded build and test matrix." echo "USE_EXPANDED_MATRIX=1" >> $GITHUB_ENV - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: submodules: true 
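Review bot: Nothing in this patch keeps the new pins current. The diffstat lists only workflow files, so unless a later patch in the series or an existing job covers `.github/workflows`, `actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744` in the `@@ -27,7 +27,7 @@` hunk stays frozen even when the v3 line receives a security fix, and the same holds for every other pinned `uses:` in the series. A `package-ecosystem: "github-actions"` entry in the Dependabot config, or a scheduled `ratchet update` job, would close that gap. Before merge it is also worth confirming that each 40-hex value is reachable from the named tag in the upstream repository and not only from a fork, because GitHub resolves `owner/repo@sha` for commits anywhere in the fork network.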
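Review bot: In the `@@ -60,7 +60,7 @@` hunk the pin for `lukka/get-cmake` keeps `latest` as its ratchet constraint (`# ratchet:lukka/get-cmake@latest`). The line therefore does not say which release `591817e96fcad43505fb4eae36172462abb3a42e` corresponds to, and the next `ratchet update` will re-resolve `latest` and move the pin to whatever that ref points at then. Recording a release tag instead, for example `# ratchet:lukka/get-cmake@<release-tag>` with the matching commit, makes each bump an explicit and reviewable change. The same applies to the other get-cmake pins in checks.yml, cpp-packaging.yml, desktop.yml and integration_tests.yml, and to the `docker://agilepathway/pull-request-label-checker:latest` digest in checks.yml.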
@@ -105,18 +105,18 @@ jobs: MATRIX_ARCHITECTURE: ${{ matrix.architecture }} - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: ${{ matrix.python_version }} architecture: ${{ matrix.architecture }} - name: Add msbuild to PATH if: startsWith(matrix.os, 'windows') - uses: microsoft/setup-msbuild@v1.1 + uses: microsoft/setup-msbuild@34cfbaee7f672c76950673338facd8a73f637506 # ratchet:microsoft/setup-msbuild@v1.1 - name: Cache NDK id: cache_ndk - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # ratchet:actions/cache@v3 with: path: /tmp/android-ndk-r21e key: android-ndk-${{ matrix.os }}-r21e @@ -161,7 +161,7 @@ jobs: - name: Cache ccache files id: cache_ccache - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # ratchet:actions/cache@v3 with: path: ccache_dir key: dev-test-ccache-${{ env.MATRIX_UNIQUE_NAME }} diff --git a/.github/workflows/build-report.yml b/.github/workflows/build-report.yml index 3fdb21d135..8c9473bc25 100644 --- a/.github/workflows/build-report.yml +++ b/.github/workflows/build-report.yml @@ -26,14 +26,14 @@ jobs: if: ${{ matrix.test_set == 'firestore' }} run: sleep 300 - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: 3.9 - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: fetch-depth: 0 - name: Install Desktop SDK prerequisites - uses: nick-invision/retry@v2 + uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # ratchet:nick-invision/retry@v2 with: timeout_minutes: 15 max_attempts: 3 
@@ -41,7 +41,7 @@ jobs: python3 scripts/gha/install_prereqs_desktop.py --gha_build python3 -m pip install requests python-dateutil progress attrs - name: Fetch GitHub jobs (with retry) - uses: nick-invision/retry@v2 + uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # ratchet:nick-invision/retry@v2 with: timeout_minutes: 20 max_attempts: 3 @@ -53,7 +53,7 @@ jobs: fi python3 scripts/gha/report_build_status.py --token ${{ github.token }} --days ${{ env.numDays }} --write_cache build_status_short.cache ${extra_flags} - name: Fetch extended GitHub jobs (with retry) - uses: nick-invision/retry@v2 + uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # ratchet:nick-invision/retry@v2 with: timeout_minutes: 80 max_attempts: 3 @@ -103,7 +103,7 @@ jobs: run: | cat comment.md - name: Update GitHub issue (with retry) - uses: nick-invision/retry@v2 + uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # ratchet:nick-invision/retry@v2 with: timeout_minutes: 5 max_attempts: 3 diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index e74fb016d4..b1be6be7cf 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -21,11 +21,11 @@ jobs: file_format_check: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: submodules: false - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: 3.9 - name: Install prerequisites 
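Review bot: The context line `python3 -m pip install requests python-dateutil progress attrs` in the `@@ -41,7 +41,7 @@` hunk still installs whatever versions the package index serves at run time, so this job keeps an unpinned dependency path even though the `uses:` lines around it are now fixed to commits. Consider installing from a pinned requirements file, for example `python3 -m pip install --require-hashes -r <requirements-file>`. The `command: npm install -g firebase-tools` step in the desktop.yml hunk at `@@ -375,18 +375,18 @@` has the same gap and could name an explicit version, `npm install -g firebase-tools@<version>`. Both step bodies start outside their hunks, so check the full steps before changing them.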
@@ -44,7 +44,7 @@ jobs: # This check fails if integration tests are queued, in progress, or failed. runs-on: ubuntu-22.04 steps: - - uses: docker://agilepathway/pull-request-label-checker:latest + - uses: docker://index.docker.io/agilepathway/pull-request-label-checker@sha256:14f5f3dfda922496d07d53494e2d2b42885165f90677a1c03d600059b7706a61 # ratchet:docker://agilepathway/pull-request-label-checker:latest with: none_of: "${{ env.statusLabelInProgress }},${{ env.statusLabelFailed }},${{ env.triggerLabelFull }},${{ env.triggerLabelQuick }}" repo_token: ${{ github.token }} @@ -53,14 +53,14 @@ jobs: # This check succeeds if Doxygen documentation generates without errors. runs-on: ubuntu-22.04 steps: - - uses: lukka/get-cmake@latest + - uses: lukka/get-cmake@591817e96fcad43505fb4eae36172462abb3a42e # ratchet:lukka/get-cmake@latest with: cmakeVersion: "~3.31.0" - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: submodules: false - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: 3.9 - name: Install prerequisites @@ -95,7 +95,7 @@ jobs: # Check for Google copyright in each file. runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: submodules: false - name: Run check_copyright.sh 
@@ -107,7 +107,7 @@ jobs: # Check that the readme was updated, unless the PR has a specific label set (env.skipReleaseNotesLabel). runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 # Skip this if the PR has the skipReleaseNotes label or if it's a merge to other than main. if: ${{!contains(github.event.pull_request.labels.*.name, env.skipReleaseNotesLabel) && (github.event.pull_request.base.ref == 'main')}} with: diff --git a/.github/workflows/checks_secure.yml b/.github/workflows/checks_secure.yml index 1ee31c83a1..53309c0ca2 100644 --- a/.github/workflows/checks_secure.yml +++ b/.github/workflows/checks_secure.yml @@ -19,19 +19,19 @@ jobs: steps: - name: Check user permission id: check - uses: scherermichael-oss/action-has-permission@1.0.6 + uses: scherermichael-oss/action-has-permission@136e061bfe093832d87f090dd768e14e27a740d3 # ratchet:scherermichael-oss/action-has-permission@1.0.6 # This action sets outputs.has-permission to '1' or '' with: required-permission: write env: GITHUB_TOKEN: ${{ github.token }} - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 if: steps.check.outputs.has-permission != 1 || github.event.pull_request.head.repo.full_name != github.repository with: submodules: false - name: Setup python if: steps.check.outputs.has-permission != 1 || github.event.pull_request.head.repo.full_name != github.repository - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: 3.9 - name: Install prerequisites diff --git a/.github/workflows/cpp-packaging.yml b/.github/workflows/cpp-packaging.yml index d409cd4ab8..f2395dec2c 100644 --- a/.github/workflows/cpp-packaging.yml +++ b/.github/workflows/cpp-packaging.yml 
@@ -93,7 +93,7 @@ jobs: # Binutils 2.35.1 released Sep 19, 2020 binutils_version: "2.35.1" steps: - - uses: lukka/get-cmake@latest + - uses: lukka/get-cmake@591817e96fcad43505fb4eae36172462abb3a42e # ratchet:lukka/get-cmake@latest with: cmakeVersion: "~3.31.0" - name: setup Xcode version (macos) @@ -101,7 +101,7 @@ jobs: run: sudo xcode-select -s /Applications/Xcode_${{ env.xcodeVersion }}.app/Contents/Developer - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: 3.9 @@ -131,7 +131,7 @@ jobs: - name: Cache LLVM (Mac only) if: matrix.tools_platform == 'darwin' id: cache_llvm - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # ratchet:actions/cache@v3 with: path: llvm-src/llvm/build/bin key: llvm-bin-${{matrix.tools_platform}}-${{env.xcodeVersion}}-${{env.llvmVer}} @@ -139,7 +139,7 @@ jobs: - name: Fetch LLVM source (Mac only) # Only fetch LLVM if we don't already have binaries from the cache. if: ${{ matrix.tools_platform == 'darwin' && !steps.cache_llvm.outputs.cache-hit }} - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: repository: llvm/llvm-project path: llvm-src @@ -161,7 +161,7 @@ jobs: cp -af llvm-src/llvm/build/bin/* packaging-tools - name: fetch demumble - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: repository: nico/demumble path: demumble-src @@ -184,7 +184,7 @@ jobs: tar -czhf ../packaging-tools.tgz . - name: upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 with: name: packaging-tools-${{ matrix.tools_platform }} path: packaging-tools.tgz 
@@ -194,7 +194,7 @@ jobs: runs-on: macos-15 if: ${{ github.event.inputs.downloadPublicVersion == '' && github.event.inputs.downloadPreviousRun == '' }} steps: - - uses: lukka/get-cmake@latest + - uses: lukka/get-cmake@591817e96fcad43505fb4eae36172462abb3a42e # ratchet:lukka/get-cmake@latest with: cmakeVersion: "~3.31.0" - name: Store git credentials for all git commands @@ -209,12 +209,12 @@ jobs: run: sudo xcode-select -s /Applications/Xcode_${{ env.xcodeVersion }}.app/Contents/Developer - name: fetch SDK - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: path: sdk-src - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: 3.9 @@ -245,7 +245,7 @@ jobs: find firebase-cpp-sdk-*-package -type f - name: upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 with: name: firebase-cpp-sdk-ios-tvos-package path: firebase-cpp-sdk-ios-tvos-package.tgz @@ -257,14 +257,14 @@ jobs: strategy: fail-fast: false steps: - - uses: lukka/get-cmake@latest + - uses: lukka/get-cmake@591817e96fcad43505fb4eae36172462abb3a42e # ratchet:lukka/get-cmake@latest with: cmakeVersion: "~3.31.0" - name: Force Java 11 shell: bash run: echo "JAVA_HOME=${JAVA_HOME_11_X64}" >> $GITHUB_ENV - name: fetch SDK - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: path: sdk-src @@ -277,7 +277,7 @@ jobs: - name: Cache NDK id: cache_ndk - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # ratchet:actions/cache@v3 with: path: /tmp/android-ndk-r21e key: android-ndk-${{ runner.os }}-r21e 
@@ -308,7 +308,7 @@ jobs: find firebase-cpp-sdk-*-package -type f - name: upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 with: name: firebase-cpp-sdk-android-package path: firebase-cpp-sdk-android-package.tgz @@ -364,7 +364,7 @@ jobs: architecture: "arm64" steps: - - uses: lukka/get-cmake@latest + - uses: lukka/get-cmake@591817e96fcad43505fb4eae36172462abb3a42e # ratchet:lukka/get-cmake@latest with: cmakeVersion: "~3.31.0" - name: Store git credentials for all git commands @@ -378,7 +378,7 @@ jobs: if: runner.os == 'macOS' run: sudo xcode-select -s /Applications/Xcode_${{ env.xcodeVersion }}.app/Contents/Developer - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: submodules: true @@ -395,11 +395,11 @@ jobs: - name: Add msbuild to PATH (windows) if: startsWith(matrix.os, 'windows') - uses: microsoft/setup-msbuild@v1.1 + uses: microsoft/setup-msbuild@34cfbaee7f672c76950673338facd8a73f637506 # ratchet:microsoft/setup-msbuild@v1.1 - name: Cache vcpkg C++ dependencies id: cache_vcpkg - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # ratchet:actions/cache@v3 with: path: external/vcpkg/installed key: dev-vcpkg-${{ matrix.architecture }}-${{ matrix.vcpkg_triplet_suffix }}-${{ matrix.msvc_runtime }}-${{ matrix.linux_abi }}-${{ hashFiles(format('{0}', env.VCPKG_RESPONSE_FILE)) }}-${{ hashFiles('.git/modules/external/vcpkg/HEAD') }}${{env.VCPKG_EXTRA_HASH}} 
@@ -407,18 +407,18 @@ jobs: - name: Cache ccache files if: startsWith(matrix.os, 'ubuntu') || startsWith(matrix.os, 'macos') id: cache_ccache - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # ratchet:actions/cache@v3 with: path: ccache_dir key: dev-test-ccache-${{ env.MATRIX_UNIQUE_NAME }} - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: ${{ matrix.python_version }} - name: Install Desktop SDK prerequisites - uses: nick-invision/retry@v2 + uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # ratchet:nick-invision/retry@v2 with: timeout_minutes: 15 max_attempts: 3 @@ -466,7 +466,7 @@ jobs: continue-on-error: true - name: upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 with: name: firebase-cpp-sdk-${{ env.SDK_NAME }}-build path: firebase-cpp-sdk-${{ env.SDK_NAME }}-build.tgz 
@@ -521,24 +521,24 @@ jobs: run: sudo xcode-select -s /Applications/Xcode_${{ env.xcodeVersion }}.app/Contents/Developer - name: fetch SDK - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: path: sdk-src - name: download packaging-tool artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 with: path: artifacts pattern: packaging-tools-* - name: download build artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 with: path: artifacts pattern: firebase-cpp-sdk-* - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: 3.9 @@ -607,7 +607,7 @@ jobs: find firebase-cpp-sdk-*-package -type f - name: upload SDK zip - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 with: name: firebase-cpp-sdk-${{ matrix.sdk_platform }}${{ matrix.suffix}}-package path: firebase-cpp-sdk-${{ matrix.sdk_platform }}${{ matrix.suffix}}-package.tgz @@ -662,7 +662,7 @@ jobs: && github.event.inputs.downloadPreviousRun == '' ) # Remove the build artifacts that were consumed during this step of packaging. - uses: geekyeggo/delete-artifact@v2 + uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # ratchet:geekyeggo/delete-artifact@v2 with: name: | firebase-cpp-sdk-${{ matrix.sdk_platform }}${{ matrix.suffix }}*-build 
@@ -677,7 +677,7 @@ jobs: if: ${{ github.event.inputs.downloadPublicVersion != '' || github.event.inputs.downloadPreviousRun != '' }} steps: - name: fetch artifact from previous run - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 if: ${{ github.event.inputs.downloadPreviousRun != '' }} with: name: 'firebase_cpp_sdk.zip' @@ -710,13 +710,13 @@ jobs: echo "::warning ::$(cat firebase_cpp_sdk_hash.txt)" - name: upload hash - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 with: name: firebase_cpp_sdk_hash.txt path: firebase_cpp_sdk_hash.txt - name: upload SDK zip - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 with: name: firebase_cpp_sdk.zip path: firebase_cpp_sdk.zip @@ -729,12 +729,12 @@ jobs: needs: [build_and_package_ios_tvos, build_and_package_android, package_desktop, log_inputs] steps: - name: fetch SDK - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: path: sdk-src - name: download artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 with: path: artifacts pattern: firebase-cpp-sdk-*-package 
@@ -772,13 +772,13 @@ jobs: find firebase_cpp_sdk -type f - name: upload hash - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 with: name: firebase_cpp_sdk_hash.txt path: firebase_cpp_sdk_hash.txt - name: upload SDK zip - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 with: name: firebase_cpp_sdk.zip path: firebase_cpp_sdk.zip @@ -789,7 +789,7 @@ jobs: needs: [merge_packages] steps: - name: download SDK zip - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 with: name: firebase_cpp_sdk.zip - name: unzip SDK and remove non-Windows files @@ -817,12 +817,12 @@ jobs: ${{ env.hashCommand }} --tag firebase_cpp_sdk_windows.zip > firebase_cpp_sdk_windows_hash.txt echo "::warning ::$(cat firebase_cpp_sdk_windows_hash.txt)" - name: upload Windows hash - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 with: name: firebase_cpp_sdk_windows_hash.txt path: firebase_cpp_sdk_windows_hash.txt - name: upload Windows SDK zip - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 with: name: firebase_cpp_sdk_windows.zip path: firebase_cpp_sdk_windows.zip @@ -841,7 +841,7 @@ jobs: && github.event.inputs.downloadPreviousRun == '' ) steps: - - uses: geekyeggo/delete-artifact@v2 + - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # ratchet:geekyeggo/delete-artifact@v2 with: name: | packaging-tools-* 
@@ -856,10 +856,10 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout repo - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: '3.9' - name: Use expanded matrix @@ -873,7 +873,7 @@ jobs: # # This method is preferred over the "personal access token" solution, as the GitHub App's scope is limited to just # the firebase-cpp-sdk repository. - uses: tibdex/github-app-token@v1 + uses: tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58 # ratchet:tibdex/github-app-token@v1 id: generate-token with: app_id: ${{ secrets.WORKFLOW_TRIGGER_APP_ID }} @@ -929,16 +929,16 @@ jobs: if: ${{ failure() && !cancelled() && github.event_name == 'schedule' }} steps: - name: Checkout repo - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: 3.9 - name: Install python deps run: pip install -r scripts/gha/python_requirements.txt # The default token can't run workflows, so get an alternate token. - name: Generate token for GitHub API - uses: tibdex/github-app-token@v1 + uses: tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58 # ratchet:tibdex/github-app-token@v1 id: generate-token with: app_id: ${{ secrets.WORKFLOW_TRIGGER_APP_ID }} diff --git a/.github/workflows/desktop.yml b/.github/workflows/desktop.yml index c2cdf33619..c609d8537d 100644 --- a/.github/workflows/desktop.yml +++ b/.github/workflows/desktop.yml 
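Review bot: In the `@@ -873,7 +873,7 @@` hunk, `tibdex/github-app-token` is the pin in this file whose provenance matters most, so please confirm that `32691ba7c9e7063bd457bd8f2a5703138591fa58` is the commit the upstream `v1` tag points to. This step receives `secrets.WORKFLOW_TRIGGER_APP_ID` (and presumably the app's private key, outside the hunk) and mints a token that, per the comment in the `@@ -929,16 +929,16 @@` hunk, can run workflows where the default token cannot. Because a third-party action handles the app credentials in both hunks, it may be worth a follow-up to evaluate GitHub's first-party `actions/create-github-app-token` in its place. The `with:` blocks continue outside both hunks.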
@@ -29,7 +29,7 @@ jobs: matrix_xcode_version: ${{ steps.export-result.outputs.xcode_version }} matrix_python_version: ${{ steps.export-result.outputs.python_version }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: submodules: false - name: Use expanded matrix @@ -97,7 +97,7 @@ jobs: - xcode_version: "11.7" architecture: "arm64" steps: - - uses: lukka/get-cmake@latest + - uses: lukka/get-cmake@591817e96fcad43505fb4eae36172462abb3a42e # ratchet:lukka/get-cmake@latest with: cmakeVersion: "~3.31.0" - name: Store git credentials for all git commands @@ -115,7 +115,7 @@ jobs: if: runner.os == 'macOS' run: sudo xcode-select -s /Applications/Xcode_${{ matrix.xcode_version }}.app/Contents/Developer - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: submodules: true @@ -163,7 +163,7 @@ jobs: - name: Cache vcpkg C++ dependencies id: cache_vcpkg - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # ratchet:actions/cache@v3 with: path: external/vcpkg/installed key: dev-vcpkg-${{ matrix.architecture }}-${{ env.VCPKG_SUFFIX }}-${{ matrix.msvc_runtime }}-${{ hashFiles(format('{0}', env.VCPKG_RESPONSE_FILE)) }}-${{ hashFiles('.git/modules/external/vcpkg/HEAD') }}${{ env.VCPKG_EXTRA_HASH }} 
@@ -171,20 +171,20 @@ jobs: - name: Cache ccache files if: startsWith(matrix.os, 'ubuntu') || startsWith(matrix.os, 'macos') id: cache_ccache - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # ratchet:actions/cache@v3 with: path: ccache_dir key: dev-test-ccache-${{ env.MATRIX_UNIQUE_NAME }}${{ env.VCPKG_EXTRA_HASH }} - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 if: startsWith(matrix.os, 'ubuntu') with: python-version: ${{ matrix.python_version }} architecture: x64 - name: Setup python (Mac) - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 if: startsWith(matrix.os, 'macos') with: python-version: ${{ matrix.python_version }} @@ -192,7 +192,7 @@ jobs: - name: Install Desktop SDK prerequisites - uses: nick-invision/retry@v2 + uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # ratchet:nick-invision/retry@v2 with: timeout_minutes: 15 max_attempts: 3 @@ -296,7 +296,7 @@ jobs: sudo chmod -R +rwx ~/Library/Logs/DiagnosticReports/* || : - name: Archive crashes and binaries (linux) - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 if: failure() && startsWith(matrix.build_type, 'Debug') && startsWith(matrix.os, 'ubuntu') with: name: crashes-${{ matrix.os }}-${{ matrix.build_type }}-${{ matrix.architecture }}-${{ matrix.python_version }} 
@@ -305,7 +305,7 @@ jobs: /tmp/bins/* - name: Archive crashes (mac) - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 if: failure() && startsWith(matrix.build_type, 'Debug') && startsWith(matrix.os, 'macos') with: name: crashes-${{ matrix.os }}-${{ matrix.build_type }}-${{ matrix.architecture }}-${{ matrix.python_version }}-${{ matrix.xcode_version }} @@ -322,30 +322,30 @@ jobs: strategy: fail-fast: false steps: - - uses: lukka/get-cmake@latest + - uses: lukka/get-cmake@591817e96fcad43505fb4eae36172462abb3a42e # ratchet:lukka/get-cmake@latest with: cmakeVersion: "~3.31.0" - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: ref: ${{needs.check_and_prepare.outputs.github_ref}} submodules: true - name: Cache vcpkg C++ dependencies id: cache_vcpkg - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # ratchet:actions/cache@v3 with: path: external/vcpkg/installed key: dev-vcpkg-${{ env.VCPKG_TRIPLET }}-${{ hashFiles(format('{0}', env.VCPKG_RESPONSE_FILE)) }}-${{ hashFiles('.git/modules/external/vcpkg/HEAD') }} - name: Cache ccache files - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # ratchet:actions/cache@v3 with: path: ccache_dir key: local-integration-tests-linux-openssl-ccache - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: ${{ fromJson(needs.prepare_matrix.outputs.matrix_python_version)[0] }} - name: Prepare for integration tests - uses: nick-invision/retry@v2 + uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # ratchet:nick-invision/retry@v2 with: shell: bash timeout_minutes: 15 
@@ -375,18 +375,18 @@ jobs: env: JOB_STATUS: ${{ job.status }} - name: Set up Node (18) - uses: actions/setup-node@v3 + uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # ratchet:actions/setup-node@v3 with: node-version: 18.x - name: Setup Firestore Emulator - uses: nick-invision/retry@v2 + uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # ratchet:nick-invision/retry@v2 with: shell: bash timeout_minutes: 5 max_attempts: 3 command: npm install -g firebase-tools - name: Setup java - uses: actions/setup-java@v3 + uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # ratchet:actions/setup-java@v3 with: distribution: 'temurin' java-version: '17' diff --git a/.github/workflows/integration_tests.yml b/.github/workflows/integration_tests.yml index 92c901828e..d3838f3190 100644 --- a/.github/workflows/integration_tests.yml +++ b/.github/workflows/integration_tests.yml @@ -76,7 +76,7 @@ jobs: steps: ### Fail the workflow if the user does not have admin access to run the tests. - name: Check if user has permission to trigger tests - uses: lannonbr/repo-permission-check-action@2.0.0 + uses: lannonbr/repo-permission-check-action@b23b656f0dfb810f0c5e224a264d621a92a6f271 # ratchet:lannonbr/repo-permission-check-action@2.0.0 with: permission: "admin" ### It sets "github_ref,trigger,pr_number,requested_tests" outputs to control the following jobs and steps @@ -137,7 +137,7 @@ jobs: ### e.g. Triggered by non-"test-request" label; triggered by not merged PR close event. - name: Cancel workflow if: ${{ !steps.set_outputs.outputs.trigger }} - uses: andymckay/cancel-action@0.2 + uses: andymckay/cancel-action@8f8510d9dea52fcc8eb6ca10d6ce47fd5fc43cd8 # ratchet:andymckay/cancel-action@0.2 - name: Wait for workflow cancellation if: ${{ !steps.set_outputs.outputs.trigger }} run: | 
@@ -145,20 +145,20 @@ jobs: exit 1 # fail out if the cancellation above somehow failed. - name: Cancel previous runs on the same PR if: steps.set_outputs.outputs.trigger == 'label_trigger' - uses: styfle/cancel-workflow-action@0.8.0 + uses: styfle/cancel-workflow-action@3d86a7cc43670094ac248017207be0295edbc31d # ratchet:styfle/cancel-workflow-action@0.8.0 with: access_token: ${{ github.token }} - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: ref: ${{steps.set_outputs.outputs.github_ref}} fetch-depth: 0 submodules: false - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: ${{ env.pythonVersion }} - name: Install python deps - uses: nick-invision/retry@v2 + uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # ratchet:nick-invision/retry@v2 with: timeout_minutes: 1 max_attempts: 3 @@ -296,15 +296,15 @@ jobs: ssl_variant: openssl arch: x64 steps: - - uses: lukka/get-cmake@latest + - uses: lukka/get-cmake@591817e96fcad43505fb4eae36172462abb3a42e # ratchet:lukka/get-cmake@latest with: cmakeVersion: "~3.31.0" - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: ref: ${{needs.check_and_prepare.outputs.github_ref}} submodules: true - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: ${{ env.pythonVersion }} - name: setup default Xcode version (macos) 
@@ -314,7 +314,7 @@ jobs: # Remove default Xcode version to prevent the wrong SDK from being used. rm -rf /Applications/Xcode.app - name: Install Desktop SDK & integration tests prerequisites - uses: nick-invision/retry@v2 + uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # ratchet:nick-invision/retry@v2 with: shell: bash timeout_minutes: 15 @@ -322,15 +322,15 @@ jobs: command: scripts/gha/install_test_workflow_prereqs.sh -p Desktop -a '${{ matrix.arch }}' -s '${{ matrix.ssl_variant }}' - name: Add msbuild to PATH (Windows) if: startsWith(matrix.os, 'windows') - uses: microsoft/setup-msbuild@v1.1 + uses: microsoft/setup-msbuild@34cfbaee7f672c76950673338facd8a73f637506 # ratchet:microsoft/setup-msbuild@v1.1 - name: Cache vcpkg C++ dependencies id: cache_vcpkg - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # ratchet:actions/cache@v3 with: path: external/vcpkg/installed key: dev-vcpkg-${{ env.VCPKG_TRIPLET }}-${{ hashFiles(format('{0}', env.VCPKG_RESPONSE_FILE)) }}-${{ hashFiles('.git/modules/external/vcpkg/HEAD') }} - name: Fetch prebuilt packaged SDK from previous run - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 if: ${{ github.event.inputs.test_packaged_sdk != '' }} with: name: 'firebase_cpp_sdk.zip' @@ -390,7 +390,7 @@ jobs: MATRIX_ARCH: ${{ matrix.arch }} MATRIX_SSL_VARIANT: ${{ matrix.ssl_variant }} - name: Upload Desktop Cmake - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 if: ${{ !cancelled() }} with: name: cmake-${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.ssl_variant }} 
@@ -409,14 +409,14 @@ jobs: MATRIX_ARCH: ${{ matrix.arch }} MATRIX_SSL_VARIANT: ${{ matrix.ssl_variant }} - name: Upload Desktop integration tests artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 if: ${{ !cancelled() }} with: name: testapps-desktop-${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.ssl_variant }} path: testapps-desktop-${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.ssl_variant }} retention-days: ${{ env.binaryArtifactRetentionDays }} - name: Upload Desktop build results artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 if: ${{ !cancelled() }} with: name: log-artifact-build-${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.ssl_variant }} @@ -424,7 +424,7 @@ jobs: retention-days: ${{ env.logArtifactRetentionDays }} - name: Download log artifacts if: ${{ needs.check_and_prepare.outputs.pr_number && failure() && !cancelled() }} - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 with: path: test_results name: log-artifact-build-${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.ssl_variant }} @@ -466,10 +466,10 @@ jobs: matrix: os: ${{ fromJson(needs.check_and_prepare.outputs.matrix_os) }} steps: - - uses: lukka/get-cmake@latest + - uses: lukka/get-cmake@591817e96fcad43505fb4eae36172462abb3a42e # ratchet:lukka/get-cmake@latest with: cmakeVersion: "~3.31.0" - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: ref: ${{needs.check_and_prepare.outputs.github_ref}} submodules: true 
@@ -492,26 +492,26 @@ jobs: run: echo "JAVA_HOME=${JAVA_HOME_11_arm64}" >> $GITHUB_ENV - name: Add msbuild to PATH (Windows) if: startsWith(matrix.os, 'windows') - uses: microsoft/setup-msbuild@v1.1 + uses: microsoft/setup-msbuild@34cfbaee7f672c76950673338facd8a73f637506 # ratchet:microsoft/setup-msbuild@v1.1 - name: Cache NDK id: cache_ndk - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # ratchet:actions/cache@v3 with: path: /tmp/android-ndk-r21e key: android-ndk-${{ matrix.os }}-r21e - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: ${{ env.pythonVersion }} - name: Install Android SDK & integration tests prerequisites - uses: nick-invision/retry@v2 + uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # ratchet:nick-invision/retry@v2 with: shell: bash timeout_minutes: 10 max_attempts: 3 command: scripts/gha/install_test_workflow_prereqs.sh -p Android - name: Fetch prebuilt packaged SDK from previous run - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 if: ${{ github.event.inputs.test_packaged_sdk != '' }} with: name: 'firebase_cpp_sdk.zip' 
@@ -553,14 +553,14 @@ jobs: env: MATRIX_OS: ${{ matrix.os }} - name: Upload Android integration tests artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 if: ${{ !cancelled() }} with: name: testapps-android-${{ matrix.os }} path: testapps-android-${{ matrix.os }} retention-days: ${{ env.binaryArtifactRetentionDays }} - name: Upload Android build results artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 if: ${{ !cancelled() }} with: name: log-artifact-build-android-${{ matrix.os }} @@ -568,7 +568,7 @@ jobs: retention-days: ${{ env.logArtifactRetentionDays }} - name: Download log artifacts if: ${{ needs.check_and_prepare.outputs.pr_number && failure() && !cancelled() }} - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 with: path: test_results name: log-artifact-build-android-${{ matrix.os }} @@ -607,15 +607,15 @@ jobs: matrix: os: [macos-15] steps: - - uses: lukka/get-cmake@latest + - uses: lukka/get-cmake@591817e96fcad43505fb4eae36172462abb3a42e # ratchet:lukka/get-cmake@latest with: cmakeVersion: "~3.31.0" - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: ref: ${{needs.check_and_prepare.outputs.github_ref}} submodules: true - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: ${{ env.pythonVersion }} - name: setup default Xcode version (macos) 
@@ -625,13 +625,13 @@ jobs: # Remove default Xcode version to prevent the wrong SDK from being used. rm -rf /Applications/Xcode.app - name: Install iOS SDK & integration tests prerequisites - uses: nick-invision/retry@v2 + uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # ratchet:nick-invision/retry@v2 with: timeout_minutes: 3 max_attempts: 3 command: scripts/gha/install_test_workflow_prereqs.sh -p iOS - name: Fetch prebuilt packaged SDK from previous run - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 if: ${{ github.event.inputs.test_packaged_sdk != '' }} with: name: 'firebase_cpp_sdk.zip' @@ -673,14 +673,14 @@ jobs: echo "__SUMMARY_MISSING__" > build-results-ios-${{ matrix.os }}.log.json fi - name: Upload iOS integration tests artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 if: ${{ !cancelled() }} with: name: testapps-ios-${{ matrix.os }} path: testapps-ios-${{ matrix.os }} retention-days: ${{ env.binaryArtifactRetentionDays }} - name: Upload iOS build results artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 if: ${{ !cancelled() }} with: name: log-artifact-build-ios-${{ matrix.os }} @@ -688,7 +688,7 @@ jobs: retention-days: ${{ env.logArtifactRetentionDays }} - name: Download log artifacts if: ${{ needs.check_and_prepare.outputs.pr_number && failure() && !cancelled() }} - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 with: path: test_results name: log-artifact-build-ios-${{ matrix.os }} 
@@ -726,15 +726,15 @@ jobs: matrix: os: [macos-15] steps: - - uses: lukka/get-cmake@latest + - uses: lukka/get-cmake@591817e96fcad43505fb4eae36172462abb3a42e # ratchet:lukka/get-cmake@latest with: cmakeVersion: "~3.31.0" - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: ref: ${{needs.check_and_prepare.outputs.github_ref}} submodules: true - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: ${{ env.pythonVersion }} - name: setup default Xcode version (macos) @@ -744,13 +744,13 @@ jobs: # Remove default Xcode version to prevent the wrong SDK from being used. rm -rf /Applications/Xcode.app - name: Install tvOS SDK & integration tests prerequisites - uses: nick-invision/retry@v2 + uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # ratchet:nick-invision/retry@v2 with: timeout_minutes: 3 max_attempts: 3 command: scripts/gha/install_test_workflow_prereqs.sh -p tvOS - name: Fetch prebuilt packaged SDK from previous run - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 if: ${{ github.event.inputs.test_packaged_sdk != '' }} with: name: 'firebase_cpp_sdk.zip' 
@@ -789,14 +789,14 @@ jobs: echo "__SUMMARY_MISSING__" > build-results-tvos-${{ matrix.os }}.log.json fi - name: Upload tvOS integration tests artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 if: ${{ !cancelled() }} with: name: testapps-tvos-${{ matrix.os }} path: testapps-tvos-${{ matrix.os }} retention-days: ${{ env.binaryArtifactRetentionDays }} - name: Upload tvOS build results artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 if: ${{ !cancelled() }} with: name: log-artifact-build-tvos-${{ matrix.os }} @@ -804,7 +804,7 @@ jobs: retention-days: ${{ env.logArtifactRetentionDays }} - name: Download log artifacts if: ${{ needs.check_and_prepare.outputs.pr_number && failure() && !cancelled() }} - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 with: path: test_results name: log-artifact-build-tvos-${{ matrix.os }} 
@@ -866,16 +866,16 @@ jobs: ssl_variant: openssl arch: x64 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: ref: ${{needs.check_and_prepare.outputs.github_ref}} - name: Download Desktop integration tests artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 with: path: testapps/testapps-desktop-${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.ssl_variant }} name: testapps-desktop-${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.ssl_variant }} - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: ${{ env.pythonVersion }} - name: setup default Xcode version (macos) @@ -885,18 +885,18 @@ jobs: # Remove default Xcode version to prevent the wrong SDK from being used. rm -rf /Applications/Xcode.app - name: Install prerequisites for testing - uses: nick-invision/retry@v2 + uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # ratchet:nick-invision/retry@v2 with: shell: bash timeout_minutes: 15 max_attempts: 3 command: scripts/gha/install_test_workflow_prereqs.sh -p Desktop -t true -a '${{ matrix.arch }}' -s '${{ matrix.ssl_variant }}' - name: Set up Node (18) - uses: actions/setup-node@v3 + uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # ratchet:actions/setup-node@v3 with: node-version: 18.x - name: Setup Firestore Emulator - uses: nick-invision/retry@v2 + uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # ratchet:nick-invision/retry@v2 with: shell: bash timeout_minutes: 5 
@@ -908,7 +908,7 @@ jobs: echo "$(npm root)" >> $GITHUB_PATH echo "$(npm root)/.bin" >> $GITHUB_PATH - name: Setup java - uses: actions/setup-java@v3 + uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # ratchet:actions/setup-java@v3 with: distribution: 'temurin' java-version: '17' @@ -938,14 +938,14 @@ jobs: MATRIX_SSL_VARIANT: ${{ matrix.ssl_variant }} - name: Upload Desktop test results artifact if: ${{ !cancelled() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 with: name: log-artifact-test-${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.ssl_variant }} path: testapps/test-results-desktop-${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.ssl_variant }}* retention-days: ${{ env.logArtifactRetentionDays }} - name: Download log artifacts if: ${{ needs.check_and_prepare.outputs.pr_number && failure() && !cancelled() }} - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 with: path: test_results name: log-artifact-test-${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.ssl_variant }} 
@@ -993,20 +993,20 @@ jobs: - android_device: "android_latest" test_type: "uitest" steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: ref: ${{needs.check_and_prepare.outputs.github_ref}} - name: Download Android integration tests artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 with: path: testapps/testapps-android-${{ matrix.build_os }} name: testapps-android-${{ matrix.build_os }} - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: ${{ env.pythonVersion }} - name: Install prerequisites for testing - uses: nick-invision/retry@v2 + uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # ratchet:nick-invision/retry@v2 with: shell: bash timeout_minutes: 5 @@ -1020,7 +1020,7 @@ jobs: env: MATRIX_ANDROID_DEVICE: ${{ matrix.android_device }} - name: Setup java 11 for test_simulator.py - uses: actions/setup-java@v3 + uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # ratchet:actions/setup-java@v3 with: distribution: 'temurin' java-version: '11' @@ -1038,7 +1038,7 @@ jobs: MATRIX_BUILD_OS: ${{ matrix.build_os }} - id: ftl_test if: steps.device-info.outputs.device_type == 'ftl' - uses: FirebaseExtended/github-actions/firebase-test-lab@v1.4 + uses: FirebaseExtended/github-actions/firebase-test-lab@41c787c37157e4c5932b951e531c041efa5bb7a4 # ratchet:FirebaseExtended/github-actions/firebase-test-lab@v1.4 timeout-minutes: 240 with: credentials_json: ${{ secrets.FIREBASE_SERVICE_ACCOUNT_CREDENTIALS }} 
@@ -1063,38 +1063,34 @@ jobs: - name: Prepare results summary artifact if: ${{ !cancelled() }} shell: bash - run: | - # If testapps do not exist, then it's a build error not test error. - if [ -d "testapps/testapps-android-${MATRIX_BUILD_OS}" ] && [ ! -f "testapps/test-results-android-${MATRIX_BUILD_OS}-${MATRIX_ANDROID_DEVICE}-${{ matrix.test_type }}.log.json" ]; then - mkdir -p testapps && echo "__SUMMARY_MISSING__" > "testapps/test-results-android-${MATRIX_BUILD_OS}-${MATRIX_ANDROID_DEVICE}-${{ matrix.test_type }}.log.json" - fi + run: "# If testapps do not exist, then it's a build error not test error. \nif [ -d \"testapps/testapps-android-${MATRIX_BUILD_OS}\" ] && [ ! -f \"testapps/test-results-android-${MATRIX_BUILD_OS}-${MATRIX_ANDROID_DEVICE}-${{ matrix.test_type }}.log.json\" ]; then\n mkdir -p testapps && echo \"__SUMMARY_MISSING__\" > \"testapps/test-results-android-${MATRIX_BUILD_OS}-${MATRIX_ANDROID_DEVICE}-${{ matrix.test_type }}.log.json\"\nfi\n" env: MATRIX_BUILD_OS: ${{ matrix.build_os }} MATRIX_ANDROID_DEVICE: ${{ matrix.android_device }} - name: Upload Android test results artifact if: ${{ !cancelled() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 with: name: log-artifact-test-android-${{ matrix.build_os }}-${{ matrix.android_device }}-${{ matrix.test_type }} path: testapps/test-results-android-${{ matrix.build_os }}-${{ matrix.android_device }}-${{ matrix.test_type }}* retention-days: ${{ env.logArtifactRetentionDays }} - name: Upload Android test video artifact if: ${{ steps.device-info.outputs.device_type == 'virtual' && !cancelled() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 with: name: mobile-simulator-test-video-artifact-${{ matrix.build_os }}-${{ matrix.android_device }}-${{ matrix.test_type }} path: testapps/video-*-android-${{ 
matrix.build_os }}-${{ matrix.android_device }}-${{ matrix.test_type }}.mp4 retention-days: ${{ env.binaryArtifactRetentionDays }} - name: Upload Android test logcat artifact if: ${{ steps.device-info.outputs.device_type == 'virtual' && !cancelled() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 with: name: mobile-simulator-test-logcat-artifact-${{ matrix.build_os }}-${{ matrix.android_device }}-${{ matrix.test_type }} path: testapps/logcat-*-android-${{ matrix.build_os }}-${{ matrix.android_device }}-${{ matrix.test_type }}.txt retention-days: ${{ env.logArtifactRetentionDays }} - name: Download log artifacts if: ${{ needs.check_and_prepare.outputs.pr_number && failure() && !cancelled() }} - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 with: path: test_results name: log-artifact-test-android-${{ matrix.build_os }}-${{ matrix.android_device }}-${{ matrix.test_type }} @@ -1123,11 +1119,11 @@ jobs: MATRIX_BUILD_OS: ${{ matrix.build_os }} MATRIX_ANDROID_DEVICE: ${{ matrix.android_device }} JOB_STATUS: ${{ job.status }} - test_ios: name: test-ios-${{ matrix.build_os }}-${{ matrix.ios_device }}-${{ matrix.test_type }} needs: [check_and_prepare, build_ios] runs-on: macos-15 + if: contains(needs.check_and_prepare.outputs.matrix_platform, 'iOS') && needs.check_and_prepare.outputs.apis != '' && !cancelled() strategy: fail-fast: false 
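Review bot: The `run:` body of "Prepare results summary artifact" was a literal block and is now one double-quoted scalar full of `\n` and `\"` escapes; the iOS step in the `@@ -1253,11 +1249,7 @@` hunk gets the same treatment. The decoded script looks unchanged, but the escaped form is hard to audit and a pinning commit should not touch shell bodies. The likely trigger is the trailing space after `test error.` in the script's first comment line, which an emitter cannot keep in a literal block; removing that space and restoring `run: |` with the original four lines should survive the tool. While there, `${{ matrix.test_type }}` could be passed through `env:` like `MATRIX_BUILD_OS`, so that no expression is expanded inside the script text.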
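Review bot: The blank line that separated the `test_ios:` job from the previous one is removed here and a blank line is added before its `if:` key instead, which looks like a side effect of the tool's YAML round trip rather than an intended edit. The same shift shows up at `test_tvos:`, `summarize_results:` and `attempt_retry:`, where the added line lands inside a `matrix:` or `with:` mapping. Keep the blank line in front of each job key (`test_ios:` and the others) and drop the inserted ones, so that the diff contains only the `uses:` pins.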
@@ -1139,16 +1135,16 @@ jobs: test_type: "uitest" build_os: [macos-15] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: ref: ${{needs.check_and_prepare.outputs.github_ref}} - name: Download iOS integration tests artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 with: path: testapps/testapps-ios-${{ matrix.build_os }} name: testapps-ios-${{ matrix.build_os }} - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: ${{ env.pythonVersion }} - name: setup default Xcode version (macos) @@ -1158,7 +1154,7 @@ jobs: # Remove default Xcode version to prevent the wrong SDK from being used. rm -rf /Applications/Xcode.app - name: Install prerequisites for testing - uses: nick-invision/retry@v2 + uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # ratchet:nick-invision/retry@v2 with: timeout_minutes: 3 max_attempts: 3 @@ -1171,17 +1167,17 @@ jobs: env: MATRIX_IOS_DEVICE: ${{ matrix.ios_device }} - name: Set up Node (18) - uses: actions/setup-node@v3 + uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # ratchet:actions/setup-node@v3 with: node-version: 18.x - name: Setup java for Firestore emulator - uses: actions/setup-java@v3 + uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # ratchet:actions/setup-java@v3 with: distribution: 'temurin' java-version: '17' - name: Setup Firestore Emulator if: steps.device-info.outputs.device_type == 'virtual' && contains(needs.check_and_prepare.outputs.apis, 'firestore') - uses: nick-invision/retry@v2 + uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # ratchet:nick-invision/retry@v2 with: shell: bash timeout_minutes: 5 
@@ -1229,7 +1225,7 @@ jobs: MATRIX_IOS_DEVICE: ${{ matrix.ios_device }} - id: ftl_test if: steps.device-info.outputs.device_type == 'ftl' - uses: FirebaseExtended/github-actions/firebase-test-lab@v1.4 + uses: FirebaseExtended/github-actions/firebase-test-lab@41c787c37157e4c5932b951e531c041efa5bb7a4 # ratchet:FirebaseExtended/github-actions/firebase-test-lab@v1.4 timeout-minutes: 180 with: credentials_json: ${{ secrets.FIREBASE_SERVICE_ACCOUNT_CREDENTIALS }} @@ -1253,11 +1249,7 @@ jobs: - name: Prepare results summary artifact if: ${{ !cancelled() }} shell: bash - run: | - # If testapps do not exist, then it's a build error not test error. - if [ -d "testapps/testapps-ios-${{ matrix.build_os }}" ] && [ ! -f "testapps/test-results-ios-${{ matrix.build_os }}-${MATRIX_IOS_DEVICE}-${{ matrix.test_type }}.log.json" ]; then - mkdir -p testapps && echo "__SUMMARY_MISSING__" > "testapps/test-results-ios-${{ matrix.build_os }}-${MATRIX_IOS_DEVICE}-${{ matrix.test_type }}.log.json" - fi + run: "# If testapps do not exist, then it's a build error not test error. \nif [ -d \"testapps/testapps-ios-${{ matrix.build_os }}\" ] && [ ! -f \"testapps/test-results-ios-${{ matrix.build_os }}-${MATRIX_IOS_DEVICE}-${{ matrix.test_type }}.log.json\" ]; then\n mkdir -p testapps && echo \"__SUMMARY_MISSING__\" > \"testapps/test-results-ios-${{ matrix.build_os }}-${MATRIX_IOS_DEVICE}-${{ matrix.test_type }}.log.json\"\nfi\n" env: MATRIX_IOS_DEVICE: ${{ matrix.ios_device }} - name: Delete keychain (macOS Simulator) 
@@ -1271,21 +1263,21 @@ jobs: security delete-keychain tmp-keychain || true - name: Upload iOS test results artifact if: ${{ !cancelled() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 with: name: log-artifact-test-ios-${{ matrix.build_os }}-${{ matrix.ios_device }}-${{ matrix.test_type }} path: testapps/test-results-ios-${{ matrix.build_os }}-${{ matrix.ios_device }}-${{ matrix.test_type }}* retention-days: ${{ env.logArtifactRetentionDays }} - name: Upload iOS test video artifact if: ${{ steps.device-info.outputs.device_type == 'virtual' && !cancelled() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 with: name: mobile-simulator-test-video-artifact-ios-${{ matrix.build_os }}-${{ matrix.ios_device }}-${{ matrix.test_type }} path: testapps/video-*-ios-${{ matrix.build_os }}-${{ matrix.ios_device }}-${{ matrix.test_type }}.mp4 retention-days: ${{ env.binaryArtifactRetentionDays }} - name: Download log artifacts if: ${{ needs.check_and_prepare.outputs.pr_number && failure() && !cancelled() }} - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 with: path: test_results name: log-artifact-test-ios-${{ matrix.build_os }}-${{ matrix.ios_device }}-${{ matrix.test_type }} @@ -1313,7 +1305,6 @@ jobs: env: MATRIX_IOS_DEVICE: ${{ matrix.ios_device }} JOB_STATUS: ${{ job.status }} - test_tvos: name: test-tvos-${{ matrix.build_os }}-${{ matrix.tvos_device }} needs: [check_and_prepare, build_tvos] 
@@ -1322,19 +1313,20 @@ jobs: strategy: fail-fast: false matrix: + tvos_device: ${{ fromJson(needs.check_and_prepare.outputs.tvos_device) }} build_os: [macos-15] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: ref: ${{needs.check_and_prepare.outputs.github_ref}} - name: Download tvOS integration tests artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 with: path: testapps/testapps-tvos-${{ matrix.build_os }} name: testapps-tvos-${{ matrix.build_os }} - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: ${{ env.pythonVersion }} - name: setup default Xcode version (macos) @@ -1344,19 +1336,19 @@ jobs: # Remove default Xcode version to prevent the wrong SDK from being used. rm -rf /Applications/Xcode.app - name: Install prerequisites for testing - uses: nick-invision/retry@v2 + uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # ratchet:nick-invision/retry@v2 with: timeout_minutes: 3 max_attempts: 3 command: scripts/gha/install_test_workflow_prereqs.sh -p tvOS -t true - name: Setup java for Firestore emulator - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # ratchet:actions/setup-java@v4 with: distribution: 'temurin' java-version: '21' - name: Setup Firestore Emulator if: contains(needs.check_and_prepare.outputs.apis, 'firestore') - uses: nick-invision/retry@v2 + uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # ratchet:nick-invision/retry@v2 with: shell: bash timeout_minutes: 5 
@@ -1421,21 +1413,21 @@ jobs: security delete-keychain tmp-keychain || true - name: Upload tvOS test results artifact if: ${{ !cancelled() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 with: name: log-artifact-test-tvos-${{ matrix.build_os }}-${{ matrix.tvos_device }} path: testapps/test-results-tvos-${{ matrix.build_os }}-${{ matrix.tvos_device }}* retention-days: ${{ env.logArtifactRetentionDays }} - name: Upload tvOS test video artifact if: ${{ !cancelled() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 with: name: mobile-simulator-test-video-artifact-tvos-${{ matrix.build_os }}-${{ matrix.tvos_device }} path: testapps/video-*-tvos-${{ matrix.build_os }}-${{ matrix.tvos_device }}.mp4 retention-days: ${{ env.binaryArtifactRetentionDays }} - name: Download log artifacts if: ${{ needs.check_and_prepare.outputs.pr_number && failure() && !cancelled() }} - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 with: path: test_results name: log-artifact-test-tvos-${{ matrix.build_os }}-${{ matrix.tvos_device }} 
@@ -1463,24 +1455,24 @@ jobs: env: MATRIX_TVOS_DEVICE: ${{ matrix.tvos_device }} JOB_STATUS: ${{ job.status }} - summarize_results: name: "summarize-results" needs: [check_and_prepare, test_desktop, test_android, test_ios, test_tvos] runs-on: ubuntu-22.04 if: ${{ !cancelled() }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: + ref: ${{needs.check_and_prepare.outputs.github_ref}} - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: ${{ env.pythonVersion }} - name: Install python deps run: pip install -r scripts/gha/python_requirements.txt - name: Download log artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 with: path: test_results pattern: log-artifact-* @@ -1488,7 +1480,7 @@ jobs: # Use a different token to remove the "in-progress" label, # to allow the removal to trigger the "Check Labels" workflow. - name: Generate token for GitHub API - uses: tibdex/github-app-token@v1 + uses: tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58 # ratchet:tibdex/github-app-token@v1 id: generate-token with: app_id: ${{ secrets.WORKFLOW_TRIGGER_APP_ID }} 
@@ -1540,25 +1532,25 @@ jobs: NEEDS_CHECK_AND_PREPARE_OUTPUTS_GITHUB_REF: ${{needs.check_and_prepare.outputs.github_ref}} - name: Summarize results into GitHub log run: python scripts/gha/summarize_test_results.py --dir test_results --github_log - attempt_retry: name: "attempt-retry" needs: [check_and_prepare, summarize_results] runs-on: ubuntu-22.04 if: ${{ failure() && needs.check_and_prepare.outputs.trigger == 'scheduled_trigger' }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: + ref: ${{needs.check_and_prepare.outputs.github_ref}} - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: ${{ env.pythonVersion }} - name: Install python deps run: pip install -r scripts/gha/python_requirements.txt # The default token can't run workflows, so get an alternate token. - name: Generate token for GitHub API - uses: tibdex/github-app-token@v1 + uses: tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58 # ratchet:tibdex/github-app-token@v1 id: generate-token with: app_id: ${{ secrets.WORKFLOW_TRIGGER_APP_ID }} diff --git a/.github/workflows/ios.yml b/.github/workflows/ios.yml index c87c4b048a..b7a502284b 100644 --- a/.github/workflows/ios.yml +++ b/.github/workflows/ios.yml @@ -23,7 +23,7 @@ jobs: outputs: matrix_xcode_version: ${{ steps.export-result.outputs.matrix_xcode_version }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: submodules: false - name: Use expanded matrix 
@@ -44,7 +44,7 @@ jobs: os: [ 'macos-15' ] xcode_version: ${{ fromJson(needs.prepare_matrix.outputs.matrix_xcode_version) }} steps: - - uses: lukka/get-cmake@latest + - uses: lukka/get-cmake@591817e96fcad43505fb4eae36172462abb3a42e # ratchet:lukka/get-cmake@latest with: cmakeVersion: "~3.31.0" - name: Store git credentials for all git commands @@ -58,12 +58,12 @@ jobs: if: runner.os == 'macOS' run: sudo xcode-select -s /Applications/Xcode_${{ matrix.xcode_version }}.app/Contents/Developer - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: submodules: true - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: 3.9 architecture: "arm64" diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 9afbc9ad46..90fc3a298e 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -12,18 +12,18 @@ jobs: lint_warnings_check_and_comment: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: repository: cpplint/cpplint ref: "1.5.5" path: cpplint - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: submodules: false path: firebase - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: 3.9 - name: Install prerequisites diff --git a/.github/workflows/retry-test-failures.yml b/.github/workflows/retry-test-failures.yml index a5e79306b0..ddd5811861 100644 --- a/.github/workflows/retry-test-failures.yml +++ b/.github/workflows/retry-test-failures.yml 
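Review bot: The first checkout in `lint_warnings_check_and_comment` now pins the action itself but still fetches `cpplint/cpplint` at `ref: "1.5.5"`, a tag the upstream repository can move. Code from that checkout is presumably run later in the job (outside this hunk), so it carries the same risk this commit removes for actions. Pin the checkout to the commit as well, keeping the version as a comment: `ref: <commit SHA of cpplint 1.5.5>  # 1.5.5`.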
@@ -13,18 +13,18 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Get token for firebase-workflow-trigger - uses: tibdex/github-app-token@v1 + uses: tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58 # ratchet:tibdex/github-app-token@v1 id: generate-token with: app_id: ${{ secrets.WORKFLOW_TRIGGER_APP_ID }} private_key: ${{ secrets.WORKFLOW_TRIGGER_APP_PRIVATE_KEY }} - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: 3.9 - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: ref: ${{ matrix.branch_name }} fetch-depth: 0 diff --git a/.github/workflows/reviewer-roulette.yml b/.github/workflows/reviewer-roulette.yml index a23d173780..f715a429dd 100644 --- a/.github/workflows/reviewer-roulette.yml +++ b/.github/workflows/reviewer-roulette.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Unset label - uses: buildsville/add-remove-label@v1 + uses: buildsville/add-remove-label@6008d7bd99d3baeb7c04033584e68f8ec80b198b # ratchet:buildsville/add-remove-label@v1 with: token: ${{ github.token }} label: "${{ github.event.label.name }}" 
@@ -76,13 +76,13 @@ jobs: - name: Choose random reviewer if: ${{ steps.get-reviewers.outputs.reviewer_list != '[]' }} id: choose-random - uses: KhannaAbhinav/random-selector-action@v1 + uses: KhannaAbhinav/random-selector-action@1a64ecbd9aac544c4607fcb59ddb59f65e71e3ff # ratchet:KhannaAbhinav/random-selector-action@v1 with: data: ${{ steps.get-reviewers.outputs.reviewer_list }} - name: Assign Reviewers to PR if: ${{ steps.get-reviewers.outputs.reviewer_list != '[]' }} - uses: itsOliverBott/assign-pr-reviewers@release + uses: itsOliverBott/assign-pr-reviewers@bfe99c76aab72b700a61b84a2703e923a16d9390 # ratchet:itsOliverBott/assign-pr-reviewers@release with: token: ${{ github.token }} users: ${{ fromJSON(steps.choose-random.outputs.selectedValuesList)[0] }} diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml index 07849f8513..8dda62f65f 100644 --- a/.github/workflows/update-dependencies.yml +++ b/.github/workflows/update-dependencies.yml @@ -30,19 +30,19 @@ jobs: runs-on: macos-15 steps: - name: Get token for firebase-workflow-trigger - uses: tibdex/github-app-token@v1 + uses: tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58 # ratchet:tibdex/github-app-token@v1 id: generate-token with: app_id: ${{ secrets.WORKFLOW_TRIGGER_APP_ID }} private_key: ${{ secrets.WORKFLOW_TRIGGER_APP_PRIVATE_KEY }} - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: 3.9 - name: Check out base branch - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: fetch-depth: 0 ref: ${{ github.event.inputs.baseBranch }} 
@@ -226,7 +226,7 @@ jobs: GITHUB_EVENT_INPUTS_BASEBRANCH: ${{ github.event.inputs.baseBranch }} - name: Set test trigger label. - uses: actions-ecosystem/action-add-labels@v1 + uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # ratchet:actions-ecosystem/action-add-labels@v1 if: ${{ github.event.inputs.triggerTests == 1 && steps.push-branch.outputs.branch_pushed == 1 }} with: github_token: ${{ steps.generate-token.outputs.token }} diff --git a/.github/workflows/update-feature-branches.yml b/.github/workflows/update-feature-branches.yml index e6b5b37f50..69dabb579d 100644 --- a/.github/workflows/update-feature-branches.yml +++ b/.github/workflows/update-feature-branches.yml @@ -31,7 +31,7 @@ jobs: steps: - name: Check out repo (if needed) if: ${{ github.event.inputs.branch_list == '' }} - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 - name: Get list of feature branches id: get-branches @@ -69,18 +69,18 @@ jobs: branch_name: ${{ fromJson(needs.list_feature_branches.outputs.branch_list) }} steps: - name: Get token for firebase-workflow-trigger - uses: tibdex/github-app-token@v1 + uses: tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58 # ratchet:tibdex/github-app-token@v1 id: generate-token with: app_id: ${{ secrets.WORKFLOW_TRIGGER_APP_ID }} private_key: ${{ secrets.WORKFLOW_TRIGGER_APP_PRIVATE_KEY }} - name: Setup python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: python-version: 3.9 - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: ref: ${{ matrix.branch_name }} fetch-depth: 0 
@@ -137,7 +137,7 @@ jobs: STEPS_GENERATE_TOKEN_OUTPUTS_TOKEN: ${{ steps.generate-token.outputs.token }} - name: Set test trigger label. - uses: actions-ecosystem/action-add-labels@v1 + uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # ratchet:actions-ecosystem/action-add-labels@v1 if: ${{ steps.create-pr.outputs.created_pr_number }} with: github_token: ${{ steps.generate-token.outputs.token }} From fab6c892185f5310ba833bc92f4640fe6b54af0f Mon Sep 17 00:00:00 2001 From: Morgan Chen Date: Thu, 11 Jun 2026 15:44:01 -0700 Subject: [PATCH 2/4] run zizmor fix --- .github/workflows/android.yml | 2 ++ .github/workflows/build-report.yml | 1 + .github/workflows/checks.yml | 4 ++++ .github/workflows/checks_secure.yml | 1 + .github/workflows/cpp-packaging.yml | 11 +++++++++++ .github/workflows/desktop.yml | 3 +++ .github/workflows/integration_tests.yml | 11 +++++++++++ .github/workflows/ios.yml | 2 ++ .github/workflows/lint.yml | 2 ++ .github/workflows/retry-test-failures.yml | 1 + .github/workflows/update-dependencies.yml | 1 + .github/workflows/update-feature-branches.yml | 3 +++ 12 files changed, 42 insertions(+) diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml index e2617fb6f9..d01236c6da 100644 --- a/.github/workflows/android.yml +++ b/.github/workflows/android.yml @@ -30,6 +30,7 @@ jobs: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: submodules: false + persist-credentials: false - name: Use expanded matrix if: github.event.inputs.use_expanded_matrix == '1' run: | @@ -94,6 +95,7 @@ jobs: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: submodules: true + persist-credentials: false - name: Set env variables for subsequent steps (all) shell: bash diff --git a/.github/workflows/build-report.yml b/.github/workflows/build-report.yml index 8c9473bc25..95b281dc53 100644 --- a/.github/workflows/build-report.yml 
+++ b/.github/workflows/build-report.yml @@ -32,6 +32,7 @@ jobs: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: fetch-depth: 0 + persist-credentials: false - name: Install Desktop SDK prerequisites uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # ratchet:nick-invision/retry@v2 with: diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index b1be6be7cf..45fa2fcb4c 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -24,6 +24,7 @@ jobs: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: submodules: false + persist-credentials: false - name: Setup python uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: @@ -59,6 +60,7 @@ jobs: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: submodules: false + persist-credentials: false - name: Setup python uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: @@ -98,6 +100,7 @@ jobs: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: submodules: false + persist-credentials: false - name: Run check_copyright.sh run: | set -e @@ -113,6 +116,7 @@ jobs: with: fetch-depth: 0 submodules: false + persist-credentials: false - name: Check whether release notes have been updated # Skip this if the PR has the skipReleaseNotes label or if it's a merge to other than main. if: ${{!contains(github.event.pull_request.labels.*.name, env.skipReleaseNotesLabel) && (github.event.pull_request.base.ref == 'main')}} diff --git a/.github/workflows/checks_secure.yml b/.github/workflows/checks_secure.yml index 53309c0ca2..7e92db6f1e 100644 --- a/.github/workflows/checks_secure.yml +++ b/.github/workflows/checks_secure.yml 
@@ -29,6 +29,7 @@ jobs: if: steps.check.outputs.has-permission != 1 || github.event.pull_request.head.repo.full_name != github.repository with: submodules: false + persist-credentials: false - name: Setup python if: steps.check.outputs.has-permission != 1 || github.event.pull_request.head.repo.full_name != github.repository uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 diff --git a/.github/workflows/cpp-packaging.yml b/.github/workflows/cpp-packaging.yml index f2395dec2c..a60ed78aa0 100644 --- a/.github/workflows/cpp-packaging.yml +++ b/.github/workflows/cpp-packaging.yml @@ -144,6 +144,7 @@ jobs: repository: llvm/llvm-project path: llvm-src ref: ${{ env.llvmVer }} + persist-credentials: false - name: Build LLVM (Mac only) # Only build LLVM if we don't already have binaries from the cache. @@ -166,6 +167,7 @@ jobs: repository: nico/demumble path: demumble-src ref: ${{ env.demumbleVer }} + persist-credentials: false - name: build demumble run: | @@ -212,6 +214,7 @@ jobs: uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: path: sdk-src + persist-credentials: false - name: Setup python uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 @@ -267,6 +270,7 @@ jobs: uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: path: sdk-src + persist-credentials: false - name: Store git credentials for all git commands # Forces all git commands to use authenticated https, to prevent throttling. @@ -381,6 +385,7 @@ jobs: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: submodules: true + persist-credentials: false - name: Set env variables for subsequent steps (all) shell: bash 
@@ -524,6 +529,7 @@ jobs: uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: path: sdk-src + persist-credentials: false - name: download packaging-tool artifacts uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 @@ -732,6 +738,7 @@ jobs: uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: path: sdk-src + persist-credentials: false - name: download artifact uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 @@ -857,6 +864,8 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 + with: + persist-credentials: false - name: Setup python uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 @@ -930,6 +939,8 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 + with: + persist-credentials: false - name: Setup python uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: diff --git a/.github/workflows/desktop.yml b/.github/workflows/desktop.yml index c609d8537d..5b246a3aac 100644 --- a/.github/workflows/desktop.yml +++ b/.github/workflows/desktop.yml @@ -32,6 +32,7 @@ jobs: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: submodules: false + persist-credentials: false - name: Use expanded matrix if: github.event.inputs.expanded_matrix == '1' run: | @@ -118,6 +119,7 @@ jobs: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: submodules: true + persist-credentials: false - name: Set env vars (ubuntu) if: startsWith(matrix.os, 'ubuntu') 
@@ -329,6 +331,7 @@ jobs: with: ref: ${{needs.check_and_prepare.outputs.github_ref}} submodules: true + persist-credentials: false - name: Cache vcpkg C++ dependencies id: cache_vcpkg uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # ratchet:actions/cache@v3 diff --git a/.github/workflows/integration_tests.yml b/.github/workflows/integration_tests.yml index d3838f3190..2ca8dc9f42 100644 --- a/.github/workflows/integration_tests.yml +++ b/.github/workflows/integration_tests.yml @@ -153,6 +153,7 @@ jobs: ref: ${{steps.set_outputs.outputs.github_ref}} fetch-depth: 0 submodules: false + persist-credentials: false - name: Setup python uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: @@ -303,6 +304,7 @@ jobs: with: ref: ${{needs.check_and_prepare.outputs.github_ref}} submodules: true + persist-credentials: false - name: Setup python uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: @@ -473,6 +475,7 @@ jobs: with: ref: ${{needs.check_and_prepare.outputs.github_ref}} submodules: true + persist-credentials: false - run: df -h - name: Free Disk Space (Ubuntu) if: runner.os == 'Linux' @@ -614,6 +617,7 @@ jobs: with: ref: ${{needs.check_and_prepare.outputs.github_ref}} submodules: true + persist-credentials: false - name: Setup python uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: @@ -733,6 +737,7 @@ jobs: with: ref: ${{needs.check_and_prepare.outputs.github_ref}} submodules: true + persist-credentials: false - name: Setup python uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: 
@@ -869,6 +874,7 @@ jobs: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: ref: ${{needs.check_and_prepare.outputs.github_ref}} + persist-credentials: false - name: Download Desktop integration tests artifact uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 with: @@ -996,6 +1002,7 @@ jobs: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: ref: ${{needs.check_and_prepare.outputs.github_ref}} + persist-credentials: false - name: Download Android integration tests artifact uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 with: @@ -1138,6 +1145,7 @@ jobs: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: ref: ${{needs.check_and_prepare.outputs.github_ref}} + persist-credentials: false - name: Download iOS integration tests artifact uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 with: @@ -1320,6 +1328,7 @@ jobs: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: ref: ${{needs.check_and_prepare.outputs.github_ref}} + persist-credentials: false - name: Download tvOS integration tests artifact uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4 with: @@ -1465,6 +1474,7 @@ jobs: with: ref: ${{needs.check_and_prepare.outputs.github_ref}} + persist-credentials: false - name: Setup python uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: 
@@ -1542,6 +1552,7 @@ jobs: with: ref: ${{needs.check_and_prepare.outputs.github_ref}} + persist-credentials: false - name: Setup python uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 with: diff --git a/.github/workflows/ios.yml b/.github/workflows/ios.yml index b7a502284b..60227d9389 100644 --- a/.github/workflows/ios.yml +++ b/.github/workflows/ios.yml @@ -26,6 +26,7 @@ jobs: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: submodules: false + persist-credentials: false - name: Use expanded matrix if: github.event.inputs.use_expanded_matrix == '1' run: | @@ -61,6 +62,7 @@ jobs: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: submodules: true + persist-credentials: false - name: Setup python uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 90fc3a298e..c7adaaae83 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -17,10 +17,12 @@ jobs: repository: cpplint/cpplint ref: "1.5.5" path: cpplint + persist-credentials: false - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 with: submodules: false path: firebase + persist-credentials: false - name: Setup python uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4 diff --git a/.github/workflows/retry-test-failures.yml b/.github/workflows/retry-test-failures.yml index ddd5811861..d1d2a50f1d 100644 --- a/.github/workflows/retry-test-failures.yml +++ b/.github/workflows/retry-test-failures.yml @@ -29,6 +29,7 @@ jobs: ref: ${{ matrix.branch_name }} fetch-depth: 0 submodules: false + persist-credentials: false - name: Install prerequisites run: | 
diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml index 8dda62f65f..1693fb2a19 100644 --- a/.github/workflows/update-dependencies.yml +++ b/.github/workflows/update-dependencies.yml @@ -46,6 +46,7 @@ jobs: with: fetch-depth: 0 ref: ${{ github.event.inputs.baseBranch }} + persist-credentials: false - name: Install prerequisites run: | diff --git a/.github/workflows/update-feature-branches.yml b/.github/workflows/update-feature-branches.yml index 69dabb579d..ecdf61379c 100644 --- a/.github/workflows/update-feature-branches.yml +++ b/.github/workflows/update-feature-branches.yml @@ -32,6 +32,8 @@ jobs: - name: Check out repo (if needed) if: ${{ github.event.inputs.branch_list == '' }} uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 + with: + persist-credentials: false - name: Get list of feature branches id: get-branches @@ -85,6 +87,7 @@ jobs: ref: ${{ matrix.branch_name }} fetch-depth: 0 submodules: false + persist-credentials: false - name: Install prerequisites run: | From f3aa324b1cbef39600c1c82edec4697ea702b589 Mon Sep 17 00:00:00 2001 From: Morgan Chen Date: Thu, 11 Jun 2026 15:52:40 -0700 Subject: [PATCH 3/4] fix high priority findings --- .github/workflows/checks.yml | 9 ++++- .github/workflows/checks_secure.yml | 3 ++ .github/workflows/cpp-packaging.yml | 4 +- .github/workflows/integration_tests.yml | 37 ++++++++++++++++++- .github/workflows/reviewer-roulette.yml | 6 ++- .github/workflows/update-feature-branches.yml | 5 ++- 6 files changed, 58 insertions(+), 6 deletions(-) diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 45fa2fcb4c..6fd93afc78 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -4,7 +4,8 @@ on: pull_request: types: [opened, reopened, synchronize, labeled, unlabeled] -permissions: write-all +permissions: + contents: read env: triggerLabelFull: "tests-requested: full" 
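Review bot: `persist-credentials: false` on the checkout in update-dependencies.yml removes the token that later git commands in the job would otherwise pick up from the local git config, and this workflow references `steps.push-branch.outputs.branch_pushed`, so a push follows the checkout. The push step is not in this hunk; if it relied on the persisted checkout credentials it will now fail to authenticate. The same applies to the `@@ -87,6 +87,7 @@` hunk in update-feature-branches.yml, whose job is named `create-merge-pr`. Please confirm both paths authenticate explicitly with `steps.generate-token.outputs.token`, and record that next to the new line, e.g. `# the push below authenticates with the app token, not the checkout credentials`.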
@@ -44,6 +45,9 @@ jobs: check_integration_test_labels: # This check fails if integration tests are queued, in progress, or failed. runs-on: ubuntu-22.04 + permissions: + contents: read + pull-requests: read steps: - uses: docker://index.docker.io/agilepathway/pull-request-label-checker@sha256:14f5f3dfda922496d07d53494e2d2b42885165f90677a1c03d600059b7706a61 # ratchet:docker://agilepathway/pull-request-label-checker:latest with: @@ -53,6 +57,9 @@ jobs: generated_docs_check: # This check succeeds if Doxygen documentation generates without errors. runs-on: ubuntu-22.04 + permissions: + contents: read + pull-requests: write steps: - uses: lukka/get-cmake@591817e96fcad43505fb4eae36172462abb3a42e # ratchet:lukka/get-cmake@latest with: diff --git a/.github/workflows/checks_secure.yml b/.github/workflows/checks_secure.yml index 7e92db6f1e..97fccc158d 100644 --- a/.github/workflows/checks_secure.yml +++ b/.github/workflows/checks_secure.yml @@ -2,6 +2,9 @@ name: Checks (secure) # These are run on base branch with read/write access. on: + # This trigger is only safe-ish to use if steps are gated behind the + # action-has-permission check. + # zizmor: ignore[dangerous-triggers] pull_request_target: types: [synchronize] diff --git a/.github/workflows/cpp-packaging.yml b/.github/workflows/cpp-packaging.yml index a60ed78aa0..db1c0b8f07 100644 --- a/.github/workflows/cpp-packaging.yml +++ b/.github/workflows/cpp-packaging.yml @@ -566,7 +566,7 @@ jobs: tools_platform=darwin fi verbose_flag= - if [[ -n "${{ github.event.inputs.verboseBuild }}" && "${{ github.event.inputs.verboseBuild }}" -ne 0 ]]; then + if [[ -n "${GITHUB_EVENT_INPUTS_VERBOSEBUILD}" && "${GITHUB_EVENT_INPUTS_VERBOSEBUILD}" -ne 0 ]]; then verbose_flag=-v fi declare -a additional_flags 
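Review bot: The new `# zizmor: ignore[dangerous-triggers]` suppression on `pull_request_target` in checks_secure.yml is not paired with a `permissions:` block in this hunk, while the file's own header says the jobs run with read/write access. The same commit replaces `permissions: write-all` with `contents: read` in checks.yml; if checks_secure.yml has no such block further down, adding a top-level `permissions:` with `contents: read` and widening per job would limit what a bypassed gate can reach. The comment could also name the invariant it depends on, e.g. `# Safe only while every step is gated on steps.check and no step checks out the PR head ref.`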
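Review bot: Moving `github.event.inputs.verboseBuild` into `GITHUB_EVENT_INPUTS_VERBOSEBUILD` stops template expansion into the script, but the value is still compared with `-ne` inside `[[ ]]`, where bash evaluates the operand as an arithmetic expression rather than as a plain string. A string comparison keeps the input as data: `if [[ -n "${GITHUB_EVENT_INPUTS_VERBOSEBUILD}" && "${GITHUB_EVENT_INPUTS_VERBOSEBUILD}" != "0" ]]; then`. The `env:` entry that defines the variable is added in the following hunk (`@@ -606,6 +606,8 @@`), and the step's script starts and ends outside this hunk.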
@@ -606,6 +606,8 @@ jobs: fi cd firebase-cpp-sdk-${{ matrix.sdk_platform }}${{ matrix.suffix }}-package tar -czhf ../firebase-cpp-sdk-${{ matrix.sdk_platform }}${{ matrix.suffix }}-package.tgz . + env: + GITHUB_EVENT_INPUTS_VERBOSEBUILD: ${{ github.event.inputs.verboseBuild }} - name: Print package contents shell: bash diff --git a/.github/workflows/integration_tests.yml b/.github/workflows/integration_tests.yml index 2ca8dc9f42..62442df752 100644 --- a/.github/workflows/integration_tests.yml +++ b/.github/workflows/integration_tests.yml @@ -42,7 +42,8 @@ on: firestore_dep_source: description: 'Optional: Where to get firestore iOS SDK from: "RELEASED", "TIP" or " from firestore-ios-sdk"' -permissions: write-all +permissions: + contents: read env: triggerLabelPrefix: "tests-requested: " @@ -57,6 +58,10 @@ env: jobs: check_and_prepare: runs-on: ubuntu-22.04 + permissions: + contents: read + pull-requests: write + actions: write outputs: trigger: ${{ steps.set_outputs.outputs.trigger }} github_ref: ${{ steps.set_outputs.outputs.github_ref }} @@ -265,6 +270,9 @@ jobs: name: build-desktop-${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.ssl_variant }} needs: [check_and_prepare] runs-on: ${{ matrix.os }} + permissions: + contents: read + pull-requests: write # Skip this if there is an empty matrix (which can happen if "auto" was set above). # But check cancelled() && !failure() so it runs even if check_trigger was skipped. if: contains(needs.check_and_prepare.outputs.matrix_platform, 'Desktop') && needs.check_and_prepare.outputs.apis != '' && !cancelled() && !failure() @@ -462,6 +470,9 @@ jobs: name: build-android-${{ matrix.os }} needs: [check_and_prepare] runs-on: ${{ matrix.os }} + permissions: + contents: read + pull-requests: write if: contains(needs.check_and_prepare.outputs.matrix_platform, 'Android') && needs.check_and_prepare.outputs.apis != '' && !cancelled() && !failure() strategy: fail-fast: false 
@@ -604,6 +615,9 @@ jobs: name: build-ios-${{ matrix.os }} needs: [check_and_prepare] runs-on: ${{ matrix.os }} + permissions: + contents: read + pull-requests: write if: contains(needs.check_and_prepare.outputs.matrix_platform, 'iOS') && needs.check_and_prepare.outputs.apis != '' && !cancelled() && !failure() strategy: fail-fast: false @@ -724,6 +738,9 @@ jobs: name: build-tvos-${{ matrix.os }} needs: [check_and_prepare] runs-on: ${{ matrix.os }} + permissions: + contents: read + pull-requests: write if: contains(needs.check_and_prepare.outputs.matrix_platform, 'tvOS') && needs.check_and_prepare.outputs.apis != '' && !cancelled() && !failure() strategy: fail-fast: false @@ -841,6 +858,9 @@ jobs: name: test-desktop-${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.ssl_variant }} needs: [check_and_prepare, build_desktop] runs-on: ${{ matrix.os }} + permissions: + contents: read + pull-requests: write if: contains(needs.check_and_prepare.outputs.matrix_platform, 'Desktop') && needs.check_and_prepare.outputs.apis != '' && !cancelled() strategy: fail-fast: false @@ -986,6 +1006,9 @@ jobs: name: test-android-${{ matrix.build_os }}-${{ matrix.android_device }}-${{ matrix.test_type }} needs: [check_and_prepare, build_android] runs-on: ubuntu-22.04 + permissions: + contents: read + pull-requests: write if: contains(needs.check_and_prepare.outputs.matrix_platform, 'Android') && needs.check_and_prepare.outputs.apis != '' && !cancelled() strategy: fail-fast: false @@ -1130,6 +1153,9 @@ jobs: name: test-ios-${{ matrix.build_os }}-${{ matrix.ios_device }}-${{ matrix.test_type }} needs: [check_and_prepare, build_ios] runs-on: macos-15 + permissions: + contents: read + pull-requests: write if: contains(needs.check_and_prepare.outputs.matrix_platform, 'iOS') && needs.check_and_prepare.outputs.apis != '' && !cancelled() strategy: 
@@ -1317,6 +1343,9 @@ jobs: name: test-tvos-${{ matrix.build_os }}-${{ matrix.tvos_device }} needs: [check_and_prepare, build_tvos] runs-on: macos-15 + permissions: + contents: read + pull-requests: write if: contains(needs.check_and_prepare.outputs.matrix_platform, 'tvOS') && needs.check_and_prepare.outputs.apis != '' && !cancelled() strategy: fail-fast: false @@ -1468,6 +1497,10 @@ jobs: name: "summarize-results" needs: [check_and_prepare, test_desktop, test_android, test_ios, test_tvos] runs-on: ubuntu-22.04 + permissions: + contents: read + pull-requests: write + issues: write if: ${{ !cancelled() }} steps: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 @@ -1546,6 +1579,8 @@ jobs: name: "attempt-retry" needs: [check_and_prepare, summarize_results] runs-on: ubuntu-22.04 + permissions: + contents: read if: ${{ failure() && needs.check_and_prepare.outputs.trigger == 'scheduled_trigger' }} steps: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3 diff --git a/.github/workflows/reviewer-roulette.yml b/.github/workflows/reviewer-roulette.yml index f715a429dd..e8d3e96a58 100644 --- a/.github/workflows/reviewer-roulette.yml +++ b/.github/workflows/reviewer-roulette.yml @@ -41,8 +41,8 @@ jobs: # Get the current reviewers and the author of the PR, to exclude them from the list. # Duplicates don't matter, so get the list of requested reviewers *and* the list of # completed reviews. - requested_reviewers='${{ join(github.event.pull_request.requested_reviewers.*.login, ' ') }} ' - completed_reviewers='${{ join(fromJSON(env.PR_REVIEWS).*.user.login, ' ') }} ' + requested_reviewers='${REQUESTED_REVIEWERS} ' + completed_reviewers='${COMPLETED_REVIEWERS} ' author="${GITHUB_EVENT_PULL_REQUEST_USER_LOGIN}" echo "Requested reviewers: ${requested_reviewers}" echo "Completed reviewers: ${completed_reviewers}" 
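Review bot: The two rewritten assignments in reviewer-roulette.yml keep their single quotes, so bash no longer expands anything: `requested_reviewers` becomes the literal text `${REQUESTED_REVIEWERS} `, and likewise for `completed_reviewers`. The single quotes were harmless before because the `${{ }}` expression was substituted before the shell ran. Use double quotes: `requested_reviewers="${REQUESTED_REVIEWERS} "` and `completed_reviewers="${COMPLETED_REVIEWERS} "`. As written, the exclusion of already requested or completed reviewers presumably stops working; the filtering code itself is outside this hunk.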
@@ -71,6 +71,8 @@ jobs: echo "::warning ::No reviewers available" fi env: + COMPLETED_REVIEWERS: ${{ join(fromJSON(env.PR_REVIEWS).*.user.login, ' ') }} + REQUESTED_REVIEWERS: ${{ join(github.event.pull_request.requested_reviewers.*.login, ' ') }} GITHUB_EVENT_PULL_REQUEST_USER_LOGIN: ${{ github.event.pull_request.user.login }} - name: Choose random reviewer diff --git a/.github/workflows/update-feature-branches.yml b/.github/workflows/update-feature-branches.yml index ecdf61379c..548b11c1ac 100644 --- a/.github/workflows/update-feature-branches.yml +++ b/.github/workflows/update-feature-branches.yml @@ -13,7 +13,8 @@ on: schedule: - cron: "0 16 * * 1" # Mondays, 4pm UTC = 9am PST / 10am PDT -permissions: write-all +permissions: + contents: read env: defaultBranchPattern: "feature_branch/*" @@ -64,6 +65,8 @@ jobs: name: create-merge-pr-${{ matrix.branch_name }} needs: [ list_feature_branches ] runs-on: ubuntu-22.04 + permissions: + contents: write if: ${{ needs.list_feature_branches.outputs.branch_list != '[]' }} strategy: fail-fast: false From a789e0e8d1771637630436e54c30382d3c938b57 Mon Sep 17 00:00:00 2001 From: Morgan Chen Date: Thu, 11 Jun 2026 16:16:50 -0700 Subject: [PATCH 4/4] remove uses of deprecated action --- .github/workflows/cpp-packaging.yml | 16 ++++++++++------ .github/workflows/integration_tests.yml | 16 ++++++++++------ .github/workflows/retry-test-failures.yml | 8 +++++--- .github/workflows/update-dependencies.yml | 9 ++++++--- .github/workflows/update-feature-branches.yml | 9 ++++++--- 5 files changed, 37 insertions(+), 21 deletions(-) diff --git a/.github/workflows/cpp-packaging.yml b/.github/workflows/cpp-packaging.yml index db1c0b8f07..1766c6dcb4 100644 --- a/.github/workflows/cpp-packaging.yml +++ b/.github/workflows/cpp-packaging.yml 
@@ -884,11 +884,13 @@ jobs: # # This method is preferred over the "personal access token" solution, as the GitHub App's scope is limited to just # the firebase-cpp-sdk repository. - uses: tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58 # ratchet:tibdex/github-app-token@v1 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # ratchet:actions/create-github-app-token@v1 id: generate-token with: - app_id: ${{ secrets.WORKFLOW_TRIGGER_APP_ID }} - private_key: ${{ secrets.WORKFLOW_TRIGGER_APP_PRIVATE_KEY }} + # we should migrate to client-id + app-id: ${{ secrets.WORKFLOW_TRIGGER_APP_ID }} + private-key: ${{ secrets.WORKFLOW_TRIGGER_APP_PRIVATE_KEY }} + permission-actions: write - name: Use GitHub API to start workflow shell: bash run: | @@ -951,11 +953,13 @@ jobs: run: pip install -r scripts/gha/python_requirements.txt # The default token can't run workflows, so get an alternate token. - name: Generate token for GitHub API - uses: tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58 # ratchet:tibdex/github-app-token@v1 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # ratchet:actions/create-github-app-token@v1 id: generate-token with: - app_id: ${{ secrets.WORKFLOW_TRIGGER_APP_ID }} - private_key: ${{ secrets.WORKFLOW_TRIGGER_APP_PRIVATE_KEY }} + # we should migrate to client-id + app-id: ${{ secrets.WORKFLOW_TRIGGER_APP_ID }} + private-key: ${{ secrets.WORKFLOW_TRIGGER_APP_PRIVATE_KEY }} + permission-actions: write - name: Retry failed tests run: | echo "::warning ::Attempting to retry failed jobs" diff --git a/.github/workflows/integration_tests.yml b/.github/workflows/integration_tests.yml index 62442df752..46fe0b5262 100644 --- a/.github/workflows/integration_tests.yml +++ b/.github/workflows/integration_tests.yml 
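Review bot: The `permission-actions: write` input in both cpp-packaging.yml hunks only narrows the token if the pinned commit of `actions/create-github-app-token` declares `permission-*` inputs. GitHub Actions reports an input the action does not declare as a warning and continues, in which case the token would carry every permission granted to the app installation. Please confirm against the `action.yml` at the pinned SHA; the same applies to the `permission-*` inputs added in integration_tests.yml, retry-test-failures.yml, update-dependencies.yml and update-feature-branches.yml. A comment next to the first use, such as `# permission-* needs a release that declares these inputs; verify when re-pinning`, would keep this visible.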
@@ -1523,11 +1523,13 @@ jobs: # Use a different token to remove the "in-progress" label, # to allow the removal to trigger the "Check Labels" workflow. - name: Generate token for GitHub API - uses: tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58 # ratchet:tibdex/github-app-token@v1 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # ratchet:actions/create-github-app-token@v1 id: generate-token with: - app_id: ${{ secrets.WORKFLOW_TRIGGER_APP_ID }} - private_key: ${{ secrets.WORKFLOW_TRIGGER_APP_PRIVATE_KEY }} + # we should migrate to client-id + app-id: ${{ secrets.WORKFLOW_TRIGGER_APP_ID }} + private-key: ${{ secrets.WORKFLOW_TRIGGER_APP_PRIVATE_KEY }} + permission-pull-requests: write - name: Update PR label and comment if: ${{ needs.check_and_prepare.outputs.pr_number }} shell: bash @@ -1596,11 +1598,13 @@ jobs: run: pip install -r scripts/gha/python_requirements.txt # The default token can't run workflows, so get an alternate token. - name: Generate token for GitHub API - uses: tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58 # ratchet:tibdex/github-app-token@v1 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # ratchet:actions/create-github-app-token@v1 id: generate-token with: - app_id: ${{ secrets.WORKFLOW_TRIGGER_APP_ID }} - private_key: ${{ secrets.WORKFLOW_TRIGGER_APP_PRIVATE_KEY }} + # we should migrate to client-id + app-id: ${{ secrets.WORKFLOW_TRIGGER_APP_ID }} + private-key: ${{ secrets.WORKFLOW_TRIGGER_APP_PRIVATE_KEY }} + permission-actions: write - name: Retry failed tests run: | echo "::warning ::Attempting to retry failed tests" diff --git a/.github/workflows/retry-test-failures.yml b/.github/workflows/retry-test-failures.yml index d1d2a50f1d..2f873866ac 100644 --- a/.github/workflows/retry-test-failures.yml +++ b/.github/workflows/retry-test-failures.yml 
@@ -13,11 +13,13 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
 - name: Get token for firebase-workflow-trigger
- uses: tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58 # ratchet:tibdex/github-app-token@v1
+ uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # ratchet:actions/create-github-app-token@v1
 id: generate-token
 with:
- app_id: ${{ secrets.WORKFLOW_TRIGGER_APP_ID }}
- private_key: ${{ secrets.WORKFLOW_TRIGGER_APP_PRIVATE_KEY }}
+ # we should migrate to client-id
+ app-id: ${{ secrets.WORKFLOW_TRIGGER_APP_ID }}
+ private-key: ${{ secrets.WORKFLOW_TRIGGER_APP_PRIVATE_KEY }}
+ permission-actions: write
 - name: Setup python
 uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4
diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml
index 1693fb2a19..9c85437fbb 100644
--- a/.github/workflows/update-dependencies.yml
+++ b/.github/workflows/update-dependencies.yml
@@ -30,11 +30,14 @@ jobs:
 runs-on: macos-15
 steps:
 - name: Get token for firebase-workflow-trigger
- uses: tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58 # ratchet:tibdex/github-app-token@v1
+ uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # ratchet:actions/create-github-app-token@v1
 id: generate-token
 with:
- app_id: ${{ secrets.WORKFLOW_TRIGGER_APP_ID }}
- private_key: ${{ secrets.WORKFLOW_TRIGGER_APP_PRIVATE_KEY }}
+ # we should migrate to client-id
+ app-id: ${{ secrets.WORKFLOW_TRIGGER_APP_ID }}
+ private-key: ${{ secrets.WORKFLOW_TRIGGER_APP_PRIVATE_KEY }}
+ permission-contents: write
+ permission-pull-requests: write
 - name: Setup python
 uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4
diff --git a/.github/workflows/update-feature-branches.yml b/.github/workflows/update-feature-branches.yml
index 548b11c1ac..bf5aeddff3 100644
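Review bot: In the update-dependencies.yml hunk (`@@ -30`) the token is now limited to `permission-contents: write` and `permission-pull-requests: write`; if this token is what pushes the update branch, a push that adds or changes anything under `.github/workflows/` will be rejected, because GitHub requires the separate `workflows` permission for that. The steps that use the token are outside the hunk, so this is inferred. The same question applies to the update-feature-branches.yml hunk (`@@ -74`), where changes merged in from the base branch can include workflow edits. If the pushes do go through this token and the app holds that permission, add `permission-workflows: write` in both places; otherwise a one-line comment naming the credential used for the push would settle it.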
--- a/.github/workflows/update-feature-branches.yml
+++ b/.github/workflows/update-feature-branches.yml
@@ -74,11 +74,14 @@ jobs:
 branch_name: ${{ fromJson(needs.list_feature_branches.outputs.branch_list) }}
 steps:
 - name: Get token for firebase-workflow-trigger
- uses: tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58 # ratchet:tibdex/github-app-token@v1
+ uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # ratchet:actions/create-github-app-token@v1
 id: generate-token
 with:
- app_id: ${{ secrets.WORKFLOW_TRIGGER_APP_ID }}
- private_key: ${{ secrets.WORKFLOW_TRIGGER_APP_PRIVATE_KEY }}
+ # we should migrate to client-id
+ app-id: ${{ secrets.WORKFLOW_TRIGGER_APP_ID }}
+ private-key: ${{ secrets.WORKFLOW_TRIGGER_APP_PRIVATE_KEY }}
+ permission-contents: write
+ permission-pull-requests: write
 - name: Setup python
 uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # ratchet:actions/setup-python@v4