Skip to content

[No QA] Fix GitHub actions practices #733

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
roryabraham merged 6 commits into from
Oct 16, 2025
Merged

[No QA] Fix GitHub actions practices #733

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
4efa624
Immutable action refs only
roryabraham Oct 14, 2025
12cbb70
Fix actionlint
roryabraham Oct 14, 2025
e457824
Merge branch 'main' into Rory-FixGitHubActionsPractices
roryabraham Oct 14, 2025
e5e8528
Two spaces instead of four in lint.yml
roryabraham Oct 14, 2025
57ca071
Remove accidental npm -> yarn change
roryabraham Oct 16, 2025
cf0c516
Update .github/workflows/lint.yml
roryabraham Oct 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 4 additions & 2 deletions .github/workflows/build-android.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,11 +34,13 @@ jobs:
group: build-android-${{ matrix.react-native-architecture }}-${{ github.ref }}
cancel-in-progress: true
steps:
# v5.0.0
- name: Check out Git repository
uses: actions/checkout@v4
uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493

# v5.0.0
- name: Setup Java 17
uses: actions/setup-java@v4
uses: actions/setup-java@ead9eaa3cfe0b0fc2fa749519ae09c3d4f4080b0
with:
distribution: 'zulu'
java-version: 17
Expand Down
12 changes: 8 additions & 4 deletions .github/workflows/build-ios.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,11 +34,13 @@ jobs:
group: build-ios-${{ matrix.react-native-architecture }}-${{ github.ref }}
cancel-in-progress: true
steps:
# v5.0.0
- name: Check out Git repository
uses: actions/checkout@v4
uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493

# v4.3.0
- name: Restore node_modules from cache
uses: actions/cache@v4
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830
with:
path: |
node_modules
Expand All @@ -49,8 +51,9 @@ jobs:
- name: Install node_modules
run: yarn install --immutable

# v4.3.0
- name: Restore Pods from cache
uses: actions/cache@v4
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830
with:
path: |
example/ios/Pods
Expand All @@ -71,8 +74,9 @@ jobs:
working-directory: example/ios
run: rm -rf .xcode.env.local

# v4.3.0
- name: Restore build artifacts from cache
uses: actions/cache@v4
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830
with:
path: ~/Library/Developer/Xcode/DerivedData
key: build-ios-derived-data-${{ matrix.react-native-architecture }}-${{ hashFiles('example/node_modules/react-native/package.json') }}
Expand Down
3 changes: 2 additions & 1 deletion .github/workflows/build-web.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,8 +24,9 @@ jobs:
group: build-web-${{ github.ref }}
cancel-in-progress: true
steps:
# v5.0.0
- name: Check out Git repository
uses: actions/checkout@v4
uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493

- name: Install node_modules
run: yarn install --immutable
Expand Down
10 changes: 6 additions & 4 deletions .github/workflows/check.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,13 +16,15 @@ jobs:
group: check-root-${{ github.ref }}
cancel-in-progress: true
steps:
# v5.0.0
- name: Check out Git repository
uses: actions/checkout@v4
uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493

- name: Use Node.js 18
uses: actions/setup-node@v4
# v6.0.0
- name: Setup Node.js
uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903
with:
node-version: 18
node-version-file: '.nvmrc'

- name: Install node_modules
run: yarn install --immutable
Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/cla.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,13 +17,15 @@ jobs:
with:
text: ${{ github.event.comment.body }}
regex: '\s*I have read the CLA Document and I hereby sign the CLA\s*'

- uses: actions-ecosystem/action-regex-match@9c35fe9ac1840239939c59e5db8839422eed8a73
id: recheck
with:
text: ${{ github.event.comment.body }}
regex: '\s*recheck\s*'

- name: CLA Assistant
if: ${{ steps.recheck.outputs.match != '' || steps.sign.outputs.match != '' }} || github.event_name == 'pull_request_target'
if: ${{ steps.recheck.outputs.match != '' || steps.sign.outputs.match != '' || github.event_name == 'pull_request_target' }}
Copy link
Contributor Author

@roryabraham roryabraham Oct 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This condition was always evaluating to true because there were characters outside of the ${{ }}

# Version: 2.1.2-beta
uses: cla-assistant/github-action@948230deb0d44dd38957592f08c6bd934d96d0cf
env:
Expand Down
14 changes: 9 additions & 5 deletions .github/workflows/lint.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,19 +8,23 @@ jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
# v5.0.0
- name: Check out Git repository
uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493

- uses: actions/cache@v2
# v4.3.0
- uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830
with:
path: ~/.yarn
key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-yarn-

- name: Setup Node
uses: actions/setup-node@v1
# v6.0.0
- name: Setup Node.js
uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903
with:
node-version: "16.x"
node-version-file: '.nvmrc'

- name: Install node_modules
run: yarn install --immutable
Expand Down
126 changes: 65 additions & 61 deletions .github/workflows/publish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,70 +2,74 @@ name: Publish package to npmjs

# This workflow runs when code is pushed to `main` (i.e: when a pull request is merged)
on:
push:
branches: [main]
push:
Copy link
Contributor Author

@roryabraham roryabraham Oct 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I ignored differences in indentation across files because we aren't going to enforce a yaml style (yet). But 3-space indentation was too :eye_twitch: for me to handle

branches: [main]

# Ensure that only once instance of this workflow executes at a time.
# If multiple PRs are merged in quick succession, there will only ever be one publish workflow running and one pending.
concurrency: ${{ github.workflow }}

jobs:
version:
runs-on: ubuntu-latest

# OSBotify will update the version on `main`, so this check is important to prevent an infinite loop
if: ${{ github.actor != 'OSBotify' }}

steps:
- uses: actions/checkout@v4
with:
ref: main
# The OS_BOTIFY_COMMIT_TOKEN is a personal access token tied to osbotify
# This is a workaround to allow pushes to a protected branch
token: ${{ secrets.OS_BOTIFY_COMMIT_TOKEN }}

- name: Decrypt & Import OSBotify GPG key
run: |
cd .github
gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output OSBotify-private-key.asc OSBotify-private-key.asc.gpg
gpg --import OSBotify-private-key.asc
env:
LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}

- name: Set up git for OSBotify
run: |
git config --global user.signingkey 367811D53E34168C
git config --global commit.gpgsign true
git config --global user.name OSBotify
git config --global user.email infra+osbotify@expensify.com

- uses: actions/setup-node@v4
with:
node-version-file: '.nvmrc'
registry-url: 'https://registry.npmjs.org'

- name: Install yarn packages
run: yarn install --immutable

- name: Update npm version
run: yarn version patch

- name: Set new version in GitHub ENV
run: echo "NEW_VERSION=$(jq '.version' package.json)" >> $GITHUB_ENV

- name: Commit version bump
run: git commit -am "Bump version to ${{ env.NEW_VERSION }}"

- name: Tag version bump
run: git tag ${{ env.NEW_VERSION }}

- name: Push branch and publish tags
run: git push --set-upstream origin main && git push --tags

- name: Build package
run: yarn pack

- name: Publish to npm
run: npm publish --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
version:
runs-on: ubuntu-latest

# OSBotify will update the version on `main`, so this check is important to prevent an infinite loop
if: ${{ github.actor != 'OSBotify' }}

steps:
# v5.0.0
- name: Check out Git repository
uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493
with:
ref: main
# The OS_BOTIFY_COMMIT_TOKEN is a personal access token tied to osbotify
# This is a workaround to allow pushes to a protected branch
token: ${{ secrets.OS_BOTIFY_COMMIT_TOKEN }}

- name: Decrypt & Import OSBotify GPG key
run: |
cd .github
gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output OSBotify-private-key.asc OSBotify-private-key.asc.gpg
gpg --import OSBotify-private-key.asc
env:
LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}

- name: Set up git for OSBotify
run: |
git config --global user.signingkey 367811D53E34168C
git config --global commit.gpgsign true
git config --global user.name OSBotify
git config --global user.email infra+osbotify@expensify.com

# v6.0.0
- name: Setup Node.js
uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903
with:
node-version-file: '.nvmrc'
registry-url: 'https://registry.npmjs.org'

- name: Install yarn packages
run: yarn install --immutable

- name: Update npm version
run: yarn version patch

- name: Set new version in GitHub ENV
run: echo "NEW_VERSION=$(jq '.version' package.json)" >> "$GITHUB_ENV"

- name: Commit version bump
run: git commit -am "Bump version to ${{ env.NEW_VERSION }}"

- name: Tag version bump
run: git tag ${{ env.NEW_VERSION }}

- name: Push branch and publish tags
run: git push --set-upstream origin main && git push --tags

- name: Build package
run: yarn pack

- name: Publish to npm
run: npm publish --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
10 changes: 6 additions & 4 deletions .github/workflows/web-e2e-test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,13 +28,15 @@ jobs:
group: web-e2e-test-${{ github.ref }}
cancel-in-progress: true
steps:
# v5.0.0
- name: Check out Git repository
uses: actions/checkout@v4
uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493

- name: Use Node.js 18
uses: actions/setup-node@v4
# v6.0.0
- name: Setup Node.js
uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903
with:
node-version: 18
node-version-file: '.nvmrc'

- name: Install node_modules
run: yarn install --immutable
Expand Down