diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 4e67511c69..23ce9fb3fa 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -16,3 +16,14 @@ updates: target-branch: 'main' versioning-strategy: 'increase' open-pull-requests-limit: 10 + + - package-ecosystem: 'github-actions' + directory: '/' + schedule: + interval: 'daily' + time: '06:00' + allow: + - dependency-name: 'MetaMask/*' + - dependency-name: 'actions/*' + target-branch: 'main' + open-pull-requests-limit: 10 diff --git a/.github/workflows/build-lint-test.yml b/.github/workflows/build-lint-test.yml index 5b3abba1e4..4f262ee19c 100644 --- a/.github/workflows/build-lint-test.yml +++ b/.github/workflows/build-lint-test.yml @@ -20,7 +20,7 @@ jobs: node-version: [20.x, 22.x] steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v1 + uses: MetaMask/action-checkout-and-setup@v2 with: is-high-risk-environment: false node-version: ${{ matrix.node-version }} @@ -29,7 +29,7 @@ jobs: run: yarn workspace @metamask/snaps-execution-environments run build:lavamoat:test - name: Save "@metamask/snaps-execution-environments" build id: cache-snaps-execution-environments-build - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 with: name: snaps-execution-environments-build-${{ runner.os }}-${{ matrix.node-version }}-${{ github.sha }} retention-days: 1 @@ -52,13 +52,13 @@ jobs: needs: prepare steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v1 + uses: MetaMask/action-checkout-and-setup@v2 with: is-high-risk-environment: false - name: Build run: yarn build:ci - name: Save build files - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 with: name: build-source-${{ runner.os }}-${{ github.sha }} retention-days: 1 
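Review bot: The new `github-actions` entry's `allow:` list admits only `MetaMask/*` and `actions/*`, so an action from any other owner that a workflow later picks up will get no update PRs, and nothing in the config makes that restriction visible to whoever adds one. The workflows in this diff reference only those two namespaces today, so the list is accurate now, but a comment above `allow:` would prevent silent drift: `# Only first-party and GitHub-owned actions are updated; extend this list when adding an action from another owner.` The `uses:` lines these workflows carry are pinned to mutable major tags (`@v2`, `@v6`), which Dependabot only bumps when a new major appears; pinning to a full commit SHA with a trailing version comment gives an immutable reference that Dependabot can still follow. `time: '06:00'` has no `timezone`, so it is presumably evaluated in UTC.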
@@ -79,7 +79,7 @@ jobs: needs: prepare steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v1 + uses: MetaMask/action-checkout-and-setup@v2 with: is-high-risk-environment: false - name: Build @@ -98,11 +98,11 @@ jobs: needs: build steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v1 + uses: MetaMask/action-checkout-and-setup@v2 with: is-high-risk-environment: false - name: Restore build files - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: name: build-source-${{ runner.os }}-${{ github.sha }} - name: Generate LavaMoat policy @@ -121,7 +121,7 @@ jobs: needs: prepare steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v1 + uses: MetaMask/action-checkout-and-setup@v2 with: is-high-risk-environment: false - name: Lint @@ -149,16 +149,16 @@ jobs: package-name: ${{ fromJson(needs.prepare.outputs.test-workspace-package-names) }} steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v1 + uses: MetaMask/action-checkout-and-setup@v2 with: is-high-risk-environment: false node-version: ${{ matrix.node-version }} - name: Restore "@metamask/snaps-execution-environments" build - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: name: snaps-execution-environments-build-${{ runner.os }}-${{ matrix.node-version }}-${{ github.sha }} - name: Restore build files - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: name: build-source-${{ runner.os }}-${{ github.sha }} - name: Install browsers @@ -183,7 +183,7 @@ jobs: shell: bash - name: Upload coverage artifact if: ${{ matrix.node-version == '22.x' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 with: name: coverage-${{ steps.get-coverage-folder.outputs.artifact-name }} path: | 
@@ -204,9 +204,9 @@ jobs: runs-on: ubuntu-latest needs: test steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - name: Download coverage artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: pattern: coverage-* merge-multiple: true @@ -229,16 +229,16 @@ jobs: package-name: ${{ fromJson(needs.prepare.outputs.e2e-workspace-package-names) }} steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v1 + uses: MetaMask/action-checkout-and-setup@v2 with: is-high-risk-environment: false node-version: ${{ matrix.node-version }} - name: Restore "@metamask/snaps-execution-environments" build - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: name: snaps-execution-environments-build-${{ runner.os }}-${{ matrix.node-version }}-${{ github.sha }} - name: Restore build files - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: name: build-source-${{ runner.os }}-${{ github.sha }} - name: Build snap @@ -264,7 +264,7 @@ jobs: os: [macOS-latest, windows-latest] steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v1 + uses: MetaMask/action-checkout-and-setup@v2 with: is-high-risk-environment: false platform-specific-caching: true diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 626b3890fb..cd38820a63 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -16,7 +16,8 @@ jobs: name: Check workflows runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Checkout repository + uses: actions/checkout@v6 - name: Download actionlint id: download-actionlint run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/7fdc9630cc360ea1a469eed64ac6d78caeda1234/scripts/download-actionlint.bash) 1.7.7 
@@ -26,16 +27,40 @@ jobs: shell: bash analyse-code: - name: Code scanner + name: Analyse code needs: check-workflows - uses: ./.github/workflows/security-code-scanner.yml + uses: MetaMask/action-security-code-scanner/.github/workflows/security-scan.yml@v2 + with: + scanner-ref: v2 + paths-ignored: | + .storybook/ + **/__snapshots__/ + **/*.snap + **/*.stories.js + **/*.stories.tsx + **/*.test.browser.ts* + **/*.test.js* + **/*.test.ts* + **/fixtures/ + **/__fixtures__/ + **/jest.config.js + **/jest.environment.js + **/mocks/ + **/__mocks__/ + **/test*/ + docs/ + e2e/ + merged-packages/ + node_modules/ + storybook/ + test*/ + secrets: + project-metrics-token: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }} + slack-webhook: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }} permissions: actions: read contents: read security-events: write - secrets: - SECURITY_SCAN_METRICS_TOKEN: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }} - APPSEC_BOT_SLACK_WEBHOOK: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }} update-pull-request: name: Update pull request diff --git a/.github/workflows/publish-environment.yml b/.github/workflows/publish-environment.yml index 7e294fbf83..d8d83c6063 100644 --- a/.github/workflows/publish-environment.yml +++ b/.github/workflows/publish-environment.yml @@ -20,7 +20,7 @@ jobs: if: ${{ inputs.destination_dir == '' }} run: exit 1 - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v1 + uses: MetaMask/action-checkout-and-setup@v2 with: is-high-risk-environment: true - name: Build dependencies diff --git a/.github/workflows/publish-github-pages.yml b/.github/workflows/publish-github-pages.yml index ebc047e44d..b0def343f9 100644 --- a/.github/workflows/publish-github-pages.yml +++ b/.github/workflows/publish-github-pages.yml 
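Review bot: The scanner version is now stated twice in the `analyse-code` job — `@v2` on the `uses:` line and `scanner-ref: v2` as an input — and the Dependabot `github-actions` entry added in this same diff will presumably bump only the `uses:` reference, leaving `scanner-ref` to drift. A comment tying them together is the least that should go in: `# Keep scanner-ref in sync with the @ref on the uses: line above; Dependabot updates only the latter.` The `paths-ignored` entries `**/test*/` and `test*/` are also broad enough to match `test-snaps` (built by publish-release.yml elsewhere in this diff), so that published package would be excluded from scanning; if that is not intended, the narrower `**/test/` and `**/test-utils/` patterns from the deleted workflow are safer. Since two secrets are forwarded to an externally hosted reusable workflow pinned by a mutable tag, pinning that `uses:` ref to a commit SHA is the usual hardening here.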
@@ -34,7 +34,7 @@ jobs: if: ${{ inputs.publish_dir == '' }} run: exit 1 - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v1 + uses: MetaMask/action-checkout-and-setup@v2 with: is-high-risk-environment: true - name: Run build script diff --git a/.github/workflows/publish-preview.yml b/.github/workflows/publish-preview.yml index 3316533d2c..f386aa4440 100644 --- a/.github/workflows/publish-preview.yml +++ b/.github/workflows/publish-preview.yml @@ -12,7 +12,7 @@ jobs: outputs: IS_FORK: ${{ steps.is-fork.outputs.IS_FORK }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - name: Determine whether this PR is from a fork id: is-fork run: echo "IS_FORK=$(gh pr view --json isCrossRepository --jq '.isCrossRepository' "${PR_NUMBER}" )" >> "$GITHUB_OUTPUT" @@ -29,14 +29,14 @@ jobs: if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - name: Checkout pull request run: gh pr checkout "${PR_NUMBER}" env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} PR_NUMBER: ${{ github.event.issue.number }} - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v1 + uses: MetaMask/action-checkout-and-setup@v2 with: is-high-risk-environment: true - name: Get commit SHA diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index ab4fcdfa02..c53f305427 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -34,7 +34,7 @@ jobs: tag: ${{ steps.get-release-tag.outputs.tag }} steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v1 + uses: MetaMask/action-checkout-and-setup@v2 with: is-high-risk-environment: true ref: ${{ github.sha }} 
@@ -51,7 +51,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v1 + uses: MetaMask/action-checkout-and-setup@v2 with: is-high-risk-environment: true ref: ${{ github.sha }} @@ -69,7 +69,7 @@ jobs: - name: Build test-snaps run: yarn workspace @metamask/test-snaps build - name: Upload build artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 with: name: publish-release-artifacts-${{ github.sha }} include-hidden-files: true @@ -84,12 +84,12 @@ jobs: needs: publish-release steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v1 + uses: MetaMask/action-checkout-and-setup@v2 with: is-high-risk-environment: true ref: ${{ github.sha }} - name: Restore build artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: name: publish-release-artifacts-${{ github.sha }} - name: Dry run publish to NPM @@ -108,12 +108,12 @@ jobs: - get-release-tag steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v1 + uses: MetaMask/action-checkout-and-setup@v2 with: is-high-risk-environment: true ref: ${{ github.sha }} - name: Restore build artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: name: publish-release-artifacts-${{ github.sha }} - name: Publish ${{ needs.get-release-tag.outputs.tag }} to NPM @@ -130,7 +130,7 @@ jobs: IS_ENVIRONMENT_RELEASE: ${{ steps.is-environment-release.outputs.IS_ENVIRONMENT_RELEASE }} steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v1 + uses: MetaMask/action-checkout-and-setup@v2 with: is-high-risk-environment: true ref: ${{ github.sha }} 
@@ -152,7 +152,7 @@ jobs: version: ${{ steps.version.outputs.VERSION }} steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v1 + uses: MetaMask/action-checkout-and-setup@v2 with: is-high-risk-environment: true ref: ${{ github.sha }} @@ -219,7 +219,7 @@ jobs: TEST_SNAPS_VERSION: ${{ steps.set-output.outputs.TEST_SNAPS_VERSION }} steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v1 + uses: MetaMask/action-checkout-and-setup@v2 with: is-high-risk-environment: true ref: ${{ github.sha }} diff --git a/.github/workflows/security-code-scanner.yml b/.github/workflows/security-code-scanner.yml deleted file mode 100644 index 9f0aa9fed7..0000000000 --- a/.github/workflows/security-code-scanner.yml +++ /dev/null @@ -1,40 +0,0 @@ -name: MetaMask Security Code Scanner - -on: - workflow_call: - secrets: - SECURITY_SCAN_METRICS_TOKEN: - required: false - APPSEC_BOT_SLACK_WEBHOOK: - required: false - workflow_dispatch: - -jobs: - run-security-scan: - name: Run security scan - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - steps: - - name: Analyse code - uses: MetaMask/action-security-code-scanner@v1 - with: - repo: ${{ github.repository }} - paths_ignored: | - tests/ - '**/test/' - '**/test-utils/' - '**/__mocks__/' - '**/__snapshots__/' - '**/__fixtures__/' - '**/*.test.js*' - '**/*.test.ts*' - '**/*.test.browser.ts*' - docs/ - '**/jest.environment.js' - '**/jest.config.js' - node_modules - project_metrics_token: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }} - slack_webhook: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }} diff --git a/.github/workflows/update-pull-request.yml b/.github/workflows/update-pull-request.yml index 4097f79fa7..a0d581f67f 100644 --- a/.github/workflows/update-pull-request.yml +++ b/.github/workflows/update-pull-request.yml 
@@ -31,7 +31,7 @@ jobs: IS_FORK: ${{ steps.is-fork.outputs.IS_FORK }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Determine whether this PR is from a fork id: is-fork run: echo "IS_FORK=$(gh pr view --json isCrossRepository --jq '.isCrossRepository' "${PR_NUMBER}" )" >> "$GITHUB_OUTPUT" @@ -48,7 +48,7 @@ jobs: if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' && inputs.dependabot == false }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: React to the comment run: | gh api \ @@ -73,14 +73,14 @@ jobs: COMMIT_SHA: ${{ steps.commit-sha.outputs.COMMIT_SHA }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Checkout pull request run: gh pr checkout "${PR_NUMBER}" env: GITHUB_TOKEN: ${{ secrets.PULL_REQUEST_UPDATE_TOKEN }} PR_NUMBER: ${{ inputs.pull-request != 0 && inputs.pull-request || github.event.issue.number }} - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v1 + uses: MetaMask/action-checkout-and-setup@v2 with: is-high-risk-environment: false cache-node-modules: true @@ -96,14 +96,14 @@ jobs: YARN_LOCK_CHANGED: ${{ steps.check-yarn-lock.outputs.YARN_LOCK_CHANGED }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Checkout pull request run: gh pr checkout "${PR_NUMBER}" env: GITHUB_TOKEN: ${{ secrets.PULL_REQUEST_UPDATE_TOKEN }} PR_NUMBER: ${{ inputs.pull-request != 0 && inputs.pull-request || github.event.issue.number }} - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v1 + uses: MetaMask/action-checkout-and-setup@v2 with: is-high-risk-environment: false - name: Deduplicate yarn.lock 
@@ -113,7 +113,7 @@ jobs: run: | git diff --exit-code yarn.lock || echo "YARN_LOCK_CHANGED=true" >> "$GITHUB_OUTPUT" - name: Save yarn.lock - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 with: name: yarn-lock-${{ needs.prepare.outputs.COMMIT_SHA }} path: yarn.lock @@ -126,25 +126,25 @@ jobs: - dedupe-yarn-lock steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Checkout pull request run: gh pr checkout "${PR_NUMBER}" env: GITHUB_TOKEN: ${{ secrets.PULL_REQUEST_UPDATE_TOKEN }} PR_NUMBER: ${{ inputs.pull-request != 0 && inputs.pull-request || github.event.issue.number }} - name: Restore yarn.lock - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: name: yarn-lock-${{ needs.prepare.outputs.COMMIT_SHA }} - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v1 + uses: MetaMask/action-checkout-and-setup@v2 with: # If the Yarn lock changed we need to reinstall the dependencies. is-high-risk-environment: ${{ needs.dedupe-yarn-lock.outputs.YARN_LOCK_CHANGED == 'true' }} - name: Build packages run: yarn build:ci - name: Save packages - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 with: name: packages-${{ needs.prepare.outputs.COMMIT_SHA }} path: | 
@@ -160,29 +160,29 @@ jobs: - build steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Checkout pull request run: gh pr checkout "${PR_NUMBER}" env: GITHUB_TOKEN: ${{ secrets.PULL_REQUEST_UPDATE_TOKEN }} PR_NUMBER: ${{ inputs.pull-request != 0 && inputs.pull-request || github.event.issue.number }} - name: Restore yarn.lock - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: name: yarn-lock-${{ needs.prepare.outputs.COMMIT_SHA }} - name: Restore packages - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: name: packages-${{ needs.prepare.outputs.COMMIT_SHA }} - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v1 + uses: MetaMask/action-checkout-and-setup@v2 with: # If the Yarn lock changed we need to reinstall the dependencies. is-high-risk-environment: ${{ needs.dedupe-yarn-lock.outputs.YARN_LOCK_CHANGED == 'true' }} - name: Regenerate LavaMoat policies run: yarn build:lavamoat:policy - name: Save LavaMoat policies - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 with: name: lavamoat-policies-${{ needs.prepare.outputs.COMMIT_SHA }} path: | 
@@ -198,29 +198,29 @@ jobs: - build steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Checkout pull request run: gh pr checkout "${PR_NUMBER}" env: GITHUB_TOKEN: ${{ secrets.PULL_REQUEST_UPDATE_TOKEN }} PR_NUMBER: ${{ inputs.pull-request != 0 && inputs.pull-request || github.event.issue.number }} - name: Restore yarn.lock - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: name: yarn-lock-${{ needs.prepare.outputs.COMMIT_SHA }} - name: Restore packages - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: name: packages-${{ needs.prepare.outputs.COMMIT_SHA }} - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v1 + uses: MetaMask/action-checkout-and-setup@v2 with: # If the Yarn lock changed we need to reinstall the dependencies. is-high-risk-environment: ${{ needs.dedupe-yarn-lock.outputs.YARN_LOCK_CHANGED == 'true' }} - name: Update examples run: yarn build:examples - name: Save examples - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 with: name: examples-${{ needs.prepare.outputs.COMMIT_SHA }} path: | @@ -239,7 +239,7 @@ jobs: - update-examples steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: # Use PAT to ensure that the commit later can trigger status check # workflows. @@ -257,7 +257,7 @@ jobs: id: commit-sha run: echo "COMMIT_SHA=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" - name: Restore yarn.lock - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: name: yarn-lock-${{ needs.prepare.outputs.COMMIT_SHA }} - name: Set commit prefix 
@@ -268,7 +268,7 @@ jobs: git add yarn.lock git commit -m "${COMMIT_PREFIX}Deduplicate yarn.lock" || true - name: Restore LavaMoat policies - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: name: lavamoat-policies-${{ needs.prepare.outputs.COMMIT_SHA }} - name: Commit LavaMoat policies @@ -276,7 +276,7 @@ jobs: git add packages/snaps-execution-environments/lavamoat git commit -m "${COMMIT_PREFIX}Update LavaMoat policies" || true - name: Restore examples - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: name: examples-${{ needs.prepare.outputs.COMMIT_SHA }} - name: Commit examples