Merge pull request #5333 from Shopify/security-code-scanner-workflow

Add workflow for Security Code Scanner

Author: gonzaloriestra

.github/workflows/changelog-reminder.yml

@@ -1,7 +1,7 @@
 on:
   pull_request:
-    types: [opened, synchronize, reopened, ready_for_review]
-    paths: ['packages/*/src/**']
+    types: [ opened, synchronize, reopened, ready_for_review ]
+    paths: [ 'packages/*/src/**' ]
 name: Changelog Reminder
 jobs:
   remind:

.github/workflows/checks.yml

@@ -19,8 +19,8 @@ jobs:
     timeout-minutes: 30
     strategy:
       matrix:
-        os: ['ubuntu-latest']
-        node: ['18.20.3']
+        os: [ 'ubuntu-latest' ]
+        node: [ '18.20.3' ]
     steps:
       - uses: actions/checkout@v3
         name: Checkout [main]

.github/workflows/cla.yml

@@ -17,7 +17,7 @@ jobs:
       )
       || (github.event.pull_request && !github.event.pull_request.merged)
     steps:
-      - uses: Shopify/shopify-cla-action@c6bc827f3c22da647ed72a556b0b30b8641786eb # pin@v1
+      - uses: Shopify/shopify-cla-action@9938f4b43524d1cfa7471ce9a803edf226697284 # pin@v1
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           cla-token: ${{ secrets.CLA_TOKEN }}

.github/workflows/pages.yml

@@ -2,14 +2,14 @@ name: Build and Deploy GitHub Pages Site
 
 on:
   push:
-    branches: ["main"]
+    branches: [ "main" ]
     paths:
       - packages/cli-kit/package.json
       - "docs/**"
 
   workflow_dispatch:
 
-# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+    # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
 permissions:
   contents: read
   pages: write
@@ -44,7 +44,7 @@ jobs:
         uses: actions/jekyll-build-pages@v1
         with:
           source: ./docs
-          destination:	./docs/_site
+          destination: ./docs/_site
       - name: Upload artifact
         uses: actions/upload-pages-artifact@v3
         with:

.github/workflows/security-code-scanner.yml

@@ -0,0 +1,9 @@
+name: 'Shopify Security Code Scanner'
+
+on: [ push ]
+
+jobs:
+  Security-Code-Scanner:
+    uses: shopify/security-code-scanner/.github/workflows/main.yml@5f7400975eed0698f96a6f718438353ae643a9d0 # pin@main
+    secrets:
+      token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/shopify-cli.yml

@@ -38,6 +38,7 @@ on:
   pull_request:
   merge_group:
 
+
 concurrency:
   group: shopify-cli-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
@@ -59,8 +60,8 @@ jobs:
     timeout-minutes: 30
     strategy:
       matrix:
-        os: ['ubuntu-latest', 'windows-latest', 'macos-latest']
-        node: ['18.20.3', '20.14.0', '22.2.0']
+        os: [ 'ubuntu-latest', 'windows-latest', 'macos-latest' ]
+        node: [ '18.20.3', '20.14.0', '22.2.0' ]
     steps:
       - uses: actions/checkout@v3
         name: Checkout [${{ github.ref_name }}]
@@ -112,9 +113,9 @@ jobs:
     timeout-minutes: 30
     strategy:
       matrix:
-        os: ['ubuntu-latest']
-        node: ['18.20.3']
-        target: ['build', 'type-check']
+        os: [ 'ubuntu-latest' ]
+        node: [ '18.20.3' ]
+        target: [ 'build', 'type-check' ]
     steps:
       - uses: actions/checkout@v3
         with:
@@ -135,8 +136,8 @@ jobs:
     timeout-minutes: 30
     strategy:
       matrix:
-        os: ['ubuntu-latest']
-        node: ['18.20.3']
+        os: [ 'ubuntu-latest' ]
+        node: [ '18.20.3' ]
     steps:
       - uses: actions/checkout@v3
         with:
@@ -163,8 +164,8 @@ jobs:
     timeout-minutes: 30
     strategy:
       matrix:
-        os: ['ubuntu-latest']
-        node: ['18.20.3']
+        os: [ 'ubuntu-latest' ]
+        node: [ '18.20.3' ]
     steps:
       - uses: actions/checkout@v3
         with:
@@ -187,8 +188,8 @@ jobs:
     timeout-minutes: 30
     strategy:
       matrix:
-        os: ['ubuntu-latest']
-        node: ['18.20.3']
+        os: [ 'ubuntu-latest' ]
+        node: [ '18.20.3' ]
     steps:
       - uses: actions/checkout@v3
         with:
@@ -200,7 +201,7 @@ jobs:
         with:
           node-version: ${{ matrix.node }}
       - name: Post the knip results
-        uses: codex-/knip-reporter@1ccefdf649b847793412fbfba286dc0b05defc1e # pin@v2
+        uses: codex-/knip-reporter@f717532b6707d95de06b9bb2eb8ece46393f018f # pin@v2
         with:
           verbose: true
 
@@ -211,8 +212,8 @@ jobs:
     timeout-minutes: 30
     strategy:
       matrix:
-        os: ['macos-latest'] # Codegen uses a find command that needs to work on CI and macOS; using the same env keeps this simple
-        node: ['18.20.3']
+        os: [ 'macos-latest' ] # Codegen uses a find command that needs to work on CI and macOS; using the same env keeps this simple
+        node: [ '18.20.3' ]
     steps:
       - uses: actions/checkout@v3
         with:
@@ -271,8 +272,8 @@ jobs:
     timeout-minutes: 30
     strategy:
       matrix:
-        os: ['ubuntu-latest', 'windows-latest', 'macos-latest']
-        node: ['18.20.3', '20.14.0', '22.2.0']
+        os: [ 'ubuntu-latest', 'windows-latest', 'macos-latest' ]
+        node: [ '18.20.3', '20.14.0', '22.2.0' ]
     steps:
       - uses: actions/checkout@v3
         with:
@@ -293,8 +294,8 @@ jobs:
     timeout-minutes: 30
     strategy:
       matrix:
-        os: ['ubuntu-latest', 'macos-latest', 'windows-latest']
-        node: ['18.20.3']
+        os: [ 'ubuntu-latest', 'macos-latest', 'windows-latest' ]
+        node: [ '18.20.3' ]
     steps:
       - uses: actions/checkout@v3
         with:
@@ -317,8 +318,8 @@ jobs:
     timeout-minutes: 30
     strategy:
       matrix:
-        os: ['ubuntu-latest']
-        node: ['18.20.3']
+        os: [ 'ubuntu-latest' ]
+        node: [ '18.20.3' ]
     steps:
       - uses: actions/checkout@v3
         with:
@@ -340,7 +341,6 @@ jobs:
         with:
           base-branch-name: '${{ github.base_ref }}'
 
-
   manually-triggered:
     name: '[Manual] Test with Node ${{ inputs.node-version }} in ${{ inputs.os }}'
     runs-on: ${{ inputs.os }}
@@ -363,6 +363,6 @@ jobs:
         run: pnpm test:features --output-style=stream
       - name: Setup tmate session
         if: ${{ failure() && inputs.debug-enabled }}
-        uses: mxschmitt/action-tmate@1005f9c9db5f1b055a495e72c6e589764984baf6 # pin@v3
+        uses: mxschmitt/action-tmate@e5c7151931ca95bad1c6f4190c730ecf8c7dde48 # pin@v3
         with:
           limit-access-to-actor: true

.github/workflows/snapit.yml

@@ -26,13 +26,18 @@ jobs:
       - name: Force snapshot changeset
         run: "mv .changeset/force-snapshot-build.md.ignore .changeset/force-snapshot-build.md"
       - name: Create snapshot version
-        uses: Shopify/snapit@0c0d2dd62c9b0c94b7d03e1f54e72f18548e7752 # pin to a specific commit
+        uses: Shopify/snapit@938148c6c89d82cf32e0a377f8f7c0bff39bc989 # pin@main
         with:
           global_install: 'true'
           github_comment_included_packages: '@shopify/cli'
-          custom_message_suffix: "\n> After installing, validate the version by running just `shopify` in your terminal\n> If the versions don't match, you might have multiple global instances installed.\n> Use `which shopify` to find out which one you are running and uninstall it."
+          custom_message_suffix: "
+
+            > After installing, validate the version by running just `shopify` in your terminal
+
+            > If the versions don't match, you might have multiple global instances installed.
+
+            > Use `which shopify` to find out which one you are running and uninstall it."
           build_script: "pnpm nx run-many --target=bundle --all --skip-nx-cache --output-style=stream"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-

.github/workflows/update-graphql-deps.yml

@@ -3,7 +3,8 @@ name: Update GraphQL Dependencies
 on:
   schedule:
     - cron: '13 0,6,12,18 * * *' # Runs at 00:13, 06:13, 12:13, and 18:13 UTC
-  workflow_dispatch:  # Allows manual triggering from the GitHub UI
+  workflow_dispatch:
+    # Allows manual triggering from the GitHub UI
 
 env:
   DEBUG: '1'

.github/workflows/workflow-cleaner.yml

@@ -48,7 +48,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Delete workflow runs
-        uses: Mattraks/delete-workflow-runs@5ebc537fc6b4f5c1634865f0030271fb6776b28d # pin@v2
+        uses: Mattraks/delete-workflow-runs@4c9f24749b7996562658e3d6e10662489e22caca # pin@v2
         with:
           token: ${{ github.token }}
           repository: ${{ github.repository }}