CI: Update GitHub actions (#131)

anaxite · web-flow · commit 37844a6d8da9 · 2025-11-22T21:16:51.000-05:00
* ci: update GitHub actions

- Update most GitHub actions to newer versions
- Pin most actions to commit SHA for security

* ci: replace `dorny/paths-filter` action

- Replace `dorny/paths-filter` with `tj-actions/changed-files` for maintained status. Use SHA pinning for security
- Add `src/pages/**` to file watchlist

* ci: rewrite SVG optimizer action

`ericcornelissen/svgo-action` is deprecated, and should be replaced.
There is no easy action to replace it; instead, use more targeted logic.

* ci: Make dependabot check GitHub actions monthly

* ci: Remove unnecessary `fetch-depth` property from checkout actions

* ci: Set bash as the default shell for actions that use it

* chore (config): consolidate `markdown` config block

There were two markdown blocks. Now there are one.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -10,3 +10,7 @@ updates:
     directory: "/"
     schedule:
       interval: weekly
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: monthly
diff --git a/.github/workflows/deploy-preview.yml b/.github/workflows/deploy-preview.yml
@@ -6,16 +6,17 @@ on:
       - main
     # Review gh actions docs if you want to further define triggers, paths, etc
     # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#on
-
+defaults:
+  run:
+    shell: bash
 jobs:
   build:
     name: Test deployment
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
+
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 #v6.0.0
         with:
           cache: npm
 
@@ -30,7 +31,7 @@ jobs:
           POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }}
           
   #     - name: Upload Build Artifact
-  #       uses: actions/upload-pages-artifact@v3
+  #       uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b #v4.0.0
   #       with:
   #         path: build                                        
   # deploy:
@@ -51,10 +52,10 @@ jobs:
   #   steps:
   #     - name: Deploy to GitHub Pages
   #       id: deployment
-  #       uses: actions/deploy-pages@v4
+  #       uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e #v4.0.5
 
   #     - name: Add deployment URL as comment on PR
-  #       uses: actions/github-script@v7
+  #       uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #v8.0.0
   #       with:
   #         github-token: ${{ secrets.GITHUB_TOKEN }}
   #         script: |
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -7,16 +7,17 @@ on:
   # repository_dispatch:  # TODO: Configure repository_dispatch event in update-common.yml
   #   types:
   #     - update-common-package-complete
-
+defaults:
+  run:
+    shell: bash
 jobs:
   build:
     name: Build Docusaurus
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
+
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 #v6.0.0
         with:
           cache: npm
 
@@ -31,7 +32,7 @@ jobs:
           POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }}
 
       - name: Upload Build Artifact
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b #v4.0.0
         with:
           path: build
 
@@ -53,7 +54,7 @@ jobs:
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e #v4.0.5
 
   sync_inkeep:
     name: Sync Content with Inkeep
@@ -65,17 +66,17 @@ jobs:
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
-    - name: Check for changes
-      uses: dorny/paths-filter@v2
-      id: changes
+      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
+    - name: Check for changed pages
+      uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+      id: changed-pages
       with:
-        filters: |
-          docs:
-            - 'docs/**'      
+        files: |
+          docs/**
+          src/pages/**
     - name: Sync Sources
-      if: steps.changes.outputs.docs == 'true'
-      uses: inkeep/pr-commenter-action@v10
+      if: steps.changed-pages.outputs.any_changed == 'true'
+      uses: inkeep/pr-commenter-action@84ccc7c74b72f628ec7e2b572e0cb7afd5898594 #v10
       env:
         GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
       with:
diff --git a/.github/workflows/doc-detective.yml b/.github/workflows/doc-detective.yml
@@ -14,7 +14,7 @@ jobs:
   runTests:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: doc-detective/github-action@v1
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
+      - uses: doc-detective/github-action@7cd1f3609abc91634935dbc990bfa7b6e6326f71 #latest, May 7 2025
         with:
             exit_on_fail: true
diff --git a/.github/workflows/ekline.yml b/.github/workflows/ekline.yml
@@ -10,8 +10,8 @@ jobs:
     name: runner / EkLine Reviewer (github-pr-review)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: ekline-io/ekline-github-action@v6
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
+      - uses: ekline-io/ekline-github-action@6f79f8e33a245e231d3cc822e51a6a1d93d78638 #v6.46.2
         with:
           content_dir: ./docs
           ek_token: ${{ secrets.ek_token }}
diff --git a/.github/workflows/optimize-svg.yml b/.github/workflows/optimize-svg.yml
@@ -0,0 +1,47 @@
+name: Optimize new SVG images
+on:
+  pull_request:
+    branches:
+      - main
+defaults:
+  run:
+    shell: bash
+jobs:
+  svgs:
+    name: Optimize SVGs
+    runs-on: ubuntu-latest
+    permissions:
+      # Give the default GITHUB_TOKEN write permission to commit and push the
+      # added or changed files to the repository.
+      contents: write
+    steps:
+    
+      - name: Checkout repository
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
+
+      - name: Check for changed SVGs
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        id: changed-files
+        with:
+          safe_output: false # set to false because we are using an environment variable to store the output and avoid command injection.
+          files: |
+            **/*.svg
+
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 #v6.0.0
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Optimize files
+        if: steps.changed-files.outputs.any_changed == 'true'
+        env:
+          ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
+        run: |
+          npm install -g svgo
+          for file in ${ALL_CHANGED_FILES}; do
+            npx svgo --multipass "$file" --output "$file"
+          done
+
+      - name: Commit optimized SVGs
+        if: steps.changed-files.outputs.any_changed == 'true'
+        uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 #v7.0.0
+        with:
+          commit_message: "auto: optimize SVGs"
diff --git a/.github/workflows/optimize.yml b/.github/workflows/optimize.yml
diff --git a/.github/workflows/update-common.yml b/.github/workflows/update-common.yml
@@ -10,15 +10,17 @@ on:
         description: 'The doc-detective-common version.'
         required: false
         default: 'latest'
-
+defaults:
+  run:
+    shell: bash
 jobs:
   update:
     permissions:
       contents: write
     runs-on: ubuntu-latest
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
       with:
         token: ${{ secrets.DD_DEP_UPDATE_TOKEN }}
 
@@ -129,7 +131,7 @@ jobs:
 
     - name: Create release with detailed notes
       if: steps.commit.outputs.has_changes == 'true'
-      uses: softprops/action-gh-release@v2
+      uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe #v2.4.2
       with:
         body: |
           # What's new
diff --git a/.github/workflows/vale.yml b/.github/workflows/vale.yml
@@ -11,13 +11,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
 
       - name: Set up dependencies
         run: npm install -g mdx2vast
 
       - name: Run Vale
-        uses: errata-ai/vale-action@v2.1.1
+        uses: errata-ai/vale-action@d89dee975228ae261d22c15adcd03578634d429c #v2.1.1
         with:
           files: "docs/"
           fail_on_error: false
diff --git a/docusaurus.config.ts b/docusaurus.config.ts
