diff --git a/.github/workflows/Build.yaml b/.github/workflows/Build.yaml
index ee17ca54e5..e63ce9eb55 100644
--- a/.github/workflows/Build.yaml
+++ b/.github/workflows/Build.yaml
@@ -25,27 +25,27 @@ jobs:
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@rc
+ uses: step-security/harden-runner@c51e8eeb6c4fdcd08f65e43a051dacdbfaa69702 # rc
 with:
 egress-policy: audit
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Validate Gradle Wrapper
- uses: gradle/wrapper-validation-action@v2
+ uses: gradle/wrapper-validation-action@b5418f5a58f5fd2eb486dd7efb368fe7be7eae45 # v2.1.3
 - name: Copy CI gradle.properties
 run: mkdir -p ~/.gradle ; cp .github/ci-gradle.properties ~/.gradle/gradle.properties
 - name: Set up JDK 17
- uses: actions/setup-java@v4
+ uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
 with:
 distribution: 'zulu'
 java-version: 17
 - name: Setup Gradle
- uses: gradle/gradle-build-action@v3
+ uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
 - name: Check build-logic
 run: ./gradlew check -p build-logic
@@ -73,7 +73,7 @@ jobs:
 ./gradlew dependencyGuardBaseline
 - name: Push new Dependency Guard baselines if available
- uses: stefanzweifel/git-auto-commit-action@v5
+ uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0
 if: steps.dependencyguard_baseline.outcome == 'success'
 with:
 file_pattern: '**/dependencies/*.txt'
@@ -100,7 +100,7 @@ jobs:
 ./gradlew recordRoborazziDemoDebug
 - name: Push new screenshots if available
- uses: stefanzweifel/git-auto-commit-action@v5
+ uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0
 if: steps.screenshotsrecord.outcome == 'success'
 with:
 file_pattern: '*/*.png'
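Review bot: The harden-runner pin in this hunk, and the identical one in the `@@ -168,7 +168,7` hunk of Build.yaml, is annotated `# rc`, which is not a release version: the SHA presumably comes from the moving `rc` ref, so a reader cannot tell which harden-runner version is frozen here, and tooling that keeps SHA pins current by matching the trailing version comment has nothing to resolve. Release.yml in the same commit pins a tagged release, so the consistent fix is to use that line in both Build.yaml locations: `uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3`. If the pre-release really is wanted in Build.yaml, the comment should at least say which version the commit corresponds to and why the tagged release is not used.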
@@ -123,14 +123,14 @@ jobs:
 -x collectProdNonMinifiedReleaseBaselineProfile
 - name: Upload build outputs (APKs)
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: APKs
 path: '**/build/outputs/apk/**/*.apk'
 - name: Upload JVM local results (XML)
 if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: local-test-results
 path: '**/build/test-results/test*UnitTest/**.xml'
@@ -140,7 +140,7 @@ jobs:
 - name: Upload lint reports (HTML)
 if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: lint-reports
 path: '**/build/reports/lint-results-*.html'
@@ -157,7 +157,7 @@ jobs:
 steps:
 - name: Delete unnecessary tools 🔧
- uses: jlumbroso/free-disk-space@v1.3.1
+ uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
 with:
 android: false # Don't remove Android tools
 tool-cache: true # Remove image tool cache - rm -rf "$AGENT_TOOLSDIRECTORY"
@@ -168,7 +168,7 @@ jobs:
 large-packages: false # includes google-cloud-sdk and it's slow
 - name: Harden Runner
- uses: step-security/harden-runner@rc
+ uses: step-security/harden-runner@c51e8eeb6c4fdcd08f65e43a051dacdbfaa69702 # rc
 with:
 egress-policy: audit
@@ -180,22 +180,22 @@ jobs:
 ls /dev/kvm
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Copy CI gradle.properties
 run: mkdir -p ~/.gradle ; cp .github/ci-gradle.properties ~/.gradle/gradle.properties
 - name: Set up JDK 17
- uses: actions/setup-java@v4
+ uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
 with:
 distribution: 'zulu'
 java-version: 17
 - name: Setup Gradle
- uses: gradle/gradle-build-action@v3
+ uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
 - name: Build projects and run instrumentation tests
- uses: reactivecircus/android-emulator-runner@v2
+ uses: reactivecircus/android-emulator-runner@b530d96654c385303d652368551fb075bc2f0b6b # v2.35.0
 with:
 api-level: ${{ matrix.api-level }}
 arch: x86_64
@@ -216,7 +216,7 @@ jobs:
 - name: Upload test reports
 if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: test-reports-${{ matrix.api-level }}
 path: '**/build/reports/androidTests'
@@ -224,7 +224,7 @@ jobs:
 - name: Display local test coverage (only API 30)
 if: matrix.api-level == 30
 id: jacoco
- uses: madrapps/jacoco-report@v1.6.1
+ uses: madrapps/jacoco-report@db72e7e7c96f98d239967958b0a0a6ca7d3bb45f # v1.6.1
 with:
 title: Combined test coverage report
 min-coverage-overall: 40
@@ -235,7 +235,7 @@ jobs:
 - name: Upload local coverage reports (XML + HTML) (only API 30)
 if: matrix.api-level == 30
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: coverage-reports
 if-no-files-found: error
diff --git a/.github/workflows/Release.yml b/.github/workflows/Release.yml
index 7de3cb11e7..d68ec04c71 100644
--- a/.github/workflows/Release.yml
+++ b/.github/workflows/Release.yml
@@ -5,12 +5,22 @@ on:
 tags:
 - 'v*'
+permissions:
+ contents: read
+
 jobs:
 build:
+ permissions:
+ contents: write # for actions/create-release to create a release
 runs-on: ubuntu-latest
 timeout-minutes: 120
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+ with:
+ egress-policy: audit
+
 - name: Enable KVM group perms
 run: |
 echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
@@ -19,16 +29,16 @@ jobs:
 ls /dev/kvm
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Validate Gradle Wrapper
- uses: gradle/wrapper-validation-action@v2
+ uses: gradle/wrapper-validation-action@b5418f5a58f5fd2eb486dd7efb368fe7be7eae45 # v2.1.3
 - name: Copy CI gradle.properties
 run: mkdir -p ~/.gradle ; cp .github/ci-gradle.properties ~/.gradle/gradle.properties
 - name: Set up JDK 17
- uses: actions/setup-java@v4
+ uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
 with:
 distribution: 'zulu'
 java-version: 17
@@ -48,7 +58,7 @@ jobs:
 -Pandroid.experimental.testOptions.managedDevices.maxConcurrentDevices=1
 - name: Create Release
 id: create_release
- uses: actions/create-release@v1
+ uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
@@ -58,7 +68,7 @@ jobs:
 prerelease: false
 - name: Upload app
- uses: actions/upload-release-asset@v1
+ uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
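Review bot: `egress-policy: audit` in the new Harden the runner step only records outbound connections, it does not restrict them, and this is the job that now holds `contents: write` and uses `secrets.GITHUB_TOKEN`, so the step currently adds visibility rather than a control. Once a few release runs have populated the audit log with the endpoints the build genuinely needs, tighten it to `egress-policy: block` with an `allowed-endpoints:` list; a comment above the step recording that plan, e.g. `# audit first; switch to block + allowed-endpoints once the endpoint set is known`, keeps the intent from being lost. The workflow-level `contents: read` with a job-level `contents: write` is the right shape; the inline comment on that grant names only actions/create-release, while the Upload app step later in the file uses the same token, so widening the comment to cover both steps would save the next reader a search.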
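Review bot: The SHA now pinned for `actions/create-release` in the `@@ -48,7 +58,7` hunk (and for `actions/upload-release-asset` in the `@@ -58,7 +68,7` hunk) freezes an action whose upstream repository is archived, so this pin will never receive a security or Node-runtime update; it is still better than the floating `@v1`, but these two steps should be migrated rather than maintained. The GitHub CLI preinstalled on the hosted runner covers both steps without a third-party action, e.g. `run: gh release create "${GITHUB_REF_NAME}" --title "${GITHUB_REF_NAME}"` with `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` under `env:`, followed by `gh release upload` for the APK. The `with:` blocks of both steps continue past the end of their hunks, so the exact inputs that a migration would have to carry over are not visible here.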