diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..8c9634c8
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,32 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ cooldown:
+ default-days: 4
+ schedule:
+ interval: "daily" # Every weekday, Monday to Friday
+
+ - package-ecosystem: "npm"
+ directory: "/"
+ cooldown:
+ default-days: 4
+ schedule:
+ interval: "weekly" # By default on a Monday
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 941bfb40..7d0dc46f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -41,12 +41,15 @@ jobs:
 os: [ubuntu-latest, windows-latest, macos-15]
 steps:
- - uses: actions/checkout@v6
- - uses: actions/setup-node@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ fetch-depth: 1
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: ${{ matrix.node-version }}
- - uses: actions/setup-java@v5
+ - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
 with:
 distribution: 'temurin'
 java-version: '17'
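Review bot: The `cooldown:` block in both `updates` entries carries no comment, while the neighbouring `schedule` lines do, so a reader cannot tell whether the 4-day delay is deliberate or a copy-paste default. The delay is presumably the supply-chain control here (a freshly published version is not proposed until it has been public for a few days, giving time for a bad release to be reported or withdrawn), and that is worth stating once above the first entry: `# cooldown: wait a few days after a release before proposing it, so a compromised or withdrawn version is less likely to be merged`. The same comment covers the npm entry.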
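Review bot: `fetch-depth: 1` in the new `with:` block of the checkout step is the action's default, so only `persist-credentials: false` changes behaviour; dropping the redundant key makes the intent (no token left behind in the checkout's git config) easier to see. The identical `with:` block appears in the draft-release.yml and release-audit.yml hunks below and the same remark applies there. In draft-release.yml in particular, any later step that pushes or tags through git would now need an explicit token, which cannot be verified from these hunks and is worth checking before merging. The enclosing job definition starts before this hunk.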
@@ -61,7 +64,7 @@ jobs:
 # It contains mixed content from the npm package "cordova-js" and "./cordova-js-src".
 # The report might not be resolvable because of the external package.
 # If the report is related to this repository, it would be detected when scanning "./cordova-js-src".
- - uses: github/codeql-action/init@v4
+ - uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
 with:
 languages: javascript, java-kotlin
 queries: security-and-quality
@@ -74,12 +77,11 @@ jobs:
 - name: npm install and test
 run: |
- npm i
- npm t
+ npm cit
 env:
 CI: true
- - uses: github/codeql-action/analyze@v4
+ - uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
 # v4.6.0
 - uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238
diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml
index 98ecf5a2..a04a9bda 100644
--- a/.github/workflows/draft-release.yml
+++ b/.github/workflows/draft-release.yml
@@ -31,10 +31,15 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
- - uses: actions/setup-node@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ fetch-depth: 1
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: 24
+ package-manager-cache: false
+ cache: ''
 - name: Setup environment variables
 run: |
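Review bot: `cache: ''` on the setup-node step in the draft-release.yml hunk is, as far as I recall, already the action's default (the input is empty unless a package manager is named), so `package-manager-cache: false` alone is what disables the lockfile-based cache; either drop the `cache: ''` line or say why both are set. Since the ci.yml hunks leave caching on, a one-line comment would also record the reason for the difference: `# no dependency cache: release artifacts are built from a clean install`. The job body continues past the end of the hunk.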
@@ -68,14 +73,14 @@ jobs:
 - name: Verify Target Release Version
 run: |
 PACKAGE_VERSION=$(jq -r '.version' package.json)
- if [ $PACKAGE_VERSION != "$TARGET_RELEASE_VERSION" ]; then
+ if [ "$PACKAGE_VERSION" != "$TARGET_RELEASE_VERSION" ]; then
 echo "Mismatch version detected between tag version ($TARGET_RELEASE_VERSION) and package version ($PACKAGE_VERSION)"
 exit 1
 fi
 if [ -f "plugin.xml" ]; then
- PLUGIN_VERSION=$(yq -p=xml -o=json '.plugin.+@version' plugin.xml)
- if [ $PLUGIN_VERSION != "$TARGET_RELEASE_VERSION" ]; then
+ PLUGIN_VERSION=$(yq -p=xml -o=json '.plugin.+@version' plugin.xml | jq -r .)
+ if [ "$PLUGIN_VERSION" != "$TARGET_RELEASE_VERSION" ]; then
 echo "Mismatch version detected between tag version ($TARGET_RELEASE_VERSION) and plugin version ($PLUGIN_VERSION)"
 exit 1
 fi
@@ -83,7 +88,7 @@ jobs:
 - name: Generate "tgz" npm convenience package
 run: |-
- npm install
+ npm ci
 NPM_PKG_NAME=$(npm pack --json | jq -r '.[0].filename')
 mv ./.asf-release/$NPM_PKG_NAME ./.asf-release/${NPM_PACKAGE_NAME}.tgz
 env:
@@ -142,7 +147,7 @@ jobs:
 CORDOVA_GPG_SECRET_KEY: ${{ secrets.CORDOVA_GPG_SECRET_KEY }}
 - name: Upload to Apache Trusted Release (ATR)
- uses: apache/tooling-actions/upload-to-atr@b7e972c11790ee16eca101900af1b3c7fd1b106e
+ uses: apache/tooling-actions/upload-to-atr@f5f4c0e7ddfbde6b1f8288cef36324c6def68051
 with:
 project: ${{ env.REPO_NAME }}
 version: ${{ env.TARGET_RELEASE_VERSION }}
diff --git a/.github/workflows/release-audit.yml b/.github/workflows/release-audit.yml
index 52798d4a..d3d7067c 100644
--- a/.github/workflows/release-audit.yml
+++ b/.github/workflows/release-audit.yml
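Review bot: `npm ci` in the tgz packaging step still runs the install-time lifecycle scripts of every dependency, and this appears to be the same job that later receives `CORDOVA_GPG_SECRET_KEY` (visible in the following hunk), so third-party install hooks execute alongside the signing material. If the project's own build does not rely on install hooks, `npm ci --ignore-scripts` narrows what runs in that job; if it does rely on them, a comment saying so would settle the question for the next reviewer. The step's `env:` block and the rest of the job lie outside the hunk.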
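Review bot: The new `upload-to-atr` pin is the only SHA pin in this change without a `# vX.Y.Z` trailing comment, so a reviewer cannot tell which release the hash corresponds to without resolving it by hand. If apache/tooling-actions tags its releases, record the tag as a trailing comment in the same form the checkout and setup-node lines use; if it does not, a short comment stating that the action is pinned to a commit on purpose keeps the style consistent.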
@@ -34,13 +34,16 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 # Checkout project
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ fetch-depth: 1
 # Check license headers (v2.0.0)
 - uses: erisu/apache-rat-action@46fb01ce7d8f76bdcd7ab10e7af46e1ea95ca01c
 # Setup environment with node
- - uses: actions/setup-node@v6
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: 24