diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e47a411..5712ed5 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,6 +6,9 @@ on:
 branches:
 - main

+permissions:
+ contents: read
+
 concurrency:
 group: build-${{ github.ref }}
 cancel-in-progress: true
@@ -19,30 +22,23 @@ jobs:
 target: [web, mobile]

 steps:
- - uses: actions/checkout@v4
-
- - name: Setup Node.js
- uses: actions/setup-node@v4
- with:
- node-version: 24
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

- - name: Setup Bun
- uses: oven-sh/setup-bun@v2
- with:
- bun-version: latest
+ - name: Setup mise
+ uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3.5.1

 - name: Install dependencies
- run: bun install --frozen-lockfile
+ run: mise run install

 - name: Build shared
- run: bun run --cwd packages/shared build
+ run: mise run build:shared

 - name: Build web
 if: matrix.target == 'web'
- run: bun run --cwd apps/web build
+ run: mise run build:web

 - name: Build mobile (Expo export)
 if: matrix.target == 'mobile'
 env:
 EXPO_NO_TELEMETRY: '1'
- run: bun run --cwd apps/mobile build
+ run: mise run build:mobile
diff --git a/.github/workflows/deploy-mobile-eas.yml b/.github/workflows/deploy-mobile-eas.yml
new file mode 100644
index 0000000..2fe75b0
--- /dev/null
+++ b/.github/workflows/deploy-mobile-eas.yml
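Review bot: In `.github/workflows/build.yml` the `Setup mise` step pins the action by commit SHA, but the tools it installs are still floating: the `.mise.toml` hunk header on this page shows `bun = "latest"`, so every run can pick up a new Bun release, just as the removed `bun-version: latest` did. Pin an exact release in `.mise.toml`, for example `bun = "<PINNED_BUN_VERSION>"`, and check that the Node version the removed `node-version: 24` used to fix is declared there too, since this hunk drops it and the diff does not show where it went. The same applies to the `Setup mise` steps in `mobile-eas.yml` and `deploy-mobile-eas.yml`. The `build:shared`, `build:web` and `build:mobile` tasks are not defined in any hunk shown here, so presumably they already exist in `.mise.toml`; worth confirming before merge.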
@@ -0,0 +1,49 @@
+name: Deploy Mobile (EAS Update)
+
+on:
+ push:
+ branches:
+ - main
+ tags:
+ - v*
+
+permissions:
+ contents: read
+
+concurrency:
+ group: deploy-mobile-eas-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ eas_update:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+ - name: Setup mise
+ uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3.5.1
+
+ - name: Install dependencies
+ run: mise run install
+
+ - name: Build shared
+ run: mise run build:shared
+
+ - name: Verify Expo token
+ env:
+ EXPO_TOKEN: ${{ secrets.EXPO_TOKEN }}
+ run: |
+ if [ -z "$EXPO_TOKEN" ]; then
+ echo "Missing EXPO_TOKEN secret. Create an Expo access token and add it to repo secrets." >&2
+ exit 1
+ fi
+
+ - name: Publish update (EAS)
+ working-directory: apps/mobile
+ env:
+ EXPO_TOKEN: ${{ secrets.EXPO_TOKEN }}
+ EXPO_NO_TELEMETRY: '1'
+ run: |
+ bunx eas-cli@latest --version
+ bunx eas-cli@latest update --auto --non-interactive
diff --git a/.github/workflows/web-ghcr.yml b/.github/workflows/deploy-web-ghcr.yml
similarity index 68%
rename from .github/workflows/web-ghcr.yml
rename to .github/workflows/deploy-web-ghcr.yml
index f69330c..1c66ca3 100644
--- a/.github/workflows/web-ghcr.yml
+++ b/.github/workflows/deploy-web-ghcr.yml
@@ -1,4 +1,4 @@
-name: Publish Web Image (GHCR)
+name: Deploy Web Image (GHCR)

 on:
 push:
@@ -20,13 +20,13 @@ jobs:
 runs-on: ubuntu-latest

 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3

 - name: Log in to GHCR
- uses: docker/login-action@v3
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
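Review bot: The `Publish update (EAS)` step in the new `deploy-mobile-eas.yml` runs `bunx eas-cli@latest` with `EXPO_TOKEN` in its environment, so whatever version the registry serves at run time executes with publish rights to the Expo project; it is the one unpinned dependency left in a workflow whose actions are all SHA-pinned. Pin an exact release, `bunx eas-cli@<PINNED_VERSION> update --auto --non-interactive`, or add `eas-cli` as a dev dependency so the frozen lockfile governs it. The unchanged `Run EAS` step in `mobile-eas.yml` has the same `eas-cli@latest` call. Separately, `cancel-in-progress: true` on a publish job can abort an update part-way when a second push lands; consider `cancel-in-progress: false` here so a running publish finishes first.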
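Review bot: The pin comments in `deploy-web-ghcr.yml` record only the major tag (`# v4`, `# v3`), so a reader cannot tell which release a SHA corresponds to, or confirm that it is a tagged release at all; the `jdx/mise-action` pin elsewhere in this commit already uses the full form `# v3.5.1`. Write the exact release in each comment, e.g. `uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v<X.Y.Z>`, which also lets Dependabot or Renovate keep SHA and comment in step. This applies to the `actions/checkout` pins in every workflow touched here, the two later `docker/*` pins in this file, and `release-please-action` in `release.yml`.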
@@ -34,7 +34,7 @@ jobs:

 - name: Extract image metadata
 id: meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
 with:
 images: ghcr.io/${{ github.repository }}/web
 tags: |
@@ -43,7 +43,7 @@ jobs:
 type=ref,event=tag

 - name: Build and push
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
 with:
 context: .
 file: apps/web/Dockerfile
diff --git a/.github/workflows/mobile-eas.yml b/.github/workflows/mobile-eas.yml
index 2ac0053..6c02fac 100644
--- a/.github/workflows/mobile-eas.yml
+++ b/.github/workflows/mobile-eas.yml
@@ -31,29 +31,25 @@ on:
 - production
 - preview

+permissions:
+ contents: read
+
 jobs:
 eas:
 runs-on: ubuntu-latest

 steps:
- - uses: actions/checkout@v4
-
- - name: Setup Node.js
- uses: actions/setup-node@v4
- with:
- node-version: 24
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

- - name: Setup Bun
- uses: oven-sh/setup-bun@v2
- with:
- bun-version: latest
+ - name: Setup mise
+ uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3.5.1

 - name: Install dependencies
- run: bun install --frozen-lockfile
+ run: mise run install

 - name: Verify Expo token
 env:
- EXPO_TOKEN: ${{ secrets['EXPO_TOKEN'] }}
+ EXPO_TOKEN: ${{ secrets.EXPO_TOKEN }}
 run: |
 if [ -z "$EXPO_TOKEN" ]; then
 echo "Missing EXPO_TOKEN secret. Create an Expo access token and add it to repo secrets." >&2
@@ -63,7 +59,7 @@ jobs:
 - name: Run EAS
 working-directory: apps/mobile
 env:
- EXPO_TOKEN: ${{ secrets['EXPO_TOKEN'] }}
+ EXPO_TOKEN: ${{ secrets.EXPO_TOKEN }}
 EXPO_NO_TELEMETRY: '1'
 run: |
 bunx eas-cli@latest --version
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 040a74a..c5c7475 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,7 +13,7 @@ jobs:
 draft:
 runs-on: ubuntu-latest
 steps:
- - uses: googleapis/release-please-action@v4
+ - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 release-type: node
diff --git a/.mise.toml b/.mise.toml
index 25c6b79..9d53e5f 100644
--- a/.mise.toml
+++ b/.mise.toml
@@ -6,7 +6,7 @@ bun = "latest"
 NODE_ENV = "development"

 [tasks.install]
-run = "bun install"
+run = "bun install --frozen-lockfile"
 description = "Install dependencies"

 [tasks.lint]
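Review bot: `release.yml` passes `secrets.GITHUB_TOKEN` to release-please, but this commit adds a `permissions:` block only to `build.yml`, `mobile-eas.yml` and the new deploy workflow, and the hunk does not show lines 1–12 of this file. If no block exists there, the job runs with the repository's default token scope; declare what the job needs explicitly, presumably `contents: write` and `pull-requests: write` for release-please, to be confirmed against the action's documentation. `deploy-web-ghcr.yml` is in the same position, since its hunks do not show lines 5–19; check that it limits the token to `contents: read` plus `packages: write`.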