MOBILE-121: bump GitHub action versions #58

Merged: sergeysozinov merged 2 commits into develop from feature/MOBILE-121 on Jun 16, 2026

@sergeysozinov (Collaborator) commented Jun 15, 2026

https://tracker.yandex.ru/MOBILE-121

Deprecation fixes

  • Bumped all actions to current: checkout v4→v6.0.3, setup-node v4→v6.4.0,
    github-script v6/v7 (Node 16!)→v9, read-file-action→v1.1.8,
    find-comment v3→v4, create-or-update-comment v4→v5.
  • ::set-output → >> "$GITHUB_OUTPUT"; unpublish node 20 (EOL) → lts/*.

Dependabot

  • Added .github/dependabot.yml

Copilot AI (Contributor) left a comment

Pull request overview

This PR updates the repository’s GitHub Actions setup by pinning/bumping action versions, tightening default workflow permissions, and adding Dependabot automation for GitHub Actions updates. It also includes a couple of repository maintenance changes (lockfile/dependency updates and a bash script hardening).

Changes:

  • Pin/bump GitHub Actions used across workflows (checkout/setup-node/github-script/etc.) and add explicit permissions blocks.
  • Refactor workflow steps to use safer env passing and modern outputs ($GITHUB_OUTPUT) in reusable publish flows.
  • Add .github/dependabot.yml for weekly grouped GitHub Actions updates; update/remove lockfiles (example yarn.lock update; root package-lock.json removed).

Reviewed changes

Copilot reviewed 8 out of 11 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| package-lock.json | Removed root npm lockfile. |
| git-release-branch.sh | Hardened bash script (strict mode, quoting); still updates target-version + changelog. |
| examples/MindboxExpoExample/yarn.lock | Updated example dependency locks (plugin + SDK versions). |
| .github/workflows/unpublish-expo-release.yml | Pinned setup-node and switched to lts/*; added minimal permissions. |
| .github/workflows/release-version-check.yml | Added permissions, pinned actions/checkout, safer env writes. |
| .github/workflows/publish-reusable.yml | Pinned actions, tightened default permissions, updated outputs handling, added job-level permissions where needed. |
| .github/workflows/publish-common-trigger.yml | Tightened permissions and explicitly passed required secret into reusable workflow. |
| .github/workflows/pr-description-validate.yml | Pinned actions and adjusted permissions (but needs fixes for issue_comment compatibility). |
| .github/workflows/manual-prepare_release_branch.yml | Pinned actions, tightened permissions, refactored branch validation and output handling. |
| .github/dependabot.yml | Added Dependabot configuration for GitHub Actions updates. |

Comments suppressed due to low confidence (1)

.github/workflows/pr-description-validate.yml:40

  • On issue_comment events github.event.pull_request.number is not present (the payload has issue.number instead), so this will fail to find/update the comment. Use a fallback to github.event.issue.number.
      uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
      id: fc
      with:
        issue-number: ${{ github.event.pull_request.number }}
        comment-author: 'github-actions[bot]'
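
An added example, not part of this PR or the project's code: a stdlib-only Python check for the three workflow issues this PR cleans up (actions not pinned to a commit SHA, deprecated `::set-output`, no workflow-level `permissions` block). The sample workflow, rule names and `audit_workflow` function are constructed for illustration; only the find-comment SHA is taken from the snippet above.

```python
import re

# Constructed sample workflow (not from the PR): one tag-pinned action,
# one SHA-pinned action, a deprecated ::set-output call, no permissions block.
SAMPLE_WORKFLOW = """\
name: sample
on: pull_request
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
      - run: echo "::set-output name=version::1.2.3"
      - run: echo "version=1.2.3" >> "$GITHUB_OUTPUT"
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERMS_RE = re.compile(r"^permissions:", re.MULTILINE)


def audit_workflow(text):
    """Return a list of (line_no, rule, detail) findings for one workflow file."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # ignore comment-only lines
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            # Local actions (./path) and docker:// images are not git refs.
            if not ref.startswith(("./", "docker://")):
                _, _, version = ref.partition("@")
                if not SHA_RE.match(version):
                    findings.append((no, "unpinned-action", ref))
        if "::set-output" in line:
            findings.append((no, "deprecated-set-output", line.strip()))
    # No workflow-level block: jobs without their own fall back to repo defaults.
    if not PERMS_RE.search(text):
        findings.append((0, "no-top-level-permissions", ""))
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

A line number of 0 marks a file-level finding rather than a specific line.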


Comment thread git-release-branch.sh
Comment thread .github/workflows/pr-description-validate.yml
Comment thread .github/workflows/publish-reusable.yml Outdated
Comment thread .github/dependabot.yml
Comment thread .github/workflows/pr-description-validate.yml
@sergeysozinov merged commit d2c4d0b into develop on Jun 16, 2026
9 checks passed
@sergeysozinov deleted the feature/MOBILE-121 branch June 16, 2026 07:25