MOBILE-121: bump GitHub action versions #58
Merged
Conversation
Contributor
Pull request overview
This PR updates the repository’s GitHub Actions setup by pinning/bumping action versions, tightening default workflow permissions, and adding Dependabot automation for GitHub Actions updates. It also includes a couple of repository maintenance changes (lockfile/dependency updates and a bash script hardening).
Changes:
- Pin/bump GitHub Actions used across workflows (checkout/setup-node/github-script/etc.) and add explicit `permissions` blocks.
- Refactor workflow steps to use safer env passing and modern outputs (`$GITHUB_OUTPUT`) in reusable publish flows.
- Add `.github/dependabot.yml` for weekly grouped GitHub Actions updates; update/remove lockfiles (example `yarn.lock` update; root `package-lock.json` removed).
Reviewed changes
Copilot reviewed 8 out of 11 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| package-lock.json | Removed root npm lockfile. |
| git-release-branch.sh | Hardened bash script (strict mode, quoting); still updates target-version + changelog. |
| examples/MindboxExpoExample/yarn.lock | Updated example dependency locks (plugin + SDK versions). |
| .github/workflows/unpublish-expo-release.yml | Pinned setup-node and switched to lts/*; added minimal permissions. |
| .github/workflows/release-version-check.yml | Added permissions, pinned actions/checkout, safer env writes. |
| .github/workflows/publish-reusable.yml | Pinned actions, tightened default permissions, updated outputs handling, added job-level permissions where needed. |
| .github/workflows/publish-common-trigger.yml | Tightened permissions and explicitly passed required secret into reusable workflow. |
| .github/workflows/pr-description-validate.yml | Pinned actions and adjusted permissions (but needs fixes for issue_comment compatibility). |
| .github/workflows/manual-prepare_release_branch.yml | Pinned actions, tightened permissions, refactored branch validation and output handling. |
| .github/dependabot.yml | Added Dependabot configuration for GitHub Actions updates. |
Comments suppressed due to low confidence (1)
.github/workflows/pr-description-validate.yml:40
- On `issue_comment` events `github.event.pull_request.number` is not present (the payload has `issue.number` instead), so this will fail to find/update the comment. Use a fallback to `github.event.issue.number`.

```yaml
uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
id: fc
with:
  issue-number: ${{ github.event.pull_request.number }}
  comment-author: 'github-actions[bot]'
```
https://tracker.yandex.ru/MOBILE-121
Deprecation fixes
- `checkout` v4 → v6.0.3, `setup-node` v4 → v6.4.0, `github-script` v6/v7 (Node 16!) → v9, `read-file-action` → v1.1.8, `find-comment` v3 → v4, `create-or-update-comment` v4 → v5.
- `::set-output` → `>> "$GITHUB_OUTPUT"`; `unpublish` node 20 (EOL) → `lts/*`.

Dependabot

`.github/dependabot.yml`
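The two run-step changes this PR makes (the "safer env passing" noted in the review overview, and the `::set-output` → `$GITHUB_OUTPUT` switch in the description) modelled in plain POSIX shell, as an added example that is not code from the PR or from the Mindbox repository. The function names, the constructed comment body `MALICIOUS_BODY`, and the temp file standing in for the runner's `$GITHUB_OUTPUT` are all assumptions of this example; `render_inline` is deliberately unsafe because it reproduces what the runner does when `${{ }}` is spliced straight into a `run:` script.

```shell
#!/bin/sh
# Added example, not code from the PR or the Mindbox repository. It shows, in
# plain shell, the two run-step patterns the PR moves to: emitting step outputs
# via $GITHUB_OUTPUT instead of ::set-output, and passing untrusted event data
# through env: rather than splicing it into the script with ${{ }}.
set -eu

NL="$(printf '\nx')"; NL="${NL%x}"   # a literal newline, for multi-line checks

# Old pattern, as the runner sees it: the ${{ }} expression is expanded into
# the script text *before* the shell runs, so a comment body becomes code.
# Deliberately unsafe; it models `run: echo "${{ github.event.comment.body }}"`.
render_inline() {
  script="echo \"Comment: $1\""
  sh -c "$script"
}

# Safer pattern the PR adopts: the value reaches the shell only as an
# environment variable, so it is printed verbatim and never evaluated.
# Models `env: { COMMENT_BODY: ${{ github.event.comment.body }} }`.
render_via_env() {
  COMMENT_BODY="$1" sh -c 'echo "Comment: $COMMENT_BODY"'
}

# Replacement for `echo "::set-output name=foo::bar"`: append name=value lines
# to the file named by $GITHUB_OUTPUT. Multi-line values use the heredoc form
# with a random delimiter, so a value containing "other=..." or "EOF" cannot
# smuggle in a second output.
write_output() {
  name="$1"; value="$2"
  case "$value" in
    *"$NL"*)
      delim="ghadelim_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
      printf '%s<<%s\n%s\n%s\n' "$name" "$delim" "$value" "$delim" >> "$GITHUB_OUTPUT"
      ;;
    *)
      printf '%s=%s\n' "$name" "$value" >> "$GITHUB_OUTPUT"
      ;;
  esac
}

# Reads a single-line output back (demonstration only; on a real runner the
# next step sees it as steps.<id>.outputs.<name>).
read_output() {
  grep -m1 "^$1=" "$GITHUB_OUTPUT" | cut -d= -f2-
}

# Stand-in for the runner-provided output file (assumption of this example).
: "${GITHUB_OUTPUT:=$(mktemp)}"
export GITHUB_OUTPUT

# Constructed sample input: an issue comment body that tries command substitution.
MALICIOUS_BODY='hello $(echo pwned)'

render_inline "$MALICIOUS_BODY"    # prints: Comment: hello pwned   (injected)
render_via_env "$MALICIOUS_BODY"   # prints: Comment: hello $(echo pwned)
write_output version 1.2.3
write_output notes "line one${NL}line two"
cat "$GITHUB_OUTPUT"
```

The difference between the two `render_*` functions is the whole reason the PR moves event data into `env:`: in `render_inline` the shell never sees `$(echo pwned)` as data, it sees it as part of the program text, which is exactly the position a PR title or comment body is in when interpolated with `${{ }}` inside `run:`. The heredoc branch of `write_output` matters for the same reason in the other direction: an output value that contains a newline would otherwise be able to define additional outputs for the next step to trust.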