From 1e484835ba5a23501df53b67bfbabfbab0c5e21c Mon Sep 17 00:00:00 2001
From: Atakan Bayrak
Date: Thu, 11 Jun 2026 12:01:12 +0300
Subject: [PATCH 1/2] security updates are created
---
 .github/actions/setup-node-deps/action.yml | 2 +-
 .github/workflows/build-storybook.yml | 33 ++++++++++++++++++++++
 .github/workflows/chromatic-ui.yml | 24 ++++++++--------
 3 files changed, 45 insertions(+), 14 deletions(-)
 create mode 100644 .github/workflows/build-storybook.yml
diff --git a/.github/actions/setup-node-deps/action.yml b/.github/actions/setup-node-deps/action.yml
index ebda907..b50d7fd 100644
--- a/.github/actions/setup-node-deps/action.yml
+++ b/.github/actions/setup-node-deps/action.yml
@@ -9,5 +9,5 @@ runs:
 node-version: 24.11.0
 cache: 'npm'
 - name: Install deps
- run: npm ci
+ run: npm ci --ignore-scripts
 shell: bash
\ No newline at end of file
diff --git a/.github/workflows/build-storybook.yml b/.github/workflows/build-storybook.yml
new file mode 100644
index 0000000..46a0602
--- /dev/null
+++ b/.github/workflows/build-storybook.yml
@@ -0,0 +1,33 @@
+name: Build Storybook
+
+on:
+ pull_request:
+ types: [opened, synchronize, reopened]
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ name: Build
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4 # v4
+ with:
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ ref: ${{ github.event.pull_request.head.ref }}
+ fetch-depth: 0
+ persist-credentials: 'false'
+
+ - uses: ./.github/actions/setup-node-deps
+
+ - name: Build Storybook
+ run: npm run build:storybook
+
+ - name: Upload Storybook artifact
+ uses: actions/upload-artifact@v4 # v4
+ with:
+ name: storybook-static
+ path: storybook-static/
+ retention-days: 1
diff --git a/.github/workflows/chromatic-ui.yml b/.github/workflows/chromatic-ui.yml
index fe15672..e7cddeb 100644
--- a/.github/workflows/chromatic-ui.yml
+++ b/.github/workflows/chromatic-ui.yml
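Review bot: The new `--ignore-scripts` on the `npm ci` line of setup-node-deps/action.yml suppresses only install-time lifecycle hooks (preinstall/postinstall and friends), and the composite action does not record the two consequences a caller needs to know: a dependency that relies on a postinstall hook to build or fetch its binary will be incomplete after this step, and any later `npm run` in the calling workflow still executes whatever scripts the checked-out package.json defines. I'd add above the step: `# --ignore-scripts skips install lifecycle hooks only; later "npm run" steps still execute repo-defined scripts`. The enclosing `runs:` block starts outside the hunk.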
@@ -1,8 +1,9 @@
 name: UI
 on:
- pull_request_target:
- types: [opened, synchronize, reopened]
+ workflow_run:
+ workflows: ["Build Storybook"]
+ types: [completed]
 permissions:
 contents: read
@@ -11,26 +12,23 @@ permissions:
 jobs:
 chromatic:
 name: Chromatic
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
 runs-on: ubuntu-latest
- environment: development
 continue-on-error: true
 steps:
- - name: Checkout
- uses: actions/checkout@v4
+ - name: Download Storybook artifact
+ uses: actions/download-artifact@v4 # v4
 with:
- repository: ${{ github.event.pull_request.head.repo.full_name }}
- ref: ${{ github.event.pull_request.head.ref }}
- fetch-depth: 0
- persist-credentials: 'false'
-
- - uses: ./.github/actions/setup-node-deps
+ name: storybook-static
+ path: storybook-static/
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ run-id: ${{ github.event.workflow_run.id }}
 - name: Run Chromatic
 uses: chromaui/action@latest
 with:
 projectToken: ${{ secrets.CHROMATIC_PROJECT_TOKEN }}
- onlyChanged: true
- buildScriptName: 'build:storybook'
+ storybookBuildDir: storybook-static
 zip: true
 skip: "dependabot/**"
 autoAcceptChanges: "main"
\ No newline at end of file
From 653b554401aa8638d45f7fe3632bbb43da61bee7 Mon Sep 17 00:00:00 2001
From: Atakan Bayrak
Date: Wed, 24 Jun 2026 11:22:04 +0300
Subject: [PATCH 2/2] hash version fix and vuln fixes
---
 .github/actions/check-core-team/action.yml | 6 ++--
 .github/actions/setup-node-deps/action.yml | 2 +-
 .github/workflows/auto-assign.yml | 4 +--
 .github/workflows/auto-label.yml | 4 +--
 .github/workflows/build-storybook.yml | 4 +--
 .github/workflows/chromatic-ui.yml | 34 ++++++++++++++--------
 .github/workflows/code-validator.yml | 2 +-
 .github/workflows/pr-validator.yml | 8 ++---
 .github/workflows/publish.yml | 6 ++--
 .github/workflows/release-drafter.yml | 2 +-
 .github/workflows/workflow-protection.yml | 2 +-
 11 files changed, 43 insertions(+), 31 deletions(-)
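Review bot: The Chromatic step in the second hunk receives only the downloaded `storybook-static` directory and nothing that identifies the pull request it came from; under `workflow_run` the job's `github.sha` and `github.ref` point at the default branch, not the PR head. Presumably the build is then attributed to the default branch rather than the PR — confirm against the Chromatic action's documentation, and if so carry the PR head over, e.g. from `github.event.workflow_run.head_sha` / `head_branch`, either as action inputs or alongside the artifact. The trust boundary itself is drawn correctly here: the fork-built artifact is uploaded to Chromatic but never executed in this privileged job.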
diff --git a/.github/actions/check-core-team/action.yml b/.github/actions/check-core-team/action.yml
index 7f8b53c..96023ec 100644
--- a/.github/actions/check-core-team/action.yml
+++ b/.github/actions/check-core-team/action.yml
@@ -16,10 +16,12 @@ runs:
 steps:
 - name: Check membership
 id: check
- uses: actions/github-script@v7
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
+ env:
+ PR_AUTHOR: ${{ inputs.pr-author }}
 with:
 script: |
- const author = '${{ inputs.pr-author }}';
+ const author = process.env.PR_AUTHOR;
 try {
 const { data } = await github.rest.repos.getCollaboratorPermissionLevel({
 owner: context.repo.owner,
diff --git a/.github/actions/setup-node-deps/action.yml b/.github/actions/setup-node-deps/action.yml
index b50d7fd..3f62a77 100644
--- a/.github/actions/setup-node-deps/action.yml
+++ b/.github/actions/setup-node-deps/action.yml
@@ -4,7 +4,7 @@ runs:
 using: "composite"
 steps:
 - name: Setup Node & Cache
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: 24.11.0
 cache: 'npm'
diff --git a/.github/workflows/auto-assign.yml b/.github/workflows/auto-assign.yml
index 525dbcd..0e70799 100644
--- a/.github/workflows/auto-assign.yml
+++ b/.github/workflows/auto-assign.yml
@@ -12,7 +12,7 @@ jobs:
 assign-and-review:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 persist-credentials: 'false'
@@ -24,4 +24,4 @@ jobs:
 - name: Assign PR to author
 if: steps.check_team.outputs.is-internal == 'true'
- uses: toshimaru/auto-author-assign@v3.0.1
\ No newline at end of file
+ uses: toshimaru/auto-author-assign@4d585cc37690897bd9015942ed6e766aa7cdb97f # v3.0.1
\ No newline at end of file
diff --git a/.github/workflows/auto-label.yml b/.github/workflows/auto-label.yml
index cabf23a..1464ae3 100644
--- a/.github/workflows/auto-label.yml
+++ b/.github/workflows/auto-label.yml
@@ -15,7 +15,7 @@ jobs:
 auto_label:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 persist-credentials: 'false'
@@ -26,7 +26,7 @@ jobs:
 pr-author: ${{ github.event.pull_request.user.login || github.event.issue.user.login }}
 - name: Apply triage label
- uses: actions/github-script@v7
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 env:
 IS_INTERNAL: ${{ steps.check_team.outputs.is-internal }}
 with:
diff --git a/.github/workflows/build-storybook.yml b/.github/workflows/build-storybook.yml
index 46a0602..8f138b4 100644
--- a/.github/workflows/build-storybook.yml
+++ b/.github/workflows/build-storybook.yml
@@ -13,7 +13,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v4 # v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 repository: ${{ github.event.pull_request.head.repo.full_name }}
 ref: ${{ github.event.pull_request.head.ref }}
@@ -26,7 +26,7 @@ jobs:
 run: npm run build:storybook
 - name: Upload Storybook artifact
- uses: actions/upload-artifact@v4 # v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: storybook-static
 path: storybook-static/
diff --git a/.github/workflows/chromatic-ui.yml b/.github/workflows/chromatic-ui.yml
index e7cddeb..62a80c8 100644
--- a/.github/workflows/chromatic-ui.yml
+++ b/.github/workflows/chromatic-ui.yml
@@ -1,9 +1,8 @@
 name: UI
 on:
- workflow_run:
- workflows: ["Build Storybook"]
- types: [completed]
+ pull_request_target:
+ types: [opened, synchronize, reopened]
 permissions:
 contents: read
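Review bot: Switching chromatic-ui.yml back to `pull_request_target` in this hunk, together with the steps added in the next hunk (checkout of `github.event.pull_request.head.repo.full_name` at `github.event.pull_request.head.ref`, then `buildScriptName: 'build:storybook'`), runs a fork's package.json scripts and Storybook configuration in a job that holds `secrets.CHROMATIC_PROJECT_TOKEN` and the `development` environment; `npm ci --ignore-scripts` covers install hooks only, not `npm run build:storybook`. This is the exposure patch 1/2 removed by building in an unprivileged `pull_request` workflow and consuming the artifact via `workflow_run`, so this commit reintroduces it despite its "vuln fixes" subject. Keep the two-workflow split (or trigger on `pull_request` and accept that fork PRs get no Chromatic run); if `pull_request_target` must stay, no step may execute code from the head ref. `persist-credentials: 'false'` and `continue-on-error: true` do not reduce this.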
@@ -12,23 +11,34 @@ permissions:
 jobs:
 chromatic:
 name: Chromatic
- if: ${{ github.event.workflow_run.conclusion == 'success' }}
 runs-on: ubuntu-latest
+ environment: development
 continue-on-error: true
 steps:
- - name: Download Storybook artifact
- uses: actions/download-artifact@v4 # v4
+ - name: Checkout
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
- name: storybook-static
- path: storybook-static/
- github-token: ${{ secrets.GITHUB_TOKEN }}
- run-id: ${{ github.event.workflow_run.id }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ ref: ${{ github.event.pull_request.head.ref }}
+ fetch-depth: 0
+ persist-credentials: 'false'
+
+ - name: Setup Node & Cache
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+ with:
+ node-version: 24.11.0
+ cache: 'npm'
+
+ - name: Install deps
+ run: npm ci --ignore-scripts
+ shell: bash
 - name: Run Chromatic
- uses: chromaui/action@latest
+ uses: chromaui/action@7804f34e4e59c0d9b3c856848f46ad96d7897429 # v17.5.0
 with:
 projectToken: ${{ secrets.CHROMATIC_PROJECT_TOKEN }}
- storybookBuildDir: storybook-static
+ onlyChanged: true
+ buildScriptName: 'build:storybook'
 zip: true
 skip: "dependabot/**"
 autoAcceptChanges: "main"
\ No newline at end of file
diff --git a/.github/workflows/code-validator.yml b/.github/workflows/code-validator.yml
index 9471df8..603d81b 100644
--- a/.github/workflows/code-validator.yml
+++ b/.github/workflows/code-validator.yml
@@ -13,7 +13,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 repository: ${{ github.event.pull_request.head.repo.full_name }}
 ref: ${{ github.event.pull_request.head.ref }}
diff --git a/.github/workflows/pr-validator.yml b/.github/workflows/pr-validator.yml
index b5f45fc..f972dae 100644
--- a/.github/workflows/pr-validator.yml
+++ b/.github/workflows/pr-validator.yml
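Review bot: The three steps added in the chromatic-ui.yml hunk ("Setup Node & Cache", its `with:` block, and "Install deps") duplicate `.github/actions/setup-node-deps/action.yml` line for line, including the setup-node pin and `npm ci --ignore-scripts`, while build-storybook.yml keeps calling the composite action. If the inlining is deliberate because a `./.github/actions/...` reference would be resolved from the checked-out head repository, record that above the first step, e.g. `# inlined on purpose: a local action reference would load from the checked-out PR head`, so the two copies are not "fixed" back into one; otherwise reuse the action so the pin and flags cannot drift.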
@@ -17,7 +17,7 @@ jobs:
 name: PR Compliance Check
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 repository: ${{ github.event.pull_request.head.repo.full_name }}
 ref: ${{ github.event.pull_request.head.ref }}
@@ -33,7 +33,7 @@ jobs:
 # 2. LINT PR TITLE
 - name: Validate PR title
- uses: amannn/action-semantic-pull-request@v5
+ uses: amannn/action-semantic-pull-request@e32d7e603df1aa1ba07e981f2a23455dee596825 # v5
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
@@ -53,7 +53,7 @@ jobs:
 # 3. SYNC RELEASE LABELS
 - name: Sync release labels
- uses: actions/github-script@v7
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 with:
 script: |
 const title = context.payload.pull_request.title;
@@ -93,7 +93,7 @@ jobs:
 # 4. CHECK INTERNAL ISSUE REFERENCE
 - name: Check internal issue reference
 if: steps.team-check.outputs.is-internal == 'true'
- uses: actions/github-script@v7
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 with:
 script: |
 const prBody = context.payload.pull_request.body || '';
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 997d11f..f752b25 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -16,12 +16,12 @@ jobs:
 steps:
 - name: Generate bot app token
 id: generate_token
- uses: actions/create-github-app-token@v1
+ uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1
 with:
 app-id: ${{ secrets.RELEASER_ID }}
 private-key: ${{ secrets.RELEASER_PRIVATE_KEY }}
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: main
 token: ${{ steps.generate_token.outputs.token }}
@@ -96,7 +96,7 @@ jobs:
 run: npm publish --provenance --access public
 - name: Deploy Storybook
- uses: cloudflare/wrangler-action@v3.14.1
+ uses: cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3.14.1
 with:
 apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
 accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 1ccefb9..c9ced77 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -16,6 +16,6 @@ jobs:
 name: Update Draft Release
 runs-on: ubuntu-latest
 steps:
- - uses: release-drafter/release-drafter@v6
+ - uses: release-drafter/release-drafter@6a93d829887aa2e0748befe2e808c66c0ec6e4c7 # v6
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/.github/workflows/workflow-protection.yml b/.github/workflows/workflow-protection.yml
index e22aa2f..a79ea8e 100644
--- a/.github/workflows/workflow-protection.yml
+++ b/.github/workflows/workflow-protection.yml
@@ -19,7 +19,7 @@ jobs:
 steps:
 - name: Check for unauthorized .github/ changes
- uses: actions/github-script@v7
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 with:
 script: |
 let page = 1;