StepSecurity Bot
d53693fb58
Fix GitHub Actions not pinned by hash ( #178917 )
...
Use explicit pinned dependencies per:
- [The Open Source Security Foundation (OpenSSF) Security
Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies )
This pull request is created by
[StepSecurity](https://app.stepsecurity.io/securerepo ) at the request of
@guidezpl. Please merge the Pull Request to incorporate the requested
changes.
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Co-authored-by: Pierre-Louis <plg@google.com>
Co-authored-by: Zachary Anderson <zanderso@users.noreply.github.com>
2025-11-28 18:44:11 +00:00
dependabot[bot]
4114d7411e
Bump actions/checkout from 5 to 6 in the all-github-actions group ( #179049 )
...
Bumps the all-github-actions group with 1 update:
[actions/checkout](https://github.com/actions/checkout ).
Updates `actions/checkout` from 5 to 6
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/checkout/releases ">actions/checkout's
releases</a>.</em></p>
<blockquote>
<h2>v6.0.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Update README to include Node.js 24 support details and requirements
by <a href="https://github.com/salmanmkc "><code>@salmanmkc</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/2248 ">actions/checkout#2248</a></li>
<li>Persist creds to a separate file by <a
href="https://github.com/ericsciple "><code>@ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2286 ">actions/checkout#2286</a></li>
<li>v6-beta by <a
href="https://github.com/ericsciple "><code>@ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2298 ">actions/checkout#2298</a></li>
<li>update readme/changelog for v6 by <a
href="https://github.com/ericsciple "><code>@ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2311 ">actions/checkout#2311</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v5.0.0...v6.0.0 ">https://github.com/actions/checkout/compare/v5.0.0...v6.0.0 </a></p>
<h2>v6-beta</h2>
<h2>What's Changed</h2>
<p>Updated persist-credentials to store the credentials under
<code>$RUNNER_TEMP</code> instead of directly in the local git
config.</p>
<p>This requires a minimum Actions Runner version of <a
href="https://github.com/actions/runner/releases/tag/v2.329.0 ">v2.329.0</a>
to access the persisted credentials for <a
href="https://docs.github.com/en/actions/tutorials/use-containerized-services/create-a-docker-container-action ">Docker
container action</a> scenarios.</p>
<h2>v5.0.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Port v6 cleanup to v5 by <a
href="https://github.com/ericsciple "><code>@ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2301 ">actions/checkout#2301</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v5...v5.0.1 ">https://github.com/actions/checkout/compare/v5...v5.0.1 </a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="1af3b93b68https://redirect.github.com/actions/checkout/issues/2311 ">#2311</a>)</li>
<li><a
href="71cf2267d8https://redirect.github.com/actions/checkout/issues/2298 ">#2298</a>)</li>
<li><a
href="069c695914https://redirect.github.com/actions/checkout/issues/2286 ">#2286</a>)</li>
<li><a
href="ff7abcd0c3https://redirect.github.com/actions/checkout/issues/2248 ">#2248</a>)</li>
<li>See full diff in <a
href="https://github.com/actions/checkout/compare/v5...v6 ">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores )
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-11-24 21:28:58 +00:00
dependabot[bot]
20dd20932d
Bump actions/checkout from 4 to 5 in the all-github-actions group ( #173606 )
...
Bumps the all-github-actions group with 1 update:
[actions/checkout](https://github.com/actions/checkout ).
Updates `actions/checkout` from 4 to 5
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/checkout/releases ">actions/checkout's
releases</a>.</em></p>
<blockquote>
<h2>v5.0.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Update actions checkout to use node 24 by <a
href="https://github.com/salmanmkc "><code>@salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2226 ">actions/checkout#2226</a></li>
<li>Prepare v5.0.0 release by <a
href="https://github.com/salmanmkc "><code>@salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2238 ">actions/checkout#2238</a></li>
</ul>
<h2>⚠️ Minimum Compatible Runner Version</h2>
<p><strong>v2.327.1</strong><br />
<a
href="https://github.com/actions/runner/releases/tag/v2.327.1 ">Release
Notes</a></p>
<p>Make sure your runner is updated to this version or newer to use this
release.</p>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v4...v5.0.0 ">https://github.com/actions/checkout/compare/v4...v5.0.0 </a></p>
<h2>v4.3.0</h2>
<h2>What's Changed</h2>
<ul>
<li>docs: update README.md by <a
href="https://github.com/motss "><code>@motss</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1971 ">actions/checkout#1971</a></li>
<li>Add internal repos for checking out multiple repositories by <a
href="https://github.com/mouismail "><code>@mouismail</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1977 ">actions/checkout#1977</a></li>
<li>Documentation update - add recommended permissions to Readme by <a
href="https://github.com/benwells "><code>@benwells</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2043 ">actions/checkout#2043</a></li>
<li>Adjust positioning of user email note and permissions heading by <a
href="https://github.com/joshmgross "><code>@joshmgross</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2044 ">actions/checkout#2044</a></li>
<li>Update README.md by <a
href="https://github.com/nebuk89 "><code>@nebuk89</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2194 ">actions/checkout#2194</a></li>
<li>Update CODEOWNERS for actions by <a
href="https://github.com/TingluoHuang "><code>@TingluoHuang</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/2224 ">actions/checkout#2224</a></li>
<li>Update package dependencies by <a
href="https://github.com/salmanmkc "><code>@salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2236 ">actions/checkout#2236</a></li>
<li>Prepare release v4.3.0 by <a
href="https://github.com/salmanmkc "><code>@salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2237 ">actions/checkout#2237</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/motss "><code>@motss</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/checkout/pull/1971 ">actions/checkout#1971</a></li>
<li><a href="https://github.com/mouismail "><code>@mouismail</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/checkout/pull/1977 ">actions/checkout#1977</a></li>
<li><a href="https://github.com/benwells "><code>@benwells</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/checkout/pull/2043 ">actions/checkout#2043</a></li>
<li><a href="https://github.com/nebuk89 "><code>@nebuk89</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/checkout/pull/2194 ">actions/checkout#2194</a></li>
<li><a href="https://github.com/salmanmkc "><code>@salmanmkc</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/checkout/pull/2236 ">actions/checkout#2236</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v4...v4.3.0 ">https://github.com/actions/checkout/compare/v4...v4.3.0 </a></p>
<h2>v4.2.2</h2>
<h2>What's Changed</h2>
<ul>
<li><code>url-helper.ts</code> now leverages well-known environment
variables by <a href="https://github.com/jww3 "><code>@jww3</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/1941 ">actions/checkout#1941</a></li>
<li>Expand unit test coverage for <code>isGhes</code> by <a
href="https://github.com/jww3 "><code>@jww3</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1946 ">actions/checkout#1946</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v4.2.1...v4.2.2 ">https://github.com/actions/checkout/compare/v4.2.1...v4.2.2 </a></p>
<h2>v4.2.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Check out other refs/* by commit if provided, fall back to ref by <a
href="https://github.com/orhantoy "><code>@orhantoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1924 ">actions/checkout#1924</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/Jcambass "><code>@Jcambass</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/checkout/pull/1919 ">actions/checkout#1919</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v4.2.0...v4.2.1 ">https://github.com/actions/checkout/compare/v4.2.0...v4.2.1 </a></p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="08c6903cd8https://redirect.github.com/actions/checkout/issues/2238 ">#2238</a>)</li>
<li><a
href="9f265659d3https://redirect.github.com/actions/checkout/issues/2226 ">#2226</a>)</li>
<li>See full diff in <a
href="https://github.com/actions/checkout/compare/v4...v5 ">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores )
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-08-12 07:46:07 +00:00
John "codefu" McDole
bcae39bdf8
chore: move experimental setup steps to composite action ( #170496 )
...
tool-test-general.yml had a lot of gnarly, but sharable code. Moving to
a shared, composite workflow.
updates:
- removed the "flutter/" working folder while running; keep the code in
the workspace
- moved android and pub-cache to /opt/
- switched to `flutter pub get` as the last step
- caching still works; but I think we could do better.
2025-06-12 23:35:57 +00:00
Zachary Anderson
14472b4aed
Reland workflow cache ( #170111 )
...
Put the Android SDK and pub cache under the workflow's workspace
directory instead of the worker's `$HOME` directory. In order to avoid
the pub cache and Android SDK being nested inside of the Flutter
checkout, this change also moves the Flutter checkout to a subdirectory
of the workspace directory called `flutter`.
---------
Co-authored-by: John "codefu" McDole <codefu@google.com>
2025-06-06 22:57:26 +00:00
auto-submit[bot]
09405e87d8
Reverts "Add caching to the tool test workflow ( #169858 )" ( #170100 )
...
<!-- start_original_pr_link -->
Reverts: flutter/flutter#169858
<!-- end_original_pr_link -->
<!-- start_initiating_author -->
Initiated by: jtmcdole
<!-- end_initiating_author -->
<!-- start_revert_reason -->
Reason for reverting: https://github.com/flutter/flutter/issues/170099
Apparently the cache isn't restored correctly?
<!-- end_revert_reason -->
<!-- start_original_pr_author -->
Original PR Author: zanderso
<!-- end_original_pr_author -->
<!-- start_reviewers -->
Reviewed By: {jtmcdole}
<!-- end_reviewers -->
<!-- start_revert_body -->
This change reverts the following previous change:
No description provided.
<!-- end_revert_body -->
Co-authored-by: auto-submit[bot] <flutter-engprod-team@google.com>
2025-06-05 23:40:26 +00:00
Zachary Anderson
317be1f681
Add caching to the tool test workflow ( #169858 )
...
Co-authored-by: John "codefu" McDole <codefu@google.com>
2025-06-05 22:03:56 +00:00
John "codefu" McDole
19460811e2
feat: experimental tool tests workflow (attempt 2) ( #169768 )
...
- remote repo: set upstream and get tags (flutter tool reqs)
- pull request to flutter: checkout the PR, not the merge commit
- local runs: update utils.dart to safely call terminal width
Now `act -W .github/workflows/tool-test-general.yml` works locally on
the command line.
Future improvements:
- Offer another way to set the "version" rather than tags; this causes a
longer checkout time.
- Multi-proc the tests and use as many cores as possible?
- Solve for packages downloading?
3.5 minutes isn't terrible.
2025-05-30 21:39:02 +00:00
Jason Simmons
d8baa77b38
Revert "fix: update experiment to use different setup ( #169728 )" and "feat: experimental workflow for Linux tool-tests-general ( #169706 )" ( #169770 )
...
The Linux_tool-tests-general check is causing errors on PRs such as
Dart->engine rolls (example:
https://github.com/flutter/flutter/pull/169763 )
2025-05-30 18:10:53 +00:00
John "codefu" McDole
351718d10b
fix: update experiment to use different setup ( #169728 )
...
Use android-actions/setup-android even if its more verbose.
2025-05-30 03:08:34 +00:00
John "codefu" McDole
033b32123f
feat: experimental workflow for Linux tool-tests-general ( #169706 )
...
Demonstrates running Linux tool-tests-general running on workflows.
Can be run locally using ACT: `gh act --workflows
".github/workflows/tool-test-general.yml" --secret-file "" --var-file ""
--input-file "" --eventpath ""` - except this works only in VSCode since
tty isn't attached.
2025-05-30 00:16:48 +00:00
