Pull changes from bloq/actions #22

gabmontes · 2025-04-30T01:05:55Z

Pull all the changes from https://github.com/bloq/actions/tree/7a00bde576f8383a7afabf48dc6153bd7a7daab7 to improve the workflows and actions here.

LICENSE

README.md

publish-to-npm/action.yml

.github/workflows/docker-checks.yml

setup-node-env/action.yml

.github/workflows/npm-publish.yml

That action does not exist in tag v1. Fixing the ref here allows using this action in the meantime.

joshuasing · 2025-06-24T16:00:33Z

.github/workflows/docker-checks.yml

+    steps:
+      - uses: actions/checkout@v4
+      - run: docker build --tag ${{ github.repository }}:${{ github.sha }} ${{ inputs.context }}
+      - uses: aquasecurity/trivy-action@0.29.0


As this is a third-party action, not maintained by either GitHub or Docker, we should pin it to a commit hash in order to make it immutable.

Suggested change

- uses: aquasecurity/trivy-action@0.29.0

- uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # 0.29.0

https://github.com/aquasecurity/trivy-action/releases/tag/0.31.0
aquasecurity/trivy-action@76071ef

In addition to being third-party, this is also a security scanning tool.

joshuasing · 2025-06-24T16:02:58Z

bump-version

@@ -0,0 +1,46 @@
+#!/bin/sh


This file is missing a copyright notice:

Suggested change

#!/bin/sh

#!/bin/sh

# Copyright (c) 2025 Hemi Labs, Inc.

# Use of this source code is governed by the MIT License,

# which can be found in the LICENSE file.

joshuasing · 2025-06-24T16:03:44Z

bump-version

What do you think about moving this script to scripts/bump-version.sh - to keep it out of the way?
We will likely add additional scripts, so I think having a separate directory would be useful.

joshuasing · 2025-06-24T16:06:51Z

notify-deploy-to-slack/action.yml

+runs:
+  using: composite
+  steps:
+    - uses: slackapi/slack-github-action@v1


As this is a third-party action, not maintained by either GitHub or Docker, we should pin it to a commit hash in order to make it immutable.

Also, the latest version of this action is v2.1.0 (https://github.com/slackapi/slack-github-action/releases/tag/v2.1.0) - are we able to update? There is a migration guide here: https://github.com/slackapi/slack-github-action/releases/tag/v2.0.0

Suggested change

- uses: slackapi/slack-github-action@v1

- uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1

https://github.com/slackapi/slack-github-action/releases/tag/v1.27.1
slackapi/slack-github-action@fcfb566

joshuasing · 2025-06-24T16:09:39Z

setup-node-env/action.yml

  using: composite
  steps:
-    - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+    - uses: pnpm/action-setup@v4.0.0


As this is a third-party action, not maintained by either GitHub or Docker, we should pin it to a commit hash in order to make it immutable.

Also, a minor update is available: https://github.com/pnpm/action-setup/releases/tag/v4.1.0 (changes: pnpm/action-setup@v4.0.0...v4.1.0)

Suggested change

- uses: pnpm/action-setup@v4.0.0

- uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0

https://github.com/pnpm/action-setup/releases/tag/v4.1.0
pnpm/action-setup@a7487c7

joshuasing · 2025-06-24T16:11:36Z

There are a few files missing copyright notices. Could you please add:

# Copyright (c) 2025 Hemi Labs, Inc.
# Use of this source code is governed by the MIT License,
# which can be found in the LICENSE file.

gabmontes self-assigned this Apr 30, 2025

gabmontes force-pushed the pull-from-bloq-actions branch from 11dcdfc to 7beb478 Compare April 30, 2025 01:07

gabmontes requested a review from gndelia April 30, 2025 01:08

Pull changes from bloq/actions

63592c8

gabmontes force-pushed the pull-from-bloq-actions branch from 7beb478 to 63592c8 Compare April 30, 2025 01:09

gabmontes marked this pull request as ready for review April 30, 2025 01:10

gabmontes requested review from a team and joshuasing as code owners April 30, 2025 01:10