mokimo · mokimo · Apr 8, 2025 · Mar 21, 2025 · Mar 21, 2025 · Mar 21, 2025
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
@@ -0,0 +1,5 @@
+### Description
+Based on the [Github security guidance](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) we pinned actions to a full length commit SHA's rather than tags, which are more common.
+In order to upgrade an action, simply go to the Github repo such as: https://github.com/actions/checkout/releases - find the latest release and the commit-SHA that is connected to it and replace it for all actions that use the 3rd party package you want to upgrade. This [PR](https://github.com/adobecom/milo/pull/3830) serves as an example where we upgraded multiple 3rd party packages across all actions.
+
+To QA the change, when you run the action on your own fork, you can simply validate it's still running as expected and manages to download the 3rd party package within the scope of the action.
diff --git a/.github/workflows/code-compatibility.yaml b/.github/workflows/code-compatibility.yaml
@@ -12,7 +12,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: Check for unsupported functions
         run: |

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -34,19 +34,19 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@6bb031afdd8eb862ea3fc1848194185e076637e5
       with:
         languages: ${{ matrix.language }}
         config-file: ./.github/codeql/codeql-config.yml
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
+      uses: github/codeql-action/autobuild@6bb031afdd8eb862ea3fc1848194185e076637e5
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -59,6 +59,6 @@ jobs:
     #   ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@6bb031afdd8eb862ea3fc1848194185e076637e5
       with:
         category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dispatch.yml b/.github/workflows/dispatch.yml
@@ -13,8 +13,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repository
-        uses: actions/checkout@v4    
-      - uses: dorny/paths-filter@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683    
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36
         id: changes
         with:
           base: ${{ github.ref }}
@@ -23,7 +23,7 @@ jobs:
               - 'libs/**'    
       - if: steps.changes.outputs.src == 'true'
         name: Trigger DC Workflow
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
         with:
           github-token: ${{ secrets.DC_PAT }}
           script: |

diff --git a/.github/workflows/fg-sync-repos.yml b/.github/workflows/fg-sync-repos.yml
@@ -22,15 +22,15 @@ jobs:
     steps:
       - name: Generate a token
         id: generate_token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e
         with:
           app-id: ${{ secrets.FG_SYNC_APP_ID }}
           private-key: ${{ secrets.FG_SYNC_APP_PRIVATE_KEY }}
           owner: ${{ github.repository_owner }}
           repositories: "milo-pink"
 
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           persist-credentials: false
           ref: ${{ inputs.syncBranch || github.ref_name }}

diff --git a/.github/workflows/high-impact-alert.yml b/.github/workflows/high-impact-alert.yml
@@ -15,12 +15,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           ref: ${{ github.event.pull_request.base.ref }}
 
       - name: Send Slack message for high impact PRs
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
         with:
           script: |
             const main = require('./.github/workflows/high-impact-alert.js')

diff --git a/.github/workflows/label-zero-impact.yaml b/.github/workflows/label-zero-impact.yaml
@@ -10,10 +10,10 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: Add the zero impact label
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
         with:
           script: |
             const main = require('./.github/workflows/label-zero-impact.js')

diff --git a/.github/workflows/mark-stale-prs.yaml b/.github/workflows/mark-stale-prs.yaml
@@ -9,7 +9,7 @@ jobs:
     if: github.repository_owner == 'adobecom'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           stale-pr-message: 'This PR has not been updated recently and will be closed in 7 days if no action is taken. Please ensure all checks are passing, https://github.com/orgs/adobecom/discussions/997 provides instructions. If the PR is ready to be merged, please mark it with the "Ready for Stage" label.'

diff --git a/.github/workflows/merge-to-main.js b/.github/workflows/merge-to-main.js
@@ -1,5 +1,4 @@
 const {
-  slackNotification,
   getLocalConfigs,
   isWithinRCP,
   pulls: { addLabels, addFiles, getChecks, getReviews },
@@ -50,10 +49,6 @@ const main = async (params) => {
         merge_method: 'merge',
       });
 
-      await slackNotification(
-        `:rocket: Production release <${stageToMainPR.html_url}|${stageToMainPR.number}>`
-      );
-
       await github.rest.repos.createDispatchEvent({
         owner,
         repo,

diff --git a/.github/workflows/merge-to-main.yaml b/.github/workflows/merge-to-main.yaml
@@ -20,17 +20,17 @@ jobs:
     if: github.repository_owner == 'adobecom' && (github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' || (github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'main' && github.event.pull_request.head.ref == 'stage'))
 
     steps:
-      - uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e
         id: milo-pr-merge-token
         with:
           app-id: ${{ secrets.MILO_PR_MERGE_APP_ID }}
           private-key: ${{ secrets.MILO_PR_MERGE_PRIVATE_KEY }}
 
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: Merge to main
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
         with:
           github-token: ${{ steps.milo-pr-merge-token.outputs.token }}
           script: |

diff --git a/.github/workflows/merge-to-stage.js b/.github/workflows/merge-to-stage.js
@@ -27,7 +27,6 @@ const TEAM_MENTIONS = [
   '@adobecom/miq-sot',
 ];
 const SLACK = {
-  merge: ({ html_url, number, title, prefix = '' }) => `:merged: PR merged to stage: ${prefix} <${html_url}|${number}: ${title}>.`,
   openedSyncPr: ({ html_url, number }) => `:fast_forward: Created <${html_url}|Stage to Main PR ${number}>`,
 };
 
@@ -143,14 +142,6 @@ const merge = async ({ prs, type }) => {
       console.log(`Current number of PRs merged: ${existingPRCount}`);
       const prefix = type === LABELS.zeroImpact ? ' [ZERO IMPACT]' : '';
       body = `-${prefix} ${html_url}\n${body}`;
-      await slackNotification(
-        SLACK.merge({
-          html_url,
-          number,
-          title,
-          prefix,
-        }),
-      ).catch(console.error);
       await new Promise((resolve) => setTimeout(resolve, 5000));
     } catch (error) {
       commentOnPR(`Error merging ${number}: ${title} ${error.message}`, number);

diff --git a/.github/workflows/merge-to-stage.yaml b/.github/workflows/merge-to-stage.yaml
@@ -22,17 +22,17 @@ jobs:
     environment: milo_pr_merge
 
     steps:
-      - uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e
         id: milo-pr-merge-token
         with:
           app-id: ${{ secrets.MILO_PR_MERGE_APP_ID }}
           private-key: ${{ secrets.MILO_PR_MERGE_PRIVATE_KEY }}
 
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: Merge to stage or queue to merge
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
         with:
           github-token: ${{ steps.milo-pr-merge-token.outputs.token }}
           script: |

diff --git a/.github/workflows/pr-merge-notification.js b/.github/workflows/pr-merge-notification.js
@@ -0,0 +1,40 @@
+const { slackNotification, getLocalConfigs } = require('./helpers.js');
+
+async function main({ github, context } = {}) {
+    if (!github || !context) {
+        throw new Error("GitHub context is missing. Ensure you are running in the correct environment.");
+    }
+
+    if (process.env.LOCAL_RUN) {
+        console.log("Local run detected. Loading local configurations...");
+        const localConfigs = getLocalConfigs();
+        github = localConfigs.github;
+        context = localConfigs.context;
+    }
+
+    const { pull_request } = context.payload;
+    if (!pull_request) {
+        console.log("No pull_request found in context payload. Skipping notification.");
+        return;
+    }
+
+    const { number, title, html_url, base } = pull_request;
+    const isStage = base.ref === 'stage';
+    const prefix = isStage
+        ? ':merged: PR merged to stage:'
+        : ':rocket: Production release:';
+
+    console.log(`Sending notification for PR #${number}: ${title}`);
+
+    await slackNotification(
+        `${prefix} <${html_url}|#${number}: ${title}>.`,
+        process.env.MILO_RELEASE_SLACK_WH
+    );
+}
+
+if (process.env.LOCAL_RUN) {
+    const { github, context } = getLocalConfigs();
+    main({ github, context });
+}
+
+module.exports = main;
diff --git a/.github/workflows/pr-merge-notification.yaml b/.github/workflows/pr-merge-notification.yaml
@@ -0,0 +1,24 @@
+name: Slack notification on Merge
+
+on:
+  pull_request:
+    types:
+      - closed
+
+jobs:
+  if_merged:
+    if: ${{ github.event.pull_request.merged == true && (github.event.pull_request.base.ref == 'stage' || github.event.pull_request.base.ref == 'main') }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
+      - name: Run Notify Merge with GitHub Script
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
+        with:
+          script: |
+            const notifyMerge = require('./.github/workflows/pr-merge-notification.js');
+            await notifyMerge({ github, context });
+        env:
+          MILO_RELEASE_SLACK_WH: ${{ secrets.MILO_RELEASE_SLACK_WH }}
diff --git a/.github/workflows/pr-reminders.yaml b/.github/workflows/pr-reminders.yaml
@@ -12,10 +12,10 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
     - name: Remind PR initiators
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
       with:
         script: |
           const main = require('./.github/workflows/pr-reminders.js')

diff --git a/.github/workflows/rcp-notifier.yml b/.github/workflows/rcp-notifier.yml
@@ -14,10 +14,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: Create RCP Notification
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
         with:
           script: |
             const main = require('./.github/workflows/rcp-notifier.js')

diff --git a/.github/workflows/release-standalone-feds.yml b/.github/workflows/release-standalone-feds.yml
@@ -22,12 +22,12 @@ jobs:
         working-directory: ./libs/navigation
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       with:
         fetch-depth: 2
 
     - name: Set up Node.js ${{ matrix.node-version }}
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
       with:
         node-version: ${{ matrix.node-version }}
 

diff --git a/.github/workflows/run-lint.yaml b/.github/workflows/run-lint.yaml
@@ -10,17 +10,17 @@ jobs:
     name: Running eslint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
         with:
           node-version: 20
 
       - name: Install dependencies
         run: npm ci
 
       - name: Run eslint on changed files
-        uses: tj-actions/eslint-changed-files@v25
+        uses: tj-actions/eslint-changed-files@74f98653675512158746d3136cd2d9326fbfb6e1
         with:
           config_path: ".eslintrc.js"
           # ignore_path: "/path/to/.eslintignore"

diff --git a/.github/workflows/run-mas-tests.yaml b/.github/workflows/run-mas-tests.yaml
@@ -14,12 +14,12 @@ jobs:
         node-version: [20.x]
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 2
 
       - name: Set up Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
         with:
           node-version: ${{ matrix.node-version }}
 
@@ -32,7 +32,7 @@ jobs:
         working-directory: libs/features/mas
 
       - name: Upload commerce coverage to Codecov
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574
         with:
           name: mas
           token: ${{ secrets.CODECOV_TOKEN }}

diff --git a/.github/workflows/run-nala-default.yml b/.github/workflows/run-nala-default.yml
@@ -22,12 +22,12 @@ jobs:
         node-version: [20.x]
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 2
 
       - name: Set up Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
         with:
           node-version: ${{ matrix.node-version }}
 

diff --git a/.github/workflows/run-nala-milolibs.yaml b/.github/workflows/run-nala-milolibs.yaml
@@ -30,7 +30,7 @@ jobs:
 
     steps:
       - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: Set environment variables
         run: |
@@ -46,7 +46,7 @@ jobs:
           HLX_TKN: ${{ secrets.HLX_TKN }}
           SLACK_WH: ${{ secrets.SLACK_WH }}          
       - name: Persist JSON Artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1
         if: always()
         with:
           name: nala-results

diff --git a/.github/workflows/run-nala.yml b/.github/workflows/run-nala.yml
@@ -12,7 +12,7 @@ jobs:
 
     steps:
       - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Run Nala Tests (Consuming Apps) 
         uses: adobecom/nala@main # Change if doing dev work
         env: