security: use commit hashes for GitHub Actions instead of version tags #1616
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build & Release | |
| env: | |
| GH_TOKEN: ${{ SECRETS.GITHUB_TOKEN }} | |
| on: push | |
| defaults: | |
| run: | |
| shell: bash | |
| jobs: | |
| e2e_tests: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check out Git repository | |
| uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 | |
| - name: Install Node.js and NPM | |
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version: 22 | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Install Playwright browsers | |
| run: npx playwright install --with-deps chromium | |
| - name: Run E2E tests | |
| run: xvfb-run --auto-servernum --server-args="-screen 0 1280x960x24" npm run test:e2e | |
| - name: Upload Playwright test results | |
| if: failure() | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: playwright-test-results | |
| path: test-results/ | |
| retention-days: 7 | |
| linux_x64: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check out Git repository | |
| uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 | |
| - name: Install Node.js and NPM | |
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version: 22 | |
| - name: Build | |
| run: npm ci | |
| - name: Validate Release Notes | |
| run: npm run generate-release-info | |
| - name: Build for Release | |
| if: contains(github.ref, 'main') | |
| run: npm run dist:linux:x64 -- --publish always | |
| - name: Build for PR | |
| if: "!contains(github.ref, 'main')" | |
| run: npm run dist:linux:x64 -- --publish never | |
| - name: Upload PR artifacts | |
| if: "!contains(github.ref, 'main')" | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: teams-for-linux-linux-x64 | |
| path: | | |
| dist/*.deb | |
| dist/*.rpm | |
| dist/*.tar.gz | |
| dist/*.AppImage | |
| retention-days: 30 | |
| compression-level: 6 | |
| linux_arm64: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check out Git repository | |
| uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 | |
| - name: Install Node.js and NPM | |
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version: 22 | |
| - name: Build | |
| run: npm ci | |
| - name: Validate Release Notes | |
| run: npm run generate-release-info | |
| - name: Build for Release | |
| if: contains(github.ref, 'main') | |
| run: npm run dist:linux:arm64 -- --publish always | |
| - name: Build for PR | |
| if: "!contains(github.ref, 'main')" | |
| run: npm run dist:linux:arm64 -- --publish never | |
| - name: Upload PR artifacts | |
| if: "!contains(github.ref, 'main')" | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: teams-for-linux-linux-arm64 | |
| path: | | |
| dist/*.deb | |
| dist/*.rpm | |
| dist/*.tar.gz | |
| dist/*.AppImage | |
| retention-days: 30 | |
| compression-level: 6 | |
| linux_arm: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check out Git repository | |
| uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 | |
| - name: Install Node.js and NPM | |
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version: 22 | |
| - name: Build | |
| run: npm ci | |
| - name: Validate Release Notes | |
| run: npm run generate-release-info | |
| - name: Build for Release | |
| if: contains(github.ref, 'main') | |
| run: npm run dist:linux:arm -- --publish always | |
| - name: Build for PR | |
| if: "!contains(github.ref, 'main')" | |
| run: npm run dist:linux:arm -- --publish never | |
| - name: Upload PR artifacts | |
| if: "!contains(github.ref, 'main')" | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: teams-for-linux-linux-armv7l | |
| path: | | |
| dist/*.deb | |
| dist/*.rpm | |
| dist/*.tar.gz | |
| dist/*.AppImage | |
| retention-days: 30 | |
| compression-level: 6 | |
| dmg: | |
| runs-on: macos-latest | |
| steps: | |
| - name: Check out Git repository | |
| uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 | |
| - name: Install Node.js and NPM | |
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version: 22 | |
| - name: Build | |
| run: npm ci | |
| - name: Validate Release Notes | |
| run: npm run generate-release-info | |
| - name: Build for Release | |
| if: contains(github.ref, 'main') | |
| run: npm run dist:mac:x64 -- --publish always | |
| - name: Build for PR | |
| if: "!contains(github.ref, 'main')" | |
| run: npm run dist:mac:x64 -- --publish never | |
| - name: Upload PR artifacts | |
| if: "!contains(github.ref, 'main')" | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: teams-for-linux-macos-x64 | |
| path: dist/*.dmg | |
| retention-days: 30 | |
| compression-level: 6 | |
| exe: | |
| runs-on: windows-latest | |
| steps: | |
| - name: Check out Git repository | |
| uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 | |
| - name: Install Node.js and NPM | |
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version: 22 | |
| - name: Build | |
| run: npm ci | |
| - name: Validate Release Notes | |
| run: npm run generate-release-info | |
| - name: Build for Release | |
| if: contains(github.ref, 'main') | |
| run: npm run dist:windows -- --publish always | |
| - name: Build for PR | |
| if: "!contains(github.ref, 'main')" | |
| run: npm run dist:windows -- --publish never | |
| - name: Upload PR artifacts | |
| if: "!contains(github.ref, 'main')" | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: teams-for-linux-windows-x64 | |
| path: dist/*.exe | |
| retention-days: 30 | |
| compression-level: 6 | |
| comment-artifacts: | |
| runs-on: ubuntu-latest | |
| if: "!contains(github.ref, 'main')" | |
| needs: [linux_x64, linux_arm64, linux_arm, dmg, exe] | |
| permissions: | |
| pull-requests: write | |
| actions: read | |
| steps: | |
| - name: Comment on PR with artifact links | |
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
| with: | |
| script: | | |
| // Find PR for this branch | |
| const branchName = context.ref.replace('refs/heads/', ''); | |
| const { data: prs } = await github.rest.pulls.list({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| state: 'open' | |
| }); | |
| const pr = prs.find(p => p.head.ref === branchName); | |
| if (!pr) { | |
| console.log(`No PR found for branch ${branchName}`); | |
| return; | |
| } | |
| const { data: artifacts } = await github.rest.actions.listWorkflowRunArtifacts({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| run_id: context.runId | |
| }); | |
| const buildArtifacts = artifacts.artifacts.filter(a => | |
| !a.name.includes('test-results') && !a.name.includes('playwright') | |
| ); | |
| if (buildArtifacts.length === 0) { | |
| console.log('No build artifacts found'); | |
| return; | |
| } | |
| let body = '## 📦 PR Build Artifacts\n\n✅ **Build successful!** Download artifacts:\n\n'; | |
| buildArtifacts.forEach(artifact => { | |
| const sizeMB = (artifact.size_in_bytes / 1024 / 1024).toFixed(2); | |
| body += `- [${artifact.name}](https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}/artifacts/${artifact.id}) (${sizeMB} MB)\n`; | |
| }); | |
| body += `\n[View workflow run](https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId})`; | |
| const { data: comments } = await github.rest.issues.listComments({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: pr.number | |
| }); | |
| const botComment = comments.find(c => | |
| c.user.type === 'Bot' && c.body.includes('## 📦 PR Build Artifacts') | |
| ); | |
| if (botComment) { | |
| await github.rest.issues.updateComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| comment_id: botComment.id, | |
| body | |
| }); | |
| } else { | |
| await github.rest.issues.createComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: pr.number, | |
| body | |
| }); | |
| } |