chore(ci): Add trusted publishing, bullfrog, and update version pins (#502)

dgilmanuni · web-flow · commit 7ebd04b16174 · 2025-10-23T13:46:39.000-05:00
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
@@ -14,32 +14,22 @@ jobs:
       id-token: write
       contents: write
     steps:
-      - name: Load secret
-        uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0
-        with:
-          # Export loaded secrets as environment variables
-          export-env: true
-        env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-          # You may need to change this to your vault name and secret name
-          # Refer to it by calling env.NPM_TOKEN
-          # This token is also limited by IP to ONLY work on the runner
-          NPM_TOKEN: op://npm-deploy/npm-runner-token/secret
+      - uses: bullfrogsec/bullfrog@1831f79cce8ad602eef14d2163873f27081ebfb3 # v0.8.4
 
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Setup Node
-        uses: actions/setup-node@v4.2.0
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: "20.x"
           registry-url: "https://registry.npmjs.org"
           scope: "@uniswap"
 
       - name: Install Foundry
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@50d5a8956f2e319df19e6b57539d7e2acb9f8c1e # v1.5.0
         with:
-          version: stable
+          version: v1.3.6
 
       - name: Install dependencies
         run: |
@@ -48,10 +38,9 @@ jobs:
       - name: Compile
         run: forge build
 
+      - name: Install npm
+        run: npm install -g npm@latest
+
       - name: Release
-        env:
-          NODE_AUTH_TOKEN: ${{ env.NPM_TOKEN }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          npm set "//registry.npmjs.org/:_authToken" ${{ env.NPM_TOKEN }} 
-          npm publish --provenance --access public
+          npm publish
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -12,14 +12,16 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: bullfrogsec/bullfrog@1831f79cce8ad602eef14d2163873f27081ebfb3 # v0.8.4
+
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           submodules: recursive
 
       - name: Install Foundry
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@50d5a8956f2e319df19e6b57539d7e2acb9f8c1e # v1.5.0
         with:
-          version: stable
+          version: v1.3.6
 
       - name: Check format
         run: forge fmt --check
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -12,14 +12,16 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: bullfrogsec/bullfrog@1831f79cce8ad602eef14d2163873f27081ebfb3 # v0.8.4
+
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           submodules: recursive
 
       - name: Install Foundry
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@50d5a8956f2e319df19e6b57539d7e2acb9f8c1e # v1.5.0
         with:
-          version: stable
+          version: v1.3.6
 
       - name: Show Forge version
         run: |
