chore(actions): Replace unverified actions with GH scripts (#4604)

* chore(actions): Replace unverified actions with GH scripts

* chore(actions): Update rust toolchain in Dockerfile

Author: sergei-boiko-trustwallet

.github/workflows/kotlin-ci.yml

@@ -23,9 +23,6 @@ jobs:
         java-version: '17'
         distribution: 'temurin'
 
-    - name: Setup Android SDK
-      uses: android-actions/setup-android@9fc6c4e9069bf8d3d10b2204b1fb8f6ef7065407 # v3.2.2
-
     - name: Setup Gradle
       uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa # v2.12.0
       with:

.github/workflows/kotlin-sample-ci.yml

@@ -23,9 +23,6 @@ jobs:
         java-version: '17'
         distribution: 'temurin'
 
-    - name: Setup Android SDK
-      uses: android-actions/setup-android@9fc6c4e9069bf8d3d10b2204b1fb8f6ef7065407 # v3.2.2
-
     - name: Install Kotlin Dependencies
       run: tools/install-kotlin-dependencies
 

.github/workflows/rust.yml

@@ -126,15 +126,13 @@ jobs:
       # Download previous release report, compare the release binary sizes, and post/update a comment at the Pull Request.
       - name: Download previous release report
         if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false
-        uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6
-        with:
-          commit: ${{github.event.pull_request.base.sha}}
-          path: previous
-          if_no_artifact_found: warn
+        run: ./tools/gh-download-workflow-artifact
+        env:
+          COMMIT: ${{github.event.pull_request.base.sha}}
+          DOWNLOAD_PATH: previous
           # Same artifact name as at the "Upload release report" step.
-          name: release_report
-          # Ignore status or conclusion in the search.
-          workflow_conclusion: ""
+          ARTIFACT_NAME: release_report
+          GH_TOKEN: ${{ github.token }}
 
       - name: Craft Comment Body
         if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false
@@ -144,13 +142,11 @@ jobs:
 
       - name: Create or Update Comment
         if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false
-        uses: edumserrano/find-create-or-update-comment@3d340543af6d2743c70ab2d525deeb0f12e290de # v2.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
-          issue-number: ${{ github.event.pull_request.number }}
-          body-includes: "Binary size comparison"
-          comment-author: 'github-actions[bot]'
-          edit-mode: replace
-          body-path: 'report-diff.md'
+          script: |
+            const script = require('./tools/gh-create-or-update-comment.js');
+            await script({github, context, bodyPath: 'report-diff.md', bodyIncludes: 'Binary size comparison'});
 
   memory-profiler:
     runs-on: ubuntu-24.04

Dockerfile

@@ -42,7 +42,7 @@ RUN ln -s /usr/bin/clang++-14 /usr/bin/clang++
 RUN wget "https://sh.rustup.rs" -O rustup.sh \
     && sh rustup.sh -y
 ENV PATH="/root/.cargo/bin:${PATH}"
-RUN rustup default nightly-2024-06-13
+RUN rustup default nightly-2025-12-11
 RUN cargo install --force cbindgen --locked \
     && rustup target add wasm32-unknown-emscripten
 

tools/gh-create-or-update-comment.js

@@ -0,0 +1,36 @@
+const fs = require('fs');
+
+module.exports = async ({github, context, bodyPath, bodyIncludes}) => {
+    const body = fs.readFileSync(bodyPath, 'utf8');
+
+    // Find existing comment
+    const { data: comments } = await github.rest.issues.listComments({
+        owner: context.repo.owner,
+        repo: context.repo.repo,
+        issue_number: context.issue.number
+    });
+
+    const botComment = comments.find(comment =>
+        comment.user.login === 'github-actions[bot]' &&
+        comment.body.includes(bodyIncludes)
+    );
+
+    // Create or update comment
+    if (botComment) {
+        await github.rest.issues.updateComment({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            comment_id: botComment.id,
+            body: body
+        });
+        console.log(`Updated comment ${botComment.id}`);
+    } else {
+        const { data: newComment } = await github.rest.issues.createComment({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            issue_number: context.issue.number,
+            body: body
+        });
+        console.log(`Created comment ${newComment.id}`);
+    }
+};

tools/gh-download-workflow-artifact

@@ -0,0 +1,34 @@
+#!/bin/bash
+set -euo pipefail
+
+COMMIT="${COMMIT:?COMMIT environment variable is required}"
+DOWNLOAD_PATH="${DOWNLOAD_PATH:?DOWNLOAD_PATH environment variable is required}"
+ARTIFACT_NAME="${ARTIFACT_NAME:?ARTIFACT_NAME environment variable is required}"
+
+echo "Searching for artifact '$ARTIFACT_NAME' from commit $COMMIT..."
+
+# Find the artifact ID
+ARTIFACT_ID=$(gh api \
+  "repos/$GITHUB_REPOSITORY/actions/artifacts" \
+  --jq ".artifacts[] | select(.workflow_run.head_sha == \"$COMMIT\" and .name == \"$ARTIFACT_NAME\" and .expired == false) | .id" \
+  | head -n 1)
+
+if [ -z "$ARTIFACT_ID" ]; then
+  echo "Warning: No artifact found for commit $COMMIT with name '$ARTIFACT_NAME'"
+  exit 0
+fi
+
+echo "Found artifact ID: $ARTIFACT_ID"
+
+# Create download directory
+mkdir -p "$DOWNLOAD_PATH"
+
+# Download and extract artifact
+echo "Downloading artifact..."
+gh api "repos/$GITHUB_REPOSITORY/actions/artifacts/$ARTIFACT_ID/zip" > /tmp/artifact.zip
+
+echo "Extracting to $DOWNLOAD_PATH..."
+unzip -q /tmp/artifact.zip -d "$DOWNLOAD_PATH"
+rm /tmp/artifact.zip
+
+echo "Successfully downloaded artifact to $DOWNLOAD_PATH"