From dcf34206c728d768b5c66553a168a12dbf2b4519 Mon Sep 17 00:00:00 2001 From: Elliott Johnson Date: Wed, 20 May 2026 09:06:22 -0600 Subject: [PATCH 1/3] chore: Supply chain hardening --- .github/actions/platform-test/action.yml | 2 +- .github/actions/vercel-deploy/action.yml | 4 +- .github/workflows/audit.yml | 6 +-- .github/workflows/autofix-lint.yml | 8 +-- .github/workflows/ci.yml | 58 ++++++++------------- .github/workflows/platform-tests-vercel.yml | 2 +- .github/workflows/release.yml | 8 +-- .npmrc | 2 - pnpm-workspace.yaml | 10 ++++ 9 files changed, 48 insertions(+), 52 deletions(-) delete mode 100644 .npmrc diff --git a/.github/actions/platform-test/action.yml b/.github/actions/platform-test/action.yml index 8ac09ea153c2..62bb0a8f08ed 100644 --- a/.github/actions/platform-test/action.yml +++ b/.github/actions/platform-test/action.yml @@ -25,7 +25,7 @@ runs: - name: Upload test artifacts if: failure() - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: platform-test-results-${{ github.job }} path: ${{ inputs.test-app-dir }}/test-results diff --git a/.github/actions/vercel-deploy/action.yml b/.github/actions/vercel-deploy/action.yml index cdaf6c6acc21..0b3b54a844f2 100644 --- a/.github/actions/vercel-deploy/action.yml +++ b/.github/actions/vercel-deploy/action.yml @@ -24,9 +24,9 @@ outputs: runs: using: 'composite' steps: - - uses: pnpm/action-setup@v6.0.8 + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 - - uses: actions/setup-node@v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 cache: pnpm diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index f07555cb69e6..92c1ff7d8932 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -17,9 +17,9 @@ jobs: if: github.repository == 'sveltejs/kit' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: pnpm/action-setup@v6.0.8 - - uses: actions/setup-node@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: '24.x' cache: pnpm diff --git a/.github/workflows/autofix-lint.yml b/.github/workflows/autofix-lint.yml index d0d21b71a3df..2d04639fbf8e 100644 --- a/.github/workflows/autofix-lint.yml +++ b/.github/workflows/autofix-lint.yml @@ -28,7 +28,7 @@ jobs: - name: Get PR ref if: github.event_name != 'workflow_dispatch' id: pr - uses: actions/github-script@v9 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 with: script: | const { data: pull } = await github.rest.pulls.get({ @@ -46,12 +46,12 @@ jobs: core.setFailed('PR is from a fork'); } core.setOutput('ref', pull.head.ref); - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 if: github.event_name == 'workflow_dispatch' || steps.pr.outcome == 'success' with: ref: ${{ github.event_name == 'workflow_dispatch' && github.ref || steps.pr.outputs.ref }} - - uses: pnpm/action-setup@v6.0.8 - - uses: actions/setup-node@v6 + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 cache: pnpm diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f77f9c7c571e..e5a1e9280279 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -36,24 +36,12 @@ permissions: contents: read # to fetch code (actions/checkout) jobs: - pkg-pr-new: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v6 - - uses: pnpm/action-setup@v6.0.8 - - uses: actions/setup-node@v6 - with: - node-version: 24 - cache: pnpm - - run: pnpm install --frozen-lockfile - - run: pnpm build - - run: pnpx pkg-pr-new publish --comment=off ./packages/* lint-all: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: pnpm/action-setup@v6.0.8 - - uses: actions/setup-node@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 cache: pnpm @@ -93,9 +81,9 @@ jobs: MATRIX_VITE: ${{matrix.vite}} steps: - run: git config --global core.autocrlf false - - uses: actions/checkout@v6 - - uses: pnpm/action-setup@v6.0.8 - - uses: actions/setup-node@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: ${{ matrix.node-version }} cache: pnpm @@ -121,7 +109,7 @@ jobs: run: find packages -type d -name test-results -not -empty | tar -czf test-results.tar.gz --files-from=- - name: Upload test results if: failure() - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: retention-days: 3 name: test-failure-${{ github.run_id }}-${{ matrix.os }}-${{ matrix.node-version }}-${{ matrix.e2e-browser }}-vite-${{matrix.vite}} @@ -161,9 +149,9 @@ jobs: KIT_E2E_BROWSER: ${{matrix.e2e-browser}} steps: - run: git config --global core.autocrlf false - - uses: actions/checkout@v6 - - uses: pnpm/action-setup@v6.0.8 - - uses: actions/setup-node@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: ${{ matrix.node-version }} cache: pnpm @@ -179,7 +167,7 @@ jobs: run: find packages -type d -name test-results -not -empty | tar -czf test-results-cross-platform-${{ matrix.mode }}.tar.gz --files-from=- - name: Upload test results if: failure() - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: retention-days: 3 name: test-failure-cross-platform-${{ matrix.mode }}-${{ github.run_id }}-${{ matrix.os }}-${{ matrix.node-version }}-${{ matrix.e2e-browser }} @@ -195,9 +183,9 @@ jobs: - mode: 'build' steps: - run: git config --global core.autocrlf false - - uses: actions/checkout@v6 - - uses: pnpm/action-setup@v6.0.8 - - uses: actions/setup-node@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 cache: pnpm @@ -213,7 +201,7 @@ jobs: run: find packages -type d -name test-results -not -empty | tar -czf test-results-server-side-route-resolution-${{ matrix.mode }}.tar.gz --files-from=- - name: Upload test results if: failure() - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: retention-days: 3 name: test-failure-server-side-route-resolution-${{ matrix.mode }}-${{ github.run_id }} @@ -229,9 +217,9 @@ jobs: - mode: 'build' steps: - run: git config --global core.autocrlf false - - uses: actions/checkout@v6 - - uses: pnpm/action-setup@v6.0.8 - - uses: actions/setup-node@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 cache: pnpm @@ -247,7 +235,7 @@ jobs: run: find packages -type d -name test-results -not -empty | tar -czf test-results-svelte-async-${{ matrix.mode }}.tar.gz --files-from=- - name: Upload test results if: failure() - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: retention-days: 3 name: test-failure-svelte-async-${{ matrix.mode }}-${{ github.run_id }} @@ -258,14 +246,14 @@ jobs: matrix: node-version: [18, 20, 22, 24] steps: - - uses: actions/checkout@v6 - - uses: pnpm/action-setup@v6.0.8 - - uses: actions/setup-node@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: ${{matrix.node-version}} cache: pnpm # required for testing netlify edge functions - - uses: denoland/setup-deno@v2 + - uses: denoland/setup-deno@667a34cdef165d8d2b2e98dde39547c9daac7282 # v2 with: deno-version: ^2.2.4 - run: pnpm install --frozen-lockfile diff --git a/.github/workflows/platform-tests-vercel.yml b/.github/workflows/platform-tests-vercel.yml index d39386dc01bd..d4877017eda6 100644 --- a/.github/workflows/platform-tests-vercel.yml +++ b/.github/workflows/platform-tests-vercel.yml @@ -28,7 +28,7 @@ jobs: timeout-minutes: 15 environment: '@sveltejs/adapter-vercel platform tests' steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs.sha || github.sha }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8675ec7c2de2..f51ac71fe0d6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -23,13 +23,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repo - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: # This makes Actions fetch all Git history so that Changesets can generate changelogs with the correct commits fetch-depth: 0 - - uses: pnpm/action-setup@v6.0.8 + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 - name: Setup Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24.x cache: pnpm @@ -38,7 +38,7 @@ jobs: - name: Create Release Pull Request or Publish to npm id: changesets - uses: changesets/action@v1 + uses: changesets/action@63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b # v1 with: # This expects you to have a script called release which does a build for your packages and calls changeset publish publish: pnpm changeset:release diff --git a/.npmrc b/.npmrc deleted file mode 100644 index 8af70e3f1fb9..000000000000 --- a/.npmrc +++ /dev/null @@ -1,2 +0,0 @@ -link-workspace-packages = true -shell-emulator = true diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index 15835f7c6cb0..fd195f8c77c0 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml @@ -1,3 +1,13 @@ +minimumReleaseAge: 1440 +minimumReleaseAgeExclude: + - '@sveltejs/*' + - svelte + - esrap + - devalue +blockExoticSubdeps: true +linkWorkspacePackages: true +shellEmulator: true + packages: - packages/* - packages/adapter-cloudflare/test/apps/* From 6e2f779a0cfd3839f4d9f8287f3509362b9ec19a Mon Sep 17 00:00:00 2001 From: Elliott Johnson Date: Wed, 20 May 2026 14:08:53 -0600 Subject: [PATCH 2/3] chore: bump minimumReleaseAge to 2 days and extend bypass list - Increase minimumReleaseAge from 1440 (1 day) to 2880 (2 days) - Add zimmerframe, prettier-plugin-svelte, svelte-check, and esm-env to minimumReleaseAgeExclude --- pnpm-workspace.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index fd195f8c77c0..e89356f52aa1 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml @@ -1,9 +1,13 @@ -minimumReleaseAge: 1440 +minimumReleaseAge: 2880 minimumReleaseAgeExclude: - '@sveltejs/*' - svelte - esrap - devalue + - zimmerframe + - prettier-plugin-svelte + - svelte-check + - esm-env blockExoticSubdeps: true linkWorkspacePackages: true shellEmulator: true From 40a2a1796c32c65ea07234404e98f62602536060 Mon Sep 17 00:00:00 2001 From: "Willow (GHOST)" Date: Fri, 22 May 2026 04:58:12 +0100 Subject: [PATCH 3/3] chore: use full versions --- .github/actions/platform-test/action.yml | 2 +- .github/actions/vercel-deploy/action.yml | 2 +- .github/workflows/audit.yml | 4 +-- .github/workflows/autofix-lint.yml | 6 ++-- .github/workflows/ci.yml | 34 ++++++++++----------- .github/workflows/platform-tests-vercel.yml | 2 +- .github/workflows/release.yml | 6 ++-- 7 files changed, 28 insertions(+), 28 deletions(-) diff --git a/.github/actions/platform-test/action.yml b/.github/actions/platform-test/action.yml index 62bb0a8f08ed..829c7ac84029 100644 --- a/.github/actions/platform-test/action.yml +++ b/.github/actions/platform-test/action.yml @@ -25,7 +25,7 @@ runs: - name: Upload test artifacts if: failure() - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: platform-test-results-${{ github.job }} path: ${{ inputs.test-app-dir }}/test-results diff --git a/.github/actions/vercel-deploy/action.yml b/.github/actions/vercel-deploy/action.yml index 0b3b54a844f2..0efd8d53526c 100644 --- a/.github/actions/vercel-deploy/action.yml +++ b/.github/actions/vercel-deploy/action.yml @@ -26,7 +26,7 @@ runs: steps: - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 - - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24 cache: pnpm diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index 92c1ff7d8932..f6a4cf73cde7 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -17,9 +17,9 @@ jobs: if: github.repository == 'sveltejs/kit' runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 - - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: '24.x' cache: pnpm diff --git a/.github/workflows/autofix-lint.yml b/.github/workflows/autofix-lint.yml index 2d04639fbf8e..3da48a693bd9 100644 --- a/.github/workflows/autofix-lint.yml +++ b/.github/workflows/autofix-lint.yml @@ -28,7 +28,7 @@ jobs: - name: Get PR ref if: github.event_name != 'workflow_dispatch' id: pr - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: script: | const { data: pull } = await github.rest.pulls.get({ @@ -46,12 +46,12 @@ jobs: core.setFailed('PR is from a fork'); } core.setOutput('ref', pull.head.ref); - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 if: github.event_name == 'workflow_dispatch' || steps.pr.outcome == 'success' with: ref: ${{ github.event_name == 'workflow_dispatch' && github.ref || steps.pr.outputs.ref }} - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 - - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24 cache: pnpm diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e5a1e9280279..3759363bdfd1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -39,9 +39,9 @@ jobs: lint-all: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 - - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24 cache: pnpm @@ -81,9 +81,9 @@ jobs: MATRIX_VITE: ${{matrix.vite}} steps: - run: git config --global core.autocrlf false - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 - - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ matrix.node-version }} cache: pnpm @@ -109,7 +109,7 @@ jobs: run: find packages -type d -name test-results -not -empty | tar -czf test-results.tar.gz --files-from=- - name: Upload test results if: failure() - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: retention-days: 3 name: test-failure-${{ github.run_id }}-${{ matrix.os }}-${{ matrix.node-version }}-${{ matrix.e2e-browser }}-vite-${{matrix.vite}} @@ -149,9 +149,9 @@ jobs: KIT_E2E_BROWSER: ${{matrix.e2e-browser}} steps: - run: git config --global core.autocrlf false - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 - - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ matrix.node-version }} cache: pnpm @@ -167,7 +167,7 @@ jobs: run: find packages -type d -name test-results -not -empty | tar -czf test-results-cross-platform-${{ matrix.mode }}.tar.gz --files-from=- - name: Upload test results if: failure() - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: retention-days: 3 name: test-failure-cross-platform-${{ matrix.mode }}-${{ github.run_id }}-${{ matrix.os }}-${{ matrix.node-version }}-${{ matrix.e2e-browser }} @@ -183,9 +183,9 @@ jobs: - mode: 'build' steps: - run: git config --global core.autocrlf false - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 - - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24 cache: pnpm @@ -201,7 +201,7 @@ jobs: run: find packages -type d -name test-results -not -empty | tar -czf test-results-server-side-route-resolution-${{ matrix.mode }}.tar.gz --files-from=- - name: Upload test results if: failure() - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: retention-days: 3 name: test-failure-server-side-route-resolution-${{ matrix.mode }}-${{ github.run_id }} @@ -217,9 +217,9 @@ jobs: - mode: 'build' steps: - run: git config --global core.autocrlf false - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 - - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24 cache: pnpm @@ -235,7 +235,7 @@ jobs: run: find packages -type d -name test-results -not -empty | tar -czf test-results-svelte-async-${{ matrix.mode }}.tar.gz --files-from=- - name: Upload test results if: failure() - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: retention-days: 3 name: test-failure-svelte-async-${{ matrix.mode }}-${{ github.run_id }} @@ -246,14 +246,14 @@ jobs: matrix: node-version: [18, 20, 22, 24] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 - - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{matrix.node-version}} cache: pnpm # required for testing netlify edge functions - - uses: denoland/setup-deno@667a34cdef165d8d2b2e98dde39547c9daac7282 # v2 + - uses: denoland/setup-deno@667a34cdef165d8d2b2e98dde39547c9daac7282 # v2.0.4 with: deno-version: ^2.2.4 - run: pnpm install --frozen-lockfile diff --git a/.github/workflows/platform-tests-vercel.yml b/.github/workflows/platform-tests-vercel.yml index d4877017eda6..d1444bdaacca 100644 --- a/.github/workflows/platform-tests-vercel.yml +++ b/.github/workflows/platform-tests-vercel.yml @@ -28,7 +28,7 @@ jobs: timeout-minutes: 15 environment: '@sveltejs/adapter-vercel platform tests' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ inputs.sha || github.sha }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f51ac71fe0d6..39e8414f8fc3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -23,13 +23,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repo - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: # This makes Actions fetch all Git history so that Changesets can generate changelogs with the correct commits fetch-depth: 0 - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 - name: Setup Node.js - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24.x cache: pnpm @@ -38,7 +38,7 @@ jobs: - name: Create Release Pull Request or Publish to npm id: changesets - uses: changesets/action@63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b # v1 + uses: changesets/action@63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b # v1.8.0 with: # This expects you to have a script called release which does a build for your packages and calls changeset publish publish: pnpm changeset:release