From 1736a75bb92a909c1852e19df141068f4ae21717 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Fri, 9 Jan 2026 17:57:31 +0000 Subject: [PATCH 01/22] ci(release): Switch from action-prepare-release to Craft This PR migrates from the deprecated action-prepare-release to the new Craft GitHub Actions (reusable workflow or composite action). Changes: - Migrate .github/workflows/release_library.yml to Craft reusable workflow --- .github/workflows/changelog-preview.yml | 13 +++++++++ .github/workflows/release_library.yml | 38 ++++++------------------- 2 files changed, 22 insertions(+), 29 deletions(-) create mode 100644 .github/workflows/changelog-preview.yml diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml new file mode 100644 index 00000000000..1ed1021302d --- /dev/null +++ b/.github/workflows/changelog-preview.yml @@ -0,0 +1,13 @@ +name: Changelog Preview +on: + pull_request: + types: + - opened + - synchronize + - reopened + - edited + - labeled +jobs: + changelog-preview: + uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2 + secrets: inherit diff --git a/.github/workflows/release_library.yml b/.github/workflows/release_library.yml index 1389553307f..ccb9fde5f24 100644 --- a/.github/workflows/release_library.yml +++ b/.github/workflows/release_library.yml 
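Review bot: The new changelog-preview.yml calls `getsentry/craft/.github/workflows/changelog-preview.yml@v2` with `secrets: inherit` and declares no `permissions:` block. On every same-repo pull request event, that passes all repository secrets to whatever code the mutable `v2` tag currently points at. Pin the reusable workflow to a full commit SHA with the tag in a trailing comment, and replace `secrets: inherit` with an explicit `secrets:` map naming only what the preview needs, which may be nothing. The release_library.yml hunk of this commit uses the same `@v2` plus `secrets: inherit` pattern for the release job, where the inherited set includes the release bot key.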
@@ -1,38 +1,18 @@ name: Release Library - on: workflow_dispatch: inputs: version: - description: Version to release - required: true + description: Version to release (or "auto") + required: false force: - description: Force a release even when there are release-blockers (optional) + description: Force a release even when there are release-blockers required: false - jobs: release: - runs-on: ubuntu-latest - name: "Release a new librelay version" - - steps: - - name: Get auth token - id: token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 - with: - app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} - private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - - uses: actions/checkout@v6.0.1 - with: - token: ${{ steps.token.outputs.token }} - fetch-depth: 0 - - - name: Prepare release - uses: getsentry/action-prepare-release@v1 - env: - GITHUB_TOKEN: ${{ steps.token.outputs.token }} - with: - version: ${{ github.event.inputs.version }} - force: ${{ github.event.inputs.force }} - path: py + uses: getsentry/craft/.github/workflows/release.yml@v2 + with: + version: ${{ inputs.version }} + force: ${{ inputs.force }} + path: py + secrets: inherit From 2af37145eb9e9ab1c7e438e7cfcce929e846ff83 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Fri, 9 Jan 2026 23:04:19 +0000 Subject: [PATCH 02/22] ci(release): Restore GitHub App token authentication The previous migration incorrectly removed the GitHub App token authentication step. This commit restores it by switching to the composite action pattern which preserves the auth flow. --- .github/workflows/release_binary.yml | 51 ++++++++++++---------------- 1 file changed, 21 insertions(+), 30 deletions(-) diff --git a/.github/workflows/release_binary.yml b/.github/workflows/release_binary.yml index 745d5731edf..634b0876c92 100644 --- a/.github/workflows/release_binary.yml +++ b/.github/workflows/release_binary.yml 
@@ -1,43 +1,34 @@ name: Release - on: workflow_dispatch: inputs: version: - description: Version to release (optional) + description: Version to release (or "auto") required: false force: - description: Force a release even when there are release-blockers (optional) + description: Force a release even when there are release-blockers required: false - schedule: - # We want the release to be at 9-10am Pacific Time - # We also want it to be 1 hour before the on-prem release - - cron: "0 17 15 * *" - + - cron: "0 17 15 * *" jobs: release: runs-on: ubuntu-latest - name: "Release a new Relay version" - + name: Release a new version steps: - - name: Get auth token - id: token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 - with: - app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} - private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - - uses: actions/checkout@v6.0.1 - with: - token: ${{ steps.token.outputs.token }} - fetch-depth: 0 - - - name: Prepare release - uses: getsentry/action-prepare-release@v1 - env: - GITHUB_TOKEN: ${{ steps.token.outputs.token }} - with: - version: ${{ github.event.inputs.version }} - force: ${{ github.event.inputs.force }} - calver: true + - name: Get auth token + id: token + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} + private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} + - uses: actions/checkout@v4 + with: + token: ${{ steps.token.outputs.token }} + fetch-depth: 0 + - name: Prepare release + uses: getsentry/craft@v2 + env: + GITHUB_TOKEN: ${{ steps.token.outputs.token }} + with: + version: ${{ inputs.version }} + force: ${{ inputs.force }} From c6c86bb95e7bc8f3e461b80bf12ab06473ee72a4 Mon Sep 17 00:00:00 2001 
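Review bot: The token step changes from `actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1` to `@v1`, and checkout from `v6.0.1` to `@v4`. The step that receives `SENTRY_RELEASE_BOT_PRIVATE_KEY` therefore now runs whatever the mutable `v1` tag resolves to, on an older major version. Keep the existing SHA pin and versions for both steps, and pin `getsentry/craft@v2` to a commit SHA too, since it receives the App token through `GITHUB_TOKEN`. The rewrite also drops `calver: true` and the two comments explaining the cron time; restore them if that was not intended. The release_library.yml hunk in PATCH 03 introduces the same `@v1`, `@v4` and `@v2` refs.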
From: Burak Yigit Kaya Date: Fri, 9 Jan 2026 23:05:38 +0000 Subject: [PATCH 03/22] ci(release): Restore GitHub App token authentication The previous migration incorrectly removed the GitHub App token authentication step. This commit restores it by switching to the composite action pattern which preserves the auth flow. --- .github/workflows/release_library.yml | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release_library.yml b/.github/workflows/release_library.yml index ccb9fde5f24..677279c295d 100644 --- a/.github/workflows/release_library.yml +++ b/.github/workflows/release_library.yml @@ -10,9 +10,24 @@ on: required: false jobs: release: - uses: getsentry/craft/.github/workflows/release.yml@v2 - with: - version: ${{ inputs.version }} - force: ${{ inputs.force }} - path: py - secrets: inherit + runs-on: ubuntu-latest + name: Release a new version + steps: + - name: Get auth token + id: token + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} + private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} + - uses: actions/checkout@v4 + with: + token: ${{ steps.token.outputs.token }} + fetch-depth: 0 + - name: Prepare release + uses: getsentry/craft@v2 + env: + GITHUB_TOKEN: ${{ steps.token.outputs.token }} + with: + version: ${{ inputs.version }} + force: ${{ inputs.force }} + path: py From e8766034f53122b9da127424589d90df202902a0 Mon Sep 17 00:00:00 2001 
From: Burak Yigit Kaya Date: Sat, 10 Jan 2026 00:20:32 +0000 Subject: [PATCH 04/22] fix: Pin actions to SHA and add permissions blocks --- .github/workflows/beta.yml | 2 +- .github/workflows/build_binary.yml | 8 ++++---- .github/workflows/build_library.yml | 6 +++--- .github/workflows/changelog-preview.yml | 4 ++++ .github/workflows/changelog.yml | 6 +++++- .github/workflows/ci.yml | 24 ++++++++++++------------ .github/workflows/deploy.yml | 4 ++-- .github/workflows/release_binary.yml | 10 +++++++--- .github/workflows/release_library.yml | 10 +++++++--- .github/workflows/validate-pipelines.yml | 4 ++-- 10 files changed, 47 insertions(+), 31 deletions(-) diff --git a/.github/workflows/beta.yml b/.github/workflows/beta.yml index 0eb277bd19f..057090e9bc8 100644 --- a/.github/workflows/beta.yml +++ b/.github/workflows/beta.yml @@ -22,7 +22,7 @@ jobs: - 6379:6379 steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 with: submodules: recursive diff --git a/.github/workflows/build_binary.yml b/.github/workflows/build_binary.yml index 571bdc7dcab..781d4f24211 100644 --- a/.github/workflows/build_binary.yml +++ b/.github/workflows/build_binary.yml @@ -26,7 +26,7 @@ jobs: apt-get update apt-get install -y --no-install-recommends git ca-certificates gcc libc6-dev curl make zip - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 with: submodules: recursive @@ -66,7 +66,7 @@ jobs: runs-on: ubuntu-22.04-arm steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 with: submodules: recursive @@ -100,7 +100,7 @@ jobs: runs-on: macos-14 steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 with: submodules: recursive 
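Review bot: `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1` replaces `@v6.0.1`, so the trailing comment names a different release from the tag being pinned. Either the comment or the SHA is wrong, and a wrong SHA would silently move every job to a different checkout release. Resolve the SHA from the `v6.0.1` tag of actions/checkout and write the comment as `# v6.0.1`. The same line recurs in the build_binary.yml, build_library.yml, changelog.yml, ci.yml, deploy.yml and validate-pipelines.yml hunks. The release_binary.yml and release_library.yml hunks have the same mismatch for `create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v2`, which replaces `@v1`.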
@@ -133,7 +133,7 @@ jobs: runs-on: windows-2022 steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 with: submodules: recursive diff --git a/.github/workflows/build_library.yml b/.github/workflows/build_library.yml index 68666393c11..a182759e877 100644 --- a/.github/workflows/build_library.yml +++ b/.github/workflows/build_library.yml @@ -28,7 +28,7 @@ jobs: }')[matrix.build-arch] }} steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 with: submodules: recursive @@ -70,7 +70,7 @@ jobs: runs-on: macos-14 steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 with: submodules: recursive @@ -117,7 +117,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 with: submodules: recursive diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml index 1ed1021302d..5883c004c07 100644 --- a/.github/workflows/changelog-preview.yml +++ b/.github/workflows/changelog-preview.yml @@ -7,6 +7,10 @@ on: - reopened - edited - labeled +permissions: + contents: write + pull-requests: write + jobs: changelog-preview: uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2 diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml index 7233483ebd0..1e9f8c738f0 100644 --- a/.github/workflows/changelog.yml +++ b/.github/workflows/changelog.yml 
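Review bot: In changelog-preview.yml the added workflow-level `permissions:` block grants `contents: write` to a `pull_request`-triggered workflow, and the context line `uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2` stays on a mutable tag despite the commit title. A preview that comments on the PR presumably needs `pull-requests: write` and only `contents: read`; confirm against the reusable workflow and narrow the grant, ideally at job level. Pin that `uses:` ref to a commit SHA like the other actions in this commit. The changelog.yml hunk adds the same write block to a workflow that also runs on `merge_group`.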
@@ -4,12 +4,16 @@ on: types: [opened, synchronize, reopened, edited, ready_for_review, labeled, unlabeled] merge_group: +permissions: + contents: write + pull-requests: write + jobs: build: name: Changelogs runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fcd6e2a2794..106588ec97c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -35,7 +35,7 @@ jobs: sudo apt-get update sudo apt-get install -y libcurl4-openssl-dev - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 with: submodules: recursive @@ -107,7 +107,7 @@ jobs: sudo apt-get update sudo apt-get install -y libcurl4-openssl-dev - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 with: submodules: recursive @@ -157,7 +157,7 @@ jobs: if: "!startsWith(github.ref, 'refs/heads/release-library/')" steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 with: submodules: recursive @@ -219,7 +219,7 @@ jobs: ghcr.io/getsentry/objectstore:nightly \ run - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 with: submodules: recursive @@ -250,7 +250,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 with: submodules: recursive @@ -365,7 +365,7 @@ jobs: run: | curl -sL https://sentry.io/get-cli/ | bash - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 with: submodules: recursive 
@@ -441,7 +441,7 @@ jobs: run: | curl -sL https://sentry.io/get-cli/ | bash - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 with: submodules: recursive @@ -506,7 +506,7 @@ jobs: REVISION: "${{ github.event.pull_request.head.sha || github.sha }}" steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 - uses: docker/setup-qemu-action@v3 - uses: docker/setup-buildx-action@v3 @@ -572,7 +572,7 @@ jobs: if: "!startsWith(github.ref, 'refs/heads/release-library/') && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' && needs.build-setup.outputs.full_ci == 'true'" steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 - uses: docker/setup-qemu-action@v3 - uses: docker/setup-buildx-action@v3 @@ -783,7 +783,7 @@ jobs: ghcr.io/getsentry/objectstore:nightly \ run - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 with: submodules: recursive @@ -832,7 +832,7 @@ jobs: steps: # Checkout Sentry and run integration tests against latest Relay - name: Checkout Sentry - uses: actions/checkout@v6.0.1 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 with: repository: getsentry/sentry path: sentry @@ -902,7 +902,7 @@ jobs: needs: devservices-files-changed if: needs.devservices-files-changed.outputs.devservices-files-changed == 'true' steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 name: Checkout repository - name: Get devservices version diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 14673a9b038..6b05e46354d 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
@@ -24,7 +24,7 @@ jobs: sudo apt-get update sudo apt-get install -y libcurl4-openssl-dev - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 with: submodules: recursive @@ -54,7 +54,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 - name: Install Rust Toolchain run: rustup toolchain install stable --profile minimal --no-self-update diff --git a/.github/workflows/release_binary.yml b/.github/workflows/release_binary.yml index 634b0876c92..a7f8a593904 100644 --- a/.github/workflows/release_binary.yml +++ b/.github/workflows/release_binary.yml @@ -10,6 +10,10 @@ on: required: false schedule: - cron: "0 17 15 * *" +permissions: + contents: write + pull-requests: write + jobs: release: runs-on: ubuntu-latest @@ -17,16 +21,16 @@ jobs: steps: - name: Get auth token id: token - uses: actions/create-github-app-token@v1 + uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v2 with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 - name: Prepare release - uses: getsentry/craft@v2 + uses: getsentry/craft@39ee616a6a58dc64797feecb145d66770492b66c # v2 env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: diff --git a/.github/workflows/release_library.yml b/.github/workflows/release_library.yml index 677279c295d..e89ff37a6b9 100644 --- a/.github/workflows/release_library.yml +++ b/.github/workflows/release_library.yml @@ -8,6 +8,10 @@ on: force: description: Force a release even when there are release-blockers required: false +permissions: + contents: write + pull-requests: write + jobs: release: runs-on: ubuntu-latest 
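Review bot: The `permissions:` block added to release_binary.yml and release_library.yml gives the default `GITHUB_TOKEN` both `contents: write` and `pull-requests: write`, yet every step visible in these hunks authenticates with the App token from `steps.token.outputs.token`. If nothing in the job uses the default token, `permissions: {}` or `contents: read` would remove a second write-capable credential from the release job. If Craft does need the default token, add a one-line comment above the block saying which scope is used for what. Both job bodies continue outside the hunks.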
@@ -15,16 +19,16 @@ jobs: steps: - name: Get auth token id: token - uses: actions/create-github-app-token@v1 + uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v2 with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 - name: Prepare release - uses: getsentry/craft@v2 + uses: getsentry/craft@39ee616a6a58dc64797feecb145d66770492b66c # v2 env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: diff --git a/.github/workflows/validate-pipelines.yml b/.github/workflows/validate-pipelines.yml index 19e72588639..fcfe079551a 100644 --- a/.github/workflows/validate-pipelines.yml +++ b/.github/workflows/validate-pipelines.yml @@ -17,7 +17,7 @@ jobs: outputs: gocd: ${{ steps.changes.outputs.gocd }} steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 - name: Check for relevant file changes uses: getsentry/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: changes @@ -39,7 +39,7 @@ jobs: id-token: "write" steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 - id: 'auth' uses: google-github-actions/auth@v3 with: From 3720f92c147d5501f24946f4a370f670d136bae2 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Sat, 10 Jan 2026 01:08:58 +0000 Subject: [PATCH 05/22] fix: Add calver: true configuration for CalVer releases --- .github/workflows/release_binary.yml | 46 ++++++++++++++++------------ 1 file changed, 26 insertions(+), 20 deletions(-) diff --git a/.github/workflows/release_binary.yml b/.github/workflows/release_binary.yml index a7f8a593904..bd0c6ac5c20 100644 --- a/.github/workflows/release_binary.yml +++ b/.github/workflows/release_binary.yml 
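Review bot: In validate-pipelines.yml the context line `uses: google-github-actions/auth@v3` stays on a mutable tag in a job that grants `id-token: "write"`, while the checkout step beside it is now pinned. That step can request the job's OIDC token, so it is the ref in this file that most needs a commit SHA; pin it with the tag in a trailing comment. The ci.yml hunks likewise leave `docker/setup-qemu-action@v3` and `docker/setup-buildx-action@v3` unpinned. The job body continues outside the hunk.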
@@ -3,13 +3,16 @@ on: workflow_dispatch: inputs: version: - description: Version to release (or "auto") + description: Version to release (optional) required: false force: description: Force a release even when there are release-blockers required: false schedule: - - cron: "0 17 15 * *" + # We want the release to be at 9-10am Pacific Time + # We also want it to be 1 hour before the on-prem release + - cron: "0 17 15 * *" + permissions: contents: write pull-requests: write @@ -17,22 +20,25 @@ permissions: jobs: release: runs-on: ubuntu-latest - name: Release a new version + name: Release a new Relay version steps: - - name: Get auth token - id: token - uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v2 - with: - app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} - private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2 - with: - token: ${{ steps.token.outputs.token }} - fetch-depth: 0 - - name: Prepare release - uses: getsentry/craft@39ee616a6a58dc64797feecb145d66770492b66c # v2 - env: - GITHUB_TOKEN: ${{ steps.token.outputs.token }} - with: - version: ${{ inputs.version }} - force: ${{ inputs.force }} + - name: Get auth token + id: token + uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1 + with: + app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} + private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} + + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + token: ${{ steps.token.outputs.token }} + fetch-depth: 0 + + - name: Prepare release + uses: getsentry/craft@39ee616a6a58dc64797feecb145d66770492b66c # v2 + env: + GITHUB_TOKEN: ${{ steps.token.outputs.token }} + with: + version: ${{ inputs.version }} + force: ${{ inputs.force }} + calver: true From 38dd030a1897813a583607f3cf29fd5b26b1d537 Mon Sep 17 00:00:00 2001 
From: Burak Yigit Kaya Date: Sat, 10 Jan 2026 01:21:17 +0000 Subject: [PATCH 06/22] fix: Use correct action version SHAs (restore original versions) --- .github/workflows/beta.yml | 2 +- .github/workflows/build_binary.yml | 8 ++++---- .github/workflows/build_library.yml | 6 +++--- .github/workflows/changelog.yml | 2 +- .github/workflows/ci.yml | 26 ++++++++++++------------ .github/workflows/deploy.yml | 4 ++-- .github/workflows/release_binary.yml | 4 ++-- .github/workflows/release_library.yml | 4 ++-- .github/workflows/validate-pipelines.yml | 4 ++-- 9 files changed, 30 insertions(+), 30 deletions(-) diff --git a/.github/workflows/beta.yml b/.github/workflows/beta.yml index 057090e9bc8..4383277806e 100644 --- a/.github/workflows/beta.yml +++ b/.github/workflows/beta.yml @@ -22,7 +22,7 @@ jobs: - 6379:6379 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 with: submodules: recursive diff --git a/.github/workflows/build_binary.yml b/.github/workflows/build_binary.yml index 781d4f24211..c3840e4ca50 100644 --- a/.github/workflows/build_binary.yml +++ b/.github/workflows/build_binary.yml @@ -26,7 +26,7 @@ jobs: apt-get update apt-get install -y --no-install-recommends git ca-certificates gcc libc6-dev curl make zip - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 with: submodules: recursive @@ -66,7 +66,7 @@ jobs: runs-on: ubuntu-22.04-arm steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 with: submodules: recursive 
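Review bot: The new pin lines carry stacked version comments, for example `actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1`. In the ci.yml hunk the same SHA was already labelled `# v4.1.7` and becomes `# v6 # v4.1.7`. A reviewer or an update bot reading that comment cannot tell which release is actually pinned. Keep one comment with the exact tag the SHA was resolved from, in the form `# vX.Y.Z`, and drop the stale suffixes. PATCH 07 changes only these comments, appending a further `# v6`, which suggests the pinning step is not idempotent and should be fixed before it is rerun.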
@@ -100,7 +100,7 @@ jobs: runs-on: macos-14 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 with: submodules: recursive @@ -133,7 +133,7 @@ jobs: runs-on: windows-2022 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 with: submodules: recursive diff --git a/.github/workflows/build_library.yml b/.github/workflows/build_library.yml index a182759e877..bee016c453d 100644 --- a/.github/workflows/build_library.yml +++ b/.github/workflows/build_library.yml @@ -28,7 +28,7 @@ jobs: }')[matrix.build-arch] }} steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 with: submodules: recursive @@ -70,7 +70,7 @@ jobs: runs-on: macos-14 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 with: submodules: recursive @@ -117,7 +117,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 with: submodules: recursive diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml index 1e9f8c738f0..1eb7a766123 100644 --- a/.github/workflows/changelog.yml +++ b/.github/workflows/changelog.yml @@ -13,7 +13,7 @@ jobs: name: Changelogs runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 106588ec97c..1ab60bfc83f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -35,7 +35,7 @@ jobs: sudo apt-get update sudo apt-get install -y libcurl4-openssl-dev - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 with: submodules: recursive @@ -107,7 +107,7 @@ jobs: sudo apt-get update sudo apt-get install -y libcurl4-openssl-dev - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 with: submodules: recursive @@ -128,7 +128,7 @@ jobs: outputs: devservices-files-changed: ${{ steps.changes.outputs.devservices-files-changed }} steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.7 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v4.1.7 - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 name: Check for file changes id: changes @@ -157,7 +157,7 @@ jobs: if: "!startsWith(github.ref, 'refs/heads/release-library/')" steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 with: submodules: recursive @@ -219,7 +219,7 @@ jobs: ghcr.io/getsentry/objectstore:nightly \ run - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 with: submodules: recursive @@ -250,7 +250,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 with: submodules: recursive 
@@ -365,7 +365,7 @@ jobs: run: | curl -sL https://sentry.io/get-cli/ | bash - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 with: submodules: recursive @@ -441,7 +441,7 @@ jobs: run: | curl -sL https://sentry.io/get-cli/ | bash - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 with: submodules: recursive @@ -506,7 +506,7 @@ jobs: REVISION: "${{ github.event.pull_request.head.sha || github.sha }}" steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 - uses: docker/setup-qemu-action@v3 - uses: docker/setup-buildx-action@v3 @@ -572,7 +572,7 @@ jobs: if: "!startsWith(github.ref, 'refs/heads/release-library/') && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' && needs.build-setup.outputs.full_ci == 'true'" steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 - uses: docker/setup-qemu-action@v3 - uses: docker/setup-buildx-action@v3 @@ -783,7 +783,7 @@ jobs: ghcr.io/getsentry/objectstore:nightly \ run - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 with: submodules: recursive @@ -832,7 +832,7 @@ jobs: steps: # Checkout Sentry and run integration tests against latest Relay - name: Checkout Sentry - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 with: repository: getsentry/sentry path: sentry 
@@ -902,7 +902,7 @@ jobs: needs: devservices-files-changed if: needs.devservices-files-changed.outputs.devservices-files-changed == 'true' steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 name: Checkout repository - name: Get devservices version diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 6b05e46354d..dbc048dae9a 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -24,7 +24,7 @@ jobs: sudo apt-get update sudo apt-get install -y libcurl4-openssl-dev - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 with: submodules: recursive @@ -54,7 +54,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 - name: Install Rust Toolchain run: rustup toolchain install stable --profile minimal --no-self-update diff --git a/.github/workflows/release_binary.yml b/.github/workflows/release_binary.yml index bd0c6ac5c20..5694be10fbe 100644 --- a/.github/workflows/release_binary.yml +++ b/.github/workflows/release_binary.yml @@ -24,12 +24,12 @@ jobs: steps: - name: Get auth token id: token - uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 # v1 with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v4 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 
diff --git a/.github/workflows/release_library.yml b/.github/workflows/release_library.yml index e89ff37a6b9..7492320bb85 100644 --- a/.github/workflows/release_library.yml +++ b/.github/workflows/release_library.yml @@ -19,11 +19,11 @@ jobs: steps: - name: Get auth token id: token - uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 # v2 with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 diff --git a/.github/workflows/validate-pipelines.yml b/.github/workflows/validate-pipelines.yml index fcfe079551a..bbe30644c68 100644 --- a/.github/workflows/validate-pipelines.yml +++ b/.github/workflows/validate-pipelines.yml @@ -17,7 +17,7 @@ jobs: outputs: gocd: ${{ steps.changes.outputs.gocd }} steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 - name: Check for relevant file changes uses: getsentry/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: changes @@ -39,7 +39,7 @@ jobs: id-token: "write" steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 - id: 'auth' uses: google-github-actions/auth@v3 with: From 4dc3375749f9ca54c363a02090962958ea88e1a5 Mon Sep 17 00:00:00 2001 
From: Burak Yigit Kaya Date: Sat, 10 Jan 2026 01:50:19 +0000 Subject: [PATCH 07/22] fix: Use correct action version SHAs (restore original versions) --- .github/workflows/beta.yml | 2 +- .github/workflows/build_binary.yml | 8 ++++---- .github/workflows/build_library.yml | 6 +++--- .github/workflows/changelog.yml | 2 +- .github/workflows/ci.yml | 26 ++++++++++++------------ .github/workflows/deploy.yml | 4 ++-- .github/workflows/release_binary.yml | 4 ++-- .github/workflows/release_library.yml | 4 ++-- .github/workflows/validate-pipelines.yml | 4 ++-- 9 files changed, 30 insertions(+), 30 deletions(-) diff --git a/.github/workflows/beta.yml b/.github/workflows/beta.yml index 4383277806e..2a2f9a855b3 100644 --- a/.github/workflows/beta.yml +++ b/.github/workflows/beta.yml @@ -22,7 +22,7 @@ jobs: - 6379:6379 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 with: submodules: recursive diff --git a/.github/workflows/build_binary.yml b/.github/workflows/build_binary.yml index c3840e4ca50..fb7365c7197 100644 --- a/.github/workflows/build_binary.yml +++ b/.github/workflows/build_binary.yml @@ -26,7 +26,7 @@ jobs: apt-get update apt-get install -y --no-install-recommends git ca-certificates gcc libc6-dev curl make zip - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 with: submodules: recursive @@ -66,7 +66,7 @@ jobs: runs-on: ubuntu-22.04-arm steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 with: submodules: recursive 
@@ -100,7 +100,7 @@ jobs: runs-on: macos-14 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 with: submodules: recursive @@ -133,7 +133,7 @@ jobs: runs-on: windows-2022 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 with: submodules: recursive diff --git a/.github/workflows/build_library.yml b/.github/workflows/build_library.yml index bee016c453d..f1e498e452f 100644 --- a/.github/workflows/build_library.yml +++ b/.github/workflows/build_library.yml @@ -28,7 +28,7 @@ jobs: }')[matrix.build-arch] }} steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 with: submodules: recursive @@ -70,7 +70,7 @@ jobs: runs-on: macos-14 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 with: submodules: recursive @@ -117,7 +117,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 with: submodules: recursive diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml index 1eb7a766123..5828e89ceb9 100644 --- a/.github/workflows/changelog.yml +++ b/.github/workflows/changelog.yml 
@@ -13,7 +13,7 @@ jobs: name: Changelogs runs-on: ubuntu-latest steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1ab60bfc83f..4112254337d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -35,7 +35,7 @@ jobs: sudo apt-get update sudo apt-get install -y libcurl4-openssl-dev - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 with: submodules: recursive @@ -107,7 +107,7 @@ jobs: sudo apt-get update sudo apt-get install -y libcurl4-openssl-dev - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 with: submodules: recursive @@ -128,7 +128,7 @@ jobs: outputs: devservices-files-changed: ${{ steps.changes.outputs.devservices-files-changed }} steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v4.1.7 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v4.1.7 - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 name: Check for file changes id: changes @@ -157,7 +157,7 @@ jobs: if: "!startsWith(github.ref, 'refs/heads/release-library/')" steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 with: submodules: recursive 
@@ -219,7 +219,7 @@ jobs: ghcr.io/getsentry/objectstore:nightly \ run - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 with: submodules: recursive @@ -250,7 +250,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 with: submodules: recursive @@ -365,7 +365,7 @@ jobs: run: | curl -sL https://sentry.io/get-cli/ | bash - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 with: submodules: recursive @@ -441,7 +441,7 @@ jobs: run: | curl -sL https://sentry.io/get-cli/ | bash - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 with: submodules: recursive @@ -506,7 +506,7 @@ jobs: REVISION: "${{ github.event.pull_request.head.sha || github.sha }}" steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 - uses: docker/setup-qemu-action@v3 - uses: docker/setup-buildx-action@v3 @@ -572,7 +572,7 @@ jobs: if: "!startsWith(github.ref, 'refs/heads/release-library/') && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' && needs.build-setup.outputs.full_ci == 'true'" steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 - uses: docker/setup-qemu-action@v3 - uses: docker/setup-buildx-action@v3 
@@ -783,7 +783,7 @@ jobs: ghcr.io/getsentry/objectstore:nightly \ run - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 with: submodules: recursive @@ -832,7 +832,7 @@ jobs: steps: # Checkout Sentry and run integration tests against latest Relay - name: Checkout Sentry - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 with: repository: getsentry/sentry path: sentry @@ -902,7 +902,7 @@ jobs: needs: devservices-files-changed if: needs.devservices-files-changed.outputs.devservices-files-changed == 'true' steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 name: Checkout repository - name: Get devservices version diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index dbc048dae9a..6f64200f3bb 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -24,7 +24,7 @@ jobs: sudo apt-get update sudo apt-get install -y libcurl4-openssl-dev - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 with: submodules: recursive @@ -54,7 +54,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 - name: Install Rust Toolchain run: rustup toolchain install stable --profile minimal --no-self-update diff --git a/.github/workflows/release_binary.yml b/.github/workflows/release_binary.yml index 5694be10fbe..2535e83b8fb 100644 --- a/.github/workflows/release_binary.yml +++ b/.github/workflows/release_binary.yml 
@@ -24,12 +24,12 @@ jobs: steps: - name: Get auth token id: token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 # v1 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 # v2 # v1 with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v4 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 diff --git a/.github/workflows/release_library.yml b/.github/workflows/release_library.yml index 7492320bb85..64c500b1f5c 100644 --- a/.github/workflows/release_library.yml +++ b/.github/workflows/release_library.yml @@ -19,11 +19,11 @@ jobs: steps: - name: Get auth token id: token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 # v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 # v2 # v2 with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 diff --git a/.github/workflows/validate-pipelines.yml b/.github/workflows/validate-pipelines.yml index bbe30644c68..01d2ad2d1da 100644 --- a/.github/workflows/validate-pipelines.yml +++ b/.github/workflows/validate-pipelines.yml 
@@ -17,7 +17,7 @@ jobs: outputs: gocd: ${{ steps.changes.outputs.gocd }} steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 - name: Check for relevant file changes uses: getsentry/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: changes @@ -39,7 +39,7 @@ jobs: id-token: "write" steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 - id: 'auth' uses: google-github-actions/auth@v3 with: From bc1ec1a68c39f79c7bf966234c1a669d8c9ae53b Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Mon, 12 Jan 2026 12:16:53 +0000 Subject: [PATCH 08/22] fix: Clean up action version comments --- .github/workflows/beta.yml | 2 +- .github/workflows/build_binary.yml | 8 ++++---- .github/workflows/build_library.yml | 6 +++--- .github/workflows/changelog.yml | 2 +- .github/workflows/ci.yml | 26 ++++++++++++------------ .github/workflows/deploy.yml | 4 ++-- .github/workflows/release_binary.yml | 4 ++-- .github/workflows/release_library.yml | 4 ++-- .github/workflows/validate-pipelines.yml | 4 ++-- 9 files changed, 30 insertions(+), 30 deletions(-) diff --git a/.github/workflows/beta.yml b/.github/workflows/beta.yml index 2a2f9a855b3..5234c79917a 100644 --- a/.github/workflows/beta.yml +++ b/.github/workflows/beta.yml @@ -22,7 +22,7 @@ jobs: - 6379:6379 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive diff --git a/.github/workflows/build_binary.yml b/.github/workflows/build_binary.yml index fb7365c7197..dda78b11a9c 100644 --- a/.github/workflows/build_binary.yml +++ b/.github/workflows/build_binary.yml 
@@ -26,7 +26,7 @@ jobs: apt-get update apt-get install -y --no-install-recommends git ca-certificates gcc libc6-dev curl make zip - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive @@ -66,7 +66,7 @@ jobs: runs-on: ubuntu-22.04-arm steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive @@ -100,7 +100,7 @@ jobs: runs-on: macos-14 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive @@ -133,7 +133,7 @@ jobs: runs-on: windows-2022 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive diff --git a/.github/workflows/build_library.yml b/.github/workflows/build_library.yml index f1e498e452f..2ce456502ce 100644 --- a/.github/workflows/build_library.yml +++ b/.github/workflows/build_library.yml @@ -28,7 +28,7 @@ jobs: }')[matrix.build-arch] }} steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive @@ -70,7 +70,7 @@ jobs: runs-on: macos-14 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive 
@@ -117,7 +117,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml index 5828e89ceb9..0d3d210bb8e 100644 --- a/.github/workflows/changelog.yml +++ b/.github/workflows/changelog.yml @@ -13,7 +13,7 @@ jobs: name: Changelogs runs-on: ubuntu-latest steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4112254337d..e361a74e4f6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -35,7 +35,7 @@ jobs: sudo apt-get update sudo apt-get install -y libcurl4-openssl-dev - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive @@ -107,7 +107,7 @@ jobs: sudo apt-get update sudo apt-get install -y libcurl4-openssl-dev - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive @@ -128,7 +128,7 @@ jobs: outputs: devservices-files-changed: ${{ steps.changes.outputs.devservices-files-changed }} steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v4.1.7 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.1.7 - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 name: Check for file changes id: changes 
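Review bot: The ci.yml hunk at `@@ -128,7 +128,7 @@` rewrites the pin comment to `# v6.1.7`, which looks like a splice of the old `# v6` and `# v4.1.7` labels rather than a real release. Every other hunk in this patch labels the same SHA as `# v6.0.1`. If the SHA does resolve to that tag upstream, the line should read `- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1`. Patch 18/22 later changes this comment to `# v4.1.7` while keeping the same SHA, which mislabels the pin in the other direction. The job containing this step begins outside the hunk.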
@@ -157,7 +157,7 @@ jobs: if: "!startsWith(github.ref, 'refs/heads/release-library/')" steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive @@ -219,7 +219,7 @@ jobs: ghcr.io/getsentry/objectstore:nightly \ run - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive @@ -250,7 +250,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive @@ -365,7 +365,7 @@ jobs: run: | curl -sL https://sentry.io/get-cli/ | bash - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive @@ -441,7 +441,7 @@ jobs: run: | curl -sL https://sentry.io/get-cli/ | bash - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive @@ -506,7 +506,7 @@ jobs: REVISION: "${{ github.event.pull_request.head.sha || github.sha }}" steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - uses: docker/setup-qemu-action@v3 - uses: docker/setup-buildx-action@v3 
@@ -572,7 +572,7 @@ jobs: if: "!startsWith(github.ref, 'refs/heads/release-library/') && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' && needs.build-setup.outputs.full_ci == 'true'" steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - uses: docker/setup-qemu-action@v3 - uses: docker/setup-buildx-action@v3 @@ -783,7 +783,7 @@ jobs: ghcr.io/getsentry/objectstore:nightly \ run - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive @@ -832,7 +832,7 @@ jobs: steps: # Checkout Sentry and run integration tests against latest Relay - name: Checkout Sentry - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: repository: getsentry/sentry path: sentry @@ -902,7 +902,7 @@ jobs: needs: devservices-files-changed if: needs.devservices-files-changed.outputs.devservices-files-changed == 'true' steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 name: Checkout repository - name: Get devservices version diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 6f64200f3bb..64c4acea407 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -24,7 +24,7 @@ jobs: sudo apt-get update sudo apt-get install -y libcurl4-openssl-dev - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: recursive 
@@ -54,7 +54,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Install Rust Toolchain run: rustup toolchain install stable --profile minimal --no-self-update diff --git a/.github/workflows/release_binary.yml b/.github/workflows/release_binary.yml index 2535e83b8fb..4052e8e48f9 100644 --- a/.github/workflows/release_binary.yml +++ b/.github/workflows/release_binary.yml @@ -24,12 +24,12 @@ jobs: steps: - name: Get auth token id: token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 # v2 # v1 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 diff --git a/.github/workflows/release_library.yml b/.github/workflows/release_library.yml index 64c500b1f5c..6f27dc48458 100644 --- a/.github/workflows/release_library.yml +++ b/.github/workflows/release_library.yml @@ -19,11 +19,11 @@ jobs: steps: - name: Get auth token id: token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 # v2 # v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 
diff --git a/.github/workflows/validate-pipelines.yml b/.github/workflows/validate-pipelines.yml index 01d2ad2d1da..6f99d9ab786 100644 --- a/.github/workflows/validate-pipelines.yml +++ b/.github/workflows/validate-pipelines.yml @@ -17,7 +17,7 @@ jobs: outputs: gocd: ${{ steps.changes.outputs.gocd }} steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Check for relevant file changes uses: getsentry/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: changes @@ -39,7 +39,7 @@ jobs: id-token: "write" steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # v6 # v2.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - id: 'auth' uses: google-github-actions/auth@v3 with: From 32733fe4d08339e82f010a30597015e2e62ace71 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 22:43:48 +0000 Subject: [PATCH 09/22] Update Craft SHA to 1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce --- .github/workflows/release_binary.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release_binary.yml b/.github/workflows/release_binary.yml index 4052e8e48f9..e24bcc024d4 100644 --- a/.github/workflows/release_binary.yml +++ b/.github/workflows/release_binary.yml @@ -35,7 +35,7 @@ jobs: fetch-depth: 0 - name: Prepare release - uses: getsentry/craft@39ee616a6a58dc64797feecb145d66770492b66c # v2 + uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v2 env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: From 630e2892b22284a46e431b7cde461de1fd20d883 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 22:43:50 +0000 Subject: [PATCH 10/22] Update Craft SHA to 1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce --- .github/workflows/release_library.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/release_library.yml b/.github/workflows/release_library.yml index 6f27dc48458..8e4787072ee 100644 --- a/.github/workflows/release_library.yml +++ b/.github/workflows/release_library.yml @@ -28,7 +28,7 @@ jobs: token: ${{ steps.token.outputs.token }} fetch-depth: 0 - name: Prepare release - uses: getsentry/craft@39ee616a6a58dc64797feecb145d66770492b66c # v2 + uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v2 env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: From 60fdab71c108a1136847c7ce636c5c588c04f6c0 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 22:58:39 +0000 Subject: [PATCH 11/22] Remove changelog-preview workflow per review feedback --- .github/workflows/changelog-preview.yml | 17 ----------------- 1 file changed, 17 deletions(-) delete mode 100644 .github/workflows/changelog-preview.yml diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml deleted file mode 100644 index 5883c004c07..00000000000 --- a/.github/workflows/changelog-preview.yml +++ /dev/null @@ -1,17 +0,0 @@ -name: Changelog Preview -on: - pull_request: - types: - - opened - - synchronize - - reopened - - edited - - labeled -permissions: - contents: write - pull-requests: write - -jobs: - changelog-preview: - uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2 - secrets: inherit From d13a73d05eda1a19fe456fc95d569f2d51fc0b54 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:01:30 +0000 Subject: [PATCH 12/22] Add explicit permissions block to build_binary.yml --- .github/workflows/build_binary.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/build_binary.yml b/.github/workflows/build_binary.yml index dda78b11a9c..4de8018f6f6 100644 --- a/.github/workflows/build_binary.yml +++ b/.github/workflows/build_binary.yml 
@@ -9,6 +9,10 @@ env: CARGO_TERM_COLOR: always RELAY_CARGO_ARGS: "--locked" +permissions: + contents: write + pull-requests: write + jobs: linux: name: Linux From 904e96dd34cc812b56ade75792c67ed25727fc4d Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:01:32 +0000 Subject: [PATCH 13/22] Add explicit permissions block to build_library.yml --- .github/workflows/build_library.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/build_library.yml b/.github/workflows/build_library.yml index 2ce456502ce..1364998ecc2 100644 --- a/.github/workflows/build_library.yml +++ b/.github/workflows/build_library.yml @@ -10,6 +10,10 @@ env: CARGO_TERM_COLOR: always RELAY_CARGO_ARGS: "--locked" +permissions: + contents: write + pull-requests: write + jobs: linux: timeout-minutes: 30 From f1b80cdf7fe0145d163c08f4796cd864177f10c8 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:01:34 +0000 Subject: [PATCH 14/22] Add explicit permissions block to ci.yml --- .github/workflows/ci.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e361a74e4f6..3d5054042fb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,6 +20,10 @@ env: RELAY_CARGO_ARGS: "--locked" IS_MASTER: "${{ github.event_name == 'merge_group' }}" +permissions: + contents: write + pull-requests: write + jobs: lint: needs: build-setup From adbad65aec31a660e9cc9ebe0e9ebc7627a41401 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:01:35 +0000 Subject: [PATCH 15/22] Add explicit permissions block to enforce-license-compliance.yml --- .github/workflows/enforce-license-compliance.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/enforce-license-compliance.yml b/.github/workflows/enforce-license-compliance.yml index 39301174f65..a88ffa6a167 100644 --- a/.github/workflows/enforce-license-compliance.yml 
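Review bot: The workflow-level `permissions:` block added to build_binary.yml gives the GITHUB_TOKEN of every job in the file `contents: write` and `pull-requests: write`, and patches 13–15 add the identical block to build_library.yml, ci.yml and enforce-license-compliance.yml. Nothing in these hunks shows a build, lint or license-check job that needs to push commits or edit pull requests, and ci.yml appears to run on pull-request events (it reads `github.event.pull_request.head.sha`), so every step and third-party action in those jobs would hold a write-scoped token. Prefer a read-only default at the top, `permissions:` with `contents: read`, plus a job-level `permissions:` block on only the job that actually writes. The job definitions lie outside the hunks, so the scopes each job uses need to be confirmed per job.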
+++ b/.github/workflows/enforce-license-compliance.yml @@ -11,6 +11,10 @@ on: branches: [master] merge_group: +permissions: + contents: write + pull-requests: write + jobs: enforce-license-compliance: runs-on: ubuntu-latest From 90df28ae9466a2fd76e9bfbe8bff81f5f129f664 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:13:10 +0000 Subject: [PATCH 16/22] Revert permissions changes to build_binary.yml --- .github/workflows/build_binary.yml | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build_binary.yml b/.github/workflows/build_binary.yml index 4de8018f6f6..571bdc7dcab 100644 --- a/.github/workflows/build_binary.yml +++ b/.github/workflows/build_binary.yml @@ -9,10 +9,6 @@ env: CARGO_TERM_COLOR: always RELAY_CARGO_ARGS: "--locked" -permissions: - contents: write - pull-requests: write - jobs: linux: name: Linux @@ -30,7 +26,7 @@ jobs: apt-get update apt-get install -y --no-install-recommends git ca-certificates gcc libc6-dev curl make zip - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@v6.0.1 with: submodules: recursive @@ -70,7 +66,7 @@ jobs: runs-on: ubuntu-22.04-arm steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@v6.0.1 with: submodules: recursive @@ -104,7 +100,7 @@ jobs: runs-on: macos-14 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@v6.0.1 with: submodules: recursive @@ -137,7 +133,7 @@ jobs: runs-on: windows-2022 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@v6.0.1 with: submodules: recursive From 522251b333fa5f469d7de3c7b17be0c617052064 Mon Sep 17 00:00:00 2001 
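Review bot: Besides removing the `permissions:` block, the build_binary.yml hunks of patch 16 replace the SHA-pinned `actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1` with `actions/checkout@v6.0.1`, which the subject line does not mention. A tag is a mutable ref, so the workflow runs whatever commit the tag points to at run time. If the intent is only to undo the permissions change, keep `- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1`. The same substitution appears in patches 17, 18 and 20 (build_library.yml, ci.yml, beta.yml, changelog.yml). If the base branch already used the tag form this is a faithful revert, but the decision to drop pinning should then be stated in the commit message.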
From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:13:12 +0000 Subject: [PATCH 17/22] Revert permissions changes to build_library.yml --- .github/workflows/build_library.yml | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build_library.yml b/.github/workflows/build_library.yml index 1364998ecc2..68666393c11 100644 --- a/.github/workflows/build_library.yml +++ b/.github/workflows/build_library.yml @@ -10,10 +10,6 @@ env: CARGO_TERM_COLOR: always RELAY_CARGO_ARGS: "--locked" -permissions: - contents: write - pull-requests: write - jobs: linux: timeout-minutes: 30 @@ -32,7 +28,7 @@ jobs: }')[matrix.build-arch] }} steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@v6.0.1 with: submodules: recursive @@ -74,7 +70,7 @@ jobs: runs-on: macos-14 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@v6.0.1 with: submodules: recursive @@ -121,7 +117,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@v6.0.1 with: submodules: recursive From 364cb0b0b0fffd349fc703605a4cc2d6e634422c Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:13:15 +0000 Subject: [PATCH 18/22] Revert permissions changes to ci.yml --- .github/workflows/ci.yml | 30 +++++++++++++----------------- 1 file changed, 13 insertions(+), 17 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3d5054042fb..fcd6e2a2794 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,10 +20,6 @@ env: RELAY_CARGO_ARGS: "--locked" IS_MASTER: "${{ github.event_name == 'merge_group' }}" -permissions: - contents: write - pull-requests: write - jobs: lint: needs: build-setup 
@@ -39,7 +35,7 @@ jobs: sudo apt-get update sudo apt-get install -y libcurl4-openssl-dev - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@v6.0.1 with: submodules: recursive @@ -111,7 +107,7 @@ jobs: sudo apt-get update sudo apt-get install -y libcurl4-openssl-dev - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@v6.0.1 with: submodules: recursive @@ -132,7 +128,7 @@ jobs: outputs: devservices-files-changed: ${{ steps.changes.outputs.devservices-files-changed }} steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.1.7 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.7 - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 name: Check for file changes id: changes @@ -161,7 +157,7 @@ jobs: if: "!startsWith(github.ref, 'refs/heads/release-library/')" steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@v6.0.1 with: submodules: recursive @@ -223,7 +219,7 @@ jobs: ghcr.io/getsentry/objectstore:nightly \ run - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@v6.0.1 with: submodules: recursive @@ -254,7 +250,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@v6.0.1 with: submodules: recursive @@ -369,7 +365,7 @@ jobs: run: | curl -sL https://sentry.io/get-cli/ | bash - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@v6.0.1 with: submodules: recursive @@ -445,7 +441,7 @@ jobs: run: | curl -sL https://sentry.io/get-cli/ | bash - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@v6.0.1 with: submodules: recursive 
@@ -510,7 +506,7 @@ jobs: REVISION: "${{ github.event.pull_request.head.sha || github.sha }}" steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@v6.0.1 - uses: docker/setup-qemu-action@v3 - uses: docker/setup-buildx-action@v3 @@ -576,7 +572,7 @@ jobs: if: "!startsWith(github.ref, 'refs/heads/release-library/') && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' && needs.build-setup.outputs.full_ci == 'true'" steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@v6.0.1 - uses: docker/setup-qemu-action@v3 - uses: docker/setup-buildx-action@v3 @@ -787,7 +783,7 @@ jobs: ghcr.io/getsentry/objectstore:nightly \ run - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@v6.0.1 with: submodules: recursive @@ -836,7 +832,7 @@ jobs: steps: # Checkout Sentry and run integration tests against latest Relay - name: Checkout Sentry - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@v6.0.1 with: repository: getsentry/sentry path: sentry @@ -906,7 +902,7 @@ jobs: needs: devservices-files-changed if: needs.devservices-files-changed.outputs.devservices-files-changed == 'true' steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@v6.0.1 name: Checkout repository - name: Get devservices version From ae8fa2050ff6184d2dcf0b44117d39c8642da0f7 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:13:18 +0000 Subject: [PATCH 19/22] Revert permissions changes to enforce-license-compliance.yml --- .github/workflows/enforce-license-compliance.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/enforce-license-compliance.yml b/.github/workflows/enforce-license-compliance.yml index a88ffa6a167..39301174f65 100644 
--- a/.github/workflows/enforce-license-compliance.yml +++ b/.github/workflows/enforce-license-compliance.yml @@ -11,10 +11,6 @@ on: branches: [master] merge_group: -permissions: - contents: write - pull-requests: write - jobs: enforce-license-compliance: runs-on: ubuntu-latest From f8662113a8a020cba753996bdb63bc186edff47e Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:58:15 +0000 Subject: [PATCH 20/22] fix: revert extraneous changes to non-release workflow files --- .github/workflows/beta.yml | 2 +- .github/workflows/changelog.yml | 6 +-- .github/workflows/deploy.yml | 4 +- .github/workflows/release_binary.yml | 21 +++++----- .github/workflows/release_library.yml | 51 ++++++++++++------------ .github/workflows/validate-pipelines.yml | 4 +- 6 files changed, 42 insertions(+), 46 deletions(-) diff --git a/.github/workflows/beta.yml b/.github/workflows/beta.yml index 5234c79917a..0eb277bd19f 100644 --- a/.github/workflows/beta.yml +++ b/.github/workflows/beta.yml @@ -22,7 +22,7 @@ jobs: - 6379:6379 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@v6.0.1 with: submodules: recursive diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml index 0d3d210bb8e..7233483ebd0 100644 --- a/.github/workflows/changelog.yml +++ b/.github/workflows/changelog.yml @@ -4,16 +4,12 @@ on: types: [opened, synchronize, reopened, edited, ready_for_review, labeled, unlabeled] merge_group: -permissions: - contents: write - pull-requests: write - jobs: build: name: Changelogs runs-on: ubuntu-latest steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@v6.0.1 - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 64c4acea407..14673a9b038 100644 --- a/.github/workflows/deploy.yml 
+++ b/.github/workflows/deploy.yml @@ -24,7 +24,7 @@ jobs: sudo apt-get update sudo apt-get install -y libcurl4-openssl-dev - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@v6.0.1 with: submodules: recursive @@ -54,7 +54,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@v6.0.1 - name: Install Rust Toolchain run: rustup toolchain install stable --profile minimal --no-self-update diff --git a/.github/workflows/release_binary.yml b/.github/workflows/release_binary.yml index e24bcc024d4..745d5731edf 100644 --- a/.github/workflows/release_binary.yml +++ b/.github/workflows/release_binary.yml @@ -1,4 +1,5 @@ name: Release + on: workflow_dispatch: inputs: 
@@ -6,39 +7,37 @@ on: description: Version to release (optional) required: false force: - description: Force a release even when there are release-blockers + description: Force a release even when there are release-blockers (optional) required: false + schedule: # We want the release to be at 9-10am Pacific Time # We also want it to be 1 hour before the on-prem release - cron: "0 17 15 * *" -permissions: - contents: write - pull-requests: write - jobs: release: runs-on: ubuntu-latest - name: Release a new Relay version + name: "Release a new Relay version" + steps: - name: Get auth token id: token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + - uses: actions/checkout@v6.0.1 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 - name: Prepare release - uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v2 + uses: getsentry/action-prepare-release@v1 env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: - version: ${{ inputs.version }} - force: ${{ inputs.force }} + version: ${{ github.event.inputs.version }} + force: ${{ github.event.inputs.force }} calver: true diff --git a/.github/workflows/release_library.yml b/.github/workflows/release_library.yml index 8e4787072ee..1389553307f 100644 --- a/.github/workflows/release_library.yml +++ b/.github/workflows/release_library.yml 
@@ -1,37 +1,38 @@ name: Release Library + on: workflow_dispatch: inputs: version: - description: Version to release (or "auto") - required: false + description: Version to release + required: true force: - description: Force a release even when there are release-blockers + description: Force a release even when there are release-blockers (optional) required: false -permissions: - contents: write - pull-requests: write jobs: release: runs-on: ubuntu-latest - name: Release a new version + name: "Release a new librelay version" + steps: - - name: Get auth token - id: token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 - with: - app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} - private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 - with: - token: ${{ steps.token.outputs.token }} - fetch-depth: 0 - - name: Prepare release - uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v2 - env: - GITHUB_TOKEN: ${{ steps.token.outputs.token }} - with: - version: ${{ inputs.version }} - force: ${{ inputs.force }} - path: py + - name: Get auth token + id: token + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + with: + app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} + private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} + + - uses: actions/checkout@v6.0.1 + with: + token: ${{ steps.token.outputs.token }} + fetch-depth: 0 + + - name: Prepare release + uses: getsentry/action-prepare-release@v1 + env: + GITHUB_TOKEN: ${{ steps.token.outputs.token }} + with: + version: ${{ github.event.inputs.version }} + force: ${{ github.event.inputs.force }} + path: py diff --git a/.github/workflows/validate-pipelines.yml b/.github/workflows/validate-pipelines.yml index 6f99d9ab786..19e72588639 100644 --- a/.github/workflows/validate-pipelines.yml +++ b/.github/workflows/validate-pipelines.yml 
@@ -17,7 +17,7 @@ jobs: outputs: gocd: ${{ steps.changes.outputs.gocd }} steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@v6.0.1 - name: Check for relevant file changes uses: getsentry/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: changes @@ -39,7 +39,7 @@ jobs: id-token: "write" steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@v6.0.1 - id: 'auth' uses: google-github-actions/auth@v3 with: From c47299ac96360ab55961a150d533981eabe9c121 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Wed, 14 Jan 2026 11:47:08 +0000 Subject: [PATCH 21/22] build(craft): Fix release workflows and config --- .craft.yml | 93 +++++++++++++-------------- .github/workflows/release_binary.yml | 3 +- .github/workflows/release_library.yml | 2 +- 3 files changed, 48 insertions(+), 50 deletions(-) diff --git a/.craft.yml b/.craft.yml index 46294a49478..774e1cdb3ea 100644 --- a/.craft.yml +++ b/.craft.yml 
@@ -1,55 +1,54 @@ -minVersion: "2.15.0" +minVersion: 2.18.0 changelog: policy: auto - statusProvider: name: github config: contexts: - - "Build Docker Image (relay)" - + - Build Docker Image (relay) targets: - - name: github - - name: registry - apps: - app:relay: - urlTemplate: https://downloads.sentry-cdn.com/relay/{{version}}/{{file}} - includeNames: /^relay-(Darwin|Linux|Windows).*$/i - - name: gcs - bucket: sentry-sdk-assets - includeNames: /^relay-(Darwin|Windows|Linux).*$/ - paths: - - path: /relay/{{version}}/ - metadata: - cacheControl: public, max-age=2592000 - - path: /relay/latest/ - metadata: - cacheControl: public, max-age=600 - - id: release - name: docker - source: ghcr.io/getsentry/relay - target: ghcr.io/getsentry/relay - - id: release-dockerhub - name: docker - source: ghcr.io/getsentry/relay - target: getsentry/relay - - id: latest - name: docker - source: ghcr.io/getsentry/relay - target: ghcr.io/getsentry/relay - targetFormat: "{{{target}}}:latest" - - id: latest - name: docker - source: ghcr.io/getsentry/relay - target: getsentry/relay - targetFormat: "{{{target}}}:latest" - +- name: github +- name: registry + apps: + app:relay: + urlTemplate: https://downloads.sentry-cdn.com/relay/{{version}}/{{file}} + includeNames: /^relay-(Darwin|Linux|Windows).*$/i +- name: gcs + bucket: sentry-sdk-assets + includeNames: /^relay-(Darwin|Windows|Linux).*$/ + paths: + - path: /relay/{{version}}/ + metadata: + cacheControl: public, max-age=2592000 + - path: /relay/latest/ + metadata: + cacheControl: public, max-age=600 +- id: release + name: docker + source: ghcr.io/getsentry/relay + target: ghcr.io/getsentry/relay +- id: release-dockerhub + name: docker + source: ghcr.io/getsentry/relay + target: getsentry/relay +- id: latest + name: docker + source: ghcr.io/getsentry/relay + target: ghcr.io/getsentry/relay + targetFormat: '{{{target}}}:latest' +- id: latest + name: docker + source: ghcr.io/getsentry/relay + target: getsentry/relay + targetFormat: 
'{{{target}}}:latest' requireNames: - - /^relay-Darwin-x86_64$/ - - /^relay-Darwin-x86_64-dsym.zip$/ - - /^relay-Linux-x86_64$/ - - /^relay-Linux-x86_64-debug.zip$/ - - /^relay-Linux-aarch64$/ - - /^relay-Linux-aarch64-debug.zip$/ - - /^relay-Windows-x86_64-pdb.zip$/ - - /^relay-Windows-x86_64\.exe$/ +- /^relay-Darwin-x86_64$/ +- /^relay-Darwin-x86_64-dsym.zip$/ +- /^relay-Linux-x86_64$/ +- /^relay-Linux-x86_64-debug.zip$/ +- /^relay-Linux-aarch64$/ +- /^relay-Linux-aarch64-debug.zip$/ +- /^relay-Windows-x86_64-pdb.zip$/ +- /^relay-Windows-x86_64\.exe$/ +versioning: + policy: calver diff --git a/.github/workflows/release_binary.yml b/.github/workflows/release_binary.yml index 745d5731edf..d356916ac01 100644 --- a/.github/workflows/release_binary.yml +++ b/.github/workflows/release_binary.yml @@ -34,10 +34,9 @@ jobs: fetch-depth: 0 - name: Prepare release - uses: getsentry/action-prepare-release@v1 + uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: version: ${{ github.event.inputs.version }} force: ${{ github.event.inputs.force }} - calver: true diff --git a/.github/workflows/release_library.yml b/.github/workflows/release_library.yml index 1389553307f..96928e89e8c 100644 --- a/.github/workflows/release_library.yml +++ b/.github/workflows/release_library.yml @@ -29,7 +29,7 @@ jobs: fetch-depth: 0 - name: Prepare release - uses: getsentry/action-prepare-release@v1 + uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: From 1b3f60db9d1ede172f7d53b5789c1ca0ef49c7cf Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Wed, 14 Jan 2026 12:29:19 +0000 Subject: [PATCH 22/22] build(craft): Update Craft action to c6e2f04 --- .github/workflows/release_binary.yml | 2 +- .github/workflows/release_library.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
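Review bot: The re-added `requireNames` entries in .craft.yml escape the dot only in `/^relay-Windows-x86_64\.exe$/`; in the `dsym.zip`, `debug.zip` and `pdb.zip` patterns the bare `.` matches any character, so the required-artifact check is looser than the file names it is meant to pin. Since the hunk rewrites every one of these lines anyway, write them as e.g. `- /^relay-Darwin-x86_64-dsym\.zip$/`. Separately, the whole-file re-indentation and dropped quotes bury the two substantive changes (the `minVersion` bump and the new `versioning: policy: calver`), and keeping the original layout would make a release-config change like this much easier to audit.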
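Review bot: The new `uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce` line in release_binary.yml pins to a commit but carries no version comment, so nothing in the file says which Craft release this step runs with the release-bot token. The removed lines in patch 20 annotated this same SHA as `# v2`; restore that here and in the matching release_library.yml hunk: `uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v2`. Patch 22 then moves both files to `c6e2f04939b6ee67030588afbb5af76b127d8203`, again unlabelled; that line needs its own tag comment (`# <craft release tag>`), ideally a full version rather than the moving major tag. The job and the token step it depends on sit above these hunks.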
diff --git a/.github/workflows/release_binary.yml b/.github/workflows/release_binary.yml index d356916ac01..d7dc4d2f19a 100644 --- a/.github/workflows/release_binary.yml +++ b/.github/workflows/release_binary.yml @@ -34,7 +34,7 @@ jobs: fetch-depth: 0 - name: Prepare release - uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce + uses: getsentry/craft@c6e2f04939b6ee67030588afbb5af76b127d8203 env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: diff --git a/.github/workflows/release_library.yml b/.github/workflows/release_library.yml index 96928e89e8c..25c778772dd 100644 --- a/.github/workflows/release_library.yml +++ b/.github/workflows/release_library.yml @@ -29,7 +29,7 @@ jobs: fetch-depth: 0 - name: Prepare release - uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce + uses: getsentry/craft@c6e2f04939b6ee67030588afbb5af76b127d8203 env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: