ci(workflows): pin actions to full sha (#166)

* ci(workflows): pin actions to full sha

Signed-off-by: Dariusz Porowski <[email protected]>

* style(dependabot): standardize quotes and formatting in configuration

Signed-off-by: Dariusz Porowski <[email protected]>

* fix(package): update format scripts to include specific file extensions

Signed-off-by: Dariusz Porowski <[email protected]>

* fix(package): update format scripts to use glob patterns for file extensions

Signed-off-by: Dariusz Porowski <[email protected]>

* fix(workflows): update run command syntax for Azure DevOps token retrieval

Signed-off-by: Dariusz Porowski <[email protected]>

---------

Signed-off-by: Dariusz Porowski <[email protected]>

Author: DariuszPorowski

.github/dependabot.yml

@@ -1,26 +1,32 @@
+# yaml-language-server: $schema=https://www.schemastore.org/dependabot-2.0.json
+# See GitHub's documentation for more information on this file:
+# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference
+---
 version: 2
 updates:
-  - package-ecosystem: 'github-actions'
-    directory: '/'
+  - package-ecosystem: github-actions
+    directory: /
     schedule:
-      interval: 'weekly'
+      interval: weekly
     groups:
       all:
         patterns:
-          - '*'
-  - package-ecosystem: 'npm'
-    directory: '/'
+          - "*"
+
+  - package-ecosystem: npm
+    directory: /
     schedule:
-      interval: 'weekly'
+      interval: weekly
     groups:
       all:
         patterns:
-          - '*'
-  - package-ecosystem: 'devcontainers'
-    directory: '/.devcontainer'
+          - "*"
+
+  - package-ecosystem: devcontainers
+    directory: /
     schedule:
       interval: weekly
     groups:
       all:
         patterns:
-          - '*'
+          - "*"

.github/workflows/build.yaml

@@ -1,4 +1,7 @@
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
+---
 name: Build
+
 on:
   push:
     branches:
@@ -8,92 +11,118 @@ on:
   pull_request:
     branches:
       - main
+
 permissions:
   contents: read
   pull-requests: read
   issues: read
   packages: write
+
 env:
   CI_LINT: ${{ github.event_name == 'pull_request' }}
   CI_TEST: ${{ github.event_name == 'pull_request' }}
   CI_PUBLISH_RELEASE: ${{ github.repository == 'radius-project/dashboard' && startsWith(github.ref, 'refs/tags/v') && github.event_name == 'push' }}
   CI_PUBLISH_LATEST: ${{ github.repository == 'radius-project/dashboard' && github.ref == 'refs/heads/main' && github.event_name == 'push' }}
+
 jobs:
   build:
     name: Build Packages
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+
       - name: Parse release version and set environment variables
         run: python ./.github/scripts/get_release_version.py
+
       - name: Enable corepack
         run: corepack enable
+
       - name: Install Node.js 21 # Must be after corepack is enabled.
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
-          node-version: '21'
-          cache: 'yarn'
-          cache-dependency-path: 'yarn.lock'
+          node-version: 21
+          cache: yarn
+          cache-dependency-path: yarn.lock
+
       - name: Install dependencies
         run: yarn install --frozen-lockfile
+
       - name: Lint
         if: ${{ env.CI_LINT == 'true' }}
         run: yarn run lint:all
+
       - name: Format
         if: ${{ env.CI_LINT == 'true' }}
         run: yarn run format:check
+
       - name: Build TypeScript
         run: yarn run tsc
+
       - name: Build
         run: yarn workspaces foreach -A run build:all
+
       - name: Build Storybook
         run: yarn workspace @radapp.io/rad-components run build-storybook
+
       - name: Run Tests
         if: ${{ env.CI_TEST == 'true' }}
         run: yarn run test:all
+
       - name: Run E2E Tests
         if: ${{ env.CI_TEST == 'true' }}
         run: yarn run test:e2e
+
   build-and-publish-container:
     name: Build and Publish Container
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+
       - name: Parse release version and set environment variables
         run: python ./.github/scripts/get_release_version.py
+
       - name: Enable corepack
         run: corepack enable
+
       - name: Install Node.js 21 # Must be after corepack is enabled.
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
-          node-version: '21'
-          cache: 'yarn'
-          cache-dependency-path: 'yarn.lock'
+          node-version: 21
+          cache: yarn
+          cache-dependency-path: yarn.lock
+
       - name: Install dependencies
         run: yarn install --frozen-lockfile
+
       - name: Build TypeScript
         run: yarn run tsc
+
       - name: Build Image
         run: yarn build:backend --config ../../app-config.yaml --config ../../app-config.dashboard.yaml
+
       - name: Build Image
         run: yarn build-image
+
       - name: Analyze Image
         uses: ./.github/actions/analyze-image
         with:
           image: ghcr.io/radius-project/dashboard:latest
+
       - name: Login to ghcr.io
         if: ${{ env.CI_PUBLISH_LATEST == 'true' || env.CI_PUBLISH_RELEASE == 'true' }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Push Image to ghcr.io (push to main)
         if: ${{ env.CI_PUBLISH_LATEST == 'true' }}
         run: |
           docker push ghcr.io/radius-project/dashboard:latest
+
       - name: Push Image to ghcr.io (push to tag)
         if: ${{ env.CI_PUBLISH_RELEASE == 'true' }}
         run: |

.github/workflows/devops-boards.yaml

@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
+---
 name: Sync issue to Azure DevOps work item
 
 on:
@@ -23,27 +25,31 @@ jobs:
       # Auth using Azure Service Principals was added as a part of v2.3
       # reference: https://github.com/danhellem/github-actions-issue-to-work-item/pull/143
       - name: Login to Azure
-        uses: azure/login@v2
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
         with:
           client-id: ${{ vars.AZURE_SP_DEVOPS_SYNC_CLIENT_ID }}
           tenant-id: ${{ vars.AZURE_SP_DEVOPS_SYNC_TENANT_ID }}
           allow-no-subscriptions: true
+
       - name: Get Azure DevOps token
         id: get_ado_token
-        run:
+        run: |
           # The resource ID for Azure DevOps is always 499b84ac-1321-427f-aa17-267ca6975798
           # https://learn.microsoft.com/azure/devops/integrate/get-started/authentication/service-principal-managed-identity
-          echo "ADO_TOKEN=$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query "accessToken" --output tsv)" >> $GITHUB_ENV
+          ADO_TOKEN=$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query "accessToken" --output tsv)
+          echo "::add-mask::$ADO_TOKEN"
+          echo "ADO_TOKEN=$ADO_TOKEN" >> $GITHUB_ENV
+
       - name: Sync issue to Azure DevOps
-        uses: danhellem/[email protected]
+        uses: danhellem/github-actions-issue-to-work-item@8d0ead9b49a65aa66dac6949b1ff149d7ef8b4de # v2.5
         env:
           ado_token: ${{ env.ADO_TOKEN }}
-          github_token: '${{ secrets.GH_RAD_CI_BOT_PAT }}'
-          ado_organization: 'azure-octo'
-          ado_project: 'Incubations'
+          github_token: ${{ secrets.GH_RAD_CI_BOT_PAT }}
+          ado_organization: azure-octo
+          ado_project: Incubations
           ado_area_path: "Incubations\\Radius"
           ado_iteration_path: "Incubations\\Radius"
-          ado_new_state: 'New'
-          ado_active_state: 'Active'
-          ado_close_state: 'Closed'
-          ado_wit: 'GitHub Issue'
+          ado_new_state: New
+          ado_active_state: Active
+          ado_close_state: Closed
+          ado_wit: GitHub Issue

package.json

@@ -25,8 +25,8 @@
     "fix": "backstage-cli repo fix",
     "lint": "backstage-cli repo lint --since origin/main",
     "lint:all": "backstage-cli repo lint",
-    "format:check": "prettier --check .",
-    "format:write": "prettier --write .",
+    "format:check": "prettier --check \"**/*.{js,jsx,ts,tsx,mjs,cjs}\"",
+    "format:write": "prettier --write \"**/*.{js,jsx,ts,tsx,mjs,cjs}\"",
     "new": "backstage-cli new --scope internal"
   },
   "workspaces": {