release: 2024-02-20 (#1112)

.github/renovate.json

@@ -8,6 +8,12 @@
 			"groupName": "patched packages",
 			"matchPackageNames": ["@crowdin/ota-client", "trpc-panel", "msw-storybook-addon"],
 			"matchUpdateTypes": ["major", "minor", "patch"]
+		},
+		{
+			"enabled": false,
+			"groupName": "Ignored Versions",
+			"matchCurrentVersion": "0.9.2",
+			"matchPackageNames": ["@t3-oss/env-nextjs"]
 		}
 	],
 	"semanticCommitScope": "{{parentDir}}"

.github/workflows/approve.yml

@@ -1,4 +1,4 @@
-name: 'PR Auto Approve'
+name: '🤖 PR Auto Approve'
 on:
   pull_request:
     types: [review_requested]
@@ -10,8 +10,9 @@ permissions:
   statuses: read
 
 jobs:
-  check:
+  auto-approve:
     runs-on: ubuntu-latest
+    name: '🤖 PR Auto Approve'
     steps:
       - uses: github/privileged-requester@f8d60d9344e1c10976aad5c1af0c7c977badd677 # v2.1.0
         if: ${{ github.event.requested_reviewer.login == 'InReach-svc'}}

.github/workflows/cache.yml

@@ -1,4 +1,4 @@
-name: post-merge cache cleanup
+name: '🧹 Post-Merge GH Cache Cleanup'
 on:
   pull_request:
     types:
@@ -8,10 +8,10 @@ jobs:
   cleanup:
     runs-on: ubuntu-latest
     steps:
-      - name: Check out code
+      - name: ⤵️ Check out code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      - name: Cleanup
+      - name: '🧹 Cleanup'
         run: |
           gh extension install actions/gh-actions-cache
 

.github/workflows/chromatic.yml

@@ -23,6 +23,7 @@ jobs:
       OVERRIDE_CI: true
       FORCE_COLOR: true
       SKIP_ENV_VALIDATION: true
+      HUSKY: 0
     runs-on: ubuntu-latest
     defaults:
       run:
@@ -31,13 +32,13 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
-      - uses: pnpm/action-setup@d882d12c64e032187b2edb46d3a0d003b7a43598 # v2.4.0
+      - uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0
         name: Install pnpm
         id: pnpm-install
         with:
           run_install: false
       - name: Install Node.js
-        uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4
         with:
           node-version-file: .nvmrc
           cache: pnpm
@@ -49,7 +50,7 @@ jobs:
 
       # 👇 Runs Chromatic CLI in ./packages/ui
       - name: Publish to Chromatic
-        uses: chromaui/action@80bf5911f28005ed208f15b7268843b79ca0e23a # v10
+        uses: chromaui/action@c9067691aca4a28d6fbb40d9eea6e144369fbcae # v10
         with:
           workingDir: packages/ui
           projectToken: ${{ secrets.CHROMATIC_PROJECT_TOKEN }}

.github/workflows/codeql.yml

@@ -15,12 +15,16 @@ on:
 
 jobs:
   codeql:
-    name: 🏭 Scanning
+    name: 🏭 CodeQL Scanning
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     steps:
       - name: ⤵️ Check out code from GitHub
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: 🏗 Initialize CodeQL
-        uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3
+        uses: github/codeql-action/init@379614612a29c9e28f31f39a59013eb8012a51f0 # v3
       - name: 🚀 Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3
+        uses: github/codeql-action/analyze@379614612a29c9e28f31f39a59013eb8012a51f0 # v3

.github/workflows/codesee-arch-diagram.yml

@@ -15,7 +15,7 @@ jobs:
   codesee:
     runs-on: ubuntu-latest
     continue-on-error: true
-    name: Analyze the repo with CodeSee
+    name: 🧐 Analyze the repo with CodeSee
     steps:
       - uses: Codesee-io/codesee-action@4f66933f195ad209dab16bcdd12cbacfff7f8707 # v2
         with:

.github/workflows/crowdin.yml

@@ -26,9 +26,10 @@ on:
 
 jobs:
   synchronize-with-crowdin:
+    name: Crowdin Actions
     runs-on: ubuntu-latest
     env:
-      CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
+      HUSKY: 0
     steps:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -43,23 +44,21 @@ jobs:
           git_commit_gpgsign: true
           git_committer_name: 'InReach [bot]'
 
-      - uses: pnpm/action-setup@d882d12c64e032187b2edb46d3a0d003b7a43598 # v2.4.0
+      - uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0
         name: Install pnpm
         id: pnpm-install
         with:
-          run_install: false
+          run_install: |
+            args: [--global, "@crowdin/cli"]
 
       - name: Install Node.js
         if: github.event_name != 'pull_request' && !startsWith(github.ref_name, 'l10n_')
-        uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4
         with:
           node-version-file: .nvmrc
           cache: pnpm
           cache-dependency-path: pnpm-lock.yaml
 
-      - name: Install Crowdin
-        run: pnpm -g add @crowdin/cli
-
       - name: Remove Jira ticket ID from branch name
         id: branchregex
         uses: ashley-taylor/regex-property-action@eeec905bf940ec1c65ff777402c57f786368d9bc # v1.4
@@ -80,35 +79,50 @@ jobs:
 
       - name: Push sources to Crowdin
         if: github.event_name != 'pull_request' && !startsWith(github.ref_name, 'l10n_')
+        env:
+          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
         run: crowdin push sources -b ${{ steps.sanitizebranch.outputs.value }} --no-progress
 
       - name: Synchronize sources to Crowdin
         if: steps.sanitizebranch.outputs.value == 'main'
+        env:
+          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
         run: crowdin push sources -b ${{ steps.sanitizebranch.outputs.value }} --no-progress
 
       - name: Pull updated translations from Crowdin
         if: (github.event_name != 'pull_request' && github.ref_name == 'dev') || github.event_name == 'scheduled'
+        env:
+          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
         run: crowdin pull -b ${{ steps.sanitizebranch.outputs.value }} --no-progress
 
       - name: Check for updated files
         if: (github.event_name != 'pull_request' && github.ref_name == 'dev') || github.event_name == 'scheduled'
-        uses: tj-actions/verify-changed-files@b742fc9c8c613945ae7ee756f8d2bb3bd2d1f7dd # v17
+        uses: tj-actions/verify-changed-files@eb6d385c0e52fb28e2f6b70e15c835cb3cbfff17 # v18
         id: verify-changed-files
         with:
           files: '**/locales/*/*.json'
 
       - name: Format json files
         if: ((github.event_name != 'pull_request' && github.ref_name == 'dev') || github.event_name == 'scheduled') && steps.verify-changed-files.outputs.files_changed
         working-directory: apps/app
+        id: run-prettier
         run: |
           echo 'Installing package dependencies'
           pnpm install
           echo 'Running prettier'
           pnpm format
 
+      - name: Get files to commit
+        if: steps.run-prettier.conclusion == 'success'
+        uses: tj-actions/verify-changed-files@eb6d385c0e52fb28e2f6b70e15c835cb3cbfff17 # v18
+        id: get-pending-files
+        with:
+          separator: <br>
+
       - name: Commit files
+        id: commit-files
         if: ((github.event_name != 'pull_request' && github.ref_name == 'dev') || github.event_name == 'scheduled') && steps.verify-changed-files.outputs.files_changed
-        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5
+        uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6
         with:
           token: ${{ secrets.GH_ACT_PAT }}
           commit-message: Updated translations from Crowdin
@@ -122,11 +136,31 @@ jobs:
             kodiak: merge.method = 'squash'
             automerge
           delete-branch: true
+          add-paths: |
+            ./**/locales/*/*.json
+
+      - name: Generate job summary
+        id: generate-job-summary
+        if: steps.commit-files.conclusion == 'success'
+        run: |
+          echo "# Job Summary" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "Pull request ${{steps.commit-files.outputs.pull-request-number}} has been ${{steps.commit-files.outputs.pull-request-operation}}" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "## Changed files:" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "${{ steps.get-pending-files.outputs.changed_files }}" >> $GITHUB_STEP_SUMMARY
 
       - name: Delete Crowdin Branch
         if: github.event_name == 'pull_request' && github.ref_name != 'l10n_dev' && steps.sanitizebranch.outputs.value != 'dev' && steps.sanitizebranch.outputs.value != 'main'
+        env:
+          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
         run: crowdin branch delete ${{ steps.sanitizebranch.outputs.value }} --no-progress
 
       - name: Generate OTA Release
         if: github.event_name == 'schedule'
+        env:
+          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
         run: crowdin distribution release ${{ secrets.CROWDIN_OTA_HASH }} --no-progress --verbose

.github/workflows/lint.yml

@@ -11,6 +11,7 @@ jobs:
       TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
       TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
       FORCE_COLOR: true
+      HUSKY: 0
       # GITHUB_TOKEN: ${{ secrets.GH_ACT_PAT }}
     name: 'Lint & format'
     runs-on: ubuntu-latest
@@ -30,15 +31,15 @@ jobs:
           git_config_global: true
           git_commit_gpgsign: true
 
-      - uses: pnpm/action-setup@d882d12c64e032187b2edb46d3a0d003b7a43598 # v2.4.0
+      - uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0
         name: Install pnpm
         id: pnpm-install
         with:
           run_install: false
           # standalone: true
 
       - name: Install Node.js
-        uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4
         with:
           node-version-file: .nvmrc
           cache: pnpm
@@ -73,7 +74,7 @@ jobs:
 
       # Commit changes
       - name: Commit changed files
-        uses: EndBug/add-and-commit@1bad3abcf0d6ec49a5857d124b0bfb52dc7bb081 # v9
+        uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9
         if: always()
         with:
           message: 'chore: lint & format'

.github/workflows/nextjs_bundle_analysis.yml

@@ -22,24 +22,26 @@ permissions:
 
 jobs:
   analyze:
+    name: 'Next.js Bundle Analysis'
     env:
       TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
       TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
       FORCE_COLOR: true
       DATABASE_URL: ${{ secrets.DATABASE_URL }}
       DB_DIRECT_URL: ${{ secrets.DB_DIRECT_URL }}
+      HUSKY: 0
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      - uses: pnpm/action-setup@d882d12c64e032187b2edb46d3a0d003b7a43598 # v2.4.0
+      - uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0
         name: Install pnpm
         id: pnpm-install
         with:
           run_install: false
 
       - name: Install Node.js
-        uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4
         with:
           node-version-file: .nvmrc
           cache: pnpm
@@ -52,7 +54,7 @@ jobs:
         run: pnpm install
 
       - name: Restore next build
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3
+        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4
         id: restore-build-cache
         env:
           cache-name: cache-next-build
@@ -73,13 +75,13 @@ jobs:
         run: npx -p nextjs-bundle-analysis report
 
       - name: Upload bundle
-        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4
         with:
           name: bundle
           path: /home/runner/work/InReach/InReach/apps/app/.next/analyze/__bundle_analysis.json
 
       - name: Download base branch bundle stats
-        uses: dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d # v3
+        uses: dawidd6/action-download-artifact@f6b0bace624032e30a85a8fd9c1a7f8f611f5737 # v3
         if: success() && github.event.number
         with:
           workflow: nextjs_bundle_analysis.yml
@@ -111,24 +113,25 @@ jobs:
           echo "body<<EOF" >> $GITHUB_OUTPUT
           echo "$(cat /home/runner/work/InReach/InReach/apps/app/.next/analyze/__bundle_analysis_comment.txt)" >> $GITHUB_OUTPUT
           echo EOF >> $GITHUB_OUTPUT
+          echo "$(cat /home/runner/work/InReach/InReach/apps/app/.next/analyze/__bundle_analysis_comment.txt)" >> $GITHUB_STEP_SUMMARY
 
       - name: Find Comment
-        uses: peter-evans/find-comment@a54c31d7fa095754bfef525c0c8e5e5674c4b4b1 # v2
+        uses: peter-evans/find-comment@d5fe37641ad8451bdd80312415672ba26c86575e # v3
         if: success() && github.event.number
         id: fc
         with:
           issue-number: ${{ github.event.number }}
           body-includes: '<!-- __NEXTJS_BUNDLE_@weareinreach/app -->'
 
       - name: Create Comment
-        uses: peter-evans/create-or-update-comment@23ff15729ef2fc348714a3bb66d2f655ca9066f2 # v3
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4
         if: success() && github.event.number && steps.fc.outputs.comment-id == 0
         with:
           issue-number: ${{ github.event.number }}
           body: ${{ steps.get-comment-body.outputs.body }}
 
       - name: Update Comment
-        uses: peter-evans/create-or-update-comment@23ff15729ef2fc348714a3bb66d2f655ca9066f2 # v3
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4
         if: success() && github.event.number && steps.fc.outputs.comment-id != 0
         with:
           issue-number: ${{ github.event.number }}

.github/workflows/njsscan.yml

@@ -0,0 +1,42 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow integrates njsscan with GitHub's Code Scanning feature
+# nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications
+
+name: njsscan
+
+on:
+  push:
+    branches: ['dev', 'main']
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ['dev']
+  schedule:
+    - cron: '27 4 * * 1'
+
+permissions:
+  contents: read
+
+jobs:
+  njsscan:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: ubuntu-latest
+    name: njsscan code scanning
+    steps:
+      - name: ⤵️ Check out code from GitHub
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: 🧐 nodejsscan scan
+        id: njsscan
+        uses: ajinabraham/njsscan-action@74e5a58c1edb363b84c9ddd626b0e22f038ac09e
+        with:
+          args: '. --sarif --output results.sarif || true'
+      - name: Upload njsscan report
+        uses: github/codeql-action/upload-sarif@379614612a29c9e28f31f39a59013eb8012a51f0 # v3
+        with:
+          sarif_file: results.sarif