* chore(ci): pin GitHub Actions to commit SHAs (#1811)
Follow-up to #1810. The Node-24 upgrade left every workflow on mutable
tag refs (`actions/checkout@v5`, `actions/download-artifact@v7`, etc.)
which superagent-security[bot] flagged on the ci.yml + publish.yml
reviews.
Pin all 18 external actions to the commit SHA they currently resolve to
and add a trailing `# vMAJOR.MINOR.PATCH` comment so reviewers can see
the version. Local reusable-workflow refs (`uses: ./.github/...`) are
left alone — pinning those would defeat the point.
Closes#1811
* chore(ci): address review — persist-credentials + setup-node consistency (#1811)
Two pieces of follow-up feedback on the SHA-pinning PR:
- @coderabbitai (P1 nitpicks) + @JSONbored: add 'persist-credentials:
false' to checkout steps in jobs that don't perform authenticated git
operations. Adds the line to 17 read-only checkouts across 9
workflows (chart-ci, ci, flutter-build, helm-publish, ios-testflight,
llm-evals, preview-cleanup, preview-deploy, publish:build).
Checkouts inside jobs that 'git push' (chart-release, mobile-build,
mobile-release, helm-publish:second-checkout, publish:bump-pre_release)
are intentionally left alone so they keep their token.
- @jjmata: preview-deploy.yml was the only workflow on
actions/setup-node v6.4.0; everywhere else pinned v5.0.0. Standardise
on v5.0.0 to match.
Dependabot config already has a github-actions ecosystem entry with a
weekly schedule, so no addition needed for that point.
* chore(ci): document intentional setup-node v6→5 normalization (#1811)
@superagent-security flagged the v6.4.0 -> v5.0.0 change in
preview-deploy.yml as a possible unintended downgrade. The downgrade
was deliberate, per @jjmata's review request to normalize setup-node
across all workflows. Add an inline YAML comment next to the line so
future scans don't re-flag it.
---------
Signed-off-by: Juan José Mata <juanjo.mata@gmail.com>
Co-authored-by: jeffrey701 <jeffrey701@users.noreply.github.com>
Co-authored-by: Juan José Mata <juanjo.mata@gmail.com>
* Extract version to .sure-version file and add Sentry release tracking
Move the hardcoded version string to a `.sure-version` file at the repo
root so it can be read by both the Rails version initializer and other
tooling. Configure `config.release` in the Sentry initializer to tag
errors with the app version.
https://claude.ai/code/session_01KfUgF42B3exoU2vpErqJyW
* Use .sure-version as single source of truth in Helm CI workflows
Update chart-ci, chart-release, and publish workflows to read the app
version from .sure-version instead of regex-parsing version.rb. The
pre-release bump job now writes directly to .sure-version and stages it
for commit.
https://claude.ai/code/session_01KfUgF42B3exoU2vpErqJyW
* Guard empty .sure-version fallback
* fix: sync Helm chart version with .sure-version
* Moving on to `v0.7.1-alpha.*` with this
* Defensive rescue
* Getting fancy with versions now
---------
Signed-off-by: Juan José Mata <juanjo.mata@gmail.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: SureBot <sure-bot@we-promise.com>
Co-authored-by: sure-admin <sure-admin@splashblot.com>
* Sync Helm chart and Rails app versions in CI and release workflows
- values.yaml: default image.tag to "" so it uses Chart.appVersion
(was hardcoded to stale "0.6.6" while app was at 0.6.8-alpha.13)
- chart-ci.yml: add version-sync job that fails if version.rb,
Chart.yaml version, and Chart.yaml appVersion diverge; trigger on
version.rb changes too
- chart-release.yml: derive chart version from version.rb (single
source of truth) instead of auto-incrementing independent chart-v* tags
https://claude.ai/code/session_01Eq3WHBn3Uwjezxb6ctdjMB
* Default to `false` AI_DEBUG_MODE
* Apply suggestions from CodeRabbit
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Signed-off-by: Juan José Mata <jjmata@jjmata.com>
---------
Signed-off-by: Juan José Mata <jjmata@jjmata.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* Unify release workflows and add chart/mobile wrappers
* Update chart CI to kube 1.25
* Fetch tagged commit before pushing release branch
* Old `azure/setup-helm`
* Base chart dispatch version on existing chart tags
* `grep` failure with `pipefail` bypasses the user-friendly error message
* `gh-pages` push lacks retry logic
* Auto-incremented chart tag collision
* `grep -Ev` pipeline will crash
* Missed one
