Commit Graph

4 Commits

Author SHA1 Message Date
Jeff
956c27df6b chore(ci): pin GitHub Actions to commit SHAs (#1811) (#1870)
* chore(ci): pin GitHub Actions to commit SHAs (#1811)

Follow-up to #1810. The Node-24 upgrade left every workflow on mutable
tag refs (`actions/checkout@v5`, `actions/download-artifact@v7`, etc.)
which superagent-security[bot] flagged on the ci.yml + publish.yml
reviews.

Pin all 18 external actions to the commit SHA they currently resolve to
and add a trailing `# vMAJOR.MINOR.PATCH` comment so reviewers can see
the version. Local reusable-workflow refs (`uses: ./.github/...`) are
left alone — pinning those would defeat the point.

Closes #1811

* chore(ci): address review — persist-credentials + setup-node consistency (#1811)

Two pieces of follow-up feedback on the SHA-pinning PR:

- @coderabbitai (P1 nitpicks) + @JSONbored: add 'persist-credentials:
  false' to checkout steps in jobs that don't perform authenticated git
  operations. Adds the line to 17 read-only checkouts across 9
  workflows (chart-ci, ci, flutter-build, helm-publish, ios-testflight,
  llm-evals, preview-cleanup, preview-deploy, publish:build).
  Checkouts inside jobs that 'git push' (chart-release, mobile-build,
  mobile-release, helm-publish:second-checkout, publish:bump-pre_release)
  are intentionally left alone so they keep their token.

- @jjmata: preview-deploy.yml was the only workflow on
  actions/setup-node v6.4.0; everywhere else pinned v5.0.0. Standardise
  on v5.0.0 to match.

Dependabot config already has a github-actions ecosystem entry with a
weekly schedule, so no addition needed for that point.

* chore(ci): document intentional setup-node v6→5 normalization (#1811)

@superagent-security flagged the v6.4.0 -> v5.0.0 change in
preview-deploy.yml as a possible unintended downgrade. The downgrade
was deliberate, per @jjmata's review request to normalize setup-node
across all workflows. Add an inline YAML comment next to the line so
future scans don't re-flag it.

---------

Signed-off-by: Juan José Mata <juanjo.mata@gmail.com>
Co-authored-by: jeffrey701 <jeffrey701@users.noreply.github.com>
Co-authored-by: Juan José Mata <juanjo.mata@gmail.com>
2026-05-30 23:35:19 +02:00
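Two of the review points in the commit above (mutable tag refs, and `persist-credentials: false` on read-only checkouts) are easy to regress silently, so an added audit script follows. It is not part of the project; it scans workflow YAML text and reports external `uses:` refs that are not pinned to a 40-hex commit SHA, and `actions/checkout` steps that never set `persist-credentials: false`. The sample workflow and both SHAs in it are constructed placeholders, not the real pinned commits.

```shell
#!/usr/bin/env sh
# Added audit script (not the project's code): scans GitHub Actions workflow
# text for unpinned action refs and checkouts that keep their credentials.
#
# Constructed sample workflow. The two 40-hex SHAs are placeholders, not the
# real commits those action versions resolve to.
SAMPLE_WORKFLOW=$(cat <<'EOF'
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout (read-only)
        uses: actions/checkout@v5
        with:
          persist-credentials: false
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v5.0.0
        with:
          node-version: 24
      - uses: ./.github/actions/local-thing
      - uses: actions/download-artifact@v7
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@fedcba9876543210fedcba9876543210fedcba98 # v5.0.0
      - run: git push origin HEAD:gh-pages
EOF
)

# Print every external `uses:` ref on stdin that is not pinned to a 40-hex
# commit SHA. Local (./...) and docker:// refs are skipped, and a trailing
# "# vX.Y.Z" comment is stripped first, so pinned-with-comment lines pass.
unpinned_uses() {
  grep -E '^[[:space:]]*-?[[:space:]]*uses:' |
    sed -E 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//; s/[[:space:]]+#.*$//' |
    tr -d "\"'" |
    grep -vE '^(\./|docker://)' |
    grep -vE '@[0-9a-fA-F]{40}$' || true
}

# Print "line N: ..." for each actions/checkout step on stdin whose step block
# (everything up to the next "- " list item) never sets persist-credentials: false.
checkouts_without_persist_false() {
  awk '
    function flush() {
      if (in_ck && !has_pf) print "line " ck_line ": checkout without persist-credentials: false"
      in_ck = 0; has_pf = 0
    }
    /^[[:space:]]*-[[:space:]]/                      { flush() }
    /uses:.*actions\/checkout@/                      { in_ck = 1; ck_line = NR }
    in_ck && /persist-credentials:[[:space:]]*false/ { has_pf = 1 }
    END { flush() }
  '
}

# Demo on the constructed sample. On a real checkout:
#   cat .github/workflows/*.yml | unpinned_uses
printf '%s\n' "$SAMPLE_WORKFLOW" | unpinned_uses
printf '%s\n' "$SAMPLE_WORKFLOW" | checkouts_without_persist_false
```

On the sample this reports `actions/checkout@v5` and `actions/download-artifact@v7` as unpinned, and the `release` job's checkout as keeping its token; the second finding is expected there because that job pushes, which is exactly the distinction the commit draws between read-only and pushing checkouts.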
Sure Admin (bot)
cc2465b7a7 chore(ci): upgrade GitHub Actions to Node 24-compatible versions (#1810) 2026-05-17 11:06:18 +02:00
Claude
efcc3583d5 Fix mobile-build using tag name instead of branch for filenames
When workflow_dispatch is triggered from a tag (e.g. v0.6.7) instead
of a branch, github.ref_name returns the tag name, causing filenames
like sure-v0.6.7-{stamp}.apk instead of sure-main-{stamp}.apk.

Guard against this by checking github.ref_type and falling back to the
repository's default branch when a tag is selected.

https://claude.ai/code/session_01TDfNkNxQ6uWxQxLAwJY5Qa
2026-02-20 00:18:32 +01:00
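The tag-versus-branch guard described above, together with the branch-name sanitisation from the #1028 commit further down this page, as plain shell functions so they can be tested outside a runner. This is an added example, not the project's workflow code. It assumes a workflow would feed it `$GITHUB_REF_TYPE`, `$GITHUB_REF_NAME` and `${{ github.event.repository.default_branch }}`; the stamp is passed in rather than generated so the results are reproducible.

```shell
#!/usr/bin/env sh
# Added example (not the project's workflow code): ref_type guard plus
# filename sanitisation for mobile-build artifact names.

# Return the branch to name artifacts after. When the dispatch ref is a tag
# (ref_type = "tag"), fall back to the default branch instead of the tag name,
# so a dispatch from v0.6.7 still yields sure-main-... rather than sure-v0.6.7-...
dispatch_branch() {
  # $1: ref_type ("branch" or "tag"), $2: ref_name, $3: default branch
  case "$1" in
    tag)    printf '%s\n' "$3" ;;
    branch) printf '%s\n' "$2" ;;
    *)      printf 'unknown ref_type: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Make a branch name safe for filenames and git tags. The commit turns
# slashes into hyphens; this version goes a little further and maps any
# character outside [A-Za-z0-9._-] to a hyphen, and refuses an empty result.
sanitise_branch() {
  s=$(printf '%s' "$1" | sed 's/[^A-Za-z0-9._-]/-/g')
  [ -n "$s" ] || { echo 'empty branch name' >&2; return 1; }
  printf '%s\n' "$s"
}

# Compose sure-<branch>-<YYYYMMDDHHMM>.<ext>. The stamp is an argument here;
# a workflow would generate it with: date -u +%Y%m%d%H%M
artifact_name() {
  # $1 ref_type, $2 ref_name, $3 default branch, $4 stamp, $5 extension
  b=$(sanitise_branch "$(dispatch_branch "$1" "$2" "$3")") || return 1
  printf 'sure-%s-%s.%s\n' "$b" "$4" "$5"
}

# Demo with constructed inputs (stamp copied from the commit message's example).
artifact_name branch main        main 202602181259 apk
artifact_name branch feature/foo main 202602181259 apk
artifact_name tag    v0.6.7      main 202602181259 apk
```

The three demo calls produce `sure-main-202602181259.apk`, `sure-feature-foo-202602181259.apk` and, for the tag dispatch, `sure-main-202602181259.apk` again, which is the behaviour the fix describes.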
Juan José Mata
f339414257 Add workflow to build mobile apps from main without tagging (#1028)
* Add workflow to build mobile apps from main without tagging

Adds a new `mobile-main-build.yml` workflow that can be triggered
manually via workflow_dispatch to build Android APK and iOS unsigned
builds from the main branch. Uses a `main-YYYYMMDDHHMI` stamp for
versioning (e.g. sure-main-202602181259.apk) and updates the gh-pages
README.md MOBILE_DOWNLOADS section with direct download links.

https://claude.ai/code/session_01TDfNkNxQ6uWxQxLAwJY5Qa

* Rename to mobile-build.yml and support any branch

Instead of hardcoding "main", derive the branch name from
github.ref_name, sanitise it for filenames/tags (slashes → hyphens),
and use it throughout: version, tag, release notes, and gh-pages
README. The checkout step now explicitly pins ref: ${{ github.ref }}
so the tag always matches the dispatched branch.

Example artifacts from main:  sure-main-202602181259.apk
Example from feature/foo:    sure-feature-foo-202602181259.apk

https://claude.ai/code/session_01TDfNkNxQ6uWxQxLAwJY5Qa

* Add continue-on-error to artifact download steps

If either the Android or iOS build fails, the download step would
hard-fail and abort the release job before the conditional logic in
"Prepare release assets" could handle the partial result. Adding
continue-on-error lets the workflow proceed so a release can still
be created with whichever artifacts succeeded.

https://claude.ai/code/session_01TDfNkNxQ6uWxQxLAwJY5Qa

* Fix in-place replacement of MOBILE_DOWNLOADS section in README

The previous logic stripped the marker block then appended the new
section at the end of the file, causing it to drift to the bottom on
every run. Now writes the section to a temp file and uses awk to
replace the block between the markers in-place, preserving the
section's original position in the README.

https://claude.ai/code/session_01TDfNkNxQ6uWxQxLAwJY5Qa

---------

Co-authored-by: Claude <noreply@anthropic.com>
2026-02-20 00:02:02 +01:00
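The in-place marker replacement from the last bullet of the commit above, written out as an added example with awk; it is not the project's own script. The marker strings and the README layout are assumed, since the page does not show the real markers; the function keeps the section where it already sits, appends it once if no markers exist yet, and is idempotent on repeat runs.

```shell
#!/usr/bin/env sh
# Added example (not the project's workflow): replace the block between two
# marker lines in place, preserving its position, or append it if absent.
# Marker strings are assumed; the real README's markers are not on this page.
START_MARK='<!-- MOBILE_DOWNLOADS:START -->'
END_MARK='<!-- MOBILE_DOWNLOADS:END -->'

# $1: README path, $2: file holding the new section body (markers excluded).
# Writes to a temp file and renames it over the original only on success.
replace_marked_section() {
  awk -v start="$START_MARK" -v end="$END_MARK" -v body="$2" '
    function emit_body(   line) { while ((getline line < body) > 0) print line; close(body) }
    $0 == start { print; emit_body(); skipping = 1; found = 1; next }
    $0 == end   { skipping = 0 }
    !skipping   { print }
    END         { if (!found) { print ""; print start; emit_body(); print end } }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demo on a constructed README in a temp dir; prints the updated file.
# The section is replaced twice to show the second run changes nothing.
demo() {
  d=$(mktemp -d)
  printf '%s\n' '# Sure' '' 'Intro text.' '' "$START_MARK" '- old-link.apk' "$END_MARK" '' '## Footer' > "$d/README.md"
  printf '%s\n' '- [sure-main-202602181259.apk](https://example.invalid/sure-main-202602181259.apk)' > "$d/section.md"
  replace_marked_section "$d/README.md" "$d/section.md"
  replace_marked_section "$d/README.md" "$d/section.md"
  cat "$d/README.md"
  rm -rf "$d"
}
demo
```

In the demo the `## Footer` heading stays after the section and the old link is gone, which is the drift the commit fixes: a strip-then-append approach would have pushed the section below the footer on every run.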