Merge branch 'Expensify:main' into fix-Expensify#26942

.github/actions/composite/setupGitForOSBotifyApp/action.yml

@@ -29,9 +29,9 @@ runs:
       shell: bash
       run: |
         if [[ -f .github/workflows/OSBotify-private-key.asc.gpg ]]; then
-          echo "::set-output name=key_exists::true"
+          echo "key_exists=true" >> "$GITHUB_OUTPUT"
         fi
-  
+
     - name: Checkout
       uses: actions/checkout@v4
       if: steps.key_check.outputs.key_exists != 'true'

.github/actions/javascript/awaitStagingDeploys/action.yml

@@ -8,5 +8,5 @@ inputs:
     description: If provided, this action will only wait for a deploy matching this tag.
     required: false
 runs:
-  using: 'node16'
+  using: 'node20'
   main: './index.js'

.github/actions/javascript/bumpVersion/action.yml

@@ -11,5 +11,5 @@ outputs:
     NEW_VERSION:
         description: The new semver version of the application, updated in the JS and native layers.
 runs:
-    using: 'node16'
+    using: 'node20'
     main: './index.js'

.github/actions/javascript/checkDeployBlockers/action.yml

@@ -11,5 +11,5 @@ outputs:
   HAS_DEPLOY_BLOCKERS:
     description: A true/false indicating whether or not a deploy blocker was found.
 runs:
-  using: 'node16'
+  using: 'node20'
   main: 'index.js'

.github/actions/javascript/createOrUpdateStagingDeploy/action.yml

@@ -8,5 +8,5 @@ inputs:
         description: The new NPM version of the StagingDeployCash issue.
         required: false
 runs:
-    using: 'node16'
+    using: 'node20'
     main: './index.js'

.github/actions/javascript/createOrUpdateStagingDeploy/index.js

@@ -198,13 +198,16 @@ function fetchTag(tag) {
     let needsRepack = false;
     while (shouldRetry) {
         try {
+            let command = '';
             if (needsRepack) {
                 // We have seen some scenarios where this fixes the git fetch.
                 // Why? Who knows... https://github.com/Expensify/App/pull/31459
-                execSync('git repack -d');
+                command = 'git repack -d';
+                console.log(`Running command: ${command}`);
+                execSync(command);
             }
 
-            let command = `git fetch origin tag ${tag} --no-tags`;
+            command = `git fetch origin tag ${tag} --no-tags`;
 
             // Exclude commits reachable from the previous patch version (i.e: previous checklist),
             // so that we don't have to fetch the full history
@@ -315,16 +318,15 @@ function getValidMergedPRs(commits) {
  * @param {String} toTag
  * @returns {Promise<Array<Number>>} – Pull request numbers
  */
-function getPullRequestsMergedBetween(fromTag, toTag) {
+async function getPullRequestsMergedBetween(fromTag, toTag) {
     console.log(`Looking for commits made between ${fromTag} and ${toTag}...`);
-    return getCommitHistoryAsJSON(fromTag, toTag).then((commitList) => {
-        console.log(`Commits made between ${fromTag} and ${toTag}:`, commitList);
+    const commitList = await getCommitHistoryAsJSON(fromTag, toTag);
+    console.log(`Commits made between ${fromTag} and ${toTag}:`, commitList);
 
-        // Find which commit messages correspond to merged PR's
-        const pullRequestNumbers = getValidMergedPRs(commitList);
-        console.log(`List of pull requests merged between ${fromTag} and ${toTag}`, pullRequestNumbers);
-        return _.map(pullRequestNumbers, (prNum) => Number.parseInt(prNum, 10));
-    });
+    // Find which commit messages correspond to merged PR's
+    const pullRequestNumbers = getValidMergedPRs(commitList).sort((a, b) => a - b);
+    console.log(`List of pull requests merged between ${fromTag} and ${toTag}`, pullRequestNumbers);
+    return pullRequestNumbers;
 }
 
 module.exports = {

.github/actions/javascript/getDeployPullRequestList/action.yml

@@ -14,5 +14,5 @@ outputs:
     PR_LIST:
         description: Array of pull request numbers
 runs:
-    using: 'node16'
+    using: 'node20'
     main: './index.js'

.github/actions/javascript/getDeployPullRequestList/index.js

@@ -140,13 +140,16 @@ function fetchTag(tag) {
     let needsRepack = false;
     while (shouldRetry) {
         try {
+            let command = '';
             if (needsRepack) {
                 // We have seen some scenarios where this fixes the git fetch.
                 // Why? Who knows... https://github.com/Expensify/App/pull/31459
-                execSync('git repack -d');
+                command = 'git repack -d';
+                console.log(`Running command: ${command}`);
+                execSync(command);
             }
 
-            let command = `git fetch origin tag ${tag} --no-tags`;
+            command = `git fetch origin tag ${tag} --no-tags`;
 
             // Exclude commits reachable from the previous patch version (i.e: previous checklist),
             // so that we don't have to fetch the full history
@@ -257,16 +260,15 @@ function getValidMergedPRs(commits) {
  * @param {String} toTag
  * @returns {Promise<Array<Number>>} – Pull request numbers
  */
-function getPullRequestsMergedBetween(fromTag, toTag) {
+async function getPullRequestsMergedBetween(fromTag, toTag) {
     console.log(`Looking for commits made between ${fromTag} and ${toTag}...`);
-    return getCommitHistoryAsJSON(fromTag, toTag).then((commitList) => {
-        console.log(`Commits made between ${fromTag} and ${toTag}:`, commitList);
+    const commitList = await getCommitHistoryAsJSON(fromTag, toTag);
+    console.log(`Commits made between ${fromTag} and ${toTag}:`, commitList);
 
-        // Find which commit messages correspond to merged PR's
-        const pullRequestNumbers = getValidMergedPRs(commitList);
-        console.log(`List of pull requests merged between ${fromTag} and ${toTag}`, pullRequestNumbers);
-        return _.map(pullRequestNumbers, (prNum) => Number.parseInt(prNum, 10));
-    });
+    // Find which commit messages correspond to merged PR's
+    const pullRequestNumbers = getValidMergedPRs(commitList).sort((a, b) => a - b);
+    console.log(`List of pull requests merged between ${fromTag} and ${toTag}`, pullRequestNumbers);
+    return pullRequestNumbers;
 }
 
 module.exports = {

.github/actions/javascript/getPreviousVersion/action.yml

@@ -8,5 +8,5 @@ outputs:
   PREVIOUS_VERSION:
     description: The previous semver version of the application, according to the SEMVER_LEVEL provided
 runs:
-  using: 'node16'
+  using: 'node20'
   main: './index.js'

.github/actions/javascript/getPullRequestDetails/action.yml

@@ -22,5 +22,5 @@ outputs:
   FORKED_REPO_URL:
     description: 'Output forked repo URL if PR includes changes from a fork'
 runs:
-  using: 'node16'
+  using: 'node20'
   main: './index.js'

.github/actions/javascript/getReleaseBody/action.yml

@@ -8,5 +8,5 @@ outputs:
   RELEASE_BODY:
     description: String body of a production release.
 runs:
-  using: 'node16'
+  using: 'node20'
   main: './index.js'

.github/actions/javascript/isStagingDeployLocked/action.yml

@@ -10,5 +10,5 @@ outputs:
     NUMBER:
         description: StagingDeployCash issue number
 runs:
-    using: 'node16'
+    using: 'node20'
     main: 'index.js'

.github/actions/javascript/markPullRequestsAsDeployed/action.yml

@@ -28,5 +28,5 @@ inputs:
         description: "Web job result ('success', 'failure', 'cancelled', or 'skipped')"
         required: true
 runs:
-    using: "node16"
+    using: "node20"
     main: "./index.js"

.github/actions/javascript/postTestBuildComment/action.yml

@@ -32,5 +32,5 @@ inputs:
         description: "Link for the web build"
         required: false
 runs:
-    using: "node16"
+    using: "node20"
     main: "./index.js"

.github/actions/javascript/reopenIssueWithComment/action.yml

@@ -11,5 +11,5 @@ inputs:
     description: The comment string we want to leave on the issue after we reopen it.
     required: true
 runs:
-  using: 'node16'
+  using: 'node20'
   main: './index.js'

.github/actions/javascript/reviewerChecklist/action.yml

@@ -5,5 +5,5 @@ inputs:
     description: Auth token for New Expensify Github
     required: true
 runs:
-  using: 'node16'
+  using: 'node20'
   main: './index.js'

.github/actions/javascript/validateReassureOutput/action.yml

@@ -11,5 +11,5 @@ inputs:
     description: Refers to the results obtained from regression tests `.reassure/output.json`.
     required: true
 runs:
-  using: 'node16'
+  using: 'node20'
   main: './index.js'

.github/actions/javascript/verifySignedCommits/action.yml

@@ -9,5 +9,5 @@ inputs:
     required: false
 
 runs:
-  using: 'node16'
+  using: 'node20'
   main: './index.js'

.github/libs/GitUtils.js

@@ -13,13 +13,16 @@ function fetchTag(tag) {
     let needsRepack = false;
     while (shouldRetry) {
         try {
+            let command = '';
             if (needsRepack) {
                 // We have seen some scenarios where this fixes the git fetch.
                 // Why? Who knows... https://github.com/Expensify/App/pull/31459
-                execSync('git repack -d');
+                command = 'git repack -d';
+                console.log(`Running command: ${command}`);
+                execSync(command);
             }
 
-            let command = `git fetch origin tag ${tag} --no-tags`;
+            command = `git fetch origin tag ${tag} --no-tags`;
 
             // Exclude commits reachable from the previous patch version (i.e: previous checklist),
             // so that we don't have to fetch the full history
@@ -130,16 +133,15 @@ function getValidMergedPRs(commits) {
  * @param {String} toTag
  * @returns {Promise<Array<Number>>} – Pull request numbers
  */
-function getPullRequestsMergedBetween(fromTag, toTag) {
+async function getPullRequestsMergedBetween(fromTag, toTag) {
     console.log(`Looking for commits made between ${fromTag} and ${toTag}...`);
-    return getCommitHistoryAsJSON(fromTag, toTag).then((commitList) => {
-        console.log(`Commits made between ${fromTag} and ${toTag}:`, commitList);
+    const commitList = await getCommitHistoryAsJSON(fromTag, toTag);
+    console.log(`Commits made between ${fromTag} and ${toTag}:`, commitList);
 
-        // Find which commit messages correspond to merged PR's
-        const pullRequestNumbers = getValidMergedPRs(commitList);
-        console.log(`List of pull requests merged between ${fromTag} and ${toTag}`, pullRequestNumbers);
-        return _.map(pullRequestNumbers, (prNum) => Number.parseInt(prNum, 10));
-    });
+    // Find which commit messages correspond to merged PR's
+    const pullRequestNumbers = getValidMergedPRs(commitList).sort((a, b) => a - b);
+    console.log(`List of pull requests merged between ${fromTag} and ${toTag}`, pullRequestNumbers);
+    return pullRequestNumbers;
 }
 
 module.exports = {

.github/workflows/README.md

@@ -63,7 +63,7 @@ git fetch origin tag 1.0.1-0 --no-tags --shallow-exclude=1.0.0-0 # This will fet
 
 ## Security Rules 🔐
 1. Do **not** use `pull_request_target` trigger unless an external fork needs access to secrets, or a _write_ `GITHUB_TOKEN`.
-1. Do **not ever** write a `pull_request_target` trigger with an explicit PR checkout, e.g. using `actions/checkout@v2`. This is [discussed further here](https://securitylab.github.com/research/github-actions-preventing-pwn-requests)
+1. Do **not ever** write a `pull_request_target` trigger with an explicit PR checkout, e.g. using `actions/checkout@v4`. This is [discussed further here](https://securitylab.github.com/research/github-actions-preventing-pwn-requests)
 1. **Do use** the `pull_request` trigger as it does not send internal secrets and only grants a _read_ `GITHUB_TOKEN`.
 1. If an untrusted (i.e: not maintained by GitHub) external action needs access to any secret (`GITHUB_TOKEN` or internal secret), use the commit hash of the workflow to prevent a modification of underlying source code at that version. For example:
     1. **Bad:** `hmarr/auto-approve-action@v2.0.0` Relies on the tag

.github/workflows/authorChecklist.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.actor != 'OSBotify' && github.actor != 'imgbot[bot]'
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: authorChecklist.js
         uses: ./.github/actions/javascript/authorChecklist

.github/workflows/deploy.yml

@@ -10,11 +10,11 @@ jobs:
     if: github.ref == 'refs/heads/staging'
     steps:
       - name: Checkout staging branch
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+        uses: actions/checkout@v4
         with:
           ref: staging
           token: ${{ secrets.OS_BOTIFY_TOKEN }}
-          
+
       - uses: Expensify/App/.github/actions/composite/setupGitForOSBotifyApp@8c19d6da4a3d7ce3b15c9cd89a802187d208ecab
         id: setupGitForOSBotify
         with:

.github/workflows/deployBlocker.yml

@@ -13,28 +13,22 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Get URL, title, & number of new deploy blocker (issue)
-        if: ${{ github.event_name == 'issues' }}
-        env:
-          TITLE: ${{ github.event.issue.title }}
-        run: |
-          { echo "DEPLOY_BLOCKER_URL=${{ github.event.issue.html_url }}";
-          echo "DEPLOY_BLOCKER_NUMBER=${{ github.event.issue.number }}";
-          echo "DEPLOY_BLOCKER_TITLE=$(sed -e "s/'/'\\\\''/g; s/\`/\\\\\`/g; 1s/^/'/; \$s/\$/'/" <<< "$TITLE")";} >> "$GITHUB_ENV"
+      - uses: ./.github/actions/composite/setupGitForOSBotifyApp
+        id: setupGitForOSBotify
+        with:
+          GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
+          OS_BOTIFY_APP_ID: ${{ secrets.OS_BOTIFY_APP_ID }}
+          OS_BOTIFY_PRIVATE_KEY: ${{ secrets.OS_BOTIFY_PRIVATE_KEY }}
 
       - name: Update StagingDeployCash with new deploy blocker
-        uses: Expensify/App/.github/actions/javascript/createOrUpdateStagingDeploy@main
+        uses: ./.github/actions/javascript/createOrUpdateStagingDeploy
         with:
-          GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}
 
-      - name: Give the issue/PR the Hourly, Engineering labels
-        uses: andymckay/labeler@978f846c4ca6299fd136f465b42c5e87aca28cac
-        with:
-          add-labels: 'Hourly, Engineering'
-          remove-labels: 'Daily, Weekly, Monthly'
+      - run: gh issue edit ${{ github.event.issue.number }} --add-label 'Engineering,Hourly' --remove-label 'Daily,Weekly,Monthly'
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
 
       - name: 'Post the issue in the #expensify-open-source slack room'
         if: ${{ success() }}
@@ -46,26 +40,27 @@ jobs:
               channel: '#expensify-open-source',
               attachments: [{
                 color: "#DB4545",
-                text: '💥 We have found a New Expensify Deploy Blocker, if you have any idea which PR could be causing this, please comment in the issue: <${{ env.DEPLOY_BLOCKER_URL }}|'+ `${{ env.DEPLOY_BLOCKER_TITLE }}`.replace(/(^'|'$)/gi, '').replace(/'\''/gi,'\'') + '>',
+                text: '💥 We have found a New Expensify Deploy Blocker, if you have any idea which PR could be causing this, please comment in the issue: <${{ github.event.issue.html_url }}|${{ toJSON(github.event.issue.title) }}>',
               }]
             }
         env:
           GITHUB_TOKEN: ${{ github.token }}
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
 
-      - name: Comment on deferred PR
-        uses: actions-ecosystem/action-create-comment@cd098164398331c50e7dfdd0dfa1b564a1873fac
-        with:
-          github_token: ${{ secrets.OS_BOTIFY_TOKEN }}
-          number: ${{ env.DEPLOY_BLOCKER_NUMBER }}
-          body: |
-            :wave: Friendly reminder that deploy blockers are time-sensitive ⏱ issues! [Check out the open `StagingDeployCash` deploy checklist](https://github.com/Expensify/App/issues?q=is%3Aopen+is%3Aissue+label%3AStagingDeployCash) to see the list of PRs included in this release, then work quickly to do one of the following:
-              1. Identify the pull request that introduced this issue and revert it.
-              2. Find someone who can quickly fix the issue.
-              3. Fix the issue yourself.
+      - name: Comment on deploy blocker
+        run: |
+          gh issue comment ${{ github.event.issue.number }} --body "$(cat <<'EOF'
+          :wave: Friendly reminder that deploy blockers are time-sensitive ⏱ issues! [Check out the open \`StagingDeployCash\` deploy checklist](https://github.com/Expensify/App/issues?q=is%3Aopen+is%3Aissue+label%3AStagingDeployCash) to see the list of PRs included in this release, then work quickly to do one of the following:
+          1. Identify the pull request that introduced this issue and revert it.
+          2. Find someone who can quickly fix the issue.
+          3. Fix the issue yourself.
+          EOF
+          )"
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
 
       - name: Announce failed workflow in Slack
         if: ${{ failure() }}
-        uses: Expensify/App/.github/actions/composite/announceFailedWorkflowInSlack@main
+        uses: ./.github/actions/composite/announceFailedWorkflowInSlack
         with:
           SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}

.github/workflows/deployExpensifyHelp.yml

@@ -29,7 +29,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+        uses: actions/checkout@v4
 
       - name: Setup NodeJS
         uses: Expensify/App/.github/actions/composite/setupNode@main