Merge branch 'main' into feature/add-get-physical-card-button-and-nec…

…essary-routes

.github/CODEOWNERS

@@ -1,5 +1,2 @@
 # Every PR gets a review from an internal Expensify engineer
 * @Expensify/pullerbear
-
-# Every PR that touches redirects gets reviewed by ring0
-docs/redirects.csv @Expensify/infra

.github/actions/composite/setupGitForOSBotifyApp/action.yml

@@ -29,11 +29,11 @@ runs:
       shell: bash
       run: |
         if [[ -f .github/workflows/OSBotify-private-key.asc.gpg ]]; then
-          echo "::set-output name=key_exists::true"
+          echo "key_exists=true" >> "$GITHUB_OUTPUT"
         fi
-  
+
     - name: Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       if: steps.key_check.outputs.key_exists != 'true'
       with:
         sparse-checkout: |

.github/actions/composite/setupNode/action.yml

@@ -4,7 +4,7 @@ description: Set up Node
 runs:
   using: composite
   steps:
-    - uses: actions/setup-node@8c91899e586c5b171469028077307d293428b516
+    - uses: actions/setup-node@v4
       with:
         node-version-file: '.nvmrc'
         cache: npm

.github/actions/javascript/awaitStagingDeploys/action.yml

@@ -8,5 +8,5 @@ inputs:
     description: If provided, this action will only wait for a deploy matching this tag.
     required: false
 runs:
-  using: 'node16'
+  using: 'node20'
   main: './index.js'

.github/actions/javascript/bumpVersion/action.yml

@@ -11,5 +11,5 @@ outputs:
     NEW_VERSION:
         description: The new semver version of the application, updated in the JS and native layers.
 runs:
-    using: 'node16'
+    using: 'node20'
     main: './index.js'

.github/actions/javascript/checkDeployBlockers/action.yml

@@ -11,5 +11,5 @@ outputs:
   HAS_DEPLOY_BLOCKERS:
     description: A true/false indicating whether or not a deploy blocker was found.
 runs:
-  using: 'node16'
+  using: 'node20'
   main: 'index.js'

.github/actions/javascript/createOrUpdateStagingDeploy/action.yml

@@ -8,5 +8,5 @@ inputs:
         description: The new NPM version of the StagingDeployCash issue.
         required: false
 runs:
-    using: 'node16'
+    using: 'node20'
     main: './index.js'

.github/actions/javascript/createOrUpdateStagingDeploy/index.js

@@ -194,20 +194,41 @@ const {getPreviousVersion, SEMANTIC_VERSION_LEVELS} = __nccwpck_require__(8007);
  */
 function fetchTag(tag) {
     const previousPatchVersion = getPreviousVersion(tag, SEMANTIC_VERSION_LEVELS.PATCH);
-    try {
-        let command = `git fetch origin tag ${tag} --no-tags`;
+    let shouldRetry = true;
+    let needsRepack = false;
+    while (shouldRetry) {
+        try {
+            let command = '';
+            if (needsRepack) {
+                // We have seen some scenarios where this fixes the git fetch.
+                // Why? Who knows... https://github.com/Expensify/App/pull/31459
+                command = 'git repack -d';
+                console.log(`Running command: ${command}`);
+                execSync(command);
+            }
 
-        // Exclude commits reachable from the previous patch version (i.e: previous checklist),
-        // so that we don't have to fetch the full history
-        // Note that this condition would only ever _not_ be true in the 1.0.0-0 edge case
-        if (previousPatchVersion !== tag) {
-            command += ` --shallow-exclude=${previousPatchVersion}`;
-        }
+            command = `git fetch origin tag ${tag} --no-tags`;
 
-        console.log(`Running command: ${command}`);
-        execSync(command);
-    } catch (e) {
-        console.error(e);
+            // Exclude commits reachable from the previous patch version (i.e: previous checklist),
+            // so that we don't have to fetch the full history
+            // Note that this condition would only ever _not_ be true in the 1.0.0-0 edge case
+            if (previousPatchVersion !== tag) {
+                command += ` --shallow-exclude=${previousPatchVersion}`;
+            }
+
+            console.log(`Running command: ${command}`);
+            execSync(command);
+            shouldRetry = false;
+        } catch (e) {
+            console.error(e);
+            if (!needsRepack) {
+                console.log('Attempting to repack and retry...');
+                needsRepack = true;
+            } else {
+                console.error("Repack didn't help, giving up...");
+                shouldRetry = false;
+            }
+        }
     }
 }
 
@@ -297,16 +318,15 @@ function getValidMergedPRs(commits) {
  * @param {String} toTag
  * @returns {Promise<Array<Number>>} – Pull request numbers
  */
-function getPullRequestsMergedBetween(fromTag, toTag) {
+async function getPullRequestsMergedBetween(fromTag, toTag) {
     console.log(`Looking for commits made between ${fromTag} and ${toTag}...`);
-    return getCommitHistoryAsJSON(fromTag, toTag).then((commitList) => {
-        console.log(`Commits made between ${fromTag} and ${toTag}:`, commitList);
+    const commitList = await getCommitHistoryAsJSON(fromTag, toTag);
+    console.log(`Commits made between ${fromTag} and ${toTag}:`, commitList);
 
-        // Find which commit messages correspond to merged PR's
-        const pullRequestNumbers = getValidMergedPRs(commitList);
-        console.log(`List of pull requests merged between ${fromTag} and ${toTag}`, pullRequestNumbers);
-        return _.map(pullRequestNumbers, (prNum) => Number.parseInt(prNum, 10));
-    });
+    // Find which commit messages correspond to merged PR's
+    const pullRequestNumbers = getValidMergedPRs(commitList).sort((a, b) => a - b);
+    console.log(`List of pull requests merged between ${fromTag} and ${toTag}`, pullRequestNumbers);
+    return pullRequestNumbers;
 }
 
 module.exports = {

.github/actions/javascript/getDeployPullRequestList/action.yml

@@ -14,5 +14,5 @@ outputs:
     PR_LIST:
         description: Array of pull request numbers
 runs:
-    using: 'node16'
+    using: 'node20'
     main: './index.js'

.github/actions/javascript/getDeployPullRequestList/index.js

@@ -136,20 +136,41 @@ const {getPreviousVersion, SEMANTIC_VERSION_LEVELS} = __nccwpck_require__(8007);
  */
 function fetchTag(tag) {
     const previousPatchVersion = getPreviousVersion(tag, SEMANTIC_VERSION_LEVELS.PATCH);
-    try {
-        let command = `git fetch origin tag ${tag} --no-tags`;
+    let shouldRetry = true;
+    let needsRepack = false;
+    while (shouldRetry) {
+        try {
+            let command = '';
+            if (needsRepack) {
+                // We have seen some scenarios where this fixes the git fetch.
+                // Why? Who knows... https://github.com/Expensify/App/pull/31459
+                command = 'git repack -d';
+                console.log(`Running command: ${command}`);
+                execSync(command);
+            }
 
-        // Exclude commits reachable from the previous patch version (i.e: previous checklist),
-        // so that we don't have to fetch the full history
-        // Note that this condition would only ever _not_ be true in the 1.0.0-0 edge case
-        if (previousPatchVersion !== tag) {
-            command += ` --shallow-exclude=${previousPatchVersion}`;
-        }
+            command = `git fetch origin tag ${tag} --no-tags`;
 
-        console.log(`Running command: ${command}`);
-        execSync(command);
-    } catch (e) {
-        console.error(e);
+            // Exclude commits reachable from the previous patch version (i.e: previous checklist),
+            // so that we don't have to fetch the full history
+            // Note that this condition would only ever _not_ be true in the 1.0.0-0 edge case
+            if (previousPatchVersion !== tag) {
+                command += ` --shallow-exclude=${previousPatchVersion}`;
+            }
+
+            console.log(`Running command: ${command}`);
+            execSync(command);
+            shouldRetry = false;
+        } catch (e) {
+            console.error(e);
+            if (!needsRepack) {
+                console.log('Attempting to repack and retry...');
+                needsRepack = true;
+            } else {
+                console.error("Repack didn't help, giving up...");
+                shouldRetry = false;
+            }
+        }
     }
 }
 
@@ -239,16 +260,15 @@ function getValidMergedPRs(commits) {
  * @param {String} toTag
  * @returns {Promise<Array<Number>>} – Pull request numbers
  */
-function getPullRequestsMergedBetween(fromTag, toTag) {
+async function getPullRequestsMergedBetween(fromTag, toTag) {
     console.log(`Looking for commits made between ${fromTag} and ${toTag}...`);
-    return getCommitHistoryAsJSON(fromTag, toTag).then((commitList) => {
-        console.log(`Commits made between ${fromTag} and ${toTag}:`, commitList);
+    const commitList = await getCommitHistoryAsJSON(fromTag, toTag);
+    console.log(`Commits made between ${fromTag} and ${toTag}:`, commitList);
 
-        // Find which commit messages correspond to merged PR's
-        const pullRequestNumbers = getValidMergedPRs(commitList);
-        console.log(`List of pull requests merged between ${fromTag} and ${toTag}`, pullRequestNumbers);
-        return _.map(pullRequestNumbers, (prNum) => Number.parseInt(prNum, 10));
-    });
+    // Find which commit messages correspond to merged PR's
+    const pullRequestNumbers = getValidMergedPRs(commitList).sort((a, b) => a - b);
+    console.log(`List of pull requests merged between ${fromTag} and ${toTag}`, pullRequestNumbers);
+    return pullRequestNumbers;
 }
 
 module.exports = {

.github/actions/javascript/getPreviousVersion/action.yml

@@ -8,5 +8,5 @@ outputs:
   PREVIOUS_VERSION:
     description: The previous semver version of the application, according to the SEMVER_LEVEL provided
 runs:
-  using: 'node16'
+  using: 'node20'
   main: './index.js'

.github/actions/javascript/getPullRequestDetails/action.yml

@@ -22,5 +22,5 @@ outputs:
   FORKED_REPO_URL:
     description: 'Output forked repo URL if PR includes changes from a fork'
 runs:
-  using: 'node16'
+  using: 'node20'
   main: './index.js'

.github/actions/javascript/getReleaseBody/action.yml

@@ -8,5 +8,5 @@ outputs:
   RELEASE_BODY:
     description: String body of a production release.
 runs:
-  using: 'node16'
+  using: 'node20'
   main: './index.js'

.github/actions/javascript/isStagingDeployLocked/action.yml

@@ -10,5 +10,5 @@ outputs:
     NUMBER:
         description: StagingDeployCash issue number
 runs:
-    using: 'node16'
+    using: 'node20'
     main: 'index.js'

.github/actions/javascript/markPullRequestsAsDeployed/action.yml

@@ -28,5 +28,5 @@ inputs:
         description: "Web job result ('success', 'failure', 'cancelled', or 'skipped')"
         required: true
 runs:
-    using: "node16"
+    using: "node20"
     main: "./index.js"

.github/actions/javascript/postTestBuildComment/action.yml

@@ -32,5 +32,5 @@ inputs:
         description: "Link for the web build"
         required: false
 runs:
-    using: "node16"
+    using: "node20"
     main: "./index.js"

.github/actions/javascript/reopenIssueWithComment/action.yml

@@ -11,5 +11,5 @@ inputs:
     description: The comment string we want to leave on the issue after we reopen it.
     required: true
 runs:
-  using: 'node16'
+  using: 'node20'
   main: './index.js'

.github/actions/javascript/reviewerChecklist/action.yml

@@ -5,5 +5,5 @@ inputs:
     description: Auth token for New Expensify Github
     required: true
 runs:
-  using: 'node16'
+  using: 'node20'
   main: './index.js'

.github/actions/javascript/validateReassureOutput/action.yml

@@ -11,5 +11,5 @@ inputs:
     description: Refers to the results obtained from regression tests `.reassure/output.json`.
     required: true
 runs:
-  using: 'node16'
+  using: 'node20'
   main: './index.js'

.github/actions/javascript/verifySignedCommits/action.yml

@@ -9,5 +9,5 @@ inputs:
     required: false
 
 runs:
-  using: 'node16'
+  using: 'node20'
   main: './index.js'

.github/libs/GitUtils.js

@@ -9,20 +9,41 @@ const {getPreviousVersion, SEMANTIC_VERSION_LEVELS} = require('../libs/versionUp
  */
 function fetchTag(tag) {
     const previousPatchVersion = getPreviousVersion(tag, SEMANTIC_VERSION_LEVELS.PATCH);
-    try {
-        let command = `git fetch origin tag ${tag} --no-tags`;
-
-        // Exclude commits reachable from the previous patch version (i.e: previous checklist),
-        // so that we don't have to fetch the full history
-        // Note that this condition would only ever _not_ be true in the 1.0.0-0 edge case
-        if (previousPatchVersion !== tag) {
-            command += ` --shallow-exclude=${previousPatchVersion}`;
-        }
+    let shouldRetry = true;
+    let needsRepack = false;
+    while (shouldRetry) {
+        try {
+            let command = '';
+            if (needsRepack) {
+                // We have seen some scenarios where this fixes the git fetch.
+                // Why? Who knows... https://github.com/Expensify/App/pull/31459
+                command = 'git repack -d';
+                console.log(`Running command: ${command}`);
+                execSync(command);
+            }
+
+            command = `git fetch origin tag ${tag} --no-tags`;
+
+            // Exclude commits reachable from the previous patch version (i.e: previous checklist),
+            // so that we don't have to fetch the full history
+            // Note that this condition would only ever _not_ be true in the 1.0.0-0 edge case
+            if (previousPatchVersion !== tag) {
+                command += ` --shallow-exclude=${previousPatchVersion}`;
+            }
 
-        console.log(`Running command: ${command}`);
-        execSync(command);
-    } catch (e) {
-        console.error(e);
+            console.log(`Running command: ${command}`);
+            execSync(command);
+            shouldRetry = false;
+        } catch (e) {
+            console.error(e);
+            if (!needsRepack) {
+                console.log('Attempting to repack and retry...');
+                needsRepack = true;
+            } else {
+                console.error("Repack didn't help, giving up...");
+                shouldRetry = false;
+            }
+        }
     }
 }
 
@@ -112,16 +133,15 @@ function getValidMergedPRs(commits) {
  * @param {String} toTag
  * @returns {Promise<Array<Number>>} – Pull request numbers
  */
-function getPullRequestsMergedBetween(fromTag, toTag) {
+async function getPullRequestsMergedBetween(fromTag, toTag) {
     console.log(`Looking for commits made between ${fromTag} and ${toTag}...`);
-    return getCommitHistoryAsJSON(fromTag, toTag).then((commitList) => {
-        console.log(`Commits made between ${fromTag} and ${toTag}:`, commitList);
+    const commitList = await getCommitHistoryAsJSON(fromTag, toTag);
+    console.log(`Commits made between ${fromTag} and ${toTag}:`, commitList);
 
-        // Find which commit messages correspond to merged PR's
-        const pullRequestNumbers = getValidMergedPRs(commitList);
-        console.log(`List of pull requests merged between ${fromTag} and ${toTag}`, pullRequestNumbers);
-        return _.map(pullRequestNumbers, (prNum) => Number.parseInt(prNum, 10));
-    });
+    // Find which commit messages correspond to merged PR's
+    const pullRequestNumbers = getValidMergedPRs(commitList).sort((a, b) => a - b);
+    console.log(`List of pull requests merged between ${fromTag} and ${toTag}`, pullRequestNumbers);
+    return pullRequestNumbers;
 }
 
 module.exports = {

.github/workflows/README.md

@@ -42,12 +42,12 @@ Due to the large, ever-growing history of this repo, do not do any full-fetches
 
 ```yaml
 # Bad
-- uses: actions/checkout@v3
+- uses: actions/checkout@v4
   with:
     fetch-depth: 0
 
 # Good
-- uses: actions/checkout@v3
+- uses: actions/checkout@v4
 ```
 
 ```sh
@@ -63,7 +63,7 @@ git fetch origin tag 1.0.1-0 --no-tags --shallow-exclude=1.0.0-0 # This will fet
 
 ## Security Rules 🔐
 1. Do **not** use `pull_request_target` trigger unless an external fork needs access to secrets, or a _write_ `GITHUB_TOKEN`.
-1. Do **not ever** write a `pull_request_target` trigger with an explicit PR checkout, e.g. using `actions/checkout@v2`. This is [discussed further here](https://securitylab.github.com/research/github-actions-preventing-pwn-requests)
+1. Do **not ever** write a `pull_request_target` trigger with an explicit PR checkout, e.g. using `actions/checkout@v4`. This is [discussed further here](https://securitylab.github.com/research/github-actions-preventing-pwn-requests)
 1. **Do use** the `pull_request` trigger as it does not send internal secrets and only grants a _read_ `GITHUB_TOKEN`.
 1. If an untrusted (i.e: not maintained by GitHub) external action needs access to any secret (`GITHUB_TOKEN` or internal secret), use the commit hash of the workflow to prevent a modification of underlying source code at that version. For example:
     1. **Bad:** `hmarr/[email protected]` Relies on the tag