Bump the github-actions group across 1 directory with 6 updates

.github/workflows/ci-rust.yml

@@ -102,7 +102,7 @@ jobs:
         timeout-minutes: 5
 
       # Install cargo nextest command
-      - uses: taiki-e/install-action@c6dc131d2c4291552cafb840290190a53b2cd937 # pin v2.44.67
+      - uses: taiki-e/install-action@6da51af62171044932d435033daa70a0eb3383ba # pin v2.45.6
         with:
           tool: [email protected], [email protected], [email protected]
 
@@ -263,7 +263,7 @@ jobs:
         timeout-minutes: 5
 
       # Install cargo nextest command
-      - uses: taiki-e/install-action@c6dc131d2c4291552cafb840290190a53b2cd937 # pin v2.44.67
+      - uses: taiki-e/install-action@6da51af62171044932d435033daa70a0eb3383ba # pin v2.45.6
         with:
           tool: [email protected]
 

.github/workflows/ci-web.yml

@@ -123,7 +123,7 @@ jobs:
         timeout-minutes: 5
 
       # Install wasm-pack command
-      - uses: taiki-e/install-action@c6dc131d2c4291552cafb840290190a53b2cd937 # pin v2.44.67
+      - uses: taiki-e/install-action@6da51af62171044932d435033daa70a0eb3383ba # pin v2.45.6
         with:
           tool: wasm-pack@${{ env.wasm-pack-version }}
 

.github/workflows/ci.yml

@@ -191,7 +191,7 @@ jobs:
           diff --unified .pre-commit-config.yaml $TEMP_FILE || true
           echo "path=$TEMP_FILE" >> $GITHUB_OUTPUT
 
-      - uses: taiki-e/install-action@c6dc131d2c4291552cafb840290190a53b2cd937 # pin v2.44.67
+      - uses: taiki-e/install-action@6da51af62171044932d435033daa70a0eb3383ba # pin v2.45.6
         with:
           tool: [email protected]
 

.github/workflows/codeql.yml

@@ -58,7 +58,7 @@ jobs:
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
         if: steps.should-run-python-analysis.outputs.run == 'true'
-        uses: github/codeql-action/init@4f3212b61783c3c68e8309a0f18a699764811cda # pin v3.27.1
+        uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # pin v3.27.5
         with:
           languages: python
           setup-python-dependencies: false
@@ -87,7 +87,7 @@ jobs:
 
       - name: Perform CodeQL Analysis
         if: steps.should-run-python-analysis.outputs.run == 'true'
-        uses: github/codeql-action/analyze@4f3212b61783c3c68e8309a0f18a699764811cda # pin v3.27.1
+        uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # pin v3.27.5
         with:
           category: /language:python
 
@@ -142,7 +142,7 @@ jobs:
   #     # Initializes the CodeQL tools for scanning.
   #     - name: Initialize CodeQL
   #       if: steps.should-run-java-analysis.outputs.run == 'true'
-  #       uses: github/codeql-action/init@4f3212b61783c3c68e8309a0f18a699764811cda # pin v3.27.1
+  #       uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # pin v3.27.5
   #       with:
   #         languages: java
   #         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -154,15 +154,15 @@ jobs:
 
   #     - name: Autobuild android
   #       if: steps.should-run-java-analysis.outputs.run == 'true'
-  #       uses: github/codeql-action/autobuild@4f3212b61783c3c68e8309a0f18a699764811cda # pin v3.27.1
+  #       uses: github/codeql-action/autobuild@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # pin v3.27.5
   #       with:
   #         working-directory: client/android
   #       env:
   #         GRADLE_LIBPARSEC_BUILD_STRATEGY: no_build
 
   #     - name: Perform CodeQL Analysis
   #       if: steps.should-run-java-analysis.outputs.run == 'true'
-  #       uses: github/codeql-action/analyze@4f3212b61783c3c68e8309a0f18a699764811cda # pin v3.27.1
+  #       uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # pin v3.27.5
   #       with:
   #         category: /language:java
 
@@ -191,7 +191,7 @@ jobs:
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
         if: steps.should-run-js-analysis.outputs.run == 'true'
-        uses: github/codeql-action/init@4f3212b61783c3c68e8309a0f18a699764811cda # pin v3.27.1
+        uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # pin v3.27.5
         with:
           languages: typescript
 
@@ -202,12 +202,12 @@ jobs:
 
       - name: Autobuild for typescript
         if: steps.should-run-js-analysis.outputs.run == 'true'
-        uses: github/codeql-action/autobuild@4f3212b61783c3c68e8309a0f18a699764811cda # pin v3.27.1
+        uses: github/codeql-action/autobuild@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # pin v3.27.5
         with:
           working-directory: client
 
       - name: Perform CodeQL Analysis
         if: steps.should-run-js-analysis.outputs.run == 'true'
-        uses: github/codeql-action/analyze@4f3212b61783c3c68e8309a0f18a699764811cda # pin v3.27.1
+        uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # pin v3.27.5
         with:
           category: /language:typescript

.github/workflows/docker-server.yml

@@ -56,7 +56,7 @@ jobs:
         timeout-minutes: 1
 
       - name: Generate build metadata
-        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
         id: metadata
         with:
           images:

.github/workflows/docker-testbed.yml

@@ -66,7 +66,7 @@ jobs:
         timeout-minutes: 1
 
       - name: Generate build metadata
-        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
         id: metadata
         with:
           images:

.github/workflows/package-client.yml

@@ -108,7 +108,7 @@ jobs:
         working-directory: client
 
       # Install syft
-      - uses: taiki-e/install-action@c6dc131d2c4291552cafb840290190a53b2cd937 # pin v2.44.67
+      - uses: taiki-e/install-action@6da51af62171044932d435033daa70a0eb3383ba # pin v2.45.6
         with:
           tool: [email protected], wasm-pack@${{ env.wasm-pack-version }}
 
@@ -135,7 +135,7 @@ jobs:
     needs: version
     runs-on: ubuntu-22.04
     # Always run the job if `version` job is skipped otherwise only if `version` job was successful.
-    if: ${{ inputs.version_patch_run_id != '' && always() || success() }}
+    if: inputs.version_patch_run_id != '' && always() || success()
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin v4.2.2
         with:
@@ -162,7 +162,7 @@ jobs:
 
       # In case this step timeout, check the status of snapcraft.io at https://status.snapcraft.io/
       - name: Install snapcraft
-        uses: samuelmeuli/action-snapcraft@d33c176a9b784876d966f80fb1b461808edc0641 # pin v2.1.1
+        uses: samuelmeuli/action-snapcraft@fceeb3c308e76f3487e72ef608618de625fb7fe8 # pin v3.0.1
         timeout-minutes: 15
 
       - name: Setup LXD
@@ -176,20 +176,26 @@ jobs:
         working-directory: client/electron
 
       # We need to patch the vite.config.js because we cannot pass the secret to the snap build (either via build-args or env).
+      # Build we only do that is the event is not a PR from dependabot (because it does not have access to secrets, thus failing the build).
       - name: Patch vite config for snap build
+        if: !(github.event_name == 'pull_request' && github.actor == 'dependabot[bot]')
         run: >-
           sed -i
           -e s'/if (process.env.PARSEC_APP_SENTRY_AUTH_TOKEN)/if (true)/'
           -e s';authToken: process.env.PARSEC_APP_SENTRY_AUTH_TOKEN;authToken: "${{ secrets.SENTRY_AUTH_TOKEN }}";'
           vite.config.ts
         working-directory: client
 
-      - name: Patch snapcraft file for sentry auth token and vite mode
+      # We only patch snapcraft.yaml is the event is not a PR from dependabot (because it does not have access to secrets, thus failing the build).
+      - name: Patch snapcraft file for sentry auth token
+        if: !(github.event_name == 'pull_request' && github.actor == 'dependabot[bot]')
         run: >-
-          sed -i
-          -e s';SENTRY_AUTH_TOKEN: __TOKEN__;SENTRY_AUTH_TOKEN: "${{ secrets.SENTRY_AUTH_TOKEN }}";'
-          -e s'/VITE_MODE: development/VITE_MODE: ${{ steps.version.outputs.type }}/'
-          snap/snapcraft.yaml
+          sed -i -e s';SENTRY_AUTH_TOKEN: __TOKEN__;SENTRY_AUTH_TOKEN: "${{ secrets.SENTRY_AUTH_TOKEN }}";' snap/snapcraft.yaml
+        working-directory: client/electron
+
+      - name: Patch snapcraft file for vite mode
+        run: >-
+          sed -i -e s'/VITE_MODE: development/VITE_MODE: ${{ steps.version.outputs.type }}/' snap/snapcraft.yaml
         working-directory: client/electron
 
       - name: Build snap
@@ -205,7 +211,7 @@ jobs:
           mv -v parsec_*_*.snap Parsec_${{ steps.version.outputs.full }}_linux_$ARCH.snap
 
       # Install syft
-      - uses: taiki-e/install-action@c6dc131d2c4291552cafb840290190a53b2cd937 # pin v2.44.67
+      - uses: taiki-e/install-action@6da51af62171044932d435033daa70a0eb3383ba # pin v2.45.6
         with:
           tool: [email protected]
 
@@ -344,9 +350,10 @@ jobs:
         working-directory: client
         timeout-minutes: 1
 
+      # Do not prepare codesign if the PR is from dependabot (it does not have access to secrets).
       - name: Prepare codesign
         shell: bash -o pipefail -eux {0}
-        if: matrix.platform == 'macos'
+        if: matrix.platform == 'macos' && !(github.event_name == 'pull_request' && github.actor == 'dependabot[bot]')
         run: |
           printenv MACOS_CERT | base64 --decode > certificate.p12
 
@@ -387,15 +394,17 @@ jobs:
         working-directory: client/electron
         timeout-minutes: 10
 
+      # Do not upload sourcemaps if it's a PR from dependabot because it does not have access to secrets.
       - name: Upload client electron sourcemaps
+        if: !(github.event_name == 'pull_request' && github.actor == 'dependabot[bot]')
         run: npm run sentry:sourcemaps
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
         working-directory: client/electron
         timeout-minutes: 1
 
       # Install syft
-      - uses: taiki-e/install-action@c6dc131d2c4291552cafb840290190a53b2cd937 # pin v2.44.67
+      - uses: taiki-e/install-action@6da51af62171044932d435033daa70a0eb3383ba # pin v2.45.6
         with:
           tool: [email protected]
 

.github/workflows/package-server.yml

@@ -98,7 +98,7 @@ jobs:
         run: git apply --allow-empty ${{ runner.temp }}/version.patch/version.patch
 
       - name: Build wheel
-        uses: pypa/cibuildwheel@7940a4c0e76eb2030e473a5f864f291f63ee879b  # pin v2.21.3
+        uses: pypa/cibuildwheel@ee63bf16da6cddfb925f542f2c7b59ad50e93969  # pin v2.22.0
         with:
           package-dir: server
           output-dir: dist
@@ -111,7 +111,7 @@ jobs:
         run: python server/packaging/wheel/wheel_it.py ./server --output dist --skip-wheel
 
       # Install syft
-      - uses: taiki-e/install-action@c6dc131d2c4291552cafb840290190a53b2cd937 # pin v2.44.67
+      - uses: taiki-e/install-action@6da51af62171044932d435033daa70a0eb3383ba # pin v2.45.6
         with:
           tool: [email protected]
 

.github/workflows/publish.yml

@@ -50,6 +50,8 @@ env:
 jobs:
   publish:
     runs-on: ubuntu-24.04
+    # We don't want to run this workflow on dependabot PRs because it will not be able to read the secrets
+    if: !(github.event_name == 'pull_request' && github.actor == 'dependabot[bot]')
     permissions:
       contents: read
       id-token: write
@@ -104,7 +106,7 @@ jobs:
         run: tree dist snap
 
       - name: Install Snapcraft
-        uses: samuelmeuli/action-snapcraft@d33c176a9b784876d966f80fb1b461808edc0641 # pin v2.1.1
+        uses: samuelmeuli/action-snapcraft@fceeb3c308e76f3487e72ef608618de625fb7fe8 # pin v3.0.1
         timeout-minutes: 2
 
       - name: Get releases for snapcraft

.github/workflows/releaser.yml

@@ -54,7 +54,8 @@ jobs:
 
   package-parsec-client:
     needs: version
-    if: needs.version.result == 'success' && always()
+    # Do not run this job if the event is a pull request from dependabot.
+    if: needs.version.result == 'success' && !(github.event_name == 'pull_request' && github.actor == 'dependabot[bot]') && always()
     uses: ./.github/workflows/package-client.yml
     with:
       version: ${{ needs.version.outputs.full }}
@@ -220,7 +221,7 @@ jobs:
 
       - name: Create release
         if: github.event_name == 'schedule' || (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/'))
-        uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # pin v2.0.9
+        uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # pin v2.1.0
         with:
           draft: ${{ env.NIGHTLY_RELEASE != 'true' }}
           tag_name: ${{ github.event_name == 'schedule' && 'nightly' || github.ref }}