chore: improve actions performance and security practices (#5970)

* chore: bump actions and pin versions * build: switch to blacksmith * fix: use rust-toolchain stable * build: improve pnpm store caching * chore: remove emoji from workflows * fix: run prepare job on blacksmith * chore: kebab case id * build: add concurrency groups to limit duplicate jobs * build: switch around node setup and pnpm setup task * chore: bump to nodejs 24, fix pnpm caching * fix: enable corepack * fix: concurrency deadlock in frontend preview * fix: approve build scripts * fix: just don't cancel concurrent previews * build: remove pnpm setup action everywhere * build: cache apt packages * build: yet another attempt at fixing concurrency * build: lower runner type for frontend deploy * fix: eslint not existing * build: add sccache to turbo-ci * fix: correct nextest pkg * fix: turbo ignoring sccache * revert me: test labrinth tests * Revert "revert me: test labrinth tests" This reverts commit def5cc19183d5c0fe3b6f3c03635d73bb59bd312. * build: compile app before docker build * build: lower runner types * build: remove docker inline caching * build: try mold on labrinth * build: tweak labrinth prod build profile * fix: app windows builds and caching * fix: tombi format cargo.toml * fix: swap ping test to cubecraft to avoid CI flakiness * typos fix --------- Co-authored-by: aecsocket <aecsocket@tutanota.com>
2026-05-03 14:18:31 +02:00
parent 9015ff0971
commit 5b59e39a8a
29 changed files with 976 additions and 382 deletions
--- a/.github/workflows/frontend-deploy.yml
+++ b/.github/workflows/frontend-deploy.yml
@@ -21,16 +21,20 @@ on:
        type: string
        description: 'The environment to deploy to (staging-preview or production-preview)'

+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ inputs.environment || 'push' }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' && github.ref != 'refs/heads/prod' }}
+
 jobs:
  deploy:
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-2vcpu-ubuntu-2404
    permissions:
      contents: read
      deployments: write
      pull-requests: write
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0

@@ -63,14 +67,25 @@ jobs:
            echo "url=https://modrinth.com" >> $GITHUB_OUTPUT
          fi

-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-
      - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version-file: .nvmrc
-          cache: pnpm
+
+      - name: Enable Corepack
+        run: corepack enable
+
+      - name: Get pnpm store path
+        id: pnpm-store
+        run: echo "store-path=$(pnpm store path --silent)" >> $GITHUB_OUTPUT
+
+      - name: Restore pnpm cache
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        with:
+          path: ${{ steps.pnpm-store.outputs.store-path }}
+          key: pnpm-cache-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/pnpm-lock.yaml') }}
+          restore-keys: |
+            pnpm-cache-

      - name: Inject build variables
        working-directory: ./apps/frontend
@@ -99,7 +114,7 @@ jobs:
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}

      - name: Create Sentry release and upload sourcemaps
-        uses: getsentry/action-release@v3
+        uses: getsentry/action-release@5657c9e888b4e2cc85f4d29143ea4131fde4a73a # v3.6.0
        env:
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
          SENTRY_ORG: modrinth
@@ -111,7 +126,7 @@ jobs:

      - name: Deploy Cloudflare Worker
        id: wrangler
-        uses: cloudflare/wrangler-action@v3
+        uses: cloudflare/wrangler-action@9acf94ace14e7dc412b076f2c5c20b8ce93c79cd # v3.15.0
        with:
          apiToken: ${{ secrets.CF_API_TOKEN }}
          accountId: ${{ secrets.CF_ACCOUNT_ID }}
@@ -137,7 +152,7 @@ jobs:

      - name: Upload deployment URL
        if: ${{ inputs.environment != '' }}
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: deployment-url-${{ inputs.environment }}
          path: deployment-url-${{ inputs.environment }}.txt