chore: improve actions performance and security practices (#5970)

* chore: bump actions and pin versions * build: switch to blacksmith * fix: use rust-toolchain stable * build: improve pnpm store caching * chore: remove emoji from workflows * fix: run prepare job on blacksmith * chore: kebab case id * build: add concurrency groups to limit duplicate jobs * build: switch around node setup and pnpm setup task * chore: bump to nodejs 24, fix pnpm caching * fix: enable corepack * fix: concurrency deadlock in frontend preview * fix: approve build scripts * fix: just don't cancel concurrent previews * build: remove pnpm setup action everywhere * build: cache apt packages * build: yet another attempt at fixing concurrency * build: lower runner type for frontend deploy * fix: eslint not existing * build: add sccache to turbo-ci * fix: correct nextest pkg * fix: turbo ignoring sccache * revert me: test labrinth tests * Revert "revert me: test labrinth tests" This reverts commit def5cc19183d5c0fe3b6f3c03635d73bb59bd312. * build: compile app before docker build * build: lower runner types * build: remove docker inline caching * build: try mold on labrinth * build: tweak labrinth prod build profile * fix: app windows builds and caching * fix: tombi format cargo.toml * fix: swap ping test to cubecraft to avoid CI flakiness * typos fix --------- Co-authored-by: aecsocket <aecsocket@tutanota.com>
2026-05-03 14:18:31 +02:00
parent 9015ff0971
commit 5b59e39a8a
29 changed files with 976 additions and 382 deletions
--- a/.github/workflows/i18n-pull.yml
+++ b/.github/workflows/i18n-pull.yml
@@ -51,14 +51,14 @@ jobs:
          CROWDIN_GH_TOKEN_DEFINED: ${{ secrets.CROWDIN_GH_TOKEN != '' }}

      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ github.ref }}
          token: ${{ secrets.CROWDIN_GH_TOKEN }}

      - name: Configure Git author
        id: git-author
-        uses: MarcoIeni/git-config@v0.1
+        uses: MarcoIeni/git-config@59144859caf016f8b817a2ac9b051578729173c4 # v0.1.2
        env:
          GITHUB_TOKEN: ${{ secrets.CROWDIN_GH_TOKEN }}

@@ -79,7 +79,7 @@ jobs:
          echo "safe_branch_name=$SAFE_BRANCH_NAME" >> "$GITHUB_OUTPUT"

      - name: Download translations from Crowdin
-        uses: crowdin/github-action@v2
+        uses: crowdin/github-action@8868a33591d21088edfc398968173a3b98d51706 # v2.16.2
        with:
          upload_sources: false
          upload_translations: false
@@ -96,7 +96,7 @@ jobs:
        run: sudo chown -R $USER:$USER .

      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          title: 'New translations from Crowdin (${{ steps.branch-name.outputs.branch_name }})'
          body-path: .github/templates/crowdin-pr.md