Merge pull request #346 from felixrieseberg/claude/crazy-kilby

Modernize GitHub Actions workflow
2026-05-09 00:24:09 +00:00 · 2026-04-11 09:32:54 -07:00
parent 17e0182ecb 3eab26fed1
commit 2ef06eb412
2 changed files with 22 additions and 37 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -12,25 +12,16 @@ jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Node.js
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          node-version: 18.x
-      - name: Get yarn cache directory path
-        id: yarn-cache-dir-path
-        run: echo "::set-output name=dir::$(yarn cache dir)"
-      - uses: actions/cache@v1
-        id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`)
-        with:
-          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
-          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            ${{ runner.os }}-yarn-
+          node-version: 20.x
+          cache: npm
      - name: Install
-        run: yarn --frozen-lockfile
+        run: npm ci
      - name: lint
-        run: yarn lint
+        run: npm run lint
  build:
    needs: lint
    name: Build (${{ matrix.os }} - ${{ matrix.arch }})
@@ -55,22 +46,12 @@ jobs:
          arch: arm64

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Node.js
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          node-version: 18.x
-      - name: Get yarn cache directory path
-        id: yarn-cache-dir-path
-        run: echo "::set-output name=dir::$(yarn cache dir)"
-      - uses: actions/cache@v1
-        if: matrix.os != 'macOS-latest'
-        id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`)
-        with:
-          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
-          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            ${{ runner.os }}-yarn-
+          node-version: 20.x
+          cache: npm
      - name: Set MacOS signing certs
        if: matrix.os == 'macOS-latest'
        run: chmod +x tools/add-macos-cert.sh && ./tools/add-macos-cert.sh
@@ -81,7 +62,7 @@ jobs:
        if: matrix.os == 'windows-latest'
        continue-on-error: true
        id: write_file
-        uses: timheuer/base64-to-file@v1
+        uses: timheuer/base64-to-file@784a1a4a994315802b7d8e2084e116e783d157be # v1.2.4
        with:
          fileName: 'win-certificate.pfx'
          encodedString: ${{ secrets.WINDOWS_CODESIGN_P12 }}
@@ -96,10 +77,10 @@ jobs:
        env:
          DISK_URL: ${{ secrets.DISK_URL }}
      - name: Install
-        run: yarn
+        run: npm ci
      - name: Make
        if: startsWith(github.ref, 'refs/tags/')
-        run: yarn make --arch=${{ matrix.arch }}
+        run: npm run make -- --arch=${{ matrix.arch }}
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
@@ -107,7 +88,7 @@ jobs:
          WINDOWS_CODESIGN_FILE: ${{ steps.write_file.outputs.filePath }}
          WINDOWS_CODESIGN_PASSWORD: ${{ secrets.WINDOWS_CODESIGN_PASSWORD }}
      - name: Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
        if: startsWith(github.ref, 'refs/tags/')
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/tools/check-links.js
+++ b/tools/check-links.js
@@ -15,9 +15,13 @@ async function main() {
      const response = await fetch(link, { method: 'HEAD' })

      if (!response.ok) {
-        // If we're inside GitHub's release asset server, we just ran into AWS not allowing
-        // HEAD requests, which is different from a 404.
-        if (!response.url.startsWith('https://github-production-release-asset')) {
+        // GitHub's release-asset and user-attachments CDNs reject anonymous HEAD
+        // requests (403), which is different from a 404.
+        const isGithubCdn =
+          response.url.startsWith('https://github-production-release-asset') ||
+          response.url.startsWith('https://github-production-user-asset') ||
+          link.startsWith('https://github.com/user-attachments/')
+        if (!isGithubCdn) {
          throw new Error (`HTTP Error Response: ${response.status} ${response.statusText}`)
        }
      }