
Conversation

@Boosted-Bonobo

I was surprised to see that this article is right.
This pull request aims to improve the ecosystem as this is quite a commonly used github action.
I'd also like to refer you to immutable releases which should be done from now on.

@Boosted-Bonobo
Author

Since this is going to take a while, not just to do but also because of the time it will take to update to a newer version which has the `uses` pinned, I'll create and update the list of PRs below to track the overall progress:

actions/checkout#2346
actions/setup-node#1451
actions/publish-action#121
actions/reusable-workflows#27
pnpm/action-setup#199
actions/upload-artifact#746
actions/download-artifact#453
actions/publish-immutable-action#230
super-linter/super-linter#7290
actions/github-script#689
#461

@crazy-max
Member

crazy-max commented Dec 15, 2025

We allow pinning to mutable tags for official actions in our policy.

I'd also like to refer you to immutable releases which should be done from now on.

It's already done on our side: https://github.com/docker/setup-buildx-action/pkgs/container/setup-buildx-action but it's still experimental and no GA announcement so far: https://github.com/actions/publish-immutable-action?tab=readme-ov-file#publish-immutable-action
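An added example, not code from this PR, from docker/setup-buildx-action or from GitHub: a small Python checker that classifies every `uses:` reference in a workflow as a full-SHA pin, a mutable tag, a local action, a `docker://` image or an unpinned reference, and applies the policy discussed in this thread (mutable tags tolerated only for a trusted set of owners such as `actions`, everything else required to be a 40-hex commit SHA). The regexes, function names and the sample workflow, including its placeholder SHA, are constructed for this example.

```python
import re

# "uses: <spec>" (optionally quoted), stopping at any trailing comment;
# a full 40-hex commit SHA is the only action reference that cannot be moved.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
def classify(spec):
    """Split a `uses:` spec into (kind, action, ref)."""
    if spec.startswith("./"):
        return ("local", spec, None)
    if spec.startswith("docker://"):
        return ("docker", spec, None)
    if "@" not in spec:
        return ("unpinned", spec, None)
    action, ref = spec.rsplit("@", 1)
    kind = "sha" if FULL_SHA_RE.match(ref) else "mutable-tag"
    return (kind, action, ref)

def check_pins(text, trusted_owners=frozenset({"actions"})):
    """(line_no, spec, kind, verdict) per `uses:` line. Mutable tags are "ok" only
    for owners in trusted_owners (a policy exempting official actions)."""
    results = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        kind, action, _ref = classify(spec)
        if kind in ("sha", "local", "docker"):
            verdict = "ok"
        elif kind == "mutable-tag" and action.split("/")[0] in trusted_owners:
            verdict = "ok"
        else:
            verdict = "violation"
        results.append((line_no, spec, kind, verdict))
    return results

def violations(text, trusted_owners=frozenset({"actions"})):
    """Only the (line_no, spec) pairs a pinning policy should reject."""
    return [(n, s) for n, s, _k, v in check_pins(text, trusted_owners) if v == "violation"]
# Constructed sample; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
  - uses: actions/checkout@v4
  - uses: docker/setup-buildx-action@v3
  - uses: pnpm/action-setup@0123456789abcdef0123456789abcdef01234567 # v4
  - uses: "super-linter/super-linter@v7"
  - uses: ./.github/actions/local-step
  - uses: docker://alpine:3.20
  - uses: actions/upload-artifact
"""
```

Passing `trusted_owners=frozenset({"actions", "docker"})` reproduces the looser policy above, where official actions may stay on mutable tags; an unpinned reference is rejected regardless of owner.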

@crazy-max crazy-max closed this Dec 15, 2025
@Boosted-Bonobo
Author

If the official actions do get to pin the actions in their own workflows, would you be willing to review the policy?

We all know the current experimental is probably the best it's going to get from the way the GitHub team runs things, at least for the foreseeable future; otherwise this would not still be a problem in 2026.

The installable action is immutable while the releases/tags are mutable. Did I understand it correctly?


@joe345-str

```yaml
name: Handle Pull Request
on:
  # WARNING: pull_request_target MUST NOT be used if running code under control
  # of the source PR [0], as it could risk leaking the GH_TOKENs.
  #
  # In this case, we do it as the job needs to run within the context of the
  # target repo, so it can get a GH_TOKEN which it can use to comment on and
  # update the PR.
  #
  # Crucially, no external code is loaded or run as part of this workflow.
  #
  # [0] https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target:~:text=Warning-,Running,website
  pull_request_target:
    types: [opened, reopened]

env:
  ALLOWED_TEAM: lando-github-pilot
  ALLOWED_PATHS: |
    mobile/android/android-components
    mobile/android/fenix
    mobile/android/focus-android

  GH_REPO: ${{ github.repository }}
  PR: ${{ github.event.pull_request.number }}

  GH_TOKEN: ${{ github.token }}

jobs:
  handle-pr:
    runs-on: ubuntu-latest
    steps:

      # Workflows don't get access to organisation metadata via the GITHUB_TOKEN.
      # We use the Lando Web App to obtain a token with sufficient permissions.
      - name: Generate a Lando Web token
        id: generate-lando-web-token
        uses: actions/create-github-app-token@v2
        continue-on-error: true
        with:
          app-id: ${{ vars.LANDO_WEB_APP_ID }}
          private-key: ${{ secrets.LANDO_WEB_APP_PRIVATE_KEY }}
          permission-members: read

      - name: Check team membership
        id: team
        continue-on-error: true
        env:
          AUTHOR: ${{ github.actor }}
          GH_ORG: ${{ github.repository_owner }}
          GH_TOKEN: ${{ steps.generate-lando-web-token.outputs.token }}
        run: |
          if gh api "/orgs/${GH_ORG}/teams/${ALLOWED_TEAM}/memberships/${AUTHOR}" --silent 2>/dev/null; then
            echo "is_member=true" >> $GITHUB_OUTPUT
          else
            echo "is_member=false" >> $GITHUB_OUTPUT
          fi

      - name: Check allowed paths
        id: paths
        continue-on-error: true
        if: steps.team.outputs.is_member == 'true'
        run: |
          PATTERN=$(echo "${ALLOWED_PATHS}" | xargs | tr ' ' '|')
          if gh pr view "${PR}" --json files --jq '.files[].path' | grep -vE "^(${PATTERN})"; then
            echo "only_allowed=false" >> $GITHUB_OUTPUT
          else
            echo "only_allowed=true" >> $GITHUB_OUTPUT
          fi

      - name: Close PR
        if: steps.team.outputs.is_member != 'true' || steps.paths.outputs.only_allowed != 'true'
        run: |
          gh pr close "${PR}" --comment "(Automated Close) Please do not file pull requests here, see https://firefox-source-docs.mozilla.org/contributing/how_to_submit_a_patch.html"
          gh pr lock "${PR}"

      - name: Check PR target
        if: (steps.team.outputs.is_member == 'true' && steps.paths.outputs.only_allowed == 'true') && github.event.action == 'opened' && github.base_ref == 'main'
        run: |
          gh pr comment "${PR}" --body "> [!WARNING]
          The base branch is currently set to \`main\`. Please Edit this PR and set the base to \`autoland\`."

      - name: Add Lando link
        if: (steps.team.outputs.is_member == 'true' && steps.paths.outputs.only_allowed == 'true') && github.event.action == 'opened'
        env:
          #
          # Set the following variables at the repository level [0].
          # [0] https://docs.github.com/en/actions/how-tos/write-workflows/choose-what-workflows-do/use-variables#defining-configuration-variables-for-multiple-workflows
          #
          LANDO_BASE_URL: ${{ vars.LANDO_BASE_URL }}
```
