[mob] Freeze app dependencies and enforce lockfiles

.github/workflows/auth-internal-release.yml

@@ -39,6 +39,9 @@ jobs:
               run: flutter gen-l10n
               working-directory: mobile/packages/strings
 
+            - name: Resolve dependencies with lockfile enforcement
+              run: flutter pub get --enforce-lockfile
+
             - name: Setup keys
               uses: timheuer/base64-to-file@v1
               with:

.github/workflows/auth-lint.yml

@@ -25,6 +25,10 @@ jobs:
               with:
                   submodules: recursive
 
+            - name: Verify frozen mobile pubspecs
+              run: ruby mobile/scripts/check_frozen_pubspecs.rb mobile/apps/auth
+              working-directory: ${{ github.workspace }}
+
             - name: Verify custom icons are lowercase including optional understores, and end with .svg
               run: |
                   find assets/custom-icons -type f -name "*.svg" | while read -r file; do
@@ -72,6 +76,6 @@ jobs:
               run: flutter gen-l10n
               working-directory: mobile/packages/strings
 
-            - run: flutter pub get
+            - run: flutter pub get --enforce-lockfile
 
             - run: flutter analyze --no-fatal-infos

.github/workflows/auth-release.yml

@@ -96,6 +96,9 @@ jobs:
               run: flutter gen-l10n
               working-directory: mobile/packages/strings
 
+            - name: Resolve dependencies with lockfile enforcement
+              run: flutter pub get --enforce-lockfile
+
             - name: Update Linux AppData metadata
               run: |
                   APPDATA_FILE="linux/packaging/enteauth.appdata.xml"
@@ -224,6 +227,9 @@ jobs:
               run: flutter gen-l10n
               working-directory: mobile/packages/strings
 
+            - name: Resolve dependencies with lockfile enforcement
+              run: flutter pub get --enforce-lockfile
+
             - name: Create artifacts directory
               run: mkdir artifacts
 
@@ -298,6 +304,9 @@ jobs:
               run: flutter gen-l10n
               working-directory: mobile/packages/strings
 
+            - name: Resolve dependencies with lockfile enforcement
+              run: flutter pub get --enforce-lockfile
+
             - name: Install code signing dependencies
               run: |
                   pip3 install codemagic-cli-tools --break-system-packages

.github/workflows/locker-internal-release.yml

@@ -39,6 +39,9 @@ jobs:
               run: flutter gen-l10n
               working-directory: mobile/packages/strings
 
+            - name: Resolve dependencies with lockfile enforcement
+              run: flutter pub get --enforce-lockfile
+
             - name: Increment version code for build
               run: |
                   CURRENT_VERSION=$(grep '^version:' pubspec.yaml | sed 's/version: //')

.github/workflows/locker-lint.yml

@@ -25,6 +25,10 @@ jobs:
               with:
                   submodules: recursive
 
+            - name: Verify frozen mobile pubspecs
+              run: ruby mobile/scripts/check_frozen_pubspecs.rb mobile/apps/locker
+              working-directory: ${{ github.workspace }}
+
             - name: Install Flutter ${{ env.FLUTTER_VERSION  }}
               uses: subosito/flutter-action@v2
               with:
@@ -36,6 +40,6 @@ jobs:
               run: flutter gen-l10n
               working-directory: mobile/packages/strings
 
-            - run: flutter pub get
+            - run: flutter pub get --enforce-lockfile
 
             - run: flutter analyze --no-fatal-infos

.github/workflows/locker-release.yml

@@ -76,6 +76,9 @@ jobs:
               run: flutter gen-l10n
               working-directory: mobile/packages/strings
 
+            - name: Resolve dependencies with lockfile enforcement
+              run: flutter pub get --enforce-lockfile
+
             - name: Setup keys
               uses: timheuer/base64-to-file@v1
               with:

.github/workflows/mobile-daily-internal.yml

@@ -55,6 +55,9 @@ jobs:
               with:
                   toolchain: ${{ env.RUST_VERSION }}
 
+            - name: Resolve dependencies with lockfile enforcement
+              run: flutter pub get --enforce-lockfile
+
             - name: Install Flutter Rust Bridge
               run: cargo install flutter_rust_bridge_codegen
 

.github/workflows/mobile-lint.yml

@@ -30,6 +30,10 @@ jobs:
               with:
                   submodules: recursive
 
+            - name: Verify frozen mobile pubspecs
+              run: ruby mobile/scripts/check_frozen_pubspecs.rb mobile/apps/photos
+              working-directory: ${{ github.workspace }}
+
             - name: Install Flutter ${{ env.FLUTTER_VERSION  }}
               uses: subosito/flutter-action@v2
               with:
@@ -53,7 +57,7 @@ jobs:
                       mobile/apps/photos/rust/target
                   key: ${{ runner.os }}-cargo-mobile-${{ hashFiles('mobile/**/Cargo.lock') }}
 
-            - run: flutter pub get
+            - run: flutter pub get --enforce-lockfile
 
             - name: Install Flutter Rust Bridge
               run: cargo install flutter_rust_bridge_codegen

.github/workflows/mobile-release.yml

@@ -78,6 +78,9 @@ jobs:
               with:
                   toolchain: ${{ env.RUST_VERSION }}
 
+            - name: Resolve dependencies with lockfile enforcement
+              run: flutter pub get --enforce-lockfile
+
             - name: Install Flutter Rust Bridge
               run: cargo install flutter_rust_bridge_codegen
 

.github/workflows/photos-internal-release.yml

@@ -42,6 +42,9 @@ jobs:
         with:
           toolchain: ${{ env.RUST_VERSION }}
 
+      - name: Resolve dependencies with lockfile enforcement
+        run: flutter pub get --enforce-lockfile
+
       # Android Build 
       - name: Setup Android signing key
         uses: timheuer/base64-to-file@v1

.github/workflows/security-check-workflows.yml

@@ -20,7 +20,7 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Check for new privileged workflow triggers
+      - name: Check workflow security guardrails
         shell: bash
         run: |
           extract_sensitive_triggers() {
@@ -63,6 +63,29 @@ jobs:
             '
           }
 
+          extract_unpinned_third_party_actions() {
+            local revision=$1
+            local file=$2
+
+            if ! git cat-file -e "${revision}:${file}" 2>/dev/null; then
+              return 0
+            fi
+
+            git show "${revision}:${file}" | ruby -e '
+              FULL_SHA = /\A[0-9a-f]{40}\z/
+
+              refs = STDIN.read.scan(
+                /^\s*-?\s*uses:\s*([A-Za-z0-9._-]+\/[A-Za-z0-9._-]+(?:\/[A-Za-z0-9._\/-]+)?)@([^\s#]+)/
+              )
+              refs.each do |action, ref|
+                next if action.start_with?("actions/")
+                next if ref.match?(FULL_SHA)
+
+                puts "#{action}@#{ref}"
+              end
+            ' | sort -u
+          }
+
           mapfile -t modified_workflows < <(
             git diff --name-only --diff-filter=AMR "origin/${{ github.base_ref }}...HEAD" |
             grep -E '^\.github/workflows/.*\.ya?ml$' || true
@@ -84,6 +107,7 @@ jobs:
             "workflow_run"
           )
           violations=()
+          unpinned_violations=()
 
           for file in "${modified_workflows[@]}"; do
             if ! current_triggers=$(extract_sensitive_triggers HEAD "$file"); then
@@ -106,6 +130,27 @@ jobs:
                 fi
               fi
             done
+
+            if ! current_unpinned=$(extract_unpinned_third_party_actions HEAD "$file"); then
+              echo "❌ ERROR: Failed to parse action refs in HEAD:$file"
+              exit 1
+            fi
+
+            if ! base_unpinned=$(extract_unpinned_third_party_actions "origin/${{ github.base_ref }}" "$file"); then
+              echo "❌ ERROR: Failed to parse action refs in origin/${{ github.base_ref }}:$file"
+              exit 1
+            fi
+
+            while IFS= read -r action_ref; do
+              [ -z "$action_ref" ] && continue
+
+              if grep -Fxq "$action_ref" <<< "$base_unpinned"; then
+                echo "✓ $file: ${action_ref} already existed unpinned (allowed for now)"
+              else
+                echo "✗ $file: NEW unpinned third-party action ${action_ref} detected!"
+                unpinned_violations+=("$file:${action_ref}")
+              fi
+            done <<< "$current_unpinned"
           done
 
           if [ "${#violations[@]}" -gt 0 ]; then
@@ -123,4 +168,13 @@ jobs:
             exit 1
           fi
 
-          echo "✓ No new privileged workflow triggers detected"
+          if [ "${#unpinned_violations[@]}" -gt 0 ]; then
+            echo ""
+            echo "❌ ERROR: New unpinned third-party workflow actions detected:"
+            printf ' - %s\n' "${unpinned_violations[@]}"
+            echo ""
+            echo "Pin third-party actions to a full commit SHA before merging."
+            exit 1
+          fi
+
+          echo "✓ No new privileged triggers or unpinned third-party actions detected"

mobile/apps/auth/ios/ci_scripts/ci_post_clone.sh

@@ -13,7 +13,7 @@ echo "🟩 Flutter Precache"
 time flutter precache --ios
 
 echo "🟩 Install Flutter Dependencies"
-time flutter pub get
+time flutter pub get --enforce-lockfile
 
 echo "🟩 Install CocoaPods via Homebrew"
 time HOMEBREW_NO_AUTO_UPDATE=1 brew install cocoapods

mobile/apps/auth/plugins/qr/pubspec.yaml

@@ -10,10 +10,10 @@ environment:
 dependencies:
   flutter:
     sdk: flutter
-  plugin_platform_interface: ^2.0.2
+  plugin_platform_interface: 2.1.8
 
 dev_dependencies:
-  flutter_lints: ^3.0.0
+  flutter_lints: 3.0.2
   flutter_test:
     sdk: flutter
 

mobile/apps/auth/pubspec.lock

@@ -1189,7 +1189,7 @@ packages:
     dependency: "direct main"
     description:
       path: "."
-      ref: v2-only
+      ref: "0cdfeed654d79636eff0c57110f3f6ad5801ba2f"
       resolved-ref: "0cdfeed654d79636eff0c57110f3f6ad5801ba2f"
       url: "https://github.com/ente-io/move_to_background.git"
     source: git