diff --git a/.github/workflows/moderator.yml b/.github/workflows/moderator.yml
index 78214722..095ab33c 100644
--- a/.github/workflows/moderator.yml
+++ b/.github/workflows/moderator.yml
@@ -17,6 +17,8 @@ jobs: contents: read steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: github/ai-moderator@81159c370785e295c97461ade67d7c33576e9319 # v1.1.4 with: token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index a5842318..325df1c0 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -15,12 +15,14 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 24.x - cache: npm registry-url: 'https://registry.npmjs.org' + package-manager-cache: false - name: Install dependencies run: npm ci - name: Build project
diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml
index 88646249..3300e557 100644
--- a/.github/workflows/release-branch.yml
+++ b/.github/workflows/release-branch.yml
@@ -28,7 +28,7 @@ jobs: - name: Checkout repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - persist-credentials: true + persist-credentials: false - name: Setup node uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with:
@@ -66,7 +66,7 @@ jobs: - name: Checkout repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - persist-credentials: true + persist-credentials: false - name: Setup node uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with:
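Review bot: The publish.yml hunk replaces `cache: npm` with `package-manager-cache: false` on the setup-node step without saying why, and a maintainer chasing slow installs is likely to turn caching back on. Presumably the intent is to stop a publishing job from restoring an actions cache that an earlier, lower-trust run could have written into; if so, record it next to the input, e.g. `package-manager-cache: false  # no cache restore in the publish job: anything restored here ends up in the released package`. The step list continues past the end of the hunk.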
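Review bot: Flipping `persist-credentials` to `false` in the release-branch.yml hunk at `@@ -28` removes the token that `actions/checkout` used to leave in `.git/config`, so any later step in that job that runs `git push` will now fail to authenticate unless it supplies a token itself; the same flip is made at `@@ -66`, `@@ -100`, `@@ -134` and `@@ -168` of this file and in the five run-ci.yml hunks. The workflow does bump versions with `npm version` (visible in the `@@ -213` hunk), which creates commits and tags locally, so a push step is likely but sits outside these hunks. Please confirm for each job that it either never pushes or that the push step reads `GITHUB_TOKEN` from its own `env`, and add a one-line comment on the checkout where a job depends on that, e.g. `persist-credentials: false  # the push step below authenticates with its own token`. For jobs that only build and test, this change is purely an improvement.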
@@ -100,7 +100,7 @@ jobs: - name: Checkout repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - persist-credentials: true + persist-credentials: false - name: Setup node uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with:
@@ -134,7 +134,7 @@ jobs: - name: Checkout repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - persist-credentials: true + persist-credentials: false - name: Setup node uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with:
@@ -168,7 +168,7 @@ jobs: - name: Checkout repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - persist-credentials: true + persist-credentials: false - name: Setup node uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with:
@@ -213,10 +213,12 @@ jobs: - name: Bump version with NPM version env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + INPUT_TYPE: ${{ github.event.inputs.type }} + INPUT_BETA: ${{ github.event.inputs.beta }} id: bump-version run: | - TYPE=${{ github.event.inputs.type }} - BETA=${{ github.event.inputs.beta }} + TYPE="${INPUT_TYPE}" + BETA="${INPUT_BETA}" if [ "$TYPE" = "auto" ]; then npm version $(npm version | grep -Eo 'patch|minor|major' | head -1) else
diff --git a/.github/workflows/run-ci.yml b/.github/workflows/run-ci.yml
index d1fd56f7..05978c44 100644
--- a/.github/workflows/run-ci.yml
+++ b/.github/workflows/run-ci.yml
@@ -20,7 +20,7 @@ jobs: - name: Checkout repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - persist-credentials: true + persist-credentials: false - name: Setup node uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with:
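Review bot: In the `@@ -213` hunk, routing `github.event.inputs.type` and `.beta` through `env` and quoting the assignments `TYPE="${INPUT_TYPE}"` / `BETA="${INPUT_BETA}"` closes the template-injection path, but `$TYPE` is presumably still handed to `npm version` unchecked in the `else` branch that follows the hunk. Both inputs are only ever expected to hold a few fixed values, so add a guard straight after the assignments, e.g. `case "$TYPE" in auto|patch|minor|major) ;; *) echo "unexpected type: $TYPE" >&2; exit 1 ;; esac`, with the equivalent check for `$BETA`; that way a wrong or empty dispatch input fails loudly instead of producing an odd version bump. The `run` block continues past the end of the hunk.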
@@ -60,7 +60,7 @@ jobs: - name: Checkout repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - persist-credentials: true + persist-credentials: false - name: Setup node uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with:
@@ -94,7 +94,7 @@ jobs: - name: Checkout repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - persist-credentials: true + persist-credentials: false - name: Setup node uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with:
@@ -128,7 +128,7 @@ jobs: - name: Checkout repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - persist-credentials: true + persist-credentials: false - name: Setup node uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with:
@@ -162,7 +162,7 @@ jobs: - name: Checkout repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - persist-credentials: true + persist-credentials: false - name: Setup node uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with:
diff --git a/.github/workflows/update-sponsor-block.yml b/.github/workflows/update-sponsor-block.yml
index 8133f50a..cd9ae182 100644
--- a/.github/workflows/update-sponsor-block.yml
+++ b/.github/workflows/update-sponsor-block.yml
@@ -20,6 +20,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: git config run: | git config user.name "${GITHUB_ACTOR}"
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 00000000..74e30f24
--- /dev/null
+++ b/.github/workflows/zizmor.yml
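Review bot: The update-sponsor-block.yml hunk adds `persist-credentials: false` to a checkout that is immediately followed by a `git config user.name` step, which strongly suggests the job commits and pushes further down; that push will no longer find a token in `.git/config` and will fail unless the push step (outside this hunk) provides one itself. Please check that step, and either give it its own token via `env` or, if the job genuinely needs the persisted token together with `fetch-depth: 0`, keep the persisted credential and say why in a comment, e.g. `persist-credentials: true  # required: the push step below relies on the checkout token`. Passing the token to the one step that pushes is the smaller blast radius and is the direction this commit is already taking elsewhere.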
@@ -0,0 +1,24 @@
+name: GitHub Actions Security Analysis with zizmor
+
+on:
+ push:
+ branches: [v1.x]
+ pull_request:
+ branches: ["**"]
+
+permissions: {}
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 00000000..6de13857
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+ excessive-permissions:
+ # TODO: audit and narrow permissions across all workflows
+ disable: true
+
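Review bot: The zizmor job grants only `security-events: write`, and because the top-level `permissions: {}` zeroes every other scope, the checkout and the SARIF upload run with no `contents` or `actions` permission; the zizmor-action documentation's example pairs `security-events: write` with `contents: read` and `actions: read`, and the checkout in particular needs `contents: read` on a private repository. Unless this repository is public and the upload has been seen to succeed, add `contents: read` and `actions: read` under the job's `permissions`. Also worth a comment above the trigger: on `pull_request` runs from forks `GITHUB_TOKEN` is read-only, so the SARIF upload cannot write security events there and the job output is the only result; that is a platform limitation, not a defect, but the next person debugging a red fork PR will appreciate knowing it is expected.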
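Review bot: In `.github/zizmor.yml`, `disable: true` switches off `excessive-permissions` for every workflow, including any added after this commit, so the audit the TODO promises loses its regression guard the moment it lands. zizmor's configuration also supports a per-rule `ignore` list keyed by workflow file name, which keeps the rule live for new workflows while grandfathering the known offenders; prefer that, e.g. `ignore:` followed by one `- <workflow-file>.yml` entry per audited file, and drop `disable`. The TODO should also name an issue or owner so it does not outlive the audit it describes.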