diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6b1f8d00ff..8fbb8960be 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -325,7 +325,7 @@ jobs: NUGET_CACHE: local - name: Upload packages to GitHub Release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2 if: matrix.brand.name == 'euro-office' && startsWith(github.ref, 'refs/tags/') with: files: | @@ -439,6 +439,8 @@ jobs: if: | !cancelled() && needs.build.result == 'success' && + (github.event_name != 'pull_request' || + github.event.pull_request.head.repo.full_name == github.repository) && (github.event_name == 'pull_request' || ((github.ref == format('refs/heads/{0}', github.event.repository.default_branch) || startsWith(github.ref, 'refs/tags/')) && needs.manifest.result == 'success')) @@ -449,6 +451,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Determine image id: image @@ -462,7 +466,7 @@ jobs: fi - name: Log in to GitHub Container Registry - uses: docker/login-action@v4 + uses: docker/login-action@c99871dec2022cc055c062a10cc1a1310835ceb4 # v4.3.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -472,7 +476,7 @@ jobs: run: docker pull ${{ steps.image.outputs.ref }} - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: '22' cache: 'npm' @@ -494,7 +498,7 @@ jobs: - name: Upload Playwright report if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: playwright-report-${{ github.sha }} path: e2e/playwright-report/ diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000000..25af0d8c5c --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,33 @@ +name: GitHub Actions Security Analysis with zizmor + +on: + push: + branches: ["main"] + paths: [".github/workflows/**"] + pull_request: + branches: ["**"] + paths: [".github/workflows/**"] + types: + - opened + - synchronize + - reopened + - ready_for_review + +permissions: {} + +jobs: + zizmor: + name: Run zizmor + runs-on: ubuntu-latest + permissions: + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa # v0.5.7 + with: + inputs: ./.github/workflows