diff --git a/.github/actions/check-merge-queue-changelogs/action.yml b/.github/actions/check-merge-queue-changelogs/action.yml
index 782f4aab3f..644844318c 100644
--- a/.github/actions/check-merge-queue-changelogs/action.yml
+++ b/.github/actions/check-merge-queue-changelogs/action.yml
@@ -15,6 +15,7 @@ runs: uses: actions/checkout@v6 with: fetch-depth: 0 + persist-credentials: false - name: Get pull request number id: pr-number
diff --git a/.github/actions/check-release/action.yml b/.github/actions/check-release/action.yml
index 186eaa7583..34c055b649 100644
--- a/.github/actions/check-release/action.yml
+++ b/.github/actions/check-release/action.yml
@@ -13,6 +13,7 @@ runs: uses: actions/checkout@v5 with: fetch-depth: 0 + persist-credentials: false - name: Get merge base id: merge-base
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index bcdf02f2d0..2e534de781 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -7,6 +7,8 @@ updates: directory: '/' schedule: interval: 'daily' + cooldown: + default-days: 3 allow: - dependency-name: '@metamask/*' versioning-strategy: 'increase'
@@ -16,6 +18,8 @@ updates: schedule: interval: 'daily' time: '06:00' + cooldown: + default-days: 3 allow: - dependency-name: 'MetaMask/*' - dependency-name: 'actions/*'
diff --git a/.github/workflows/changelog-check.yml b/.github/workflows/changelog-check.yml
index 9a2727c463..b6395b1819 100644
--- a/.github/workflows/changelog-check.yml
+++ b/.github/workflows/changelog-check.yml
@@ -8,6 +8,9 @@ jobs: check-changelog: name: Check changelog runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read steps: - name: Check changelog uses: MetaMask/github-tools/.github/actions/check-changelog@v1
diff --git a/.github/workflows/create-update-issues.yml b/.github/workflows/create-update-issues.yml
index 93ae77b167..08ab3f35dc 100644
--- a/.github/workflows/create-update-issues.yml
+++ b/.github/workflows/create-update-issues.yml
@@ -16,6 +16,8 @@ jobs: steps: - name: Checkout head uses: actions/checkout@v5 + with: + persist-credentials: false - name: Fetch tags run: git fetch --prune --unshallow --tags - name: Get extension token
diff --git a/.github/workflows/ensure-blocking-pr-labels-absent.yml b/.github/workflows/ensure-blocking-pr-labels-absent.yml
index 5e0c0b68d8..aec225298c 100644
--- a/.github/workflows/ensure-blocking-pr-labels-absent.yml
+++ b/.github/workflows/ensure-blocking-pr-labels-absent.yml
@@ -16,9 +16,10 @@ jobs: pull-requests: read steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: false + persist-credentials: false - name: Run command uses: actions/github-script@v8 with:
diff --git a/.github/workflows/lint-build-test.yml b/.github/workflows/lint-build-test.yml
index 7035a90e6e..d792410afc 100644
--- a/.github/workflows/lint-build-test.yml
+++ b/.github/workflows/lint-build-test.yml
@@ -14,11 +14,13 @@ jobs: child-workspace-package-names: ${{ steps.workspace-package-names.outputs.child-workspace-package-names }} steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: false + persist-credentials: false cache-node-modules: true node-version: ${{ matrix.node-version }} + force-setup: true - name: Fetch workspace package names id: workspace-package-names run: |
@@ -42,9 +44,10 @@ jobs: - readme-content:check steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: false + persist-credentials: false node-version: ${{ matrix.node-version }} - name: Run yarn ${{ matrix.script }} run: yarn "$SCRIPT"
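Review bot: `force-setup: true` is added to the checkout-and-setup step of the job that exports `child-workspace-package-names` with no comment recording why, and it is the only `action-checkout-and-setup@v3` call site in this commit that sets it. Presumably the input forces the toolchain setup to run where the action would otherwise skip it, but the hunk does not say so, and an unexplained one-off option is the kind of thing a later cleanup removes. A one-line comment above the input, `# force-setup: required here because <reason — TODO fill in>`, keeps the intent next to the setting. The step's `run: |` script continues outside the hunk.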
@@ -58,6 +61,21 @@ jobs: exit 1 fi + lint-workflows: + name: Lint workflows + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v6 + with: + persist-credentials: false + - name: Lint workflows + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d + with: + advanced-security: false + annotations: true + version: v1.25.2 + validate-changelog: name: Validate changelog runs-on: ubuntu-latest
@@ -68,11 +86,14 @@ jobs: package-name: ${{ fromJson(needs.prepare.outputs.child-workspace-package-names) }} steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: false + persist-credentials: false node-version: ${{ matrix.node-version }} - - run: yarn workspace ${{ matrix.package-name }} changelog:validate + - run: yarn workspace "$PACKAGE_NAME" changelog:validate + env: + PACKAGE_NAME: ${{ matrix.package-name }} - name: Require clean working directory shell: bash run: |
@@ -88,6 +109,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Validate changelog diffs uses: ./.github/actions/check-merge-queue-changelogs
@@ -100,9 +123,10 @@ jobs: node-version: [24.x] steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: false + persist-credentials: false node-version: ${{ matrix.node-version }} - run: yarn build - name: Require clean working directory
@@ -122,9 +146,10 @@ jobs: node-version: [24.x] steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: false + persist-credentials: false node-version: ${{ matrix.node-version }} - run: yarn test:scripts - name: Require clean working directory
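Review bot: The new `lint-workflows` job declares no `permissions:` block, while the other jobs this commit touches (`check-changelog`, the jobs in main.yml and update-changelogs.yml) each receive an explicit read-only grant. Whether a top-level `permissions:` in lint-build-test.yml already restricts the token is outside the hunk; adding `permissions:` / `contents: read` to the job makes the least-privilege intent local and survives later edits to the workflow header. The zizmor-action is hash-pinned, which is consistent with the `unpinned-uses` policy added in zizmor.yml (only `actions/*` and `MetaMask/*` may use ref pins), but the pin carries no trailing version comment; `uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # <release tag — TODO>` lets a reader audit which release the hash corresponds to.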
@@ -145,11 +170,14 @@ jobs: package-name: ${{ fromJson(needs.prepare.outputs.child-workspace-package-names) }} steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: false + persist-credentials: false node-version: ${{ matrix.node-version }} - - run: yarn workspace ${{ matrix.package-name }} run test + - run: yarn workspace "$PACKAGE_NAME" run test + env: + PACKAGE_NAME: ${{ matrix.package-name }} - name: Require clean working directory shell: bash run: |
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 781af33ae7..ec8f49a64d 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -10,10 +10,16 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && github.sha || github.ref }} cancel-in-progress: ${{ !contains(github.ref, 'refs/heads/main') }} +permissions: + contents: read + jobs: check-skip-merge-queue: name: Check if pull request can skip merge queue runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read outputs: skip-merge-queue: ${{ steps.check-skip-merge-queue.outputs.up-to-date }} steps:
@@ -28,15 +34,22 @@ jobs: - check-skip-merge-queue if: github.event_name != 'merge_group' || needs.check-skip-merge-queue.outputs.skip-merge-queue != 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v5 + with: + persist-credentials: false - name: Download actionlint id: download-actionlint run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/914e7df21a07ef503a81201c76d2b11c789d3fca/scripts/download-actionlint.bash) 1.7.12 shell: bash - name: Check workflow files - run: ${{ steps.download-actionlint.outputs.executable }} -color + run: | "$ACTIONLINT" -color shell: bash + env: + ACTIONLINT: ${{ steps.download-actionlint.outputs.executable }} analyse-code: name: Analyse code
@@ -87,6 +100,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v5 + with: + persist-credentials: false - name: Check release if: github.event_name != 'push' uses: ./.github/actions/check-release
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index 1c627de3e7..0fe6b07a3f 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -21,9 +21,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: true + persist-credentials: false ref: ${{ github.sha }} - name: Build run: yarn build
@@ -43,9 +44,10 @@ jobs: needs: build steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: true + persist-credentials: false ref: ${{ github.sha }} - name: Restore build artifacts uses: actions/download-artifact@v7
@@ -67,9 +69,10 @@ jobs: id-token: write steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: true + persist-credentials: false ref: ${{ github.sha }} - name: Restore build artifacts uses: actions/download-artifact@v7
@@ -88,9 +91,10 @@ jobs: needs: publish-npm steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: true + persist-credentials: false ref: ${{ github.sha }} - uses: MetaMask/action-publish-release@v3 env:
diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml
index 5cdee87881..e42c107198 100644
--- a/.github/workflows/update-changelogs.yml
+++ b/.github/workflows/update-changelogs.yml
@@ -12,14 +12,15 @@ on: - ready_for_review permissions: - contents: write - pull-requests: write + contents: read jobs: is-fork: name: Determine whether this PR is from a fork if: (github.event_name == 'pull_request_target' && !github.event.pull_request.draft) || (github.event.issue.pull_request && startsWith(github.event.comment.body, '@metamaskbot update-changelogs')) runs-on: ubuntu-latest + permissions: + pull-requests: read outputs: is-fork: ${{ steps.is-fork.outputs.is-fork }} steps:
@@ -38,6 +39,9 @@ jobs: if: needs.is-fork.outputs.is-fork == 'false' runs-on: ubuntu-latest environment: default-branch + permissions: + contents: read + pull-requests: read outputs: is-release: ${{ steps.is-release.outputs.IS_RELEASE }} head-sha: ${{ steps.pr-info.outputs.pr-head-sha }}
@@ -62,6 +66,7 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} fetch-depth: 0 + persist-credentials: false ref: ${{ steps.pr-info.outputs.pr-head-sha }} - name: Get merge base
@@ -102,8 +107,6 @@ jobs: permissions: | contents: write pull_requests: write - - name: Checkout repository - uses: actions/checkout@v6 - name: React to the comment run: | gh api \
@@ -140,6 +143,7 @@ jobs: with: ref: ${{ needs.is-release.outputs.merge-base }} token: ${{ steps.get-token.outputs.token }} + persist-credentials: false - name: Detach HEAD (to prevent accidental pushes) run: git checkout --detach HEAD
@@ -207,11 +211,12 @@ jobs: NEW_COMMIT_ID: ${{ steps.commit-updated-changelogs.outputs.new-commit-id }} PR_HEAD_SHA: ${{ needs.is-release.outputs.head-sha }} PR_HEAD_REF: ${{ needs.is-release.outputs.head-ref }} + TOKEN: ${{ steps.get-token.outputs.token }} run: | if [[ -n "$NEW_COMMIT_ID" ]]; then git checkout "$PR_HEAD_SHA" git cherry-pick "$NEW_COMMIT_ID" - git push origin "HEAD:$PR_HEAD_REF" + git push "https://x-access-token:${TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "HEAD:$PR_HEAD_REF" echo "changes-pushed=true" >> "$GITHUB_OUTPUT" else echo "changes-pushed=false" >> "$GITHUB_OUTPUT"
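Review bot: In the `@@ -207` hunk the new `git push` embeds the app token in the remote URL, so a failed push prints it in git's `unable to access 'https://x-access-token:…@github.com/…'` error and it sits in the process argument list for the duration of the command; whether `steps.get-token.outputs.token` is registered for log masking is not something this hunk establishes. Passing the credential as a basic-auth `http.<url>.extraheader` through git's `GIT_CONFIG_COUNT`/`GIT_CONFIG_KEY_0`/`GIT_CONFIG_VALUE_0` environment — the mechanism `actions/checkout` itself uses — keeps it out of both the URL and argv while still pushing to `origin` as the replaced line did, which was presumably the reason `persist-credentials: false` forced this change. The `run:` script's closing `fi` and the rest of the step are outside the hunk.

```yaml
        run: |
          if [[ -n "$NEW_COMMIT_ID" ]]; then
            git checkout "$PR_HEAD_SHA"
            git cherry-pick "$NEW_COMMIT_ID"
            # Send the token as a basic-auth header instead of inside the remote
            # URL so it never lands in argv or in git's "unable to access" errors.
            GIT_CONFIG_COUNT=1 \
            GIT_CONFIG_KEY_0='http.https://github.com/.extraheader' \
            GIT_CONFIG_VALUE_0="AUTHORIZATION: basic $(printf 'x-access-token:%s' "$TOKEN" | base64 -w0)" \
              git push origin "HEAD:$PR_HEAD_REF"
            echo "changes-pushed=true" >> "$GITHUB_OUTPUT"
          # … unchanged: else branch and fi …
```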
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000000..f21fe080f5
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,23 @@
+# Please see the documentation for all configuration options:
+# https://docs.zizmor.sh/configuration/
+
+rules:
+ dangerous-triggers:
+ ignore:
+ # `pull_request_target` is used safely here: The workflow checks whether
+ # the PR is from a fork before running, and write access is gated behind
+ # the `default-branch` environment.
+ - update-changelogs.yml:3:1
+
+ dependabot-cooldown:
+ config:
+ # Change the minimum allowed cooldown period for Dependabot to 3 days.
+ days: 3
+
+ unpinned-uses:
+ config:
+ policies:
+ # Allow `actions/*` and `MetaMask/*` to be pinned to a version instead
+ # of only to a commit hash.
+ actions/*: ref-pin
+ MetaMask/*: ref-pin
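Review bot: The `dangerous-triggers` ignore is anchored to `update-changelogs.yml:3:1`, so inserting or removing any line above the `on:` block in that workflow silently stops the suppression from matching, and the justification comment above it will not be the thing that breaks. If the file-level form `- update-changelogs.yml` is acceptable for this repository it is the more durable choice; otherwise a note beside the entry, `# line:col of the \`on:\` key — update if the workflow header moves`, records the coupling. The `dependabot-cooldown` `days: 3` mirrors the `default-days: 3` added to dependabot.yml in this commit; a comment such as `# Keep in sync with cooldown.default-days in dependabot.yml` would tie the two values together for whoever changes one of them.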