diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..62a021a --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1 @@ +* @danfry1 diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..e880ed7 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,38 @@ +version: 2 +updates: + - package-ecosystem: bun + directory: / + schedule: + interval: weekly + day: monday + open-pull-requests-limit: 10 + # Supply-chain hardening: hold update PRs until a version has been public for + # at least seven days, long enough for most malicious releases to be yanked. + # Mirrors the install-time minimumReleaseAge gate in bunfig.toml. + cooldown: + default-days: 7 + semver-major-days: 7 + semver-minor-days: 7 + semver-patch-days: 7 + ignore: + # Keep @types/node on the major matching the lowest supported engines.node + # (>=18). A higher major would let the type-checker accept Node APIs newer + # than our floor. + - dependency-name: "@types/node" + update-types: ["version-update:semver-major"] + groups: + dev-dependencies: + dependency-type: development + update-types: [minor, patch] + production-dependencies: + dependency-type: production + update-types: [minor, patch] + + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + day: monday + open-pull-requests-limit: 5 + cooldown: + default-days: 7 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8e0581c..08ce5f5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,13 +6,17 @@ on: pull_request: branches: [main] +permissions: read-all + jobs: quality: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: oven-sh/setup-bun@v2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 - run: bun install --frozen-lockfile + - name: Verify dependencies are pinned + run: bun run lint:deps - run: bun run lint - run: bun run typecheck - run: bun run test # enforces the coverage gate in packages/faultline/bunfig.toml @@ -30,12 +34,12 @@ jobs: matrix: node-version: [18, 20, 22] steps: - - uses: actions/checkout@v4 - - uses: oven-sh/setup-bun@v2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 - run: bun install --frozen-lockfile - name: Build publishable packages run: bun --filter 'faultline' --filter 'eslint-plugin-faultline' --filter 'faultline-cli' build - - uses: actions/setup-node@v4 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ matrix.node-version }} - name: Smoke-test built artifacts on Node ${{ matrix.node-version }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..122b00e --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,18 @@ +name: CodeQL + +on: + push: + branches: [main] + pull_request: + branches: [main] + schedule: + - cron: '0 6 * * 1' # Monday 6am UTC + +permissions: read-all + +jobs: + codeql: + permissions: + security-events: write + contents: read + uses: danfry1/standards/.github/workflows/codeql.yml@v1 diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml index 226477c..be9867e 100644 --- a/.github/workflows/pages.yml +++ b/.github/workflows/pages.yml @@ -3,12 +3,12 @@ name: Deploy to GitHub Pages on: push: branches: [main] + paths: + - 'website/**' + - '.github/workflows/pages.yml' workflow_dispatch: -permissions: - contents: read - pages: write - id-token: write +permissions: read-all concurrency: group: pages @@ -16,15 +16,21 @@ concurrency: jobs: deploy: + runs-on: ubuntu-latest + timeout-minutes: 10 + + permissions: + pages: write + id-token: write + environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} - runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/configure-pages@v5 - - uses: actions/upload-pages-artifact@v3 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0 + - uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0 with: path: website - id: deployment - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5b3972c..d3b0108 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -19,14 +19,15 @@ jobs: runs-on: ubuntu-latest environment: npm steps: - - uses: actions/checkout@v4 - - uses: oven-sh/setup-bun@v2 - - uses: actions/setup-node@v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 22 registry-url: https://registry.npmjs.org - run: npm i -g npm@latest - run: bun install --frozen-lockfile + - run: bun run lint:deps - run: bun run typecheck - run: bun run test - name: Validate package exports (faultline) @@ -36,7 +37,7 @@ jobs: npm pack npx @arethetypeswrong/cli ./faultline-*.tgz --ignore-rules no-resolution - name: Create Release PR or Publish - uses: changesets/action@v1 + uses: changesets/action@a45c4d594aa4e2c509dc14a9f2b3b67ba3780d0d # v1 with: version: bun run version-packages publish: bun run release diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000..584e6f2 --- /dev/null +++ b/.github/workflows/scorecard.yml @@ -0,0 +1,17 @@ +name: OpenSSF Scorecard + +on: + push: + branches: [main] + schedule: + - cron: '0 6 * * 1' # Monday 6am UTC + workflow_dispatch: + +permissions: read-all + +jobs: + scorecard: + permissions: + security-events: write + id-token: write + uses: danfry1/standards/.github/workflows/scorecard.yml@v1 diff --git a/.syncpackrc.json b/.syncpackrc.json new file mode 100644 index 0000000..0733084 --- /dev/null +++ b/.syncpackrc.json @@ -0,0 +1,21 @@ +{ + "versionGroups": [ + { + "label": "Peer deps intentionally use wide ranges; dev pins the version we test against, so cross-instance version differences are expected.", + "dependencies": ["eslint", "typescript", "@typescript-eslint/utils"], + "isIgnored": true + } + ], + "semverGroups": [ + { + "label": "devDependencies are pinned to exact versions (supply-chain hardening)", + "dependencyTypes": ["dev"], + "range": "" + }, + { + "label": "runtime + peer deps keep author-defined ranges so consumers can dedupe", + "dependencyTypes": ["prod", "peer"], + "isIgnored": true + } + ] +} diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index e2e3456..439ad22 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -39,6 +39,17 @@ bun run build # build all packages Per-package: `bun --filter ''