diff --git a/.github/workflows/actions-lint.yml b/.github/workflows/actions-lint.yml new file mode 100644 index 0000000..79ddb0c --- /dev/null +++ b/.github/workflows/actions-lint.yml @@ -0,0 +1,23 @@ +name: Lint GitHub Actions + +on: + push: + branches: [ develop ] + pull_request: + branches: [ develop ] + +permissions: {} + +jobs: + zizmor: + runs-on: ubuntu-24.04 + permissions: + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa # v0.5.7 diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 0502ddf..f8678a8 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -5,16 +5,20 @@ on: types: [published] workflow_dispatch: +permissions: {} + jobs: docs: runs-on: ubuntu-24.04 - container: node:24 + container: node@sha256:fdddfb3e688158251943d52eba361de991548f6814007acba4917ae6b512d6be # 24 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - name: Get Package Version id: package-version - uses: martinbeentjes/npm-get-version-action@master + uses: martinbeentjes/npm-get-version-action@3cf273023a0dda27efcd3164bdfb51908dd46a5b # v1.3.1 - run: yarn --frozen-lockfile @@ -22,7 +26,7 @@ jobs: - name: Deploy v${{ steps.package-version.outputs.current-version }} # This step will copy over generated docs to gh-pages branch, commit and publish - uses: peaceiris/actions-gh-pages@v3 + uses: peaceiris/actions-gh-pages@84c30a85c19949d7eee79c4ff27748b70285e453 # v4.1.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} keep_files: true @@ -31,9 +35,10 @@ jobs: full_commit_message: Deploy ${{ steps.package-version.outputs.current-version }} to GitHub Pages - name: Checkout gh-pages - uses: actions/checkout@v3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: ref: gh-pages + persist-credentials: false # update the index file - env: @@ -41,7 +46,7 @@ jobs: run: node insert-new-version.js "${CURRENT_VERSION}" - name: Commit updated index - uses: github-actions-x/commit@v2.9 + uses: github-actions-x/commit@722d56b8968bf00ced78407bbe2ead81062d8baa # v2.9 with: github-token: ${{ secrets.GITHUB_TOKEN }} push-branch: 'gh-pages' diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 4486a8f..45108ab 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -6,14 +6,18 @@ on: pull_request: branches: [ develop ] +permissions: {} + jobs: lint: runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - name: Use Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version-file: .node-version - run: yarn --ignore-scripts --strict-semver --pure-lockfile - - run: yarn lint \ No newline at end of file + - run: yarn lint diff --git a/.github/workflows/newsfile.yml b/.github/workflows/newsfile.yml index 8fdb979..7dba532 100644 --- a/.github/workflows/newsfile.yml +++ b/.github/workflows/newsfile.yml @@ -5,14 +5,17 @@ on: branches: [ develop ] workflow_dispatch: +permissions: {} + jobs: changelog: runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: # Needed for comparison fetch-depth: 0 - - uses: actions/setup-python@v2 + persist-credentials: false + - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 - run: pip install 'towncrier>=23.6.0' - name: ":newspaper: Newsfile" run: ./scripts/check-newsfragment diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml index e0f5991..36467a9 100644 --- a/.github/workflows/npm-publish.yml +++ b/.github/workflows/npm-publish.yml @@ -4,19 +4,23 @@ on: release: types: [published] +permissions: {} + jobs: publish-to-npm: runs-on: ubuntu-24.04 permissions: - contents: write id-token: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - name: Use Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version-file: .node-version registry-url: https://registry.npmjs.org/ + package-manager-cache: false - name: Upgrade npm for Trusted Publishing run: npm i -g npm@latest - run: yarn --strict-semver --frozen-lockfile diff --git a/.github/workflows/sign-off.yml b/.github/workflows/sign-off.yml index e0fbca2..d4d503f 100644 --- a/.github/workflows/sign-off.yml +++ b/.github/workflows/sign-off.yml @@ -4,6 +4,8 @@ on: pull_request: types: [opened, edited, synchronize] +permissions: {} + jobs: signoff: - uses: matrix-org/backend-meta/.github/workflows/sign-off.yml@v1.4.1 + uses: matrix-org/backend-meta/.github/workflows/sign-off.yml@18beaf3c8e536108bd04d18e6c3dc40ba3931e28 # v2.0.3 diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 87f87fc..da5e400 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -6,6 +6,8 @@ on: pull_request: branches: [ develop ] +permissions: {} + jobs: test: runs-on: ubuntu-24.04 @@ -13,10 +15,12 @@ jobs: matrix: node_version: [24, 26] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - name: Use Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: "${{ matrix.node_version }}" - run: yarn --ignore-scripts --pure-lockfile - - run: yarn test \ No newline at end of file + - run: yarn test diff --git a/.github/workflows/triage-incoming.yml b/.github/workflows/triage-incoming.yml index acf7551..9115885 100644 --- a/.github/workflows/triage-incoming.yml +++ b/.github/workflows/triage-incoming.yml @@ -4,9 +4,11 @@ on: issues: types: [opened] +permissions: {} + jobs: triage: - uses: matrix-org/backend-meta/.github/workflows/triage-incoming.yml@v1 + uses: matrix-org/backend-meta/.github/workflows/triage-incoming.yml@18beaf3c8e536108bd04d18e6c3dc40ba3931e28 # v2.0.3 with: project_id: 'PVT_kwDOAIB0Bs4AG0bY' content_id: ${{ github.event.issue.node_id }} diff --git a/changelog.d/81.misc b/changelog.d/81.misc new file mode 100644 index 0000000..6d1e378 --- /dev/null +++ b/changelog.d/81.misc @@ -0,0 +1 @@ +Analyze GitHub Actions with [zizmor](https://zizmor.sh/). diff --git a/changelog.d/81.misc.1 b/changelog.d/81.misc.1 new file mode 100644 index 0000000..98ef986 --- /dev/null +++ b/changelog.d/81.misc.1 @@ -0,0 +1 @@ +Update and pin remote GitHub Actions and container images.