diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f44d6d8..9b46dd1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,16 +17,16 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4 - run: pnpm install --frozen-lockfile --ignore-scripts - run: pnpm exec biome ci . typecheck: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4 - run: pnpm install --frozen-lockfile --ignore-scripts - name: Build workspace .d.ts so cross-package types resolve # Skip @opencodehub/docs — its build runs astro + rehype-mermaid + @@ -55,8 +55,8 @@ jobs: env: MISE_NODE_VERSION: ${{ matrix.node-version }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4 - run: pnpm install --frozen-lockfile --ignore-scripts - run: pnpm --filter '!@opencodehub/docs' -r build - run: pnpm --filter '!@opencodehub/docs' -r test @@ -85,8 +85,8 @@ jobs: MISE_NODE_VERSION: ${{ matrix.node-version }} CODEHUB_PLATFORM: "1" # set via env: (not an inline prefix) so it works on Windows cmd too steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4 - run: pnpm install --frozen-lockfile --ignore-scripts - run: pnpm --filter '!@opencodehub/docs' -r build - run: pnpm --filter '!@opencodehub/docs' -r test @@ -94,8 +94,8 @@ jobs: sarif-validate: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4 - run: pnpm install --frozen-lockfile --ignore-scripts - run: pnpm -F @opencodehub/sarif build - run: pnpm -F @opencodehub/sarif run validate-schema @@ -103,14 +103,14 @@ jobs: banned-strings: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - run: bash scripts/check-banned-strings.sh licenses: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4 - run: pnpm install --frozen-lockfile --ignore-scripts - name: license allowlist run: > @@ -130,7 +130,7 @@ jobs: contents: read security-events: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Install osv-scanner run: | curl -sL -o /tmp/osv-scanner \ @@ -142,7 +142,7 @@ jobs: --lockfile=pnpm-lock.yaml \ --format=sarif \ --output=osv.sarif || true - - uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4 + - uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 if: always() with: sarif_file: osv.sarif diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 522884c..596fc02 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -27,12 +27,12 @@ jobs: matrix: language: [javascript-typescript, python] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 with: languages: ${{ matrix.language }} queries: security-and-quality - - uses: github/codeql-action/autobuild@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4 - - uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4 + - uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 + - uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 with: category: "/language:${{ matrix.language }}" diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml index 19a5b0b..37c2089 100644 --- a/.github/workflows/commitlint.yml +++ b/.github/workflows/commitlint.yml @@ -12,10 +12,10 @@ jobs: commitlint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: fetch-depth: 0 - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 + - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4 - run: pnpm install --frozen-lockfile --ignore-scripts - name: Validate PR commit messages run: | diff --git a/.github/workflows/och-self-scan.yml b/.github/workflows/och-self-scan.yml index ef9cd05..0de0035 100644 --- a/.github/workflows/och-self-scan.yml +++ b/.github/workflows/och-self-scan.yml @@ -24,11 +24,11 @@ jobs: security-events: write issues: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: fetch-depth: 0 - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 + - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4 - name: Cache pnpm store uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 @@ -81,7 +81,7 @@ jobs: - name: Upload SARIF to code scanning if: always() - uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 with: sarif_file: .codehub/scan.sarif category: opencodehub-self diff --git a/.github/workflows/osv.yml b/.github/workflows/osv.yml index 2a5ff7a..14374ab 100644 --- a/.github/workflows/osv.yml +++ b/.github/workflows/osv.yml @@ -24,7 +24,7 @@ jobs: contents: read security-events: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Install osv-scanner run: | curl -sL -o /tmp/osv-scanner \ @@ -36,7 +36,7 @@ jobs: --lockfile=pnpm-lock.yaml \ --format=sarif \ --output=osv.sarif || true - - uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4 + - uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 if: always() with: sarif_file: osv.sarif diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml index 1fd4310..e19df0a 100644 --- a/.github/workflows/pages.yml +++ b/.github/workflows/pages.yml @@ -21,8 +21,8 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4.1.0 # NOTE: --ignore-scripts removed so sharp's native binary download # and Playwright's chromium install (via rehype-mermaid) are allowed. - run: pnpm install --frozen-lockfile diff --git a/.github/workflows/pre-release-gate.yml b/.github/workflows/pre-release-gate.yml index 949b9ef..ab21ef0 100644 --- a/.github/workflows/pre-release-gate.yml +++ b/.github/workflows/pre-release-gate.yml @@ -42,10 +42,10 @@ jobs: if: startsWith(github.head_ref, 'release-please--') runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4.1.0 - name: Run pnpm audit at high+ severity run: pnpm audit --audit-level=high --prod @@ -54,10 +54,10 @@ jobs: if: startsWith(github.head_ref, 'release-please--') runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4.1.0 # Frozen + ignore-scripts is the strictest install path: any lockfile # drift, missing entry, or sneaky postinstall fails the job. - name: Install with frozen lockfile and no lifecycle scripts @@ -68,11 +68,11 @@ jobs: if: startsWith(github.head_ref, 'release-please--') runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 persist-credentials: false - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4.1.0 - name: Sweep working tree run: | set -euo pipefail @@ -90,10 +90,10 @@ jobs: if: startsWith(github.head_ref, 'release-please--') runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4.1.0 - run: pnpm install --frozen-lockfile --ignore-scripts - name: license allowlist run: > diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3ccedab..491f30e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -113,14 +113,14 @@ jobs: hashes-b64: ${{ steps.hashes.outputs.b64 }} steps: - name: Checkout released SHA - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: ref: ${{ needs.resolve.outputs.sha }} fetch-depth: 0 persist-credentials: false - name: Provision toolchain (mise) - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4.1.0 - name: Install dependencies run: pnpm install --frozen-lockfile @@ -314,7 +314,7 @@ jobs: - name: Upload SARIF to code scanning if: hashFiles('artifacts/och-scan.sarif') != '' - uses: github/codeql-action/upload-sarif@f4d0a7abf7b1d0f530e480f564a7e2371488107a # codeql-bundle-v2.25.4 + uses: github/codeql-action/upload-sarif@0630e39f3f7cb718c552f6c8711786b07960b612 # codeql-bundle-v2.25.4 with: sarif_file: artifacts/och-scan.sarif category: opencodehub-release @@ -343,11 +343,11 @@ jobs: contents: read id-token: write # OIDC token for npm trusted publishing AND provenance steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: ref: ${{ needs.resolve.outputs.sha }} persist-credentials: false - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4.1.0 - run: pnpm install --frozen-lockfile - run: pnpm --filter '!@opencodehub/docs' -r build - name: Publish to npm diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 98bc032..10c7d79 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -19,7 +19,7 @@ jobs: contents: read actions: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: persist-credentials: false - uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 @@ -32,6 +32,6 @@ jobs: name: SARIF path: results.sarif retention-days: 5 - - uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4 + - uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 with: sarif_file: results.sarif diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 9a2335f..8e59c9f 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -26,7 +26,7 @@ jobs: container: image: semgrep/semgrep steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: semgrep scan (p/auto + p/owasp-top-ten) # `|| true` so the SARIF upload step still runs on findings; # gating happens through GitHub code scanning, not the scan's @@ -39,7 +39,7 @@ jobs: --config p/owasp-top-ten \ --sarif --output=semgrep.sarif \ --metrics=off || true - - uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4 + - uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 if: always() with: sarif_file: semgrep.sarif diff --git a/.github/workflows/verify-global-install.yml b/.github/workflows/verify-global-install.yml index a08eb88..3abff3b 100644 --- a/.github/workflows/verify-global-install.yml +++ b/.github/workflows/verify-global-install.yml @@ -113,7 +113,7 @@ jobs: node: "22" installer: nvm steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -125,7 +125,7 @@ jobs: # ------------------------------------------------------------------ - name: Setup Node via mise if: matrix.installer == 'mise' - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4.1.0 env: MISE_NODE_VERSION: ${{ matrix.node }}