diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index b994e2d..f4455f8 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -12,9 +12,13 @@ updates:
update-types: ['version-update:semver-patch']
allow:
- dependency-type: "direct"
+ cooldown:
+ default-days: 7
- package-ecosystem: github-actions
directory: "/"
schedule:
interval: weekly
time: "10:00"
- open-pull-requests-limit: 10
\ No newline at end of file
+ open-pull-requests-limit: 10
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/_build.yml b/.github/workflows/_build.yml
index 00217ed..3cb75b8 100644
--- a/.github/workflows/_build.yml
+++ b/.github/workflows/_build.yml
@@ -7,7 +7,7 @@ defaults:
run:
shell: bash -l {0}
-env:
+env:
CACHE_NAME: node-modules-cache
BUILD_CACHE_NAME: build-cache
@@ -19,15 +19,17 @@ jobs:
pull-requests: write
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
with:
node-version-file: ".nvmrc"
registry-url: 'https://registry.npmjs.org'
- name: Restore Cache
- uses: actions/cache/restore@v4.2.3
+ uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
id: npm-cache
with:
path: |
@@ -41,4 +43,4 @@ jobs:
run: ./check-pristine-state package-lock.json
- name: Run tests
- run: npm test
\ No newline at end of file
+ run: npm test
diff --git a/.github/workflows/label-check.yml b/.github/workflows/label-check.yml
index c781299..ef61082 100644
--- a/.github/workflows/label-check.yml
+++ b/.github/workflows/label-check.yml
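Review bot: The `_build.yml` job still holds `pull-requests: write` (context line at the top of the `@@ -19,15 +19,17 @@` hunk) while the steps visible here — checkout with `persist-credentials: false`, setup-node, cache restore, and later `npm test` — need nothing beyond `contents: read`. `persist-credentials: false` keeps the token out of the git config, but the job's GITHUB_TOKEN is still handed to every action step, so a compromised dependency or action in this job could comment on or label PRs with it. If no step outside this hunk uses that scope, reduce it to `contents: read`; if one does, a comment such as `# pull-requests: write: used by <step> to comment on the PR` would document why a build job carries a write grant. The job definition starts before this hunk.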
@@ -1,15 +1,17 @@
name: label-check
on:
- pull_request_target:
+ pull_request:
types: [opened, labeled, unlabeled, synchronize]
+permissions: {}
+
jobs:
label-check:
runs-on: ubuntu-latest
steps:
- - uses: actions/create-github-app-token@v2
+ - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
id: app-token
with:
app-id: ${{ vars.GH_APP_ID }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index b5009e7..75c346d 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -12,23 +12,27 @@ defaults:
run:
shell: bash -l {0}
-env:
+env:
CACHE_NAME: node-modules-cache
BUILD_CACHE_NAME: build-cache
+permissions: {}
+
jobs:
Create-NPM-Cache:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
with:
node-version-file: ".nvmrc"
registry-url: 'https://registry.npmjs.org'
- name: Upload to Cache
- uses: actions/cache@v4.2.3
+ uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
id: npm-cache
with:
path: |
@@ -45,7 +49,6 @@ jobs:
pull-requests: write
needs: [Create-NPM-Cache]
uses: ./.github/workflows/_build.yml
- secrets: inherit
ReleaseDraft:
runs-on: ubuntu-latest
@@ -53,13 +56,13 @@ jobs:
contents: write
pull-requests: read
steps:
- - uses: actions/create-github-app-token@v2
+ - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
id: app-token
with:
app-id: ${{ vars.GH_APP_ID }}
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- name: Draft release notes
- uses: release-drafter/release-drafter@v6
+ uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0
env:
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
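Review bot: With the trigger switched to `pull_request`, the `create-github-app-token` step presumably still reads `secrets.GH_APP_PRIVATE_KEY` just past the hunk (the same step in `main.yml` does), and repository secrets are not supplied to `pull_request` runs from forks, so on every fork PR this job will fail at the token step rather than skip the label check. If fork PRs are expected, gate the job with `if: github.event.pull_request.head.repo.full_name == github.repository`, or run the check on the default token with a job-level `permissions: pull-requests: read` and drop the app token entirely. Independently, an app token minted without scoping carries every permission the app has been granted; v2 of the action accepts `permission-<scope>` inputs, so `permission-pull-requests: read` (or `write` if the job applies labels) limits the blast radius of the token. The step continues beyond the hunk.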
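Review bot: The `ReleaseDraft` job grants the default token `contents: write` (context lines above the pinned `create-github-app-token` step in the `@@ -53,13 +56,13 @@` hunk), yet the only write-capable step visible, `release-drafter`, is handed the app token through `GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}`, and the app-token action itself needs no token permissions. Unless a step outside this hunk writes with `${{ github.token }}`, that grant can become `contents: read`, so a compromised third-party step in the job cannot push or publish releases with the default token. If the write scope is deliberate, a one-line comment such as `# contents: write – needed by <step> via github.token` next to it would spare the next reader this question.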
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 34ebb19..6abe41c 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -12,22 +12,26 @@ defaults:
run:
shell: bash -l {0}
-env:
+env:
CACHE_NAME: node-modules-cache
+permissions: {}
+
jobs:
Create-NPM-Cache:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
with:
node-version-file: ".nvmrc"
registry-url: 'https://registry.npmjs.org'
- name: Upload to Cache
- uses: actions/cache@v4.2.3
+ uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
id: npm-cache
with:
path: |
@@ -44,4 +48,3 @@ jobs:
pull-requests: write
needs: [Create-NPM-Cache]
uses: ./.github/workflows/_build.yml
- secrets: inherit
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d7b68c3..46b86d0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,22 +8,26 @@ defaults:
run:
shell: bash -l {0}
-env:
+env:
CACHE_NAME: node-modules-cache
+permissions: {}
+
jobs:
Create-NPM-Cache:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
with:
node-version-file: ".nvmrc"
registry-url: 'https://registry.npmjs.org'
- name: Upload to Cache
- uses: actions/cache@v4.2.3
+ uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
id: npm-cache
with:
path: |
@@ -41,23 +45,24 @@ jobs:
needs: [Create-NPM-Cache]
steps:
- name: Checkout source code
- uses: actions/checkout@v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
ref: main
-
- - uses: actions/setup-node@v4
+ persist-credentials: false
+
+ - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
with:
node-version-file: ".nvmrc"
registry-url: 'https://registry.npmjs.org'
- name: Restore Cache
- uses: actions/cache/restore@v4.2.3
+ uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
id: npm-cache
with:
path: |
node_modules/
key: ${{ env.CACHE_NAME }}-${{ hashFiles('package-lock.json') }}
-
+
- run: npm run build
- name: Confirm the build hasn't changed any files
@@ -69,4 +74,4 @@ jobs:
npm publish
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
- RELEASE_VERSION: ${{ github.event.release.tag_name }}
\ No newline at end of file
+ RELEASE_VERSION: ${{ github.event.release.tag_name }}
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..ee3afc8
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,25 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ branches:
+ - "main"
+ pull_request:
+ branches:
+ - "**"
+
+permissions: {}
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-24.04-2cores-tools-public
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
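Review bot: The publish job's checkout still uses `ref: main` (context line directly above the new `persist-credentials: false`), so a release run builds and publishes whatever `main` holds when the job starts, not the commit the release tag points at; anything merged between tag creation and job start — or an unauthorized push to `main` — ships in the package labelled `RELEASE_VERSION: ${{ github.event.release.tag_name }}`. Checking out the tagged commit, `ref: ${{ github.event.release.tag_name }}`, ties the artifact to the tag (for `release` events the default `github.sha` is the tagged commit, so dropping `ref:` entirely works too). The neighbouring `@@ -69,4 +74,4 @@` hunk also leaves `npm publish` authenticated with the stored long-lived `NPM_TOKEN`; npm trusted publishing over OIDC (`id-token: write` on the job plus `npm publish --provenance`) would remove that secret from the repository, though the job's `permissions` block is outside this hunk.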
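Review bot: The new `zizmor` job runs on the non-standard label `ubuntu-24.04-2cores-tools-public` under a `pull_request` trigger whose `branches: "**"` matches every PR, so if that label resolves to a self-hosted or organization runner, fork PRs will be scheduled onto it; exposure is limited because the job only checks out with `persist-credentials: false` and runs the pinned action, but confirm the runner is ephemeral or use `ubuntu-latest`, and add a comment such as `# org-hosted runner: ephemeral, no secrets` above `runs-on` to record that decision. `security-events: write` covers the SARIF upload on a public repository, while the action's documentation also lists `contents: read` and `actions: read` for private repositories — add them if this repo is private. Fork PRs receive a read-only token, so the SARIF upload is likely to fail or be skipped on those runs; if that noise matters, the action's `advanced-security` input can be set to `false` there so findings are printed instead of uploaded.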