From af1ea7759f6f03b29c9d17a003b775881058df38 Mon Sep 17 00:00:00 2001 From: Lachlan Kidson Date: Tue, 13 Jan 2026 13:54:36 +0000 Subject: [PATCH 1/6] Actions versions to latest --- .github/workflows/_build.yml | 10 +++++----- .github/workflows/main.yml | 8 ++++---- .github/workflows/pr.yml | 8 ++++---- .github/workflows/release.yml | 20 ++++++++++---------- 4 files changed, 23 insertions(+), 23 deletions(-) diff --git a/.github/workflows/_build.yml b/.github/workflows/_build.yml index 00217ed..42f1313 100644 --- a/.github/workflows/_build.yml +++ b/.github/workflows/_build.yml @@ -7,7 +7,7 @@ defaults: run: shell: bash -l {0} -env: +env: CACHE_NAME: node-modules-cache BUILD_CACHE_NAME: build-cache @@ -19,15 +19,15 @@ jobs: pull-requests: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: node-version-file: ".nvmrc" registry-url: 'https://registry.npmjs.org' - name: Restore Cache - uses: actions/cache/restore@v4.2.3 + uses: actions/cache/restore@v5 id: npm-cache with: path: | @@ -41,4 +41,4 @@ jobs: run: ./check-pristine-state package-lock.json - name: Run tests - run: npm test \ No newline at end of file + run: npm test diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b5009e7..fa7492e 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -12,7 +12,7 @@ defaults: run: shell: bash -l {0} -env: +env: CACHE_NAME: node-modules-cache BUILD_CACHE_NAME: build-cache @@ -20,15 +20,15 @@ jobs: Create-NPM-Cache: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: node-version-file: ".nvmrc" registry-url: 'https://registry.npmjs.org' - name: Upload to Cache - uses: actions/cache@v4.2.3 + uses: actions/cache@v5 id: npm-cache with: path: | diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 34ebb19..a740b10 100644 
--- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -12,22 +12,22 @@ defaults: run: shell: bash -l {0} -env: +env: CACHE_NAME: node-modules-cache jobs: Create-NPM-Cache: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: node-version-file: ".nvmrc" registry-url: 'https://registry.npmjs.org' - name: Upload to Cache - uses: actions/cache@v4.2.3 + uses: actions/cache@v5 id: npm-cache with: path: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d7b68c3..d856fec 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,22 +8,22 @@ defaults: run: shell: bash -l {0} -env: +env: CACHE_NAME: node-modules-cache jobs: Create-NPM-Cache: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: node-version-file: ".nvmrc" registry-url: 'https://registry.npmjs.org' - name: Upload to Cache - uses: actions/cache@v4.2.3 + uses: actions/cache@v5 id: npm-cache with: path: | @@ -41,23 +41,23 @@ jobs: needs: [Create-NPM-Cache] steps: - name: Checkout source code - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: ref: main - - - uses: actions/setup-node@v4 + + - uses: actions/setup-node@v6 with: node-version-file: ".nvmrc" registry-url: 'https://registry.npmjs.org' - name: Restore Cache - uses: actions/cache/restore@v4.2.3 + uses: actions/cache/restore@v5 id: npm-cache with: path: | node_modules/ key: ${{ env.CACHE_NAME }}-${{ hashFiles('package-lock.json') }} - + - run: npm run build - name: Confirm the build hasn't changed any files @@ -69,4 +69,4 @@ jobs: npm publish env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - RELEASE_VERSION: ${{ github.event.release.tag_name }} \ No newline at end of file + RELEASE_VERSION: ${{ github.event.release.tag_name }} 
From 6a4b14d008732262abe8f0c60a558ec7d6153c61 Mon Sep 17 00:00:00 2001 From: Lachlan Kidson Date: Tue, 13 Jan 2026 14:03:07 +0000 Subject: [PATCH 2/6] [COPP-8605] Deploy zizmor to open source repos --- .github/workflows/zizmor.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..ee3afc8 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,25 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: + - "main" + pull_request: + branches: + - "**" + +permissions: {} + +jobs: + zizmor: + runs-on: ubuntu-24.04-2cores-tools-public + permissions: + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0 From 67ff6b164de409ccfe791d6cd1927c83bd4f9d9a Mon Sep 17 00:00:00 2001 From: Lachlan Kidson Date: Tue, 13 Jan 2026 14:03:16 +0000 Subject: [PATCH 3/6] zizmor --fix=all . --- .github/dependabot.yml | 6 +++++- .github/workflows/_build.yml | 2 ++ .github/workflows/main.yml | 2 ++ .github/workflows/pr.yml | 2 ++ .github/workflows/release.yml | 3 +++ 5 files changed, 14 insertions(+), 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index b994e2d..f4455f8 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -12,9 +12,13 @@ updates: update-types: ['version-update:semver-patch'] allow: - dependency-type: "direct" + cooldown: + default-days: 7 - package-ecosystem: github-actions directory: "/" schedule: interval: weekly time: "10:00" - open-pull-requests-limit: 10 \ No newline at end of file + open-pull-requests-limit: 10 + cooldown: + default-days: 7 
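Review bot: The zizmor job grants only `security-events: write`, and a `pull_request` run from a fork never receives that scope (its GITHUB_TOKEN is read-only), so on a public repository the action's SARIF upload to code scanning will fail for external PRs even though the audit itself ran; decide whether those runs should use the action's annotation-only mode (its `advanced-security` input, if I have the interface right) or are acceptable as failures. zizmor's own reference workflow also grants `contents: read` and `actions: read` alongside `security-events: write`; a public repo gets away without them, but this file is meant to be rolled out across repositories and a private one would fail at checkout or upload. `pull_request.branches: - "**"` is a no-op filter and can be dropped. The custom `runs-on` label is outside what I can verify; if it resolves to a self-hosted runner, fork PRs will execute on it.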
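Review bot: The `cooldown: default-days: 7` added under the `github-actions` ecosystem delays the SHA bumps for the actions this series pins by a week, including bumps that carry security fixes; my recollection is that Dependabot security updates are exempt from cooldown, but that only helps if security updates are enabled for the repository, so confirm that or use a shorter window for this ecosystem. The same cooldown is added to the first ecosystem, whose `package-ecosystem` line lies outside the hunk.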
diff --git a/.github/workflows/_build.yml b/.github/workflows/_build.yml index 42f1313..55e1b4e 100644 --- a/.github/workflows/_build.yml +++ b/.github/workflows/_build.yml @@ -20,6 +20,8 @@ jobs: steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - uses: actions/setup-node@v6 with: diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index fa7492e..51bf9a1 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -21,6 +21,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - uses: actions/setup-node@v6 with: diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index a740b10..2a7c60b 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -20,6 +20,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - uses: actions/setup-node@v6 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d856fec..82ab553 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,6 +16,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - uses: actions/setup-node@v6 with: @@ -44,6 +46,7 @@ jobs: uses: actions/checkout@v6 with: ref: main + persist-credentials: false - uses: actions/setup-node@v6 with: From 1d33243b35e632ad4c411c96bff60abb24adc4c8 Mon Sep 17 00:00:00 2001 From: Lachlan Kidson Date: Tue, 13 Jan 2026 14:03:29 +0000 Subject: [PATCH 4/6] pinact run -fix -diff --- .github/workflows/_build.yml | 6 +++--- .github/workflows/label-check.yml | 2 +- .github/workflows/main.yml | 10 +++++----- .github/workflows/pr.yml | 6 +++--- .github/workflows/release.yml | 12 ++++++------ 5 files changed, 18 insertions(+), 18 deletions(-) diff --git a/.github/workflows/_build.yml b/.github/workflows/_build.yml index 55e1b4e..3cb75b8 100644 --- a/.github/workflows/_build.yml 
+++ b/.github/workflows/_build.yml @@ -19,17 +19,17 @@ jobs: pull-requests: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false - - uses: actions/setup-node@v6 + - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version-file: ".nvmrc" registry-url: 'https://registry.npmjs.org' - name: Restore Cache - uses: actions/cache/restore@v5 + uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 id: npm-cache with: path: | diff --git a/.github/workflows/label-check.yml b/.github/workflows/label-check.yml index c781299..1017e20 100644 --- a/.github/workflows/label-check.yml +++ b/.github/workflows/label-check.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/create-github-app-token@v2 + - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 id: app-token with: app-id: ${{ vars.GH_APP_ID }} diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 51bf9a1..151984c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -20,17 +20,17 @@ jobs: Create-NPM-Cache: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false - - uses: actions/setup-node@v6 + - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version-file: ".nvmrc" registry-url: 'https://registry.npmjs.org' - name: Upload to Cache - uses: actions/cache@v5 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 id: npm-cache with: path: | 
@@ -55,13 +55,13 @@ jobs: contents: write pull-requests: read steps: - - uses: actions/create-github-app-token@v2 + - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 id: app-token with: app-id: ${{ vars.GH_APP_ID }} private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} - name: Draft release notes - uses: release-drafter/release-drafter@v6 + uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0 env: GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 2a7c60b..94884d0 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -19,17 +19,17 @@ jobs: Create-NPM-Cache: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false - - uses: actions/setup-node@v6 + - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version-file: ".nvmrc" registry-url: 'https://registry.npmjs.org' - name: Upload to Cache - uses: actions/cache@v5 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 id: npm-cache with: path: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 82ab553..04edbd4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -15,17 +15,17 @@ jobs: Create-NPM-Cache: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false - - uses: actions/setup-node@v6 + - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version-file: ".nvmrc" registry-url: 'https://registry.npmjs.org' - name: Upload to Cache - uses: actions/cache@v5 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 id: npm-cache with: path: | 
@@ -43,18 +43,18 @@ jobs: needs: [Create-NPM-Cache] steps: - name: Checkout source code - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: ref: main persist-credentials: false - - uses: actions/setup-node@v6 + - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version-file: ".nvmrc" registry-url: 'https://registry.npmjs.org' - name: Restore Cache - uses: actions/cache/restore@v5 + uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 id: npm-cache with: path: | From ada96f34b82f4275d452d439d3813bd172d32ec7 Mon Sep 17 00:00:00 2001 From: Lachlan Kidson Date: Tue, 13 Jan 2026 14:09:49 +0000 Subject: [PATCH 5/6] add permissions blocks, pull_request_target to pull_request --- .github/workflows/label-check.yml | 4 +++- .github/workflows/main.yml | 2 ++ .github/workflows/pr.yml | 2 ++ .github/workflows/release.yml | 2 ++ 4 files changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/label-check.yml b/.github/workflows/label-check.yml index 1017e20..ef61082 100644 --- a/.github/workflows/label-check.yml +++ b/.github/workflows/label-check.yml @@ -1,9 +1,11 @@ name: label-check on: - pull_request_target: + pull_request: types: [opened, labeled, unlabeled, synchronize] +permissions: {} + jobs: label-check: runs-on: ubuntu-latest diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 151984c..42c508c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -16,6 +16,8 @@ env: CACHE_NAME: node-modules-cache BUILD_CACHE_NAME: build-cache +permissions: {} + jobs: Create-NPM-Cache: runs-on: ubuntu-latest diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 94884d0..c4d2008 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -15,6 +15,8 @@ defaults: env: CACHE_NAME: node-modules-cache +permissions: {} + jobs: Create-NPM-Cache: runs-on: ubuntu-latest 
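Review bot: Switching label-check from `pull_request_target` to `pull_request` means PRs from forks now run without repository secrets, so the `actions/create-github-app-token` step below (its `private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}` input is visible in the earlier pinning commit) has no key and the job fails for every external contributor's PR. If the check only needs to read labels, `github.event.pull_request.labels` is already in the event payload and the app token can go; if it must act on the PR (comment, set a status), the established pattern is to keep `pull_request_target` while never checking out or executing PR-head content. The job body that would show which case applies lies outside the hunk.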
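Review bot: With `permissions: {}` at the top of main.yml, the `Create-NPM-Cache` job, which declares no job-level permissions in any hunk I can see, runs `actions/checkout` with a GITHUB_TOKEN that has no scopes at all; that works only because the repository is public, and it leaves the intent implicit. I'd add `permissions: contents: read` at that job, and the same applies to the `Create-NPM-Cache` jobs in pr.yml and release.yml touched by this commit. The Build jobs that call `_build.yml` already declare `pull-requests: write`, and `_build.yml`'s own job grants only that as well, so its checkout is in the same public-repo-only position.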
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 04edbd4..46b86d0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,6 +11,8 @@ defaults: env: CACHE_NAME: node-modules-cache +permissions: {} + jobs: Create-NPM-Cache: runs-on: ubuntu-latest From b9770dceab030a3c045512078e809990308d6bfb Mon Sep 17 00:00:00 2001 From: Lachlan Kidson Date: Tue, 13 Jan 2026 14:11:25 +0000 Subject: [PATCH 6/6] Remove secrets inheritance --- .github/workflows/main.yml | 1 - .github/workflows/pr.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 42c508c..75c346d 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -49,7 +49,6 @@ jobs: pull-requests: write needs: [Create-NPM-Cache] uses: ./.github/workflows/_build.yml - secrets: inherit ReleaseDraft: runs-on: ubuntu-latest diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index c4d2008..6abe41c 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -48,4 +48,3 @@ jobs: pull-requests: write needs: [Create-NPM-Cache] uses: ./.github/workflows/_build.yml - secrets: inherit