Pull some of the GitHub actions updates from main

Author: benjie

.github/workflows/ci.yml

@@ -4,13 +4,16 @@ on:
     secrets:
       codecov_token:
         required: true
+permissions: {}
 jobs:
   lint:
     name: Lint source files
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # for actions/checkout
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           persist-credentials: false
 
@@ -35,31 +38,44 @@ jobs:
       - name: Spellcheck
         run: npm run check:spelling
 
+      - name: Lint GitHub Actions
+        uses: docker://rhysd/actionlint:latest
+        with:
+          args: -color
+
   checkForCommonlyIgnoredFiles:
     name: Check for commonly ignored files
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # for actions/checkout
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           persist-credentials: false
 
       - name: Check if commit contains files that should be ignored
         run: |
-          git clone --depth 1 https://github.com/github/gitignore.git &&
-          cat gitignore/Node.gitignore $(find gitignore/Global -name "*.gitignore" | grep -v ModelSim) > all.gitignore &&
-          if  [[ "$(git ls-files -iX all.gitignore)" != "" ]]; then
-            echo "::error::Please remove these files:"
-            git ls-files -iX all.gitignore
+          git clone --depth 1 https://github.com/github/gitignore.git
+
+          rm gitignore/Global/ModelSim.gitignore
+          rm gitignore/Global/Images.gitignore
+          cat gitignore/Node.gitignore gitignore/Global/*.gitignore > all.gitignore
+
+          IGNORED_FILES=$(git ls-files --cached --ignored --exclude-from=all.gitignore)
+          if  [[ "$IGNORED_FILES" != "" ]]; then
+            echo -e "::error::Please remove these files:\n$IGNORED_FILES" | sed -z 's/\n/%0A/g'
             exit 1
           fi
 
   checkPackageLock:
     name: Check health of package-lock.json file
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # for actions/checkout
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           persist-credentials: false
 
@@ -72,6 +88,9 @@ jobs:
       - name: Install Dependencies
         run: npm ci --ignore-scripts
 
+      - name: Check that package-lock.json doesn't have conflicts
+        run: npm ls --depth 999
+
       - name: Run npm install
         run: npm install --ignore-scripts --force --package-lock-only --engine-strict --strict-peer-deps
 
@@ -81,9 +100,11 @@ jobs:
   integrationTests:
     name: Run integration tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # for actions/checkout
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           persist-credentials: false
 
@@ -103,9 +124,11 @@ jobs:
   fuzz:
     name: Run fuzzing tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # for actions/checkout
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           persist-credentials: false
 
@@ -156,9 +179,11 @@ jobs:
     strategy:
       matrix:
         node_version_to_setup: [12, 14, 16, 17]
+    permissions:
+      contents: read # for actions/checkout
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           persist-credentials: false
 
@@ -174,13 +199,35 @@ jobs:
       - name: Run Tests
         run: npm run testonly
 
+  codeql:
+    name: Run CodeQL security scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # for actions/checkout
+      security-events: write # for codeql-action
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: 'javascript, typescript'
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@v3
+
   build-npm-dist:
     name: Build 'npmDist' artifact
     runs-on: ubuntu-latest
     needs: [test, fuzz, lint, integrationTests]
+    permissions:
+      contents: read # for actions/checkout
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           persist-credentials: false
 
@@ -206,15 +253,18 @@ jobs:
     name: Build 'denoDist' artifact
     runs-on: ubuntu-latest
     needs: [test, fuzz, lint, integrationTests]
+    permissions:
+      contents: read # for actions/checkout
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           persist-credentials: false
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
+          cache: npm
           node-version-file: '.node-version'
 
       - name: Install Dependencies

.github/workflows/deploy-artifact-as-branch.yml

@@ -3,26 +3,33 @@ on:
   workflow_call:
     inputs:
       environment:
+        description: Environment to publish under
         required: true
         type: string
       artifact_name:
+        description: Artifact name
         required: true
         type: string
       target_branch:
+        description: Target branch
         required: true
         type: string
       commit_message:
+        description: Commit message
         required: true
         type: string
+permissions: {}
 jobs:
   deploy-artifact-as-branch:
     environment:
       name: ${{ inputs.environment }}
       url: ${{ github.server_url }}/${{ github.repository }}/tree/${{ inputs.target_branch }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # for actions/checkout and to push branch
     steps:
       - name: Checkout `${{ inputs.target_branch }}` branch
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           ref: ${{ inputs.target_branch }}
 

.github/workflows/pull_request.yml

@@ -1,24 +1,44 @@
 name: PullRequest
 on: pull_request
+permissions: {}
 jobs:
   ci:
+    permissions:
+      contents: read # for actions/checkout
+      security-events: write # for codeql-action
     uses: ./.github/workflows/ci.yml
     secrets:
       codecov_token: ${{ secrets.CODECOV_TOKEN }}
 
+  dependency-review:
+    name: Security check of added dependencies
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # for actions/checkout
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Dependency review
+        uses: actions/dependency-review-action@v2
+
   diff-npm-package:
     name: Diff content of NPM package
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # for actions/checkout
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           persist-credentials: false
 
       - name: Deepen cloned repo
         env:
           BASE_SHA: ${{ github.event.pull_request.base.sha }}
-        run: 'git fetch --depth=1 origin $BASE_SHA:refs/tags/BASE'
+        run: 'git fetch --depth=1 origin "$BASE_SHA:refs/tags/BASE"'
 
       - name: Setup Node.js
         uses: actions/setup-node@v4

.github/workflows/pull_request_opened.yml

@@ -2,6 +2,7 @@ name: PullRequestOpened
 on:
   pull_request:
     types: [opened]
+permissions: {}
 jobs:
   save-github-event:
     name: "Save `github.event` as an artifact to use in subsequent 'workflow_run' actions"

.github/workflows/push.yml

@@ -1,14 +1,20 @@
 name: Push
 on: push
+permissions: {}
 jobs:
   ci:
+    permissions:
+      contents: read # for actions/checkout
+      security-events: write
     uses: ./.github/workflows/ci.yml
     secrets:
       codecov_token: ${{ secrets.CODECOV_TOKEN }}
   deploy-to-npm-branch:
     name: Deploy to `npm` branch
     needs: ci
     if: github.ref == 'refs/heads/main'
+    permissions:
+      contents: write # for actions/checkout and to push branch
     uses: ./.github/workflows/deploy-artifact-as-branch.yml
     with:
       environment: npm-branch
@@ -20,6 +26,8 @@ jobs:
     name: Deploy to `deno` branch
     needs: ci
     if: github.ref == 'refs/heads/main'
+    permissions:
+      contents: write # for actions/checkout and to push branch
     uses: ./.github/workflows/deploy-artifact-as-branch.yml
     with:
       environment: deno-branch