diff --git a/.github/workflows/autofix.yml b/.github/workflows/autofix.yml
index ce622a8207..9e2bbcc369 100644
--- a/.github/workflows/autofix.yml
+++ b/.github/workflows/autofix.yml
@@ -20,6 +20,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Tools uses: TanStack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 # main - name: Fix formatting
diff --git a/.github/workflows/bundle-size.yml b/.github/workflows/bundle-size.yml
index fca9853870..436c4024b2 100644
--- a/.github/workflows/bundle-size.yml
+++ b/.github/workflows/bundle-size.yml
@@ -87,13 +87,17 @@ jobs: fi - name: Build PR Report + env: + BASE_SHA: ${{ github.event.pull_request.base.sha }} + REPOSITORY_NAME: ${{ github.event.repository.name }} + REPOSITORY_OWNER: ${{ github.repository_owner }} run: | node scripts/benchmarks/bundle-size/pr-report.mjs \ --current benchmarks/bundle-size/results/current.json \ --history benchmarks/bundle-size/results/history-data.js \ --output benchmarks/bundle-size/results/pr-comment.md \ - --base-sha "${{ github.event.pull_request.base.sha }}" \ - --dashboard-url "https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }}/benchmarks/bundle-size/" + --base-sha "$BASE_SHA" \ + --dashboard-url "https://${REPOSITORY_OWNER}.github.io/${REPOSITORY_NAME}/benchmarks/bundle-size/" - name: Upsert Sticky PR Comment env:
@@ -114,6 +118,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Setup Tools uses: TanStack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 # main
diff --git a/.github/workflows/check-skills.yml b/.github/workflows/check-skills.yml
index 5c7de91ee9..075775cfcd 100644
--- a/.github/workflows/check-skills.yml
+++ b/.github/workflows/check-skills.yml
@@ -34,18 +34,20 @@ on: types: [published] workflow_dispatch: {} -permissions: - contents: write - pull-requests: write +permissions: {} jobs: validate: name: Validate intent skills if: github.event_name == 'pull_request' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Setup Node uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
@@ -62,11 +64,15 @@ jobs: name: Check intent skill coverage if: github.event_name != 'pull_request' runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 + persist-credentials: true # review job pushes a generated branch - name: Setup Node uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
@@ -84,16 +90,16 @@ jobs: - name: Open or update review PR if: steps.stale.outputs.has_review == 'true' env: + BASE_BRANCH: ${{ github.event.repository.default_branch }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + VERSION: ${{ github.event.release.tag_name || 'manual' }} run: | - VERSION="${{ github.event.release.tag_name || 'manual' }}" BRANCH="skills/review-${VERSION}" - BASE_BRANCH="${{ github.event.repository.default_branch }}" git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - git fetch origin "$BRANCH" || true + git fetch origin "$BRANCH:refs/remotes/origin/$BRANCH" || true if git show-ref --verify --quiet "refs/remotes/origin/$BRANCH"; then git checkout -B "$BRANCH" "origin/$BRANCH" else
diff --git a/.github/workflows/client-nav-benchmarks.yml b/.github/workflows/client-nav-benchmarks.yml
index 42195785bc..817aea1809 100644
--- a/.github/workflows/client-nav-benchmarks.yml
+++ b/.github/workflows/client-nav-benchmarks.yml
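Review bot: The `validate` job keeps `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4` while every other checkout touched in this commit uses `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`, and the `# v4` comment records only a major tag rather than the exact version the SHA resolves to. Both are commit-pinned, so this is a consistency point rather than a finding. Aligning check-skills (this hunk and its `@@ -62,11 +64,15 @@` hunk, plus the two `actions/setup-node@… # v4` pins) on the same SHA and a full-version comment leaves one checkout version to audit and lets pin-update tooling treat them as a single entry.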
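Review bot: `persist-credentials: true` writes the job's GITHUB_TOKEN, now scoped `contents: write` and `pull-requests: write`, into `.git/config` for the whole job, so it is readable by the `actions/setup-node` step and by any install or lifecycle script that runs before the push, not only by the step that needs it; release.yml's checkout at `@@ -27,6 +27,7 @@` does the same with `contents: write`. A narrower option is to keep `persist-credentials: false` and authenticate only the push step, which already carries `GH_TOKEN` in its env, for example by running `gh auth setup-git` immediately before the `git push`. The steps between the checkout and the push are outside the hunk, so I can't tell what else executes with the persisted token.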
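Review bot: `git fetch origin "$BRANCH:refs/remotes/origin/$BRANCH" || true` discards every fetch failure, not just the absence of the branch, so a transient network or auth error drops into the `else` path and the job proceeds as if no review branch for this version existed; if the later push (outside the hunk) is forced, that would overwrite a reviewed branch. The missing-branch case can be told apart from real errors with `git ls-remote --exit-code --heads`, which exits 2 only when no matching ref exists, so any other failure can stop the job. The `if git show-ref …` test that follows stays as it is.
```yaml
        run: |
          BRANCH="skills/review-${VERSION}"
          # … unchanged: git config user.name / user.email …
          rc=0
          git ls-remote --exit-code --heads origin "$BRANCH" >/dev/null || rc=$?
          case "$rc" in
            0) git fetch origin "$BRANCH:refs/remotes/origin/$BRANCH" ;;
            2) ;;  # no review branch for this version yet
            *) echo "git ls-remote failed with exit $rc" >&2; exit "$rc" ;;
          esac
          if git show-ref --verify --quiet "refs/remotes/origin/$BRANCH"; then
          # … unchanged: checkout of the existing or new branch …
```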
@@ -40,6 +40,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Tools uses: TanStack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 # main
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index f9bddecb1e..95f351c309 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -13,7 +13,6 @@ env: permissions: contents: read - pull-requests: write jobs: test:
@@ -26,6 +25,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Start Nx Agents run: npx nx-cloud start-ci-run --distribute-on=".nx/workflows/dynamic-changesets.yaml" - name: Setup Tools
@@ -42,11 +42,15 @@ jobs: preview: name: Preview runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Setup Tools uses: TanStack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 # main - name: Build Packages
@@ -56,9 +60,14 @@ jobs: version-preview: name: Version Preview runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Tools uses: TanStack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 # main - name: Changeset Preview
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e8d58950c4..a7c7b0c69a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -27,6 +27,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: true # release job pushes version changes - name: Check for changesets id: changesets run: |
@@ -61,11 +62,9 @@ jobs: git config user.email "github-actions[bot]@users.noreply.github.com" git add . if git commit -m "ci: changeset release"; then - git push + git push origin "HEAD:${GITHUB_REF_NAME}" echo "committed=true" >> "$GITHUB_OUTPUT" fi - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Determine dist-tag if: steps.commit.outputs.committed == 'true' id: dist-tag
@@ -80,7 +79,14 @@ jobs: fi - name: Publish Packages if: steps.commit.outputs.committed == 'true' - run: pnpm run changeset:publish ${{ steps.dist-tag.outputs.tag && format('--tag {0}', steps.dist-tag.outputs.tag) }} + env: + DIST_TAG: ${{ steps.dist-tag.outputs.tag }} + run: | + if [ -n "$DIST_TAG" ]; then + pnpm run changeset:publish --tag "$DIST_TAG" + else + pnpm run changeset:publish + fi - name: Create GitHub Release if: steps.commit.outputs.committed == 'true' run: node scripts/create-github-release.mjs ${{ steps.dist-tag.outputs.prerelease == 'true' && '--prerelease' }} ${{ steps.dist-tag.outputs.latest == 'true' && '--latest' }}
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000000..1d4088db88
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,25 @@
+name: GitHub Actions Security Analysis
+ on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: ['**']
+ permissions: {}
+ jobs:
+ zizmor:
+ name: Run zizmor
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+ with:
+ advanced-security: false
+ annotations: true
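Review bot: The `Create GitHub Release` step on the last line of this hunk still interpolates `steps.dist-tag.outputs.prerelease` and `steps.dist-tag.outputs.latest` straight into `run:`, while the `Publish Packages` step just above now routes the same kind of step output through the `DIST_TAG` env var; applying that pattern to the release step keeps step outputs out of shell text consistently. A second reason to restructure it: a `cond && '--flag'` expression without a trailing `|| ''` evaluates to `false` when the condition is false, and as far as I can tell that is rendered as a literal `false` argument in the command, which `create-github-release.mjs` (not in the diff) may or may not tolerate. The rewrite below mirrors the `if` style of the new publish step.
```yaml
      - name: Create GitHub Release
        if: steps.commit.outputs.committed == 'true'
        env:
          PRERELEASE: ${{ steps.dist-tag.outputs.prerelease }}
          LATEST: ${{ steps.dist-tag.outputs.latest }}
        run: |
          args=()
          if [ "$PRERELEASE" = "true" ]; then args+=(--prerelease); fi
          if [ "$LATEST" = "true" ]; then args+=(--latest); fi
          node scripts/create-github-release.mjs "${args[@]}"
```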
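Review bot: The `zizmor` job declares no `permissions:` of its own, so it inherits the workflow-level `permissions: {}` and its GITHUB_TOKEN carries no scopes at all; `actions/checkout` needs `contents: read` to clone a private repository, and the other jobs this commit tightens (`validate` in check-skills, `preview` and `version-preview` in pr.yml) grant exactly that at job level. Adding `permissions:` with `contents: read` under `zizmor:` gives the new workflow the same shape as those jobs. Whether the unscoped token also suffices for checkout on a public repository I can't confirm from the diff alone.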