diff --git a/.github/workflows/autofix.yml b/.github/workflows/autofix.yml
index fd98e9fb08..b2db7d18b2 100644
--- a/.github/workflows/autofix.yml
+++ b/.github/workflows/autofix.yml
@@ -18,9 +18,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Tools - uses: TanStack/config/.github/setup@main + uses: TanStack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 - name: Fix formatting run: pnpm run format - name: Apply fixes
diff --git a/.github/workflows/detect-agent.yml b/.github/workflows/detect-agent.yml
index 3576325e78..42d564a6ac 100644
--- a/.github/workflows/detect-agent.yml
+++ b/.github/workflows/detect-agent.yml
@@ -5,15 +5,19 @@ on: types: [opened] workflow_dispatch: {} -permissions: - issues: write - pull-requests: write +permissions: {} jobs: detect: if: github.event_name != 'workflow_dispatch' + permissions: + issues: write + pull-requests: write uses: bombshell-dev/automation/.github/workflows/detect-agent.yml@a1553cebd9318d416f6a8e9f38f363b6aaa19c72 backfill: if: github.event_name == 'workflow_dispatch' + permissions: + issues: write + pull-requests: write uses: bombshell-dev/automation/.github/workflows/detect-agent-backfill.yml@a1553cebd9318d416f6a8e9f38f363b6aaa19c72
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 7ec7479a0e..e92ce68ae5 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
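Review bot: The pin `TanStack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3` on the Setup Tools step carries no trailing version comment, unlike the checkout pin directly above it, so a reader or a pin-updating bot cannot tell which ref of TanStack/config the SHA was taken from; the same applies to the setup pins in the pr.yml test and preview hunks, the setup and changeset-preview pins in the version-preview hunk, and the setup pin in release.yml. If the upstream ref is a branch rather than a tag, a comment such as `# main @ <date>` (placeholder) still records the intent and makes later bumps reviewable. Separately, the Apply fixes step lies outside the hunk; if it pushes with the checkout's git credentials, the new `persist-credentials: false` will break it, so it is worth confirming on a run from this branch.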
@@ -3,17 +3,18 @@ name: Labeler on: pull_request: -permissions: - contents: read - pull-requests: write +permissions: {} jobs: labeler: name: Labeler runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write steps: - name: Labeler - uses: actions/labeler@v6.0.1 + uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} configuration-path: labeler-config.yml
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 6e7d8c80a6..998938bfd2 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -10,26 +10,27 @@ concurrency: env: NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }} -permissions: - contents: read - pull-requests: write - issues: write +permissions: {} jobs: test: name: Test runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Start Nx Agents run: npx nx-cloud start-ci-run --distribute-on=".nx/workflows/dynamic-changesets.yaml" - name: Setup Tools - uses: TanStack/config/.github/setup@main + uses: TanStack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 - name: Get base and head commits for `nx affected` - uses: nrwl/nx-set-shas@v4.4.0 + uses: nrwl/nx-set-shas@3e9ad7370203c1e93d109be57f3b72eb0eb511b1 # v4.4.0 with: main-branch-name: main - name: Run Checks
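Review bot: The new job-level block for `test` grants `contents: read` and `pull-requests: write` but no `actions: read`; as I recall, nrwl/nx-set-shas documents `actions: read` because it queries the Actions API for the last successful run on the main branch, and with `permissions: {}` now at the workflow level that scope is `none` rather than the repository default — verify on a run from this branch before merging. Nothing inside the hunk uses `pull-requests: write` either; if the Run Checks step, which continues outside the hunk, does not comment on the PR, `contents: read` (plus `actions: read` if needed) would be the least-privilege grant.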
@@ -40,19 +41,25 @@ jobs: preview: name: Preview runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Tools - uses: TanStack/config/.github/setup@main + uses: TanStack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 - name: Build Packages run: pnpm run build:all - name: Publish Previews run: pnpx pkg-pr-new publish --pnpm --compact './packages/*' --template './examples/*/*' - name: Determine commit SHA id: determine-sha - run: | - echo "COMMIT_SHA=${{ github.event.pull_request.head.sha || github.sha }}" >> $GITHUB_ENV + run: echo "COMMIT_SHA=${COMMIT_SHA}" >> "$GITHUB_ENV" + env: + COMMIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }} - name: Size Limit uses: andresz1/size-limit-action@94bc357df29c36c8f8d50ea497c3e225c3c95d1d with: 
@@ -62,20 +69,30 @@ jobs: provenance: name: Provenance runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Check Provenance - uses: danielroe/provenance-action@v0.1.1 + uses: danielroe/provenance-action@41bcc969e579d9e29af08ba44fcbfdf95cee6e6c # v0.1.1 with: fail-on-downgrade: true version-preview: name: Version Preview runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + issues: write steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Tools - uses: TanStack/config/.github/setup@main + uses: TanStack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 - name: Changeset Preview - uses: TanStack/config/.github/changeset-preview@main + uses: TanStack/config/.github/changeset-preview@e4b48f16568324f76f467aa4c2aac2f05db632c3
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b76715680e..3f0cee6c1b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
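Review bot: The `version-preview` job is granted `issues: write` alongside `pull-requests: write`, which reproduces the old workflow-level set rather than what the job itself needs. In my experience a PR comment can be created with `pull-requests: write` alone, so unless the pinned changeset-preview action also labels or edits issues, `issues: write` can be dropped; the action's inputs are not visible here, so please confirm against its action.yml before narrowing.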
@@ -12,21 +12,24 @@ env: NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }} permissions: - contents: write - id-token: write - pull-requests: write + contents: read jobs: release: name: Release runs-on: ubuntu-latest + permissions: + contents: write + id-token: write + pull-requests: write steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: true # changesets/action pushes version/release changes - name: Setup Tools - uses: TanStack/config/.github/setup@main + uses: TanStack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 - name: Run Build run: pnpm run build:all - name: Determine dist-tag
@@ -45,7 +48,7 @@ jobs: fi - name: Create Release Pull Request or Publish id: changesets - uses: changesets/action@v1 + uses: changesets/action@63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b # v1.8.0 with: version: pnpm run changeset:version publish: pnpm run changeset:publish ${{ steps.dist-tag.outputs.tag && format('--tag {0}', steps.dist-tag.outputs.tag) }}
@@ -55,7 +58,9 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Create GitHub Release if: steps.changesets.outputs.published == 'true' - run: node scripts/create-github-release.mjs ${{ steps.dist-tag.outputs.prerelease == 'true' && '--prerelease' }} ${{ steps.dist-tag.outputs.latest == 'true' && '--latest' }} + run: node scripts/create-github-release.mjs ${PRERELEASE_FLAG} ${LATEST_FLAG} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PRERELEASE_FLAG: ${{ steps.dist-tag.outputs.prerelease == 'true' && '--prerelease' }} + LATEST_FLAG: ${{ steps.dist-tag.outputs.latest == 'true' && '--latest' }}
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000000..86d4b5b30a
--- /dev/null
+++ b/.github/workflows/zizmor.yml
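Review bot: release.yml keeps a workflow-level `permissions:` block and narrows it to `contents: read`, whereas every other workflow touched by this commit sets `permissions: {}` at the top and grants scopes per job. The difference is harmless today because `release` is the only job, but any job added to this file later silently inherits `contents: read`; `permissions: {}` at the top keeps the files consistent and keeps the default at none.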
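Review bot: The `publish:` input still splices `steps.dist-tag.outputs.tag` inline via `format('--tag {0}', …)` while the other steps in this commit moved step outputs into `env:`. As far as I know changesets/action executes that string as a shell command, so the safety of the inline expression rests entirely on the Determine dist-tag step, which lies outside the hunk; it is worth checking that the step only emits a fixed, validated tag name (for example by matching it against an allow-list before writing the output) so the expression can never widen the command.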
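Review bot: `PRERELEASE_FLAG` and `LATEST_FLAG` keep the bare `cond && '--flag'` form, which in the Actions expression language evaluates to `false` when the condition is false and is then stringified, so on a plain release the run line becomes `node scripts/create-github-release.mjs false false`; the removed inline version behaved the same way, but moving the expressions into `env:` was the moment to fix it. Use `PRERELEASE_FLAG: ${{ steps.dist-tag.outputs.prerelease == 'true' && '--prerelease' || '' }}` and the same `|| ''` suffix on `LATEST_FLAG`, unless create-github-release.mjs (not visible here) already ignores a literal `false` argument.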
@@ -0,0 +1,24 @@ +name: GitHub Actions Security Analysis + +on: + push: + branches: [main] + pull_request: + branches: ['**'] + +permissions: {} + +jobs: + zizmor: + name: Run zizmor + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - name: Run zizmor + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + with: + advanced-security: false + annotations: true
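Review bot: The `zizmor` job declares no `permissions:` block of its own, so with `permissions: {}` at the workflow level its GITHUB_TOKEN carries no `contents: read`; the Checkout step uses that token, and the zizmor-action README (as I recall) lists `contents: read` as required, so the job may fail on a private repository or if this repository's visibility ever changes — confirm on a run. Adding `permissions:` / `  contents: read` (two lines) under `runs-on: ubuntu-latest` makes the grant explicit; `security-events: write` is only needed when `advanced-security` is true, which it is not here.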