diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..d89d38d5 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,16 @@ +version: 2 + +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + cooldown: + default-days: 7 + groups: + actions: + patterns: ["*"] + ignore: + - dependency-name: DeterminateSystems/* + commit-message: + prefix: ci diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7c60d3a4..f1801db2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -16,7 +16,9 @@ jobs: contents: read steps: - name: git checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Check Nixpkgs input uses: DeterminateSystems/flake-checker-action@main @@ -31,7 +33,7 @@ jobs: echo "NPM_CACHE_DIRECTORY=$(nix develop --command npm config get cache | tr -d '\n')" >> $GITHUB_ENV - name: Set up npm cache - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ${{ env.NPM_CACHE_DIRECTORY }} key: npm-cache-${{ hashFiles('**/package-lock.json') }} @@ -39,7 +41,7 @@ jobs: npm-cache - name: Restore Lychee cache - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: .lycheecache key: lychee-cache-${{ github.sha }} @@ -49,7 +51,7 @@ jobs: run: nix develop --command ci - name: Check external links - uses: lycheeverse/lychee-action@v2 + uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2.8.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -62,7 +64,7 @@ jobs: - name: Save Lychee cache if: success() || failure() - uses: actions/cache/save@v5 + uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: .lycheecache key: cache-lychee-${{ github.sha }} @@ -87,7 +89,9 @@ jobs: - nix-system: x86_64-linux runner: UbuntuLatest32Cores128G steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main - uses: DeterminateSystems/flakehub-cache-action@main diff --git a/.github/workflows/flakehub-cache.yml b/.github/workflows/flakehub-cache.yml index 317aea32..b763c75c 100644 --- a/.github/workflows/flakehub-cache.yml +++ b/.github/workflows/flakehub-cache.yml @@ -20,7 +20,9 @@ jobs: - nix-system: x86_64-linux runner: UbuntuLatest32Cores128G steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main - uses: DeterminateSystems/flakehub-cache-action@main - name: Build dev shell for ${{ matrix.systems.nix-system }} on ${{ matrix.systems.runner }} diff --git a/.github/workflows/flakehub-publish-rolling.yml b/.github/workflows/flakehub-publish-rolling.yml index d3711990..d1d03a0c 100644 --- a/.github/workflows/flakehub-publish-rolling.yml +++ b/.github/workflows/flakehub-publish-rolling.yml @@ -12,7 +12,9 @@ jobs: id-token: write contents: read steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main - uses: DeterminateSystems/flakehub-push@main with: diff --git a/.github/workflows/update-flake-lock.yml b/.github/workflows/update-flake-lock.yml index 0acb9c2c..1faff89a 100644 --- a/.github/workflows/update-flake-lock.yml +++ b/.github/workflows/update-flake-lock.yml @@ -14,8 +14,10 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: DeterminateSystems/determinate-nix-action@v3 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false + - uses: DeterminateSystems/determinate-nix-action@9adf02b41cfdac2632e1c16f0480ff5bf3b05dd6 # v3.21.1 - uses: DeterminateSystems/update-flake-lock@main with: pr-title: "Update root Nix flake inputs" # Title of PR to be created @@ -31,8 +33,10 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: DeterminateSystems/determinate-nix-action@v3 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false + - uses: DeterminateSystems/determinate-nix-action@9adf02b41cfdac2632e1c16f0480ff5bf3b05dd6 # v3.21.1 - uses: DeterminateSystems/flakehub-cache-action@main - name: Update template flake.lock files id: update @@ -48,7 +52,7 @@ jobs: fi - name: Create pull request for changes if: ${{ steps.detect-changes.outputs.changed == 'true' }} - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 with: base: main branch: flake-template-input-update diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000..9397c97f --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,25 @@ +name: zizmor + +on: + push: + branches: + - main + pull_request: + +jobs: + zizmor: + runs-on: ubuntu-latest + permissions: + security-events: write + contents: read + actions: read + steps: + - name: Checkout repository + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + with: + config: .github/zizmor.yml diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 00000000..abdc40be --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,5 @@ +rules: + unpinned-uses: + config: + policies: + DeterminateSystems/*: ref-pin