
Commit b9f3216

authored
ci: apply some recommended CI security improvements (#482)
1 parent 8768407 commit b9f3216

8 files changed

Lines changed: 22 additions & 2 deletions


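--- a/.github/workflows/bundle.yml
+++ b/.github/workflows/bundle.yml
@@ -10,6 +10,8 @@ jobs:
 pull-requests: write
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 - uses: actions/setup-node@v4
 with:
 node-version: "22"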
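Review bot: The `uses:` lines in this hunk still reference actions by a movable tag (`actions/checkout@v4`, `actions/setup-node@v4`), so a retagged or compromised release would run inside a job that holds `pull-requests: write`, whether or not the checkout persists credentials. Pinning each action to its full commit SHA and keeping the version as a trailing comment closes that gap, e.g. `- uses: actions/checkout@<full-commit-sha>  # v4` (placeholder; take the SHA from the action's release page). The same applies to the `uses:` lines in the other seven workflow files of this commit, including `requarks/changelog-action@v1` in release.yml. The job's steps continue outside the hunk.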

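--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -36,6 +36,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
+with:
+persist-credentials: false
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL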

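--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -13,6 +13,8 @@ jobs:
 contents: write
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 - uses: actions/setup-node@v4
 with:
 node-version: "22"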
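Review bot: With `persist-credentials: false` the token is no longer written into the checkout's git config, so any later step in this job that runs a plain `git push` will fail to authenticate; the job keeps `contents: write`, which suggests something after the hunk does write to the repository. Those steps are outside the hunk, so this needs confirming: a push or deploy step should receive the token explicitly (an action input, or `env:` with `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`) rather than rely on the checkout. The same check applies to dev-preview.yml and the first hunk of end-to-end-tests.yml, which also show `contents: write`. If nothing in a job pushes, its permission could drop to `contents: read`.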

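--- a/.github/workflows/dev-preview.yml
+++ b/.github/workflows/dev-preview.yml
@@ -14,6 +14,8 @@ jobs:
 contents: write
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 - uses: actions/setup-node@v4
 with:
 node-version: "22"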

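--- a/.github/workflows/end-to-end-tests.yml
+++ b/.github/workflows/end-to-end-tests.yml
@@ -15,6 +15,8 @@ jobs:
 contents: write
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 - uses: actions/setup-node@v4
 with:
 node-version: 22
@@ -79,6 +81,8 @@ jobs:
 shardTotal: [3]
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 - uses: actions/setup-node@v4
 with:
 node-version: lts/*
@@ -120,6 +124,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 - uses: actions/setup-node@v4
 with:
 node-version: lts/*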

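--- a/.github/workflows/pr-preview.yml
+++ b/.github/workflows/pr-preview.yml
@@ -18,6 +18,8 @@ jobs:
 pull-requests: write
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 - uses: actions/setup-node@v4
 with:
 node-version: "22"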

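--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,8 +22,10 @@ jobs:
 needs: test
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 - name: Stop early if the tag fails any validation
-run: sh validate-version.sh ${{ github.ref_name }}
+run: sh validate-version.sh ${GITHUB_REF_NAME}
 # Setup .npmrc file to publish to npm
 - uses: actions/setup-node@v4
 with:
@@ -40,7 +42,7 @@ jobs:
 - name: Fix the relative URLs in the READMEs to work on npmjs
 run: |
 sed -i 's/(\.\.\/web-component)/(web-component)/g' dist/packages/ngx-web-component/README.md
-sed -i 's/(test-data\//(https:\/\/github.com\/ReadAlongs\/Studio-Web\/blob\/${{ github.ref_name }}\/packages\/web-component\/test-data\//g' dist/packages/web-component/README.md
+sed -i 's/(test-data\//(https:\/\/github.com\/ReadAlongs\/Studio-Web\/blob\/${GITHUB_REF_NAME}\/packages\/web-component\/test-data\//g' dist/packages/web-component/README.md
 - name: Update CHANGELOG
 id: changelog
 uses: requarks/changelog-action@v1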
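Review bot: In the second hunk `${GITHUB_REF_NAME}` now sits inside a single-quoted sed script, where the shell does not expand it, so the README links would be rewritten to a literal `blob/${GITHUB_REF_NAME}/` path. The old `${{ github.ref_name }}` worked there only because Actions substituted it before the shell ran. Close the quote around the variable, `...\/blob\/'"${GITHUB_REF_NAME}"'\/packages\/...`, and consider a sed delimiter other than `/` in case a ref name ever contains a slash. In the first hunk the argument is better quoted too: `run: sh validate-version.sh "${GITHUB_REF_NAME}"`. The job's steps continue outside both hunks.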

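--- a/.github/workflows/windows-tests.yml
+++ b/.github/workflows/windows-tests.yml
@@ -9,6 +9,8 @@ jobs:
 timeout-minutes: 60
 steps:
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 - uses: actions/setup-node@v4
 with:
 node-version: 22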
