
Commit ba9d1d4

authored
ci: add zizmor workflow (#440)
* ci: add zizmor workflow * ci: clarify skill review push credentials * ci: simplify stale skills PR body generation * Update .github/workflows/triage-agent.yml
1 parent 31c194e commit ba9d1d4

9 files changed

Lines changed: 82 additions & 30 deletions


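--- a/.github/workflows/autofix.yml
+++ b/.github/workflows/autofix.yml
@@ -19,6 +19,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
 - name: Setup Tools
 uses: TanStack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 # main
 - name: Fix formatting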
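Review bot: `persist-credentials: false` removes the stored token from this job, so if the step after `Fix formatting` commits and pushes the result with a plain `git push` (those lines are outside the hunk), it now needs explicit authentication and the workflow will only fail at push time. If the push is done by a step that brings its own credentials (an autofix-style action, for instance), nothing changes, but that is an inference from the file name rather than from anything visible here. A one-line comment on the new setting, e.g. `persist-credentials: false # push is handled by <step>, not by git`, would settle that for the next reader.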

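--- a/.github/workflows/check-skills.yml
+++ b/.github/workflows/check-skills.yml
@@ -17,18 +17,21 @@ on:
 workflow_dispatch: {}
 
 permissions:
-contents: write
-pull-requests: write
+contents: read
 
 jobs:
 check:
 name: Check for stale skills
 runs-on: ubuntu-latest
+permissions:
+contents: write
+pull-requests: write
 steps:
 - name: Checkout
 uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0
+persist-credentials: true # review job pushes a generated branch
 
 - name: Setup Node
 uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
@@ -108,8 +111,10 @@ jobs:
 if: steps.stale.outputs.has_stale == 'true'
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+VERSION: ${{ github.event.release.tag_name || 'manual' }}
+SUMMARY: ${{ steps.summary.outputs.summary }}
+PROMPT: ${{ steps.summary.outputs.prompt }}
 run: |
-VERSION="${{ github.event.release.tag_name || 'manual' }}"
 BRANCH="skills/review-${VERSION}"
 
 git config user.name "github-actions[bot]"
@@ -118,26 +123,20 @@ jobs:
 git commit --allow-empty -m "chore: review stale skills for ${VERSION}"
 git push origin "$BRANCH"
 
+{
+printf '%s\n\n' '## Stale Skills Detected'
+printf '%s\n\n' 'The following skills may need updates after the latest release:'
+printf '%s\n\n' "$SUMMARY"
+printf '%s\n\n' '---'
+printf '%s\n\n' '### Update Prompt'
+printf '%s\n\n' 'Paste this into your coding agent (Claude Code, Cursor, etc.):'
+printf '%s\n' '~~~'
+printf '%s\n' "$PROMPT"
+printf '%s\n' '~~~'
+} > pr-body.md
+
 gh pr create \
 --title "Review stale skills (${VERSION})" \
---body "$(cat <<'PREOF'
-## Stale Skills Detected
-
-The following skills may need updates after the latest release:
-
-${{ steps.summary.outputs.summary }}
-
----
-
-### Update Prompt
-
-Paste this into your coding agent (Claude Code, Cursor, etc.):
-
-~~~
-${{ steps.summary.outputs.prompt }}
-~~~
-
-PREOF
-)" \
+--body-file pr-body.md \
 --head "$BRANCH" \
 --base main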
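Review bot: `persist-credentials: true` in the first hunk leaves the GITHUB_TOKEN in `.git/config` for every later step of the job, including Setup Node and whatever produces `steps.summary`, while the job now carries `contents: write` and `pull-requests: write`; only the final push step needs the credential, and zizmor's artipacked audit will most likely keep flagging the checkout. Prefer `persist-credentials: false` on the checkout and authenticate just the push in the step that already has `GH_TOKEN` in its env (third hunk), e.g. `git push "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "$BRANCH"`, then drop the `# review job pushes a generated branch` comment. Moving `VERSION`, `SUMMARY` and `PROMPT` into `env:` instead of expanding `${{ }}` inside the script is the right fix for the template-injection the old heredoc allowed; keep that pattern. The lines between the second and third hunk (the rest of the push step) are not shown, so confirm nothing there also relies on stored credentials.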

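--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -9,15 +9,19 @@ concurrency:
 
 permissions:
 contents: read
-pull-requests: write
 
 jobs:
 review:
 name: Review dependency changes
 runs-on: ubuntu-latest
+permissions:
+contents: read
+pull-requests: write
 steps:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
 
 - name: Dependency Review
 uses: actions/dependency-review-action@e58c696e52cac8e62d61cc21fda89565d71505d7 # v4.3.1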

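--- a/.github/workflows/notify-playbooks.yml
+++ b/.github/workflows/notify-playbooks.yml
@@ -22,6 +22,9 @@ on:
 - 'docs/**'
 - 'packages/*/src/**'
 
+permissions:
+contents: read
+
 jobs:
 notify:
 name: Notify TanStack Intent
@@ -31,6 +34,7 @@ jobs:
 uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 2
+persist-credentials: false
 
 - name: Collect changed files
 id: changes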

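--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -12,21 +12,24 @@ env:
 
 permissions:
 contents: read
-pull-requests: write
 
 jobs:
 test:
 name: Test
 runs-on: ubuntu-latest
+permissions:
+contents: read
+pull-requests: write
 steps:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
+persist-credentials: false
 - name: Setup Tools
 uses: TanStack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 # main
 - name: Get base and head commits for `nx affected`
-uses: nrwl/nx-set-shas@15514ee4353489ef5a1644bcdae44f0ae2ea45f3 # v4.4.0
+uses: nrwl/nx-set-shas@3e9ad7370203c1e93d109be57f3b72eb0eb511b1 # v4.4.0
 with:
 main-branch-name: main
 - name: Run Checks
@@ -37,6 +40,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
 - name: Setup Tools
 uses: TanStack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 # main
 - name: Build Packages
@@ -49,6 +54,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
 - name: Check Provenance
 uses: danielroe/provenance-action@41bcc969e579d9e29af08ba44fcbfdf95cee6e6c # v0.1.1
 with:
@@ -59,6 +66,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
 - name: Setup Tools
 uses: TanStack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 # main
 - name: Changeset Preview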
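Review bot: The `test` job keeps `pull-requests: write` (first hunk) although nothing visible in that job comments on or labels the PR; if no later step needs it, drop it so a compromised step cannot write to pull requests, and if one does, a comment such as `pull-requests: write # needed by <step>` above the grant makes it reviewable rather than inherited folklore. The nx-set-shas pin moves from 15514ee… to 3e9ad73… while the comment stays `# v4.4.0`; note in the comment which commit the tag resolves to today, since a pin that silently stops matching its tag is exactly what SHA pinning is meant to surface. The job names and triggers for the other three jobs lie outside the hunks.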

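--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,15 +14,17 @@ env:
 NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
 
 permissions:
-contents: write
-id-token: write
-pull-requests: write
+contents: read
 
 jobs:
 release:
 name: Release
 if: github.repository_owner == 'TanStack'
 runs-on: ubuntu-latest
+permissions:
+contents: write
+id-token: write
+pull-requests: write
 # Configure required reviewers / wait timer for this environment in
 # repo settings → Environments → release. Until configured, this only
 # creates a deployment record (no gating).
@@ -32,13 +34,14 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
+persist-credentials: false
 - name: Setup Tools
 uses: TanStack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 # main
 - name: Run Tests
 run: pnpm run test:ci
 - name: Run Changesets (version or publish)
 id: changesets
-uses: changesets/action@e87c8ed249971350e47fab7515075f44eb134e5b # v1.7.0
+uses: changesets/action@6a0a831ff30acef54f2c6aa1cbbc1096b066edaf # v1.7.0
 with:
 version: pnpm run changeset:version
 publish: pnpm run changeset:publish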
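Review bot: With `persist-credentials: false` on the checkout (second hunk), the changesets step can no longer rely on the stored token when its `version` path pushes the Version Packages branch; I believe recent changesets/action releases authenticate on their own from a `GITHUB_TOKEN` env they are given, but that env block is outside this hunk and should be confirmed with a dry run before the next release rather than discovered at publish time. The changesets/action pin also moves from e87c8ed… to 6a0a831… while the comment still reads `# v1.7.0`; record whether the old pin never matched the tag or the tag was re-pointed, e.g. `# v1.7.0 (tag re-verified -> 6a0a831)`, since a moved tag is the scenario SHA pinning exists to catch. The job-level split keeping `id-token: write` for provenance and `pull-requests: write` for the version PR looks correct.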

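--- a/.github/workflows/triage-agent.yml
+++ b/.github/workflows/triage-agent.yml
@@ -11,9 +11,11 @@ jobs:
 issues: write
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+with:
+persist-credentials: false
 
 - name: Triage issue with Warp Agent
-uses: warpdotdev/warp-agent-action@039f8de15fe60704b4308850e8cafb5cc0958bf2 # v1
+uses: warpdotdev/warp-agent-action@fee7dc8441f64d14a4ae22596eb68167ced24a1a # v1.0.18
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with: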
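Review bot: The Warp agent step processes issue text that any GitHub user can author while holding `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` under a job granted `issues: write` (top of the hunk; the rest of the job's `permissions` block and the step's `with:` inputs are outside it), so prompt injection through an issue body can drive whatever that token allows. Pinning to v1.0.18 and `persist-credentials: false` are good but do not change that exposure; keep the job's grants to `issues: write` only, with no `contents` or `pull-requests`, and add a comment above the step such as `# Issue title/body are untrusted input to the agent; keep this job's token scoped to issues only` so the constraint survives future edits. If the inputs below pass `${{ github.event.issue.* }}` into a prompt or shell line, route them through `env:` the way this commit does for check-skills.yml rather than expanding them inline.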

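--- a/.github/workflows/validate-skills.yml
+++ b/.github/workflows/validate-skills.yml
@@ -12,13 +12,18 @@ on:
 - 'skills/**'
 - '**/skills/**'
 
+permissions:
+contents: read
+
 jobs:
 validate:
 name: Validate skill files
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
 uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+with:
+persist-credentials: false
 
 - name: Setup Node
 uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0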

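--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,24 @@
+name: GitHub Actions Security Analysis
+
+on:
+push:
+branches: [main]
+pull_request:
+branches: ['**']
+
+permissions: {}
+
+jobs:
+zizmor:
+name: Run zizmor
+runs-on: ubuntu-latest
+steps:
+- name: Checkout
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
+- name: Run zizmor
+uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+with:
+advanced-security: false
+annotations: true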
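Review bot: The `zizmor` job declares no `permissions:` of its own and so inherits the top-level `permissions: {}`, which hands the checkout a token with no scopes; that works for a public repository but, as far as I recall, fails on a private one where `actions/checkout` needs `contents: read` (zizmor's own template also lists `actions: read` for private repos). Make the intent explicit with a job-level block, e.g. `permissions: {} # add contents: read / actions: read if this repo ever becomes private`, so the next person does not widen the top-level grant instead. With `advanced-security: false` findings surface only as annotations, so confirm the action exits non-zero at the severity you want gating PRs, otherwise this job is advisory rather than a check. Using `pull_request` rather than `pull_request_target` for the fork path is the right choice here.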
