diff --git a/.devcontainer/devcontainer-lock.json b/.devcontainer/devcontainer-lock.json index 3feaa831..fa811a29 100644 --- a/.devcontainer/devcontainer-lock.json +++ b/.devcontainer/devcontainer-lock.json 
@@ -1,31 +1,31 @@ { "features": { - "ghcr.io/anthropics/devcontainer-features/claude-code:1.0": { + "ghcr.io/anthropics/devcontainer-features/claude-code:1.0.5": { "version": "1.0.5", "resolved": "ghcr.io/anthropics/devcontainer-features/claude-code@sha256:cfc2e7d3e9fd3b9b01f8d5cb158508a884c8c0ede2e23ed10f32dea5d4ffe69a", "integrity": "sha256:cfc2e7d3e9fd3b9b01f8d5cb158508a884c8c0ede2e23ed10f32dea5d4ffe69a" }, - "ghcr.io/devcontainers-extra/features/act:1": { + "ghcr.io/devcontainers-extra/features/act:1.0.15": { "version": "1.0.15", "resolved": "ghcr.io/devcontainers-extra/features/act@sha256:db4a2194930d1f7ec62822d4f600dd2fa4aff3c33b98cdb0b578b64ffb10924c", "integrity": "sha256:db4a2194930d1f7ec62822d4f600dd2fa4aff3c33b98cdb0b578b64ffb10924c" }, - "ghcr.io/devcontainers-extra/features/pre-commit:2": { + "ghcr.io/devcontainers-extra/features/pre-commit:2.0.18": { "version": "2.0.18", "resolved": "ghcr.io/devcontainers-extra/features/pre-commit@sha256:6e0bb2ce80caca1d94f44dab5d0653d88a1c00984e590adb7c6bce012d0ade6e", "integrity": "sha256:6e0bb2ce80caca1d94f44dab5d0653d88a1c00984e590adb7c6bce012d0ade6e" }, - "ghcr.io/devcontainers/features/docker-outside-of-docker:1": { - "version": "1.9.1", - "resolved": "ghcr.io/devcontainers/features/docker-outside-of-docker@sha256:dc89605f01ff2f24252c61f7c8ba2a58ccdbc14f2ebf87a7952d9e2b89834850", - "integrity": "sha256:dc89605f01ff2f24252c61f7c8ba2a58ccdbc14f2ebf87a7952d9e2b89834850" + "ghcr.io/devcontainers/features/docker-outside-of-docker:1.10.0": { + "version": "1.10.0", + "resolved": "ghcr.io/devcontainers/features/docker-outside-of-docker@sha256:c2c2cf829505ead8e4892c88c31b6594ae94a2bbb209e16e1fac456c1a3a624e", + "integrity": "sha256:c2c2cf829505ead8e4892c88c31b6594ae94a2bbb209e16e1fac456c1a3a624e" }, - "ghcr.io/devcontainers/features/github-cli:1": { + "ghcr.io/devcontainers/features/github-cli:1.1.0": { "version": "1.1.0", "resolved": 
"ghcr.io/devcontainers/features/github-cli@sha256:d22f50b70ed75339b4eed1ba9ecde3a1791f90e88d37936517e3bace0bbad671", "integrity": "sha256:d22f50b70ed75339b4eed1ba9ecde3a1791f90e88d37936517e3bace0bbad671" }, - "ghcr.io/devcontainers/features/node:2": { + "ghcr.io/devcontainers/features/node:2.0.0": { "version": "2.0.0", "resolved": "ghcr.io/devcontainers/features/node@sha256:fedd4c11f7adfb64283b578dddc7da906728daa25fa293351c9d913231acf12f", "integrity": "sha256:fedd4c11f7adfb64283b578dddc7da906728daa25fa293351c9d913231acf12f" diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index cd951c58..d2b4a28d 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json 
@@ -1,34 +1,39 @@ // For format details, see https://aka.ms/devcontainer.json. For config options, see the { "name": "Container - Cloudflare Pages Action", - "image": "mcr.microsoft.com/devcontainers/base:jammy", + // mcr.microsoft.com/devcontainers/base:jammy + "image": "mcr.microsoft.com/devcontainers/base:jammy@sha256:f2d74267998cfe76acefa5cc8d19ccc86bb2ba4520a5ad2b218def9566dc04cd", "customizations": { "vscode": { "extensions": [ - "eamodio.gitlens", - "oxc.oxc-vscode", - "github.vscode-github-actions", - "yoavbls.pretty-ts-errors", - "redhat.vscode-yaml", - "GraphQL.vscode-graphql", - "GraphQL.vscode-graphql-syntax", - "vitest.explorer", - "webpro.vscode-knip" - ] + "eamodio.gitlens@2026.5.230538", + "github.vscode-github-actions@0.31.5", + "GraphQL.vscode-graphql-syntax@1.3.10", + "GraphQL.vscode-graphql@0.13.4", + "oxc.oxc-vscode@1.56.0", + "redhat.vscode-yaml@1.24.2026052209", + "vitest.explorer@1.50.4", + "webpro.vscode-knip@2.1.5", + "yoavbls.pretty-ts-errors@0.8.7" + ], + "settings": { + "extensions.autoUpdate": false, + "extensions.autoCheckUpdates": true + } } }, "postCreateCommand": "sed -i '/^ZSH_THEME/c\\ZSH_THEME=\"bira\"' ~/.zshrc && pnpm i && pre-commit install", "updateContentCommand": "rm -rf .cache && pnpm i && pre-commit install", "features": { - "ghcr.io/devcontainers-extra/features/act:1": {}, - "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {}, - "ghcr.io/devcontainers/features/node:2": { + "ghcr.io/devcontainers-extra/features/act:1.0.15": {}, + "ghcr.io/devcontainers/features/docker-outside-of-docker:1.10.0": {}, + "ghcr.io/devcontainers/features/node:2.0.0": { "version": "24.7.0", "pnpmVersion": "11.0.8" }, - "ghcr.io/devcontainers/features/github-cli:1": {}, - "ghcr.io/devcontainers-extra/features/pre-commit:2": {}, - "ghcr.io/anthropics/devcontainer-features/claude-code:1.0": {} + "ghcr.io/devcontainers/features/github-cli:1.1.0": {}, + "ghcr.io/devcontainers-extra/features/pre-commit:2.0.18": {}, + 
"ghcr.io/anthropics/devcontainer-features/claude-code:1.0.5": {} }, "containerEnv": { "CLAUDE_CONFIG_DIR": "/home/vscode/.claude" diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 7db709cd..ec418ea8 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -6,24 +6,27 @@ updates: directory: / schedule: interval: weekly - day: sunday + cooldown: + default-days: 7 + - package-ecosystem: docker + directory: /.devcontainer + schedule: + interval: weekly cooldown: default-days: 7 - package-ecosystem: 'devcontainers' directory: '/' schedule: interval: weekly - day: sunday cooldown: default-days: 7 - package-ecosystem: npm directory: / schedule: interval: weekly - day: sunday cooldown: default-days: 7 - semver-major-days: 30 + semver-major-days: 14 semver-minor-days: 7 semver-patch-days: 3 groups: diff --git a/.github/workflow-templates/delete.yml b/.github/workflow-templates/delete.yml index fead965e..7917d9ba 100644 --- a/.github/workflow-templates/delete.yml +++ b/.github/workflow-templates/delete.yml @@ -8,8 +8,15 @@ on: - closed branches: - $default-branch + +concurrency: + group: deploy-delete-${{ github.head_ref || github.run_id }} + +# Deny all permissions by default; grant only what's needed per job +permissions: {} + jobs: - deploy: + delete: permissions: actions: read # Only required for private GitHub Repo contents: read @@ -20,6 +27,8 @@ jobs: steps: - name: 'Checkout Github Action' uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 + with: + persist-credentials: false - name: 'Deploy deletion from Cloudflare Pages' uses: andykenward/github-actions-cloudflare-pages/delete@1f45924c4dd0c6d746a7edfaa4e1dea8958806a6 #v3.4.0 with: diff --git a/.github/workflow-templates/deploy.yml b/.github/workflow-templates/deploy.yml index 7c7519bc..851332b2 100644 --- a/.github/workflow-templates/deploy.yml +++ b/.github/workflow-templates/deploy.yml 
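Review bot: The `image` line now pins a digest but nothing in this hunk says how that digest is refreshed, and the `eamodio.gitlens@2026.5.230538`-style extension pins carry no integrity hash, so they only fix a version string that the Marketplace can still re-publish. If the intent is reproducibility, add a comment above `image` naming the updater responsible for the digest (the Dependabot `docker` entry added in this commit, if it does parse devcontainer.json, otherwise a manual bump) and a comment above `extensions` stating that pinned extension versions are not Dependabot-managed and must be bumped by hand. Separately, `docker-outside-of-docker` is generally understood to expose the host Docker socket to the container, which gives the lifecycle commands here (`pnpm i`, `pre-commit install`) and the `claude-code` feature host-equivalent privileges; a one-line comment acknowledging that trade-off next to the feature would stop a future reader from treating the digest pin as a sandbox.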
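Review bot: The new `docker` entry targets `/.devcontainer`, but Dependabot's docker ecosystem is documented around Dockerfiles and compose files and no Dockerfile is visible in this diff, so confirm the entry actually picks up the digest-pinned `image` in `devcontainer.json`; otherwise it is a no-op and the digest silently goes stale. The change to `semver-major-days: 14` halves the cooldown for major bumps; that window is the time upstream has to yank a compromised release before Dependabot proposes it, so record the reasoning, e.g. `# 14 days: enough for upstream to pull a bad major; the 3-day patch cooldown is the weakest link`. The first `updates` entry's `package-ecosystem` is outside the hunk.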
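Review bot: The concurrency group `deploy-delete-${{ github.head_ref || github.run_id }}` does not match the `${{ github.workflow }}-${{ github.head_ref || github.run_id }}` group used in deploy.yml, so a deletion for a just-closed PR and an in-flight preview deploy for the same `head_ref` can run at the same time and race on the Cloudflare deployment. If serialization is wanted, use one shared key in both templates, e.g. `group: cloudflare-pages-${{ github.head_ref || github.run_id }}`, since concurrency groups are keyed across workflows in a repository. Renaming the job from `deploy` to `delete` also changes the check name, which will break any branch-protection rule that references the old one. The delete step's `with:` block continues outside the hunk.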
@@ -9,6 +9,13 @@ on: pull_request: branches: - $default-branch + +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + +# Deny all permissions by default; grant only what's needed per job +permissions: {} + jobs: deploy: permissions: @@ -21,6 +28,8 @@ jobs: steps: - name: 'Checkout Github Action' uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 + with: + persist-credentials: false - name: 'Deploy to Cloudflare Pages' uses: andykenward/github-actions-cloudflare-pages@1f45924c4dd0c6d746a7edfaa4e1dea8958806a6 #v3.4.0 with: diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000..63e71a30 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,28 @@ +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json +name: GitHub Actions Security Analysis with zizmor + +on: + push: + branches: [main] + pull_request: + branches: ['**'] + +# Deny all permissions by default; grant only what's needed per job +permissions: {} + +jobs: + zizmor: + name: zizmor + runs-on: ubuntu-latest + permissions: + security-events: write # upload SARIF to GitHub code scanning + contents: read # only needed for private or internal repos + actions: read # only needed for private or internal repos + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 diff --git a/README.md b/README.md index dceb8593..71fb158c 100644 --- a/README.md +++ b/README.md 
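Review bot: On `push` events `github.head_ref` is empty, so the group `${{ github.workflow }}-${{ github.head_ref || github.run_id }}` falls back to the unique `run_id` and two pushes to the default branch can deploy to production concurrently, with the older build free to finish last. Fall back to the branch ref instead so production deploys serialize: `group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}`, and state `cancel-in-progress: false` explicitly with a comment saying why superseded deploys are allowed to complete rather than cancelled. `persist-credentials: false` on checkout is the right default here; whether the deploy step still receives a scoped `github-token` cannot be seen, as its `with:` block continues outside the hunk.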
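Review bot: The templates this same commit hardens live in `.github/workflow-templates/`, and zizmor's default scope is the repository's `.github/workflows/` directory, so unless `zizmorcore/zizmor-action` is configured otherwise those template files are not audited by this job; check the action's inputs for a way to include that path, or keep a copy under `.github/workflows/`, and record the decision with a comment such as `# NOTE: .github/workflow-templates/ is not in zizmor's default scan path`. Also, on `pull_request` runs from forks the `GITHUB_TOKEN` is read-only regardless of the `security-events: write` grant, so the SARIF upload will presumably fail on fork PRs; confirm whether the action tolerates that or whether fork PRs should be handled differently. The pinned checkout with `persist-credentials: false` is consistent with the other workflows in this commit.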
@@ -94,48 +94,10 @@ wrangler: ## Examples -See the GitHub Workflow examples below or [.github/workflow-templates/deploy.yml](.github/workflow-templates/deploy.yml) +See the GitHub Workflow Templates [.github/workflow-templates/](.github/workflow-templates/) -### `push` & `pull_request` - -```yaml -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json -name: 'Deployment' -on: - push: - branches: - - main - pull_request: - branches: - - main - -jobs: - deploy: - permissions: - actions: read # Only required for private GitHub Repo - contents: read - deployments: write - pull-requests: write - runs-on: ubuntu-latest - timeout-minutes: 5 - steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 - with: - node_version: 20 - - run: npm ci - run: npm run build - - name: Deploy to Cloudflare Pages - uses: andykenward/github-actions-cloudflare-pages@1f45924c4dd0c6d746a7edfaa4e1dea8958806a6 #v3.4.0 - id: pages - with: - cloudflare-api-token: ${{ secrets.CLOUDFLARE_API_TOKEN }} - cloudflare-account-id: ${{ vars.CLOUDFLARE_ACCOUNT_ID }} - cloudflare-project-name: ${{ vars.CLOUDFLARE_PROJECT_NAME }} - directory: dist - github-token: ${{ secrets.GITHUB_TOKEN }} - github-environment: ${{ vars.CLOUDFLARE_PROJECT_NAME }} ${{ (github.ref == 'refs/heads/main' && '(Production)') || '(Preview)' }} -``` +- [.github/workflow-templates/delete.yml](.github/workflow-templates/delete.yml) +- [.github/workflow-templates/deploy.yml](.github/workflow-templates/deploy.yml) ### Fork pull requests with `workflow_run`