diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0fbfc01a..ba0ab75f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -25,6 +25,7 @@ jobs: - kissat-each-feature if: ${{ always() }} # Run this job even if a dependency has failed. steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - name: Job outcomes run: | echo "🧪 Workspace tests: ${{ needs.tests.result }}" @@ -59,7 +60,10 @@ jobs: name: 🏗️ Dev dependencies runs-on: [self-hosted, nix] steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: 🏗️ Build dev dependencies run: nix build .#cargoDevArtifacts tests: @@ -69,7 +73,10 @@ jobs: - dev-deps if: '!github.event.pull_request.draft' steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: 🧪 Run tests run: nix build ".#checks.$(nix eval --impure --expr 'builtins.currentSystem').tests" - name: 🧪 Run tests for external solver CaDiCaL @@ -83,7 +90,10 @@ jobs: runs-on: [self-hosted, nix] if: '!github.event.pull_request.draft' steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: 🏗️ Check MSRV builds run: nix build ".#checks.$(nix eval --impure --expr 'builtins.currentSystem').msrv" wasm-check: @@ -91,7 +101,10 @@ jobs: runs-on: [self-hosted, nix] if: '!github.event.pull_request.draft' steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: 🏄 Check WASM compatibility run: nix build ".#checks.$(nix eval --impure --expr 'builtins.currentSystem').wasm" code-quality: @@ -100,7 +113,10 @@ jobs: needs: - dev-deps steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: ✨ Check formatting run: nix build ".#checks.$(nix eval --impure --expr 'builtins.currentSystem').treefmt" - name: ✨ Cargo deny bans licenses sources @@ -124,8 +140,13 @@ jobs: runs-on: [self-hosted, nix] if: '!github.event.pull_request.draft' steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: ✨ Build Python API and check run: nix build ".#checks.$(nix eval --impure --expr 'builtins.currentSystem').pyapi" doc: @@ -135,8 +156,13 @@ jobs: - dev-deps if: '!github.event.pull_request.draft' steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: ✨ Build doc run: nix build ".#checks.$(nix eval --impure --expr 'builtins.currentSystem').doc" - name: 🧪 Run doc tests @@ -148,7 +174,10 @@ jobs: - tests - doc steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: ✨ Collect coverage reports run: | nix build .#testCoverage @@ -167,7 +196,10 @@ jobs: - dev-deps if: "!github.event.pull_request.draft && contains(github.event.pull_request.labels.*.name, 'heavy-tests')" steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: ✨ Run feature powerset checks run: nix build ".#checks.$(nix eval --impure --expr 'builtins.currentSystem').featurePowerset" cadical-each-feature: @@ -177,7 +209,10 @@ jobs: - dev-deps if: "!github.event.pull_request.draft && contains(github.event.pull_request.labels.*.name, 'solvers/cadical')" steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: 🧪 Test each feature run: nix develop ".#ci" --command cargo hack --each-feature --clean-per-run --exclude-features logging nextest run -p rustsat-cadical kissat-each-feature: @@ -187,6 +222,9 @@ jobs: - dev-deps if: "!github.event.pull_request.draft && contains(github.event.pull_request.labels.*.name, 'solvers/kissat')" steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: 🧪 Test each feature run: nix develop ".#ci" --command cargo hack --each-feature --clean-per-run nextest run -p rustsat-kissat diff --git a/.github/workflows/non-linux.yml b/.github/workflows/non-linux.yml index ee87fb91..8a08076d 100644 --- a/.github/workflows/non-linux.yml +++ b/.github/workflows/non-linux.yml @@ -6,6 +6,7 @@ env: CARGO_TERM_COLOR: always RUSTFLAGS: -Dwarnings RUSTDOCFLAGS: -Dwarnings + ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -14,7 +15,10 @@ jobs: name: 🧪 MacOS workspace tests runs-on: macos-latest steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - uses: taiki-e/install-action@380f1e611385ce740b81d9841ae7fb08ef55add0 # nextest - name: 🧪 Run tests @@ -23,7 +27,10 @@ jobs: name: 🧪 Windows workspace tests runs-on: windows-latest steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - uses: taiki-e/install-action@380f1e611385ce740b81d9841ae7fb08ef55add0 # nextest - name: 🧪 Run tests @@ -35,7 +42,10 @@ jobs: os: [macos-latest, windows-latest] runs-on: ${{ matrix.os }} steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml index 06102613..2a2330d4 100644 --- a/.github/workflows/pages.yml +++ b/.github/workflows/pages.yml @@ -7,6 +7,8 @@ permissions: contents: read pages: write id-token: write +env: + ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. concurrency: @@ -17,8 +19,11 @@ jobs: build: runs-on: [self-hosted, nix] steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: 🏗️ Build pages run: nix build .#pages - name: ⬆️ Upload artifact @@ -33,6 +38,7 @@ jobs: runs-on: ubuntu-latest needs: build steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - name: 🫙 Deploy to GitHub Pages id: deployment uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5 diff --git a/.github/workflows/pyapi.yml b/.github/workflows/pyapi.yml index 767ba50c..195fe2f2 100644 --- a/.github/workflows/pyapi.yml +++ b/.github/workflows/pyapi.yml @@ -19,6 +19,8 @@ jobs: target: [x86_64, x86, aarch64, armv7, s390x, ppc64le] steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: '3.14' @@ -27,7 +29,7 @@ jobs: with: target: ${{ matrix.target }} args: --release --out dist --manifest-path pyapi/Cargo.toml - sccache: 'true' + sccache: false manylinux: auto - name: Upload wheels uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 @@ -42,6 +44,8 @@ jobs: target: [x64, x86] steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: '3.14' @@ -51,7 +55,7 @@ jobs: with: target: ${{ matrix.target }} args: --release --out dist --manifest-path pyapi/Cargo.toml - sccache: 'true' + sccache: false - name: Upload wheels uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: @@ -65,6 +69,8 @@ jobs: target: [x86_64, aarch64] steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: '3.14' @@ -73,7 +79,7 @@ jobs: with: target: ${{ matrix.target }} args: --release --out dist --manifest-path pyapi/Cargo.toml - sccache: 'true' + sccache: false - name: Upload wheels uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: @@ -84,6 +90,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Build sdist uses: PyO3/maturin-action@e83996d129638aa358a18fbd1dfb82f0b0fb5d3b # v1 with: diff --git a/.github/workflows/release-plz.yml b/.github/workflows/release-plz.yml index c210ec25..722a8200 100644 --- a/.github/workflows/release-plz.yml +++ b/.github/workflows/release-plz.yml @@ -26,6 +26,7 @@ jobs: with: fetch-depth: 0 token: ${{ steps.generate-token.outputs.token }} + persist-credentials: false - name: Run release-plz run: nix develop ".#releasePlz" --command release-plz release --git-token "${GITHUB_TOKEN}" -o json env: @@ -55,6 +56,7 @@ jobs: with: fetch-depth: 0 token: ${{ steps.generate-token.outputs.token }} + persist-credentials: false - name: Configure git user from GitHub token uses: release-plz/git-config@59144859caf016f8b817a2ac9b051578729173c4 env: diff --git a/.github/workflows/semver-checks.yml b/.github/workflows/semver-checks.yml index 09ef7890..c124afd2 100644 --- a/.github/workflows/semver-checks.yml +++ b/.github/workflows/semver-checks.yml @@ -10,6 +10,9 @@ jobs: name: 🛡️ Semver checks runs-on: [self-hosted, nix] steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: 🛡️ Run semver checks run: nix run nixpkgs#just semver-checks