feat: add zizmor and actionlint

Signed-off-by: Adam Setch <adam.setch@outlook.com>

Author: setchy

.github/workflows/build.yml

@@ -2,13 +2,26 @@ name: Build
 
 on:
   workflow_call:
+    secrets:
+      OAUTH_CLIENT_ID:
+        required: true
+      # Signing certificates
+      CSC_LINK:
+        required: true
+      WIN_CSC_LINK:
+        required: true
+      CSC_KEY_PASSWORD:
+        required: true
+      WIN_CSC_KEY_PASSWORD:
+        required: true
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   build:
-    name: Build ${{ matrix.platform }} (electron-builder)
+    name: Build ${{ matrix.platform }} [electron-builder]
+    permissions:
+      contents: read
     strategy:
       matrix:
         include:

.github/workflows/ci.yml

@@ -8,30 +8,45 @@ on:
     branches:
       - main
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   prepare: # macOS code-signing only works on `push` events and not `pull_request` events
     if: ${{ !startsWith(github.head_ref, 'release/v') }}
     name: Prepare CI
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
-      - run: echo Running CI for branch ${{ github.head_ref }}
+      - run: echo "Running CI for branch ${GITHUB_HEAD_REF}"
+    env:
+      GITHUB_HEAD_REF: ${{ github.head_ref }}
 
   lint:
     name: Lint App
     uses: ./.github/workflows/lint.yml
     needs: prepare
+    permissions:
+      contents: read
 
   tests:
     name: Tests
     uses: ./.github/workflows/test.yml
     needs: lint
-    secrets: inherit
+    permissions:
+      contents: read
+    secrets:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
   build:
     name: Build
     uses: ./.github/workflows/build.yml
     needs: tests
-    secrets: inherit
+    permissions:
+      contents: read
+    secrets:
+      OAUTH_CLIENT_ID: ${{ secrets.OAUTH_CLIENT_ID }}
+      # Signing certificates
+      CSC_LINK: ${{ secrets.CSC_LINK }}
+      WIN_CSC_LINK: ${{ secrets.WIN_CSC_LINK }}
+      CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
+      WIN_CSC_KEY_PASSWORD: ${{ secrets.WIN_CSC_KEY_PASSWORD }}

.github/workflows/lint.yml

@@ -3,13 +3,14 @@ name: Lint
 on:
   workflow_call:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
-  lint:
-    name: biomejs
+  lint-code:
+    name: Lint Code [biomejs]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout
@@ -22,3 +23,19 @@ jobs:
 
       - name: Run linter
         run: pnpm lint:check
+
+  lint-actions:
+    name: Lint GitHub Actions [actionlint]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+          sparse-checkout: .github/
+
+      - name: GitHub Actions linter
+        uses: docker://rhysd/actionlint:1.7.12@sha256:b1934ee5f1c509618f2508e6eb47ee0d3520686341fec936f3b79331f9315667

.github/workflows/milestone.yml

@@ -7,24 +7,24 @@ on:
     types:
       - closed
 
-permissions:
-  pull-requests: write
+permissions: {}
 
 jobs:
   add-milestone:
     if: github.event.pull_request.merged == true
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
-      - name: Authenticate GitHub CLI
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | gh auth login --with-token
-
       - name: Get open milestone
         id: milestone
         run: |
           milestone=$(gh api repos/${{ github.repository }}/milestones \
             --jq '.[] | select(.state=="open") | .title' | head -n 1)
           echo "Found milestone: $milestone"
-          echo "milestone=$milestone" >> $GITHUB_OUTPUT
+          echo "milestone=$milestone" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Add milestone to PR
         if: steps.milestone.outputs.milestone != ''
@@ -34,3 +34,4 @@ jobs:
             --milestone "${STEPS_MILESTONE_OUTPUTS_MILESTONE}"
         env:
           STEPS_MILESTONE_OUTPUTS_MILESTONE: ${{ steps.milestone.outputs.milestone }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/publish.yml

@@ -2,15 +2,35 @@ name: Publish
 
 on:
   workflow_call:
+    secrets:
+      OAUTH_CLIENT_ID:
+        required: true
+      # Signing certificates
+      CSC_LINK:
+        required: true
+      WIN_CSC_LINK:
+        required: true
+      CSC_KEY_PASSWORD:
+        required: true
+      WIN_CSC_KEY_PASSWORD:
+        required: true
+      # macOS specific
+      APPLE_ID_USERNAME:
+        required: true
+      APPLE_ID_PASSWORD:
+        required: true
+      APPLE_ID_TEAM_ID:
+        required: true
   workflow_dispatch: # For manually running release process to verify code-signing of artifacts
 
-permissions:
-  contents: write
+permissions: {}
 
 jobs:
   prepare:
     name: Prepare draft release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98
@@ -29,17 +49,21 @@ jobs:
         shell: bash
 
       - name: Create draft release
-        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
-        with:
-          name: "${{ env.RELEASE_TAG }}"
-          tag_name: "${{ env.RELEASE_TAG }}"
-          draft: true
-          body: '# <img src="https://github.com/gitify-app/gitify/blob/3554605d32a6c08a3d4ec17b02b90e2dd276a152/assets/images/tray-active%402x.png" /> Gitify ${{ env.RELEASE_TAG }}'
-          generate_release_notes: true
+        run: |
+          gh release create "${RELEASE_TAG}" \
+            --title "${RELEASE_TAG}" \
+            --draft \
+            --notes "# <img src="https://github.com/gitify-app/gitify/blob/3554605d32a6c08a3d4ec17b02b90e2dd276a152/assets/images/tray-active%402x.png" /> Gitify ${RELEASE_TAG}" \
+            --generate-notes
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RELEASE_TAG: ${{ env.RELEASE_TAG }}
 
   release:
-    name: Publish ${{ matrix.platform }} (electron-builder)
+    name: Publish ${{ matrix.platform }} [electron-builder]
     needs: prepare
+    permissions:
+      contents: write
     strategy:
       matrix:
         include:

.github/workflows/release.yml

@@ -5,24 +5,38 @@ on:
     branches:
       - release/v*.*.* # macOS code-signing only works on `push` events and not `pull_request` events
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   lint:
     name: Lint App
     uses: ./.github/workflows/lint.yml
+    permissions:
+      contents: read
 
   tests:
     name: Tests
     uses: ./.github/workflows/test.yml
     needs: lint
-    secrets: inherit
+    permissions:
+      contents: read
+    secrets:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
   publish:
     name: Publish
     uses: ./.github/workflows/publish.yml
     needs: tests
-    secrets: inherit
     permissions:
       contents: write
+    secrets:
+      OAUTH_CLIENT_ID: ${{ secrets.OAUTH_CLIENT_ID }}
+      # Signing certificates
+      CSC_LINK: ${{ secrets.CSC_LINK }}
+      WIN_CSC_LINK: ${{ secrets.WIN_CSC_LINK }}
+      CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
+      WIN_CSC_KEY_PASSWORD: ${{ secrets.WIN_CSC_KEY_PASSWORD }}
+      # macOS specific
+      APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }}
+      APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+      APPLE_ID_TEAM_ID: ${{ secrets.APPLE_ID_TEAM_ID }}

.github/workflows/renovate.yml

@@ -10,8 +10,7 @@ on:
     paths:
       - renovate.json
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   renovate-config-validator:
@@ -22,6 +21,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
+          sparse-checkout: renovate.json
 
       - uses: ./.github/actions/setup-node
         with:

.github/workflows/test.yml

@@ -2,14 +2,18 @@ name: Test
 
 on:
   workflow_call:
+    secrets:
+      SONAR_TOKEN:
+        required: true
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   run-unit-tests:
     name: Run Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout
@@ -36,6 +40,8 @@ jobs:
     name: SonarQube Cloud Analysis
     runs-on: ubuntu-latest
     needs: run-unit-tests
+    permissions:
+      contents: read
     # Only analyze PRs from the same repository. Limitation of SonarQube Cloud
     if: github.event.pull_request.head.repo.fork == false
 

.github/workflows/triage.yml

@@ -1,7 +1,7 @@
 name: Triage PR
 
 on:
-  pull_request_target:
+  pull_request:
     branches:
       - main
     types:
@@ -11,16 +11,14 @@ on:
       - synchronize
       - ready_for_review
 
-permissions:
-  contents: read # the config file
-  pull-requests: write # for labeling pull requests (on: pull_request_target or on: pull_request)
-  statuses: write # to generate status
-  checks: write # to generate status
+permissions: {}
 
 jobs:
   pr-title:
     name: Validate PR title
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
     steps:
       - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
         env:
@@ -29,5 +27,10 @@ jobs:
   pr-labeler:
     name: Auto-label PR
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # the config file
+      pull-requests: write # for labeling pull requests (on: pull_request_target or on: pull_request)
+      statuses: write # to generate status
+      checks: write # to generate status
     steps:
       - uses: fuxingloh/multi-labeler@b15a54460c38f54043fa75f7b08a0e2aa5b94b5b # v4.0.0

.github/workflows/website.yml

@@ -6,12 +6,12 @@ on:
     types:
       - published # For running on release publish
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   redeploy-website:
     name: Deploy Website
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
       - run: curl -X POST -d {} ${{ secrets.NETLIFY_BUILD_HOOK_URL }}