feat(actions): add zizmor and actionlint#636

.github/workflows/build.yml

@@ -2,13 +2,26 @@ name: Build
 
 on:
   workflow_call:
+    secrets:
+      OAUTH_CLIENT_ID:
+        required: true
+      # Signing certificates
+      CSC_LINK:
+        required: true
+      WIN_CSC_LINK:
+        required: true
+      CSC_KEY_PASSWORD:
+        required: true
+      WIN_CSC_KEY_PASSWORD:
+        required: true
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   build:
-    name: Build ${{ matrix.platform }} (electron-builder)
+    name: Build ${{ matrix.platform }} [electron-builder]
+    permissions:
+      contents: read
     strategy:
       matrix:
         include:
@@ -32,6 +45,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup Node.js
         uses: ./.github/actions/setup-node

.github/workflows/ci.yml

@@ -8,30 +8,45 @@ on:
     branches:
       - main
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   prepare: # macOS code-signing only works on `push` events and not `pull_request` events
     if: ${{ !startsWith(github.head_ref, 'release/v') }}
     name: Prepare CI
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
-      - run: echo Running CI for branch ${{ github.head_ref }}
+      - run: echo "Running CI for branch ${GITHUB_HEAD_REF}"
+    env:
+      GITHUB_HEAD_REF: ${{ github.head_ref }}
 
   lint:
     name: Lint App
     uses: ./.github/workflows/lint.yml
     needs: prepare
+    permissions:
+      contents: read
 
   tests:
     name: Tests
     uses: ./.github/workflows/test.yml
     needs: lint
-    secrets: inherit
+    permissions:
+      contents: read
+    secrets:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
   build:
     name: Build
     uses: ./.github/workflows/build.yml
     needs: tests
-    secrets: inherit
+    permissions:
+      contents: read
+    secrets:
+      OAUTH_CLIENT_ID: ${{ secrets.OAUTH_CLIENT_ID }}
+      # Signing certificates
+      CSC_LINK: ${{ secrets.CSC_LINK }}
+      WIN_CSC_LINK: ${{ secrets.WIN_CSC_LINK }}
+      CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
+      WIN_CSC_KEY_PASSWORD: ${{ secrets.WIN_CSC_KEY_PASSWORD }}

.github/workflows/lint.yml

@@ -3,20 +3,39 @@ name: Lint
 on:
   workflow_call:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
-  lint:
-    name: biomejs
+  lint-code:
+    name: Lint Code [biomejs]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup Node.js
         uses: ./.github/actions/setup-node
 
       - name: Run linter
         run: pnpm lint:check
+
+  lint-actions:
+    name: Lint GitHub Actions [actionlint]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+          sparse-checkout: .github/
+
+      - name: GitHub Actions linter
+        uses: docker://rhysd/actionlint:1.7.12@sha256:b1934ee5f1c509618f2508e6eb47ee0d3520686341fec936f3b79331f9315667

.github/workflows/milestone.yml

@@ -7,28 +7,31 @@ on:
     types:
       - closed
 
-permissions:
-  pull-requests: write
+permissions: {}
 
 jobs:
   add-milestone:
     if: github.event.pull_request.merged == true
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
-      - name: Authenticate GitHub CLI
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | gh auth login --with-token
-
       - name: Get open milestone
         id: milestone
         run: |
           milestone=$(gh api repos/${{ github.repository }}/milestones \
             --jq '.[] | select(.state=="open") | .title' | head -n 1)
           echo "Found milestone: $milestone"
-          echo "milestone=$milestone" >> $GITHUB_OUTPUT
+          echo "milestone=$milestone" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Add milestone to PR
         if: steps.milestone.outputs.milestone != ''
         run: |
           gh pr edit ${{ github.event.pull_request.number }} \
             --repo ${{ github.repository }} \
-            --milestone "${{ steps.milestone.outputs.milestone }}"
+            --milestone "${STEPS_MILESTONE_OUTPUTS_MILESTONE}"
+        env:
+          STEPS_MILESTONE_OUTPUTS_MILESTONE: ${{ steps.milestone.outputs.milestone }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/publish.yml

@@ -2,42 +2,68 @@ name: Publish
 
 on:
   workflow_call:
+    secrets:
+      OAUTH_CLIENT_ID:
+        required: true
+      # Signing certificates
+      CSC_LINK:
+        required: true
+      WIN_CSC_LINK:
+        required: true
+      CSC_KEY_PASSWORD:
+        required: true
+      WIN_CSC_KEY_PASSWORD:
+        required: true
+      # macOS specific
+      APPLE_ID_USERNAME:
+        required: true
+      APPLE_ID_PASSWORD:
+        required: true
+      APPLE_ID_TEAM_ID:
+        required: true
   workflow_dispatch: # For manually running release process to verify code-signing of artifacts
 
-permissions:
-  contents: write
+permissions: {}
 
 jobs:
   prepare:
     name: Prepare draft release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98
+        with:
+          persist-credentials: false
 
       - name: Parse release branch
         if: startsWith(github.ref, 'refs/heads/release/')
         run: |
           # Extract the branch name (e.g. release/v1.2.3[-meta])
           ref=${GITHUB_REF#refs/heads/}
-          echo "RELEASE_BRANCH=$ref" >> $GITHUB_ENV
+          echo "RELEASE_BRANCH=$ref" >> "$GITHUB_ENV"
           # Also export a RELEASE_TAG by removing the `release/` prefix (keeps leading 'v')
           tag=${ref#release/}
-          echo "RELEASE_TAG=$tag" >> $GITHUB_ENV
+          echo "RELEASE_TAG=$tag" >> "$GITHUB_ENV"
         shell: bash
 
       - name: Create draft release
-        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
-        with:
-          name: "${{ env.RELEASE_TAG }}"
-          tag_name: "${{ env.RELEASE_TAG }}"
-          draft: true
-          body: '# <img src="https://github.com/gitify-app/gitify/blob/3554605d32a6c08a3d4ec17b02b90e2dd276a152/assets/images/tray-active%402x.png" /> Gitify ${{ env.RELEASE_TAG }}'
-          generate_release_notes: true
+        run: |
+          gh release create "${RELEASE_TAG}" \
+            --title "${RELEASE_TAG}" \
+            --draft \
+            --notes "# <img src=\"https://github.com/gitify-app/gitify/blob/3554605d32a6c08a3d4ec17b02b90e2dd276a152/assets/images/tray-active%402x.png\" /> Gitify ${RELEASE_TAG}" \
+            --generate-notes
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RELEASE_TAG: ${{ env.RELEASE_TAG }}
 
   release:
-    name: Publish ${{ matrix.platform }} (electron-builder)
+    name: Publish ${{ matrix.platform }} [electron-builder]
     needs: prepare
+    permissions:
+      contents: write
     strategy:
       matrix:
         include:
@@ -61,6 +87,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup Node.js
         uses: ./.github/actions/setup-node

.github/workflows/release.yml

@@ -5,24 +5,38 @@ on:
     branches:
       - release/v*.*.* # macOS code-signing only works on `push` events and not `pull_request` events
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   lint:
     name: Lint App
     uses: ./.github/workflows/lint.yml
+    permissions:
+      contents: read
 
   tests:
     name: Tests
     uses: ./.github/workflows/test.yml
     needs: lint
-    secrets: inherit
+    permissions:
+      contents: read
+    secrets:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
   publish:
     name: Publish
     uses: ./.github/workflows/publish.yml
     needs: tests
-    secrets: inherit
     permissions:
       contents: write
+    secrets:
+      OAUTH_CLIENT_ID: ${{ secrets.OAUTH_CLIENT_ID }}
+      # Signing certificates
+      CSC_LINK: ${{ secrets.CSC_LINK }}
+      WIN_CSC_LINK: ${{ secrets.WIN_CSC_LINK }}
+      CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
+      WIN_CSC_KEY_PASSWORD: ${{ secrets.WIN_CSC_KEY_PASSWORD }}
+      # macOS specific
+      APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }}
+      APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+      APPLE_ID_TEAM_ID: ${{ secrets.APPLE_ID_TEAM_ID }}

.github/workflows/renovate.yml

@@ -10,8 +10,7 @@ on:
     paths:
       - renovate.json
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   renovate-config-validator:
@@ -20,6 +19,9 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+          sparse-checkout: renovate.json
 
       - uses: ./.github/actions/setup-node
         with:

.github/workflows/test.yml

@@ -2,18 +2,24 @@ name: Test
 
 on:
   workflow_call:
+    secrets:
+      SONAR_TOKEN:
+        required: true
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   run-unit-tests:
     name: Run Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup Node.js
         uses: ./.github/actions/setup-node
@@ -34,6 +40,8 @@ jobs:
     name: SonarQube Cloud Analysis
     runs-on: ubuntu-latest
     needs: run-unit-tests
+    permissions:
+      contents: read
     # Only analyze PRs from the same repository. Limitation of SonarQube Cloud
     if: github.event.pull_request.head.repo.fork == false
 
@@ -42,6 +50,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+          persist-credentials: false
 
       - name: Setup Node.js
         uses: ./.github/actions/setup-node