Skip to content

Commit 17cb5c4

Browse files
authored
ci: add zizmor workflow audits and harden workflows (#246)
1 parent aaf4ad5 commit 17cb5c4

7 files changed

Lines changed: 88 additions & 15 deletions

File tree

.github/dependabot.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,11 +5,15 @@ updates:
55
schedule:
66
interval: daily
77
open-pull-requests-limit: 10
8+
cooldown:
9+
default-days: 7
810
- package-ecosystem: npm
911
directory: "/"
1012
schedule:
1113
interval: daily
1214
open-pull-requests-limit: 10
15+
cooldown:
16+
default-days: 7
1317
ignore:
1418
- dependency-name: "@typescript-eslint/eslint-plugin"
1519
- dependency-name: "@typescript-eslint/parser"

.github/workflows/ci.yml

Lines changed: 11 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -8,22 +8,29 @@ on:
88
branches:
99
- main
1010

11+
permissions:
12+
contents: read
13+
1114
jobs:
1215
build:
1316
runs-on: ubuntu-latest
17+
permissions:
18+
contents: read
1419

1520
strategy:
1621
matrix:
1722
node-version: [18.x, 20.x, 22.x, 24.x]
1823

1924
steps:
20-
- uses: actions/checkout@v4
25+
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
26+
with:
27+
persist-credentials: false
2128

2229
- name: Install pnpm
23-
uses: pnpm/action-setup@v6
30+
uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
2431

2532
- name: Use Node.js
26-
uses: actions/setup-node@v4
33+
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
2734
with:
2835
node-version: ${{ matrix.node-version }}
2936
cache: 'pnpm'
@@ -42,6 +49,6 @@ jobs:
4249
pull-requests: write
4350
contents: write
4451
steps:
45-
- uses: fastify/github-action-merge-dependabot@v3
52+
- uses: fastify/github-action-merge-dependabot@30c3f8f14a4f7b315ba38dbc1b793d27128fef82 # v3.12.0
4653
with:
4754
github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/coverage.yml

Lines changed: 10 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -7,26 +7,32 @@ on:
77
branches:
88
- main
99

10+
permissions:
11+
contents: read
12+
1013
jobs:
1114
build:
1215
runs-on: ubuntu-latest
1316
name: coverage
17+
permissions:
18+
contents: read
1419

1520
strategy:
1621
matrix:
1722
node-version: [20.x]
1823

1924
steps:
2025
- name: Checkout Repository
21-
uses: actions/checkout@v4
26+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
2227
with:
2328
fetch-depth: 1
29+
persist-credentials: false
2430

2531
- name: Install pnpm
26-
uses: pnpm/action-setup@v6
32+
uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
2733

2834
- name: Setup Node ${{ matrix.node-version }}
29-
uses: actions/setup-node@v4
35+
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
3036
with:
3137
always-auth: false
3238
node-version: ${{ matrix.node-version }}
@@ -41,7 +47,7 @@ jobs:
4147
CI: true
4248

4349
- name: Update Coveralls
44-
uses: coverallsapp/github-action@master
50+
uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7
4551
with:
4652
github-token: ${{ secrets.GITHUB_TOKEN }}
4753
if: success()

.github/workflows/linting.yml

Lines changed: 9 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -10,26 +10,32 @@ on:
1010
branches:
1111
- main
1212

13+
permissions:
14+
contents: read
15+
1316
jobs:
1417
build:
1518
runs-on: ubuntu-latest
1619
name: linting
20+
permissions:
21+
contents: read
1722

1823
strategy:
1924
matrix:
2025
node-version: [20.x]
2126

2227
steps:
2328
- name: Checkout Repository
24-
uses: actions/checkout@v4
29+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
2530
with:
2631
fetch-depth: 1
32+
persist-credentials: false
2733

2834
- name: Install pnpm
29-
uses: pnpm/action-setup@v6
35+
uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
3036

3137
- name: Setup Node ${{ matrix.node-version }}
32-
uses: actions/setup-node@v4
38+
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
3339
with:
3440
always-auth: false
3541
node-version: ${{ matrix.node-version }}

.github/workflows/publish.yml

Lines changed: 9 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,9 @@ on:
88
branches:
99
- main
1010

11+
permissions:
12+
contents: read
13+
1114
jobs:
1215
publish:
1316
if: github.event.pull_request.merged == true && (contains(github.event.pull_request.labels.*.name, 'patch') || contains(github.event.pull_request.labels.*.name, 'minor') || contains(github.event.pull_request.labels.*.name, 'major'))
@@ -19,16 +22,16 @@ jobs:
1922

2023
steps:
2124
- name: Checkout Repository
22-
uses: actions/checkout@v6
25+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
2326
with:
2427
fetch-depth: 0
2528
token: ${{ secrets.GITHUB_TOKEN }}
2629

2730
- name: Install pnpm
28-
uses: pnpm/action-setup@v6
31+
uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
2932

3033
- name: Setup Node
31-
uses: actions/setup-node@v6
34+
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
3235
with:
3336
node-version: 24.x
3437
registry-url: 'https://registry.npmjs.org'
@@ -57,8 +60,10 @@ jobs:
5760
fi
5861
5962
- name: Bump version
63+
env:
64+
VERSION_BUMP: ${{ steps.version.outputs.bump }}
6065
run: |
61-
pnpm version ${{ steps.version.outputs.bump }} -m "chore: release v%s"
66+
pnpm version "$VERSION_BUMP" -m "chore: release v%s"
6267
git push
6368
git push --tags
6469

.github/workflows/zizmor.yml

Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,39 @@
1+
---
2+
3+
name: zizmor
4+
5+
on:
6+
push:
7+
branches:
8+
- main
9+
pull_request:
10+
branches:
11+
- main
12+
13+
permissions:
14+
contents: read
15+
16+
jobs:
17+
zizmor:
18+
runs-on: ubuntu-latest
19+
name: zizmor
20+
permissions:
21+
contents: read
22+
23+
steps:
24+
- name: Checkout Repository
25+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
26+
with:
27+
fetch-depth: 1
28+
persist-credentials: false
29+
30+
- name: Run zizmor
31+
uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
32+
with:
33+
min-severity: medium
34+
# advanced-security uses SARIF output, but zizmor's SARIF mode
35+
# always exits 0, so the job wouldn't fail on findings.
36+
# Disable it (and enable inline annotations instead) so medium+
37+
# severity findings actually fail the workflow.
38+
advanced-security: false
39+
annotations: true

.github/zizmor.yml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,6 @@
1+
rules:
2+
artipacked:
3+
ignore:
4+
# publish.yml needs persisted credentials so the workflow can
5+
# push the version-bump commit and release tag back to main.
6+
- publish.yml

0 commit comments

Comments
 (0)