
Commit 1af7aa8

authored
Merge pull request #197 from paritytech/fix/zizmor-gh-fixes
ci(security): Address zizmor findings
2 parents 18a6a75 + 334f8a4 commit 1af7aa8

9 files changed

Lines changed: 125 additions & 59 deletions


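--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,15 @@
+# dtolnay/rust-toolchain publishes no version tags (only channel branches like
+# stable/nightly), so Dependabot cannot bump its pinned SHAs — refresh those by
+# hand. Every other action here auto-updates on the weekly schedule below.
+version: 2
+updates:
+- package-ecosystem: github-actions
+directory: /
+schedule:
+interval: weekly
+cooldown:
+default-days: 7
+groups:
+actions:
+patterns:
+- "*"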

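--- a/.github/workflows/check-rfc.yml
+++ b/.github/workflows/check-rfc.yml
@@ -14,9 +14,10 @@ jobs:
 if: github.event.pull_request.user.login != 'github-actions[bot]'
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0
+persist-credentials: false
 
 # ── Check that the RFC document exists ──
 - name: Require RFC document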
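Review bot: With `persist-credentials: false` now set on the checkout, the workflow token is no longer left in the checked-out repo's git config, so any later step in this job that pushes, fetches or calls the API through git will need the token passed explicitly (for example `secrets.GITHUB_TOKEN` in that step's `env`); the job's remaining steps lie outside the hunk, so whether such a step exists cannot be confirmed here. The same consideration applies to number-rfc.yml, whose `Number unnumbered RFCs` shell step follows an identical checkout, and to diagnosis-report.yml's `Build the report PR` step, both of which look like they may write back to the repository. If those steps only read the tree, no further change is needed.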

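--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -20,15 +20,20 @@ jobs:
 env:
 RUSTFLAGS: "-D warnings"
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+with:
+persist-credentials: false
 
-- uses: dtolnay/rust-toolchain@nightly
+- uses: dtolnay/rust-toolchain@5b842231ba77f5c045dba54ac5560fed2db780e2 # nightly
 with:
+toolchain: nightly
 components: rustfmt, clippy
 
-- uses: dtolnay/rust-toolchain@stable
+- uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
+with:
+toolchain: stable
 
-- uses: Swatinem/rust-cache@v2
+- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
 
 - name: cargo build
 run: cargo build --workspace --all-targets --all-features
@@ -46,15 +51,21 @@ jobs:
 name: Codegen
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+with:
+persist-credentials: false
 
-- uses: dtolnay/rust-toolchain@stable
+- uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
+with:
+toolchain: stable
 
-- uses: dtolnay/rust-toolchain@nightly
+- uses: dtolnay/rust-toolchain@5b842231ba77f5c045dba54ac5560fed2db780e2 # nightly
+with:
+toolchain: nightly
 
-- uses: Swatinem/rust-cache@v2
+- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
 
-- uses: actions/setup-node@v4
+- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: 22
 
@@ -65,7 +76,7 @@ jobs:
 run: ./scripts/codegen.sh
 
 - name: Upload codegen output
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: codegen-output
 if-no-files-found: error
@@ -85,18 +96,20 @@ jobs:
 env:
 TRUAPI_REQUIRE_GENERATED: 1
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+with:
+persist-credentials: false
 
-- uses: actions/setup-node@v4
+- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: 22
 
-- uses: oven-sh/setup-bun@v2
+- uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
 with:
 bun-version: latest
 
 - name: Download codegen output
-uses: actions/download-artifact@v4
+uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
 with:
 name: codegen-output
 
@@ -116,14 +129,16 @@ jobs:
 env:
 TRUAPI_REQUIRE_GENERATED: 1
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+with:
+persist-credentials: false
 
-- uses: actions/setup-node@v4
+- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: 22
 
 - name: Download codegen output
-uses: actions/download-artifact@v4
+uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
 with:
 name: codegen-output
 
@@ -135,7 +150,7 @@ jobs:
 run: yarn install --frozen-lockfile
 
 - name: Cache Next.js build
-uses: actions/cache@v4
+uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: playground/.next/cache
 key: ${{ runner.os }}-nextjs-${{ hashFiles('playground/yarn.lock') }}-${{ hashFiles('playground/src/**', 'playground/scripts/**', 'playground/public/**', 'playground/next.config.js', 'playground/tsconfig.json', 'playground/package.json') }}
@@ -157,14 +172,16 @@ jobs:
 env:
 TRUAPI_REQUIRE_GENERATED: 1
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+with:
+persist-credentials: false
 
-- uses: actions/setup-node@v4
+- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: 22
 
 - name: Download codegen output
-uses: actions/download-artifact@v4
+uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
 with:
 name: codegen-output
 
@@ -193,20 +210,21 @@ jobs:
 env:
 TRUAPI_REQUIRE_GENERATED: 1
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 submodules: recursive
+persist-credentials: false
 
-- uses: actions/setup-node@v4
+- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: 22
 
-- uses: oven-sh/setup-bun@v2
+- uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
 with:
 bun-version: latest
 
 - name: Download codegen output
-uses: actions/download-artifact@v4
+uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
 with:
 name: codegen-output
 
@@ -231,7 +249,7 @@ jobs:
 
 - name: Upload Playwright report
 if: failure()
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: playwright-report
 path: playground/playwright-report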
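Review bot: `bun-version: latest` in the two setup-bun steps (old lines 96 and 206) still resolves the Bun binary at run time, so pinning `oven-sh/setup-bun` to a commit leaves the tool that actually runs unpinned and the job non-reproducible; a fixed, quoted version string (e.g. `bun-version: "1.2.3"`, constructed placeholder) would close that gap and let Dependabot-style review see tool bumps. Separately, `toolchain: stable` and `toolchain: nightly` are now passed explicitly, so the two `dtolnay/rust-toolchain` steps no longer need to point at different commits of the action; referencing one SHA for both would halve the hand-refresh work the new dependabot.yml comment describes. The same two-SHA pattern appears in deploy-docs.yml and deploy-playground.yml. Also, the `Swatinem/rust-cache` pin carries only `# v2` while every other pin records the full release, which makes it harder to check that the SHA matches a tag.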

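--- a/.github/workflows/deploy-docs.yml
+++ b/.github/workflows/deploy-docs.yml
@@ -11,27 +11,31 @@ concurrency:
 
 permissions:
 contents: read
-pages: write
-id-token: write
 
 jobs:
 build:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+with:
+persist-credentials: false
 
-- uses: dtolnay/rust-toolchain@stable
+- uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
+with:
+toolchain: stable
 
-- uses: Swatinem/rust-cache@v2
+- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
 
-- uses: actions/setup-node@v4
+- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: 22
 
 - name: Configure Pages
-uses: actions/configure-pages@v5
+uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
 
-- uses: dtolnay/rust-toolchain@nightly
+- uses: dtolnay/rust-toolchain@5b842231ba77f5c045dba54ac5560fed2db780e2 # nightly
+with:
+toolchain: nightly
 
 - name: Install workspace dependencies
 run: npm ci
@@ -47,7 +51,7 @@ jobs:
 run: yarn install --frozen-lockfile
 
 - name: Cache Next.js build
-uses: actions/cache@v4
+uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: playground/.next/cache
 key: ${{ runner.os }}-nextjs-${{ hashFiles('playground/yarn.lock') }}-${{ hashFiles('playground/src/**', 'playground/scripts/**', 'playground/public/**', 'playground/next.config.js', 'playground/tsconfig.json', 'playground/package.json') }}
@@ -94,17 +98,20 @@ jobs:
 touch site/.nojekyll
 
 - name: Upload Pages artifact
-uses: actions/upload-pages-artifact@v3
+uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
 with:
 path: site
 
 deploy:
 needs: build
 runs-on: ubuntu-latest
+permissions:
+pages: write
+id-token: write
 environment:
 name: github-pages
 url: ${{ steps.deployment.outputs.page_url }}
 steps:
 - name: Deploy to GitHub Pages
 id: deployment
-uses: actions/deploy-pages@v4
+uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5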
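Review bot: After `pages: write` and `id-token: write` are removed from the workflow-level block (old lines 14-15) and granted only on the `deploy` job, the `build` job's `Configure Pages` step now runs with `contents: read` alone; `actions/configure-pages` talks to the Pages API, and whether it succeeds without a `pages` permission is not something the hunk shows, so confirm it on a run before relying on this. If it does need more, grant `pages: write` on the `build` job only rather than restoring the workflow-wide grant, which keeps the least-privilege intent of the change. Note also that a job-level `permissions` block replaces the workflow-level set entirely, so the `deploy` job no longer holds `contents: read`; that appears fine for `actions/deploy-pages`, which consumes the uploaded artifact rather than the checkout, but it is worth stating in a comment on the new `permissions:` line so the next editor does not "fix" it.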

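--- a/.github/workflows/deploy-playground.yml
+++ b/.github/workflows/deploy-playground.yml
@@ -27,17 +27,23 @@ jobs:
 deploy-playground:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+with:
+persist-credentials: false
 
-- uses: actions/setup-node@v4
+- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: 22
 
-- uses: dtolnay/rust-toolchain@stable
+- uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
+with:
+toolchain: stable
 
-- uses: dtolnay/rust-toolchain@nightly
+- uses: dtolnay/rust-toolchain@5b842231ba77f5c045dba54ac5560fed2db780e2 # nightly
+with:
+toolchain: nightly
 
-- uses: Swatinem/rust-cache@v2
+- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
 
 - name: Build @parity/truapi
 run: npm ci && ./scripts/codegen.sh
@@ -47,7 +53,7 @@ jobs:
 run: yarn install --frozen-lockfile
 
 - name: Cache Next.js build
-uses: actions/cache@v4
+uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: playground/.next/cache
 key: ${{ runner.os }}-nextjs-${{ hashFiles('playground/yarn.lock') }}-${{ hashFiles('playground/src/**', 'playground/scripts/**', 'playground/public/**', 'playground/next.config.js', 'playground/tsconfig.json', 'playground/package.json') }}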

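--- a/.github/workflows/diagnosis-report.yml
+++ b/.github/workflows/diagnosis-report.yml
@@ -25,7 +25,9 @@ jobs:
 if: github.event.label.name == 'diagnosis-report'
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+with:
+persist-credentials: false
 
 - name: Build the report PR
 env: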

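--- a/.github/workflows/number-rfc.yml
+++ b/.github/workflows/number-rfc.yml
@@ -14,9 +14,10 @@ jobs:
 number-rfc:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0
+persist-credentials: false
 
 - name: Number unnumbered RFCs
 run: |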

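--- a/.github/workflows/release-version-check.yml
+++ b/.github/workflows/release-version-check.yml
@@ -12,7 +12,9 @@ jobs:
 if: startsWith(github.event.pull_request.title, 'release:')
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+with:
+persist-credentials: false
 
 - name: Verify package.json and Cargo.toml versions match
 run: |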
