diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9c366d097..a65122cab 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -12,7 +12,7 @@ on: - closed permissions: - contents: read + contents: read # Baseline for actions/checkout; elevated scopes are granted per-job concurrency: group: pages-preview-${{ github.event.pull_request.number }} @@ -22,12 +22,13 @@ jobs: build: runs-on: ubuntu-latest permissions: - contents: write - pull-requests: write + contents: write # Needed to push the PR preview to the gh-pages branch + pull-requests: write # Needed to comment the preview link on the PR steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: fetch-depth: 0 + persist-credentials: false - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml index 820f2d1f3..1923fdaf0 100644 --- a/.github/workflows/ossf-scorecard.yml +++ b/.github/workflows/ossf-scorecard.yml @@ -13,7 +13,7 @@ jobs: scorecard: uses: platform-mesh/.github/.github/workflows/job-ossf-scorecard.yml@068efd5c6c7a6d0c4b28f5887de7ca156cb5f7b8 # main permissions: - security-events: write - id-token: write - contents: read - actions: read + security-events: write # Needed to upload Scorecard results to the GitHub Security tab + id-token: write # Needed for keyless publishing of Scorecard results + contents: read # Needed to read repository contents + actions: read # Needed to read GitHub Actions workflows diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 784a7a5f3..02adfed96 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,7 +8,7 @@ on: workflow_dispatch: permissions: - contents: read + contents: read # Baseline for actions/checkout; elevated scopes are granted per-job concurrency: group: pages-${{ github.ref_name }} @@ -18,15 +18,16 @@ jobs: build: runs-on: ubuntu-latest permissions: - contents: write + contents: write # Needed to push the built site to the gh-pages branch steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: fetch-depth: 0 + persist-credentials: false - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 - cache: npm + cache: npm # zizmor: ignore[cache-poisoning] - id: configure uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6 @@ -34,9 +35,9 @@ jobs: - id: set-version name: Set documentation version run: | - if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then + if [[ "${GITHUB_REF}" == "refs/heads/main" ]]; then echo "version=main" >> $GITHUB_OUTPUT - elif [[ "${{ github.ref }}" == refs/heads/release-* ]]; then + elif [[ "${GITHUB_REF}" == refs/heads/release-* ]]; then echo "version=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT else echo "version=" >> $GITHUB_OUTPUT diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 000000000..64b8327d3 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,26 @@ +name: Zizmor +on: + push: + branches: [main] + pull_request: + branches: [main] + schedule: + - cron: '30 4 * * 1' + workflow_dispatch: + +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + zizmor: + uses: platform-mesh/.github/.github/workflows/job-zizmor.yml@03e076ff9aebe43ead6b9d77f3bb764a9d411347 # main + with: + persona: 'auditor' + permissions: + security-events: write # Needed to write to the GitHub Security tab + contents: read # Needed to read repository contents + actions: read # Needed to read GitHub Actions workflows diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 000000000..410b5cce4 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,8 @@ +# zizmor configuration for platform-mesh.github.io workflows. +# https://docs.zizmor.sh/configuration/ +rules: + # Repo convention: jobs are identified by their key (e.g. `build`), not a + # separate display name. Adding `name:` to every job would fight the + # established style across the workflows here. + anonymous-definition: + disable: true