Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 4 additions & 3 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ on:
- closed

permissions:
contents: read
contents: read # Baseline for actions/checkout; elevated scopes are granted per-job

concurrency:
group: pages-preview-${{ github.event.pull_request.number }}
Expand All @@ -22,12 +22,13 @@ jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
contents: write # Needed to push the PR preview to the gh-pages branch
pull-requests: write # Needed to comment the preview link on the PR
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
fetch-depth: 0
persist-credentials: false
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
with:
node-version: 24
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/ossf-scorecard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ jobs:
scorecard:
uses: platform-mesh/.github/.github/workflows/job-ossf-scorecard.yml@068efd5c6c7a6d0c4b28f5887de7ca156cb5f7b8 # main
permissions:
security-events: write
id-token: write
contents: read
actions: read
security-events: write # Needed to upload Scorecard results to the GitHub Security tab
id-token: write # Needed for keyless publishing of Scorecard results
contents: read # Needed to read repository contents
actions: read # Needed to read GitHub Actions workflows
11 changes: 6 additions & 5 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ on:
workflow_dispatch:

permissions:
contents: read
contents: read # Baseline for actions/checkout; elevated scopes are granted per-job

concurrency:
group: pages-${{ github.ref_name }}
Expand All @@ -18,25 +18,26 @@ jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: write
contents: write # Needed to push the built site to the gh-pages branch
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
fetch-depth: 0
persist-credentials: false
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
with:
node-version: 24
cache: npm
cache: npm # zizmor: ignore[cache-poisoning]

- id: configure
uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6

- id: set-version
name: Set documentation version
run: |
if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
if [[ "${GITHUB_REF}" == "refs/heads/main" ]]; then
echo "version=main" >> $GITHUB_OUTPUT
elif [[ "${{ github.ref }}" == refs/heads/release-* ]]; then
elif [[ "${GITHUB_REF}" == refs/heads/release-* ]]; then
echo "version=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT
else
echo "version=" >> $GITHUB_OUTPUT
Expand Down
26 changes: 26 additions & 0 deletions .github/workflows/zizmor.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
name: Zizmor
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: '30 4 * * 1'
workflow_dispatch:

permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
zizmor:
uses: platform-mesh/.github/.github/workflows/job-zizmor.yml@03e076ff9aebe43ead6b9d77f3bb764a9d411347 # main
with:
persona: 'auditor'
permissions:
security-events: write # Needed to write to the GitHub Security tab
contents: read # Needed to read repository contents
actions: read # Needed to read GitHub Actions workflows
8 changes: 8 additions & 0 deletions .github/zizmor.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
# zizmor configuration for platform-mesh.github.io workflows.
# https://docs.zizmor.sh/configuration/
rules:
# Repo convention: jobs are identified by their key (e.g. `build`), not a
# separate display name. Adding `name:` to every job would fight the
# established style across the workflows here.
anonymous-definition:
disable: true
Loading