harden github actions

Author: Perminder Singh

.github/workflows/auto-close-issues.yml

@@ -4,15 +4,21 @@ on:
   pull_request:
     types: [closed]
     branches:
+      - 2.0
       - dev-2.0
 
+permissions:
+  contents: read
+  issues: write
+  pull-requests: read
+
 jobs:
   close_issues:
     if: github.event.pull_request.merged == true
     runs-on: ubuntu-latest
     steps:
       - name: Close linked issues on non-default branches
-        uses: processing/branch-pr-close-issue@v1
+        uses: processing/branch-pr-close-issue@9fd7b409a12c677c5cdd8ff82c45600f790074e1 # v1
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-          branch: dev-2.0
+          branch: dev-2.0

.github/workflows/ci-lint.yml

@@ -7,20 +7,24 @@ on:
   pull_request:
     branches:
       - '*'
+permissions:
+  contents: read
 
 jobs:
   lint:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v1
-      - name: Use Node.js 22.x
-        uses: actions/setup-node@v1
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
-          node-version: 22.x
+          persist-credentials: false
+      - name: Use Node.js 20.x
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: 20.x
       - name: Get node modules
         run: npm ci
         env:
           CI: true
       - name: Lint source code
-        run: npm run lint
+        run: npm run lint

.github/workflows/ci-test.yml

@@ -9,6 +9,9 @@ on:
     branches:
       - '*'
 
+permissions:
+  contents: read
+
 jobs:
   test:
     strategy:
@@ -22,10 +25,12 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          persist-credentials: false
 
       - name: Use Node.js 22.x
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 22.x
 
@@ -59,7 +64,7 @@ jobs:
           CI: true
       - name: Upload Visual Test Report
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: visual-test-report
           path: test/unit/visual/visual-report.html
@@ -74,9 +79,10 @@ jobs:
           CI: true
       - name: report test coverage
         if: steps.test.outcome == 'success'
-        run: bash <(curl -s https://codecov.io/bash) -f coverage/coverage-final.json
-        env:
-          CI: true
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        with:
+          files: coverage/coverage-final.json
+          fail_ci_if_error: false
       - name: fail job if tests failed
         if: steps.test.outcome != 'success'
         run: exit 1

.github/workflows/contributors-png.yml

@@ -5,15 +5,20 @@ on:
     paths:
       - '.all-contributorsrc'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     if: github.ref == 'refs/heads/main' && github.repository == 'processing/p5.js'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          persist-credentials: false
 
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 20
 
@@ -30,7 +35,7 @@ jobs:
           git checkout -- .
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11
         with:
           commit-message: "Update contributors.png from .all-contributorsrc"
           branch: update-contributors-png

.github/workflows/labeler.yml

@@ -3,12 +3,13 @@ on:
   issues:
     types: [opened, edited]
 permissions:
+  contents: read
   issues: write
 jobs:
   triage:
     runs-on: ubuntu-latest
     steps:
-      - uses: github/issue-labeler@v3.2
+      - uses: github/issue-labeler@98b5412841f6c4b0b3d9c29d53c13fad16bd7de2 # v3.2
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
           configuration-path: .github/labeler.yml

.github/workflows/release-workflow-v2.yml

@@ -18,13 +18,15 @@ jobs:
       INPUT_TOKEN: ${{ secrets.NPM_TOKEN }}
     steps:
       # 1. Setup
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
         with:
-          node-version: 22
+          persist-credentials: false
+      - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
+        with:
+          node-version: 20
       - name: Get semver info
         id: semver
-        uses: akshens/semver-tag@v4
+        uses: akshens/semver-tag@8e427cd48c699c97d021df4946f3a0e65af5047e # v4
         with:
           version: ${{ github.ref_name }}
 
@@ -42,22 +44,16 @@ jobs:
         env:
           CI: true
       - name: Run test
-        run: npm test -- --project=unit-tests
+        run: npm test
         env:
           CI: true
       - name: Run build
         run: npm run build
-      - name: Generate types
-        run: npm run generate-types
-      - name: test TypeScript types
-        run: npm run test:types
-        env:
-          CI: true
 
       # 2. Prepare release files
       - run: mkdir release && mkdir p5 && cp -r ./lib/* p5/
       - name: Create release zip file
-        uses: TheDoctor0/zip-release@0.6.2
+        uses: TheDoctor0/zip-release@09336613be18a8208dfa66bd57efafd9e2685657 # 0.6.2
         with:
           type: zip
           filename: release/p5.zip
@@ -68,29 +64,30 @@ jobs:
 
       # 3. Release p5.js
       - name: Create GitHub release
-        uses: softprops/action-gh-release@v0.1.15
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
         with:
           draft: true
           prerelease: ${{ steps.semver.outputs.is-prerelease == 'true' }}
           files: release/*
           generate_release_notes: true
-          token: ${{ secrets.ACCESS_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
       - name: Publish to NPM
-        uses: JS-DevTools/npm-publish@v1
+        uses: JS-DevTools/npm-publish@0f451a94170d1699fd50710966d48fb26194d939
         with:
           token: ${{ secrets.NPM_TOKEN }}
           tag: ${{ steps.semver.outputs.is-prerelease != 'true' && 'latest' || 'beta' }}
 
       # 4. Update p5.js website
       - name: Clone p5.js website
         if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
         with:
           repository: processing/p5.js-website
           ref: '2.0'
           path: website
           fetch-depth: 0
           token: ${{ secrets.ACCESS_TOKEN }}
+          persist-credentials: false
       - name: Updated website files
         if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
         run: |
@@ -111,9 +108,9 @@ jobs:
           git commit -m "Update p5.js to ${{ github.ref_name }}"
       - name: Push updated website repo
         if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
-        uses: ad-m/github-push-action@v0.6.0
+        uses: ad-m/github-push-action@40bf560936a8022e68a3c00e7d2abefaf01305a6 # v0.6.0
         with:
           github_token: ${{ secrets.ACCESS_TOKEN }}
           branch: '2.0'
           directory: website/
-          repository: processing/p5.js-website
+          repository: processing/p5.js-website

.github/workflows/release-workflow.yml

@@ -18,13 +18,15 @@ jobs:
       INPUT_TOKEN: ${{ secrets.NPM_TOKEN }}
     steps:
       # 1. Setup
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
         with:
-          node-version: 22
+          persist-credentials: false
+      - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
+        with:
+          node-version: 20
       - name: Get semver info
         id: semver
-        uses: akshens/semver-tag@v4
+        uses: akshens/semver-tag@8e427cd48c699c97d021df4946f3a0e65af5047e # v4
         with:
           version: ${{ github.ref_name }}
 
@@ -41,17 +43,16 @@ jobs:
         run: npm ci
         env:
           CI: true
-      - name: Run test
+      - name: Run build
         run: npm test
         env:
           CI: true
-      - name: Run build
-        run: npm run build
+      - run: rm ./lib/p5-test.js ./lib/p5.pre-min.js
 
       # 2. Prepare release files
       - run: mkdir release && mkdir p5 && cp -r ./lib/* p5/
       - name: Create release zip file
-        uses: TheDoctor0/zip-release@0.6.2
+        uses: TheDoctor0/zip-release@09336613be18a8208dfa66bd57efafd9e2685657 # 0.6.2
         with:
           type: zip
           filename: release/p5.zip
@@ -62,7 +63,7 @@ jobs:
 
       # 3. Release p5.js
       - name: Create GitHub release
-        uses: softprops/action-gh-release@v0.1.15
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
         with:
           draft: true
           prerelease: ${{ steps.semver.outputs.is-prerelease == 'true' }}
@@ -71,19 +72,21 @@ jobs:
           token: ${{ secrets.ACCESS_TOKEN }}
       - name: Publish to NPM
         if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
-        uses: JS-DevTools/npm-publish@v1
+        uses: JS-DevTools/npm-publish@0f451a94170d1699fd50710966d48fb26194d939 # v1
         with:
           token: ${{ secrets.NPM_TOKEN }}
+          tag: r1
 
       # 4. Update p5.js website
       - name: Clone p5.js website
         if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
         with:
           repository: processing/p5.js-website
           path: website
           fetch-depth: 0
           token: ${{ secrets.ACCESS_TOKEN }}
+          persist-credentials: false
       - name: Updated website files
         if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
         run: |
@@ -104,7 +107,7 @@ jobs:
           git commit -m "Update p5.js to ${{ github.ref_name }}"
       - name: Push updated website repo
         if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
-        uses: ad-m/github-push-action@v0.6.0
+        uses: ad-m/github-push-action@40bf560936a8022e68a3c00e7d2abefaf01305a6 # v0.6.0
         with:
           github_token: ${{ secrets.ACCESS_TOKEN }}
           branch: main
@@ -114,12 +117,13 @@ jobs:
       # 5. Update Bower files
       - name: Checkout Bower repo
         if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
         with:
           repository: processing/p5.js-release
           path: bower
           fetch-depth: 0
           token: ${{ secrets.ACCESS_TOKEN }}
+          persist-credentials: false
       - name: Copy new version files to Bower repo
         if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
         run: |
@@ -135,7 +139,7 @@ jobs:
           git commit -m "Update p5.js to ${{ github.ref_name }}"
       - name: Push updated Bower repo
         if: ${{ steps.semver.outputs.is-prerelease != 'true' }}
-        uses: ad-m/github-push-action@v0.6.0
+        uses: ad-m/github-push-action@40bf560936a8022e68a3c00e7d2abefaf01305a6 # v0.6.0
         with:
           github_token: ${{ secrets.ACCESS_TOKEN }}
           branch: master