diff --git a/.github/workflows/ci.common.yml b/.github/workflows/ci.common.yml index 04cbb07..bd2b952 100644 --- a/.github/workflows/ci.common.yml +++ b/.github/workflows/ci.common.yml @@ -12,11 +12,15 @@ on: jobs: build: runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Node ${{ inputs.node_version }} - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ inputs.node_version }} package-manager-cache: false @@ -33,7 +37,11 @@ jobs: run: pnpm install --frozen-lockfile - name: Build - run: pnpm turbo run build --filter=${{ inputs.package_name }} + env: + PACKAGE_NAME: ${{ inputs.package_name }} + run: pnpm turbo run build --filter="$PACKAGE_NAME" - name: Run Tests - run: pnpm turbo run test --filter=${{ inputs.package_name }} + env: + PACKAGE_NAME: ${{ inputs.package_name }} + run: pnpm turbo run test --filter="$PACKAGE_NAME" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bafbe82..275b59b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,14 +6,20 @@ on: - main pull_request: +permissions: {} + jobs: changed-files-job: name: Get changed packages runs-on: ubuntu-latest + permissions: + contents: read outputs: packages: ${{ steps.detect.outputs.packages }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Get changed files id: changed-files 
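Review bot: The job-level `permissions: contents: read` added under `build:` can only narrow what the caller grants — in a `workflow_call` workflow (which the `inputs.node_version` reference implies this is) GitHub never lets the called side raise permissions — so its real effect depends on the calling job in ci.yml, which is outside this diff. With ci.yml now starting from a top-level `permissions: {}`, confirm the job that `uses:` this workflow declares `permissions: contents: read` itself; otherwise the grant here is a no-op and the pinned checkout runs with an empty token. A one-line comment above the block, `# caller must grant at least contents: read; a called workflow can only narrow`, would document that dependency for the next reader.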
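Review bot: `PACKAGE_NAME` is declared twice in this hunk, once on the Build step and once on Run Tests, both from the same `inputs.package_name`. A single job-level `env:` block under `build:` (`env:` / `  PACKAGE_NAME: ${{ inputs.package_name }}`) keeps the injection-safe env-var pattern while leaving one place to maintain, and the `--filter="$PACKAGE_NAME"` quoting on both `run:` lines stays exactly as written. The `build` job header is in the earlier hunk of this file, so the job-level block would sit just below `runs-on:`, outside this hunk.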
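Review bot: The `Get changed files` step, whose `uses:` line falls just past the end of this hunk, is the one step in this job that consumes PR-controlled data (the changed file paths) and feeds `outputs.packages`, yet it is the only step whose action pin cannot be confirmed from the diff. If it still references a mutable tag it should get the same `@<sha> # vX.Y.Z` treatment as `actions/checkout` above, since the job runs on `pull_request`. It is also worth confirming that the downstream jobs reading `needs.changed-files-job.outputs.packages` pass it through `env:` rather than inline `${{ }}` inside a `run:`, matching the pattern this commit adopts in ci.common.yml.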
@@ -71,11 +77,15 @@ jobs: lint: runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Node - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 22.x package-manager-cache: false @@ -96,11 +106,15 @@ jobs: # examples depend on the library packages via `workspace:*`, so any # library change that breaks an example surfaces here. runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Node - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 22.x package-manager-cache: false @@ -130,6 +144,8 @@ jobs: examples-e2e: name: E2E smoke (${{ matrix.shell }}) runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false matrix: @@ -148,7 +164,9 @@ jobs: runtime_path: packages/tanstack-router-runtime core_path: packages/tanstack-router-core steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Detect relevant changes id: changes @@ -177,7 +195,7 @@ jobs: - name: Setup Node if: steps.changes.outputs.any_changed == 'true' - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 22.x package-manager-cache: false 
@@ -197,15 +215,19 @@ jobs: - name: Install Playwright browsers if: steps.changes.outputs.any_changed == 'true' - run: pnpm --filter ${{ matrix.shell }} exec playwright install --with-deps chromium + env: + SHELL_FILTER: ${{ matrix.shell }} + run: pnpm --filter "$SHELL_FILTER" exec playwright install --with-deps chromium - name: Run E2E smoke test if: steps.changes.outputs.any_changed == 'true' - run: pnpm --filter ${{ matrix.shell }} test:e2e + env: + SHELL_FILTER: ${{ matrix.shell }} + run: pnpm --filter "$SHELL_FILTER" test:e2e - name: Upload Playwright report on failure if: failure() && steps.changes.outputs.any_changed == 'true' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: # `actions/upload-artifact` rejects `/` in artifact names, so the # matrix may set `shell_artifact` to a slash-free fallback (the @@ -218,8 +240,12 @@ jobs: catalog-e2e: name: Catalog E2E runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Detect relevant changes id: changes @@ -237,7 +263,7 @@ jobs: - name: Setup Node if: steps.changes.outputs.any_changed == 'true' - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 22.x package-manager-cache: false @@ -265,7 +291,7 @@ jobs: - name: Upload Playwright report on failure if: failure() && steps.changes.outputs.any_changed == 'true' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: playwright-report-catalog path: examples/catalog/playwright-report/ 
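Review bot: `SHELL_FILTER` is set separately on the Playwright install step and on the E2E test step from the same `matrix.shell` value; a single `env:` on the `examples-e2e` job (its header is in an earlier hunk) would remove the duplication while keeping `--filter "$SHELL_FILTER"` unchanged on both `run:` lines. Note that `matrix.shell` comes from the workflow's own `strategy.matrix`, not from PR input, so this move is defence in depth rather than a fix for an exploitable injection — still the right shape, since inline `${{ }}` in `run:` is exactly what the new zizmor workflow will flag. The `actions/upload-artifact` pin below is fine as written.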
@@ -279,6 +305,6 @@ jobs: pull-requests: write contents: write steps: - - uses: fastify/github-action-merge-dependabot@v3 + - uses: fastify/github-action-merge-dependabot@e820d631adb1d8ab16c3b93e5afe713450884a4a # v3.11.1 with: github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/ensure-labels.yml b/.github/workflows/ensure-labels.yml index 8f95b05..e18e636 100644 --- a/.github/workflows/ensure-labels.yml +++ b/.github/workflows/ensure-labels.yml @@ -12,10 +12,14 @@ on: - labeled - unlabeled +permissions: {} + jobs: ensure_labels: name: Ensure PR has proper labeling runs-on: ubuntu-latest + permissions: + pull-requests: read steps: - name: Check one of required labels are set uses: docker://agilepathway/pull-request-label-checker:v1.6.65 diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index f309787..cebbb42 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -7,6 +7,8 @@ on: branches: - main +permissions: {} + # Prevent overlapping releases if multiple PRs merge close together concurrency: group: release-main @@ -32,9 +34,10 @@ jobs: bump: ${{ steps.version.outputs.bump }} same_version: ${{ steps.version.outputs.same_version }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Determine version strategy id: version @@ -69,7 +72,7 @@ jobs: fi - id: filter - uses: dorny/paths-filter@v3 + uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3.0.3 with: filters: | pkg_core: @@ -138,6 +141,8 @@ jobs: - name: Build dynamic matrix id: build-matrix + env: + CHANGED: ${{ steps.filter.outputs.changes }} run: | # Each entry: filter_key -> dir:npmName declare -A PKG_MAP=( @@ -157,7 +162,6 @@ jobs: ["pkg_tr_testing"]="tanstack-router-testing:@tanstack-react-modules/testing" ) - CHANGED='${{ steps.filter.outputs.changes }}' echo "Changed filters: $CHANGED" MATRIX="[" 
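Review bot: This job keeps `contents: write` and `pull-requests: write`, the only write grants left under ci.yml's new top-level `permissions: {}`, and its `if:` guard sits above the hunk. Worth confirming that guard restricts the job to `github.actor == 'dependabot[bot]'` and that the workflow trigger is `pull_request` rather than `pull_request_target`, since a write-scoped `secrets.GITHUB_TOKEN` on a PR job is the one place in this file where template or untrusted-code injection would still pay off. The SHA pin on `fastify/github-action-merge-dependabot` itself is the right change.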
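Review bot: `uses: docker://agilepathway/pull-request-label-checker:v1.6.65` is the one remaining mutable reference in these workflows after the commit: a Docker tag can be re-pushed, so it is not equivalent to the `@<sha>` pins applied everywhere else. Pin the image by digest, `uses: docker://agilepathway/pull-request-label-checker@sha256:<digest>  # v1.6.65`, keeping the tag in the trailing comment so Dependabot can still track it. Whether the `labeled`/`unlabeled` events come from `pull_request` or `pull_request_target` is above the hunk, so I can't tell if this job runs with an elevated token; with `pull-requests: read` the blast radius is small either way.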
@@ -198,7 +202,7 @@ jobs:
steps:
- name: Checkout Repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
token: ${{ github.token }}
@@ -213,7 +217,7 @@ jobs:
run: git pull --ff-only origin main
- name: Setup Node
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 24.x
registry-url: "https://registry.npmjs.org"
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..e9568e8
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,40 @@
+name: Zizmor
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ paths:
+ - '.github/workflows/**'
+ - '.github/actions/**'
+ - '.github/workflows/zizmor.yml'
+
+permissions: {}
+
+jobs:
+ zizmor:
+ name: Static analysis of GitHub Actions workflows
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Install uv
+ uses: astral-sh/setup-uv@557e51de59eb14aaaba2ed9621916900a91d50c6 # v6.6.1
+
+ - name: Run zizmor
+ run: uvx zizmor --format=sarif . > results.sarif
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Upload SARIF results
+ uses: github/codeql-action/upload-sarif@439137e1b50c27ba9e2f9befc93e43091b449c34 # v3.32.0
+ with:
+ sarif_file: results.sarif
+ category: zizmor
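Review bot: This is the one `actions/checkout` in the commit that keeps default credential persistence (`token: ${{ github.token }}` with no `persist-credentials: false`), presumably on purpose because the job goes on to `git pull --ff-only origin main` and, I'd infer, pushes the release commit or tag. A one-line comment on the `with:` block, `# credentials are persisted deliberately: this job pushes the release commit/tag`, would stop the next zizmor pass or reviewer from "fixing" it. The job's own `permissions:` block is above the hunk; with the new top-level `permissions: {}` it needs `contents: write` for that push and `id-token: write` if npm provenance is used with the `registry-url` set below.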
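Review bot: zizmor exits non-zero whenever it reports findings (its exit code encodes the highest severity found, per its documentation), and the `Run zizmor` step has neither `--no-exit-codes` nor `continue-on-error`, so on the first finding the step fails under the runner's default `bash -e` and the `Upload SARIF results` step — which has no `if: always()` — is skipped, leaving the Security tab empty exactly when there is something to show. Either run `uvx zizmor --format=sarif --no-exit-codes . > results.sarif` or add `if: always()` to the upload step, depending on whether findings should also block the PR. Two smaller points: `'.github/workflows/zizmor.yml'` in `paths:` is already matched by `'.github/workflows/**'`, and `security-events: write` is not granted to `pull_request` runs from forks, so the upload will fail there unless guarded with something like `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`.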