From 63d63e790e5eccef90e6cb0e810067e40f412ab0 Mon Sep 17 00:00:00 2001
From: Till Klampaeckel
Date: Sun, 5 Apr 2026 18:32:04 +0200
Subject: [PATCH 1/2] fix(workflows): fetch-depth is for actions/checkout
---
.github/workflows/main.yml | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 43e3c4b9f..ed560e5ac 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -16,9 +16,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- - uses: actions/setup-node@v6
with:
fetch-depth: 2
+ - uses: actions/setup-node@v6
+ with:
node-version: "lts/*"
cache: "npm"
- name: Install dependencies
@@ -35,9 +36,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- - uses: actions/setup-node@v6
with:
fetch-depth: 2
+ - uses: actions/setup-node@v6
+ with:
node-version: "lts/*"
cache: "npm"
- name: Install dependencies
@@ -53,9 +55,10 @@ jobs:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v6
- - uses: actions/setup-node@v6
with:
fetch-depth: 2
+ - uses: actions/setup-node@v6
+ with:
node-version: "lts/*"
cache: "npm"
- name: Install dependencies
@@ -83,9 +86,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- - uses: actions/setup-node@v6
with:
fetch-depth: 2
+ - uses: actions/setup-node@v6
+ with:
node-version: "lts/*"
cache: "npm"
- name: Install dependencies
@@ -109,10 +113,11 @@ jobs:
steps:
- uses: actions/checkout@v6
+ with:
+ fetch-depth: 2
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v6
with:
- fetch-depth: 2
node-version: ${{ matrix.node-version }}
cache: "npm"
- name: Install dependencies
From 80bb9d0eb545244fda52d0b8ec6cd2373a7c23e5 Mon Sep 17 00:00:00 2001
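Review bot: `fetch-depth: 2` is now set on every checkout (first hunk, `@@ -16,9 +16,10 @@`, and repeated in the four that follow) with nothing saying which later step needs the parent commit; the default shallow clone is enough for install, lint and test, so the override should either be justified inline, e.g. `fetch-depth: 2 # parent commit needed by <step>`, or dropped if no step in these jobs diffs against HEAD^. The steps that would justify it lie outside the hunk, so this cannot be decided from the patch. The misplacement this commit corrects went unnoticed because GitHub Actions only emits a warning for an unknown `with:` input to an action; a schema-aware workflow linter such as actionlint in CI catches this class of mistake at review time.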
From: Till Klampaeckel
Date: Sun, 5 Apr 2026 18:36:39 +0200
Subject: [PATCH 2/2] chore(workflows): update
- pin all actions to precise commits
- avoid credential leakage from actions/checkout
- group action updates going forward
- add zimor config to ignore "secrets outside env"
- add job to keep validating workflows
---
.github/dependabot.yml | 6 ++++++
.github/workflows/main.yml | 37 +++++++++++++++++++++++++++----------
.github/zizmor.yml | 3 +++
3 files changed, 36 insertions(+), 10 deletions(-)
create mode 100644 .github/zizmor.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5ace4600a..2cd6d34af 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,3 +4,9 @@ updates:
directory: "/"
schedule:
interval: "weekly"
+ cooldown:
+ default-days: 7
+ groups:
+ action-deps:
+ patterns:
+ - "*"
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index ed560e5ac..2bb976789 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -15,10 +15,11 @@ jobs:
prettier:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 2
- - uses: actions/setup-node@v6
+ persist-credentials: false
+ - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
with:
node-version: "lts/*"
cache: "npm"
@@ -35,10 +36,11 @@ jobs:
lint:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 2
- - uses: actions/setup-node@v6
+ persist-credentials: false
+ - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
with:
node-version: "lts/*"
cache: "npm"
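Review bot: The `action-deps` group with `patterns: - "*"` (dependabot.yml hunk) folds major-version bumps of every action into the same weekly PR as routine patch bumps, which is where a breaking or suspicious major upgrade is easiest to wave through. Restricting the group to `update-types: ["minor", "patch"]` under `action-deps:` keeps majors as separate PRs that get individual review while still batching the noise; e.g. `action-deps:` / `patterns: ["*"]` / `update-types: ["minor", "patch"]`. Since the actions are now SHA-pinned, Dependabot will bump the SHA and the trailing `# vX` comment together, and the 7-day `cooldown` gives time for a bad tag to be reported before it is adopted — that part is sound.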
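Review bot: The pin comment `# v6` on `actions/checkout@de0fac2e…` in the `prettier` hunk records only the major tag, while the same SHA is annotated `# v6.0.2` in the `validate-workflows` job added later in this patch; a reviewer can only verify that a SHA really resolves to the stated upstream tag when the exact tag is written, and Dependabot will rewrite this comment anyway when it bumps the pin. Use the exact tag consistently, `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`, and record the exact tag for `actions/setup-node@53b83947…` too, whose precise version appears nowhere in the patch. A SHA pin only buys supply-chain protection if someone checks SHA-to-tag at review time; a mutable `# v6` cannot be checked. The same `# v6` comments recur in the lint, browser-test, main-only and matrix hunks.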
@@ -54,10 +56,11 @@ jobs:
browser-test:
runs-on: ubuntu-22.04
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 2
- - uses: actions/setup-node@v6
+ persist-credentials: false
+ - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
with:
node-version: "lts/*"
cache: "npm"
@@ -85,10 +88,11 @@ jobs:
if: ${{ github.ref == 'refs/heads/main' }}
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 2
- - uses: actions/setup-node@v6
+ persist-credentials: false
+ - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
with:
node-version: "lts/*"
cache: "npm"
@@ -112,11 +116,12 @@ jobs:
node-version: [20, 22, 24]
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 2
+ persist-credentials: false
- name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v6
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
with:
node-version: ${{ matrix.node-version }}
cache: "npm"
@@ -127,3 +132,15 @@ jobs:
PUPPETEER_SKIP_CHROMIUM_DOWNLOAD: 1
- name: npm test
run: npm run test-node
+
+ validate-workflows:
+ permissions:
+ security-events: write
+ contents: read
+ actions: read
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 000000000..39d1b180c
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,3 @@
+rules:
+ secrets-outside-env:
+ disable: true
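Review bot: `persist-credentials: false` on the checkout of the `if: ${{ github.ref == 'refs/heads/main' }}` job (hunk `@@ -85,10 +88,11 @@`) removes the `GITHUB_TOKEN` that `actions/checkout` would otherwise write into `.git/config`, so any later step in this job that pushes with the implicit credential — a pages deploy, a tag, a release commit — will now fail on authentication; the remaining steps of this job are outside the hunk, so confirm none relies on it. If one does push, give that step an explicit token, e.g. `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` under its `env:`, rather than re-enabling persistence, since a token sitting in `.git/config` is exactly what the commit message sets out to stop. The `main`-branch gate does not make a persisted credential safe on its own: the job still runs third-party actions and a dependency install with that token on disk.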
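Review bot: `validate-workflows` (hunk `@@ -127,3 +132,15 @@`) is the only job with a `permissions:` block, and the head of `main.yml` above line 15 is not in the patch; unless a workflow-level `permissions:` already exists there, the other five jobs run with the repository's default `GITHUB_TOKEN` scope, which zizmor's `excessive-permissions` audit will report on this job's first run. Add `permissions: contents: read` at the workflow level and keep the broader grant only on this job. `security-events: write` is also only honoured when the token is writable; on pull requests from forks the token is read-only, so the SARIF upload that zizmor-action performs by default would fail there — whether that applies depends on the workflow's triggers, which are outside the hunk, and if it does, disabling the upload for fork PRs (the action exposes an `advanced-security` input for this) avoids a red check that has nothing to do with the audit result.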
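Review bot: `disable: true` in the new `.github/zizmor.yml` switches `secrets-outside-env` off for the whole repository, so any future `${{ secrets.* }}` expanded directly into a `run:` script — the pattern the audit exists to catch, because it splices the secret into the script source with uncontrolled quoting instead of passing it through the environment — will go unreported. The finding that prompted this (the commit message cites "secrets outside env") sits in a step the patch does not show; the better fix is to move that secret into the step's `env:` and reference it as `$NAME` in the script, and failing that to suppress only the offending location, `secrets-outside-env:` / `ignore:` / `- main.yml:<line>` (zizmor accepts `file`, `file:line` and `file:line:col` entries). That keeps the audit live for every other step while the newly added `validate-workflows` job enforces it.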