From f9d205828430148b701c6417f75a5f2255a6dd52 Mon Sep 17 00:00:00 2001 From: James Lamb Date: Mon, 6 Apr 2026 21:03:14 -0500 Subject: [PATCH 1/6] [ci] remove codecov, enforce zizmor checks --- .ci/report_to_covr.sh | 9 --------- .ci/setup.sh | 2 +- .github/dependabot.yml | 2 ++ .github/workflows/build-docs.yaml | 17 ++++++++++++----- .github/workflows/ci.yml | 28 +++++++++++++++++++--------- .pre-commit-config.yaml | 6 +++++- README.md | 1 - 7 files changed, 39 insertions(+), 26 deletions(-) delete mode 100755 .ci/report_to_covr.sh diff --git a/.ci/report_to_covr.sh b/.ci/report_to_covr.sh deleted file mode 100755 index 835fc57..0000000 --- a/.ci/report_to_covr.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/bash - -# failure is a natural part of life -set -e -u -o pipefail - -Rscript -e " \ - Sys.setenv(NOT_CRAN = 'true'); \ - covr::codecov('r-pkg/') \ - " diff --git a/.ci/setup.sh b/.ci/setup.sh index 8ecd187..8c7e4d9 100755 --- a/.ci/setup.sh +++ b/.ci/setup.sh @@ -19,5 +19,5 @@ sudo apt-get install \ tidy \ qpdf -Rscript -e "install.packages(c('covr', 'curl', 'data.table', 'jsonlite', 'knitr', 'lintr', 'markdown', 'purrr', 'stringr', 'testthat'), repos = 'https://cran.r-project.org', Ncpus = parallel::detectCores())" +Rscript -e "install.packages(c('curl', 'data.table', 'jsonlite', 'knitr', 'lintr', 'markdown', 'purrr', 'stringr', 'testthat'), repos = 'https://cran.r-project.org', Ncpus = parallel::detectCores())" cp test-data/* r-pkg/inst/testdata/ diff --git a/.github/dependabot.yml b/.github/dependabot.yml index fdb6eba..998c4ae 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -5,6 +5,8 @@ updates: directory: / schedule: interval: monthly + cooldown: + default-days: 10 groups: ci-dependencies: patterns: diff --git a/.github/workflows/build-docs.yaml b/.github/workflows/build-docs.yaml index ae493b3..e750a57 100644 --- a/.github/workflows/build-docs.yaml +++ b/.github/workflows/build-docs.yaml 
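Review bot: The new `cooldown` block delays every Dependabot version bump by ten days without saying why, and the `package-ecosystem` line it applies to sits above the hunk. If the intent is to avoid proposing a freshly published action release before it has had time to be yanked or reported as compromised, a comment on `cooldown:` would make that explicit, e.g. `# wait 10 days after a release before proposing it, so a tag that is yanked or compromised shortly after publication is not pulled in immediately`. Worth confirming in Dependabot's documentation that security updates are not held back by the same cooldown, since a delayed fix is the cost of this setting.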
@@ -4,6 +4,11 @@ concurrency: group: docs-build-on-${{ github.event_name }}-from-${{ github.ref_name }} cancel-in-progress: true +# default to 0 permissions +# (job-level overrides add the minimal permissions needed) +permissions: + contents: none + on: # run only when called by other workflows workflow_call: @@ -17,21 +22,23 @@ on: jobs: build: runs-on: macos-latest + permissions: + contents: read steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 persist-credentials: false - name: set up R - uses: r-lib/actions/setup-r@v2 + uses: r-lib/actions/setup-r@6f6e5bc62fba3a704f74e7ad7ef7676c5c6a2590 #v2.11.4 with: r-version: release - name: set up pandoc - uses: r-lib/actions/setup-pandoc@v2 + uses: r-lib/actions/setup-pandoc@6f6e5bc62fba3a704f74e7ad7ef7676c5c6a2590 #v2.11.4 - name: build docs run: | .ci/build-docs.sh - - uses: actions/upload-pages-artifact@v4 + - uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0 with: path: ./r-pkg/docs @@ -54,4 +61,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v5 + uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d45582c..1ffdc97 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,6 +20,11 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +# default to 0 permissions +# (job-level overrides add the minimal permissions needed) +permissions: + contents: none + env: # parallelize compilation (extra important for Linux, where CRAN doesn't supply pre-compiled binaries) MAKEFLAGS: "-j4" 
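Review bot: The new workflow-level block spells "no permissions" as `contents: none`, which relies on GitHub's rule that naming one scope sets every unnamed scope to none; `permissions: {}` states the intent the comment above it describes directly and is the form most linters and readers expect. The same pattern is added to ci.yml in its first hunk and re-added to build-docs.yaml in patch 5, so all three would change the same way. Since build-docs.yaml is only ever triggered by `workflow_call`, its effective permissions are in any case capped by whatever the calling job grants; a comment saying so would explain why the `pages`/`id-token` grants end up in ci.yml rather than in this file.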
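Review bot: The two r-lib pin comments in the build job are written `#v2.11.4` with no space after the hash, while every other pin in this file and in ci.yml uses `# v2.11.4`. yamllint's comments rule rejects the missing space, and if Dependabot's SHA-pin updater looks for the `# vX.Y.Z` form to keep the version label in sync (as I believe it does), the mismatch can leave a stale label next to a refreshed SHA. Use `uses: r-lib/actions/setup-r@6f6e5bc62fba3a704f74e7ad7ef7676c5c6a2590 # v2.11.4` and the same spacing on the setup-pandoc line.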
@@ -27,22 +32,25 @@ env: jobs: build-docs: uses: ./.github/workflows/build-docs.yaml + permissions: + contents: read with: deploy: ${{ (github.event_name == 'push' && startsWith(github.ref, 'refs/tags')) || (github.event_name == 'workflow_dispatch' && inputs.deploy-docs == true) }} - secrets: inherit lint: name: lint runs-on: ubuntu-latest timeout-minutes: 30 + permissions: + contents: read steps: - name: checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 persist-credentials: false - - uses: pre-commit/action@v3.0.1 + - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 - name: set up R - uses: r-lib/actions/setup-r@v2 + uses: &setup_r r-lib/actions/setup-r@6f6e5bc62fba3a704f74e7ad7ef7676c5c6a2590 # v2.11.4 - name: run lintr run: | Rscript -e "install.packages('lintr')" @@ -68,15 +76,16 @@ jobs: - 8.17.2 steps: - name: checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 1 + persist-credentials: false - name: set up R - uses: r-lib/actions/setup-r@v2 + uses: *setup_r with: r-version: release - name: set up pandoc - uses: r-lib/actions/setup-pandoc@v2 + uses: r-lib/actions/setup-pandoc@6f6e5bc62fba3a704f74e7ad7ef7676c5c6a2590 # v2.11.4 - name: run tests shell: bash run: | @@ -85,7 +94,6 @@ jobs: $GITHUB_WORKSPACE/.ci/install.sh $GITHUB_WORKSPACE/setup_local.sh ${{ matrix.es_version }} $GITHUB_WORKSPACE/.ci/test.sh - $GITHUB_WORKSPACE/.ci/report_to_covr.sh all-successful: if: always() runs-on: ubuntu-latest @@ -93,8 +101,10 @@ jobs: - build-docs - lint - test + permissions: + statuses: read steps: - name: Decide whether the needed jobs succeeded or failed - uses: re-actors/alls-green@v1.2.2 + uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2 with: jobs: ${{ toJSON(needs) }} 
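Review bot: `uses: &setup_r r-lib/actions/setup-r@6f6e5bc62fba3a704f74e7ad7ef7676c5c6a2590 # v2.11.4` introduces a YAML anchor that the test job in the next hunk consumes via `uses: *setup_r`, which puts this pin behind tooling that may not dereference it: Dependabot's actions updater and zizmor's pin audit work from the `uses:` text, and anchor support in GitHub's workflow parser is recent enough to be worth confirming before relying on it. If either tool skips the anchored line, the SHA stops being refreshed while still looking pinned, which is the opposite of what this commit sets out to do. Repeating the full `r-lib/actions/setup-r@6f6e5bc62fba3a704f74e7ad7ef7676c5c6a2590 # v2.11.4` string in both jobs costs one extra line and keeps every pin greppable.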
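Review bot: The test job gains `persist-credentials: false` here but, unlike lint and all-successful, no job-level `permissions:` for it appears in any hunk, and its header is above this one; with the new workflow-level `contents: none` it now runs with an empty token, so confirm that `actions/checkout` still succeeds for this repository under that token, since that is what changed for this job. Separately, the `run: |` script that begins at the end of this hunk continues into the next one and interpolates `${{ matrix.es_version }}` directly into shell; the values come from a static matrix so this is not attacker-controlled, but zizmor's template-injection audit may still report it, and passing the value through an `env:` entry avoids both the finding and the habit.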
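Review bot: `statuses: read` is granted to all-successful, but its only step is re-actors/alls-green, which decides from the `jobs: ${{ toJSON(needs) }}` input passed in `with:` rather than from the API, so as far as I can tell it needs no token scope at all and `permissions: {}` would be the minimal grant. If the scope is there for a reason, a one-line comment above `permissions:` such as `# alls-green needs statuses:read to ...` would save the next reader the same question.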
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 8b14aa9..a91a1f4 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -20,6 +20,10 @@ repos: - id: shellcheck args: ["--exclude=SC2002"] - repo: https://github.com/codespell-project/codespell - rev: v2.4.1 + rev: v2.4.2 hooks: - id: codespell + - repo: https://github.com/zizmorcore/zizmor-pre-commit + rev: 'v1.23.1' + hooks: + - id: zizmor diff --git a/README.md b/README.md index adc4174..ff9e7da 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,6 @@ # uptasticsearch [![GitHub Actions Build Status](https://github.com/uptake/uptasticsearch/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/uptake/uptasticsearch/actions/workflows/ci.yml) -[![codecov](https://codecov.io/gh/uptake/uptasticsearch/branch/main/graph/badge.svg)](https://app.codecov.io/gh/uptake/uptasticsearch) [![CRAN\_Status\_Badge](https://www.r-pkg.org/badges/version-last-release/uptasticsearch)](https://cran.r-project.org/package=uptasticsearch) [![CRAN\_Download\_Badge](https://cranlogs.r-pkg.org/badges/grand-total/uptasticsearch)](https://cran.r-project.org/package=uptasticsearch) From 44bd6fc19605af2c74b36795176c4e52a6e57bc4 Mon Sep 17 00:00:00 2001 From: James Lamb Date: Mon, 6 Apr 2026 21:34:39 -0500 Subject: [PATCH 2/6] empty commit From 05e42365585b20f7ab49308d286b325262f285f6 Mon Sep 17 00:00:00 2001 From: James Lamb Date: Mon, 6 Apr 2026 21:35:47 -0500 Subject: [PATCH 3/6] defer to nested permissions --- .github/workflows/ci.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1ffdc97..faa2bec 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
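Review bot: The new zizmor entry quotes its revision (`rev: 'v1.23.1'`) while the codespell line just above writes `rev: v2.4.2` unquoted; a `v`-prefixed tag is not at risk of implicit typing, so `rev: v1.23.1` keeps the file consistent. Also, pre-commit accepts a full commit SHA in `rev`, and since this series moves every action to SHA pins, the hook repositories — including the one that now enforces pinning — are the remaining tag-pinned supply-chain inputs; pinning them the same way with a trailing `# v1.23.1` comment would be consistent with the rest of the change, if the maintainers accept the extra update churn.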
@@ -32,8 +32,6 @@ env: jobs: build-docs: uses: ./.github/workflows/build-docs.yaml - permissions: - contents: read with: deploy: ${{ (github.event_name == 'push' && startsWith(github.ref, 'refs/tags')) || (github.event_name == 'workflow_dispatch' && inputs.deploy-docs == true) }} lint: From fd7f68fbc21e2484139f0cd0a9c1e2df2cc394eb Mon Sep 17 00:00:00 2001 From: James Lamb Date: Mon, 6 Apr 2026 21:44:32 -0500 Subject: [PATCH 4/6] how do permissions for nested workflows work --- .github/workflows/build-docs.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/build-docs.yaml b/.github/workflows/build-docs.yaml index e750a57..86aa1cf 100644 --- a/.github/workflows/build-docs.yaml +++ b/.github/workflows/build-docs.yaml @@ -4,10 +4,6 @@ concurrency: group: docs-build-on-${{ github.event_name }}-from-${{ github.ref_name }} cancel-in-progress: true -# default to 0 permissions -# (job-level overrides add the minimal permissions needed) -permissions: - contents: none on: # run only when called by other workflows From 7ad7b887c24ed0309f9c50e697dff3a2378a5bcc Mon Sep 17 00:00:00 2001 From: James Lamb Date: Mon, 6 Apr 2026 21:45:54 -0500 Subject: [PATCH 5/6] hmmm --- .github/workflows/build-docs.yaml | 4 ++++ .github/workflows/ci.yml | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/.github/workflows/build-docs.yaml b/.github/workflows/build-docs.yaml index 86aa1cf..e750a57 100644 --- a/.github/workflows/build-docs.yaml +++ b/.github/workflows/build-docs.yaml @@ -4,6 +4,10 @@ concurrency: group: docs-build-on-${{ github.event_name }}-from-${{ github.ref_name }} cancel-in-progress: true +# default to 0 permissions +# (job-level overrides add the minimal permissions needed) +permissions: + contents: none on: # run only when called by other workflows diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index faa2bec..076ea4e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -32,6 +32,10 @@ env: jobs: build-docs: uses: ./.github/workflows/build-docs.yaml + permissions: + contents: read + id-token: write + pages: write with: deploy: ${{ (github.event_name == 'push' && startsWith(github.ref, 'refs/tags')) || (github.event_name == 'workflow_dispatch' && inputs.deploy-docs == true) }} lint: From 99ccfb64223b39233d2f6ce03f69e237fd420b62 Mon Sep 17 00:00:00 2001 From: James Lamb Date: Mon, 6 Apr 2026 22:01:16 -0500 Subject: [PATCH 6/6] empty commit
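Review bot: The caller now grants `id-token: write` and `pages: write` to every build-docs run, including ones where the `deploy` input evaluates to false, because job-level permissions cannot be conditioned on an input; only the deploy job inside build-docs.yaml (outside this hunk) should need them, and if that job uses a protected environment, its protection rules are what actually limit which refs can deploy. Patches 3–5 went back and forth on where these grants belong, so a comment would spare the next reader that detour, e.g. `# caps what build-docs.yaml's jobs may request; pages/id-token are used only by its deploy job`. Worth confirming the called workflow's deploy job requests exactly these scopes and nothing broader.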