diff --git a/.github/workflows/buildjet.yml b/.github/workflows/buildjet.yml index 56b2134..4fef9d6 100644 --- a/.github/workflows/buildjet.yml +++ b/.github/workflows/buildjet.yml @@ -2,6 +2,8 @@ name: buildjet on: [push, pull_request] +permissions: {} + jobs: buildjet: if: github.repository == 'Swatinem/rust-cache' @@ -17,7 +19,9 @@ jobs: CARGO_TERM_COLOR: always steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - run: rustup toolchain install stable --profile minimal --no-self-update diff --git a/.github/workflows/check-dist.yml b/.github/workflows/check-dist.yml index de97634..7fbba80 100644 --- a/.github/workflows/check-dist.yml +++ b/.github/workflows/check-dist.yml @@ -11,15 +11,19 @@ on: - "**.md" workflow_dispatch: +permissions: {} + jobs: check-dist: if: github.repository == 'Swatinem/rust-cache' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Setup Node.js 20.x - uses: actions/setup-node@v5 + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: 20.x cache: npm @@ -39,7 +43,7 @@ jobs: fi id: diff - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: ${{ failure() && steps.diff.conclusion == 'failure' }} with: name: dist diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index 5dcc1ca..f78ef51 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -2,6 +2,8 @@ name: coverage on: [push, pull_request] +permissions: {} + jobs: coverage: if: github.repository == 'Swatinem/rust-cache' 
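Review bot: The `# v5.0.0` trailer after the pinned `actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8` is now the only human-readable link between the SHA and a release, and nothing in this diff shows what keeps that link truthful. If the repository's Dependabot configuration does not cover the `github-actions` ecosystem, a later hand-bumped SHA with a stale trailer would mislead readers in a way a plain tag never did; confirm the pins are maintained by tooling, which rewrites the SHA and the version comment together. With file-level `permissions: {}`, the visible steps (checkout, `rustup toolchain install`) need no token scopes, so the lock-down appears safe for this job. The same pin-plus-trailer pattern is repeated verbatim in check-dist, coverage, git-registry, install, simple, target-dir and workspaces (and in the new zizmor workflow), so one answer covers all of them. The `buildjet` job continues beyond the end of the hunk.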
@@ -17,11 +19,15 @@ jobs: CARGO_TERM_COLOR: always steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - run: rustup toolchain install stable --profile minimal --component llvm-tools-preview --no-self-update - - uses: taiki-e/install-action@cargo-llvm-cov + - uses: taiki-e/install-action@cd39cb0572834c149bf3533a143f05e09def0f3c # v2.62.2 + with: + tool: cargo-llvm-cov - uses: ./ with: diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml index 787de3f..87b07aa 100644 --- a/.github/workflows/dependabot.yml +++ b/.github/workflows/dependabot.yml @@ -3,23 +3,25 @@ name: Dependabot Automation on: pull_request -permissions: - contents: write - pull-requests: write +permissions: {} jobs: automerge: runs-on: ubuntu-latest + permissions: + contents: write # for pushing commits + pull-requests: write # for merging PRs if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'Swatinem/rust-cache' steps: - name: Fetch metadata id: metadata - uses: dependabot/fetch-metadata@v2 + uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # v2.4.0 with: github-token: "${{ secrets.GITHUB_TOKEN }}" - - uses: actions/checkout@v5 - with: + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: fetch-depth: 2 + persist-credentials: false if: steps.metadata.outputs.update-type == 'version-update:semver-patch' - name: Check if package-lock.json has been changed if: steps.metadata.outputs.update-type == 'version-update:semver-patch' @@ -35,7 +37,7 @@ jobs: fi - name: Setup node if necessary if: steps.npm.outputs.changed != '' - uses: actions/setup-node@v5 + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: 20.x cache: npm diff --git a/.github/workflows/git-registry.yml b/.github/workflows/git-registry.yml index 393d2db..ab652d1 100644 
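Review bot: `tool: cargo-llvm-cov` on the new `taiki-e/install-action` step names the tool without a version, so the cargo-llvm-cov binary actually installed is presumably whatever the pinned action revision treats as latest, and that version is not stated anywhere in the workflow. Pinning the installer by SHA while leaving the tool floating gives a reproducible installer and an unreproducible result; the action accepts `tool: cargo-llvm-cov@<version>` (placeholder for the chosen release), which makes the installed binary explicit and lets a tool bump show up in review like any other dependency change. The rest of the `coverage` job — `uses: ./` and whatever consumes the report — lies past the end of the hunk; if a later step uses `GITHUB_TOKEN`, the file-level `permissions: {}` added in the first hunk now denies it and a job-level `permissions:` block would be required.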
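Review bot: `persist-credentials: false` on the checkout step in dependabot.yml removes the token that a `git push` later in this job would otherwise use, while the job-level `contents: write # for pushing commits` added just above states that the job does push. If the push step, which lies past the end of the hunk, relies on the credential the checkout used to leave behind in the local git config, it will now fail to authenticate; it needs the token supplied explicitly (for example by passing `secrets.GITHUB_TOKEN` to the push command, or by leaving persistence on for this one job), and that should be verified before merging. The scoping itself looks right: file-level `permissions: {}` with write scopes only on `automerge`, plus the `dependabot[bot]` actor check on `if:`, is the least-privilege shape for this kind of automation. The `automerge` job continues beyond the hunk.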
--- a/.github/workflows/git-registry.yml +++ b/.github/workflows/git-registry.yml @@ -2,6 +2,8 @@ name: git-registry on: [push, pull_request] +permissions: {} + jobs: git-registry: if: github.repository == 'Swatinem/rust-cache' @@ -18,7 +20,9 @@ jobs: CARGO_REGISTRIES_CRATES_IO_PROTOCOL: git steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - run: rustup toolchain install stable --profile minimal --no-self-update diff --git a/.github/workflows/install.yml b/.github/workflows/install.yml index 8079364..ac85ac6 100644 --- a/.github/workflows/install.yml +++ b/.github/workflows/install.yml @@ -2,6 +2,8 @@ name: install on: [push, pull_request] +permissions: {} + jobs: install: if: github.repository == 'Swatinem/rust-cache' @@ -17,7 +19,9 @@ jobs: CARGO_TERM_COLOR: always steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - run: rustup toolchain install stable --profile minimal --no-self-update diff --git a/.github/workflows/simple.yml b/.github/workflows/simple.yml index c4a31aa..8e55261 100644 --- a/.github/workflows/simple.yml +++ b/.github/workflows/simple.yml @@ -2,6 +2,8 @@ name: simple on: [push, pull_request] +permissions: {} + jobs: simple: if: github.repository == 'Swatinem/rust-cache' @@ -17,7 +19,9 @@ jobs: CARGO_TERM_COLOR: always steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - run: rustup toolchain install stable --profile minimal --no-self-update diff --git a/.github/workflows/target-dir.yml b/.github/workflows/target-dir.yml index 604416c..d3ba657 100644 --- a/.github/workflows/target-dir.yml +++ b/.github/workflows/target-dir.yml 
@@ -2,6 +2,8 @@ name: target-dir on: [push, pull_request] +permissions: {} + jobs: target-dir: if: github.repository == 'Swatinem/rust-cache' @@ -17,7 +19,9 @@ jobs: CARGO_TERM_COLOR: always steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - run: rustup toolchain install stable --profile minimal --no-self-update diff --git a/.github/workflows/workspaces.yml b/.github/workflows/workspaces.yml index 0bf5068..b0689ab 100644 --- a/.github/workflows/workspaces.yml +++ b/.github/workflows/workspaces.yml @@ -2,6 +2,8 @@ name: workspaces on: [push, pull_request] +permissions: {} + jobs: workspaces: if: github.repository == 'Swatinem/rust-cache' @@ -17,7 +19,9 @@ jobs: CARGO_TERM_COLOR: always steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - run: rustup toolchain install stable --profile minimal --target wasm32-unknown-unknown --no-self-update diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..72c984b --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,24 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + +permissions: {} + +jobs: + zizmor: + name: Run zizmor 🌈 + runs-on: ubuntu-latest + permissions: + security-events: write # for uploading results to the Security tab + steps: + - name: Checkout repository + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
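Review bot: In the new zizmor.yml the job grants `security-events: write` for the SARIF upload, but on `pull_request` runs from forked repositories the `GITHUB_TOKEN` is read-only regardless of the `permissions` block, so with `pull_request: branches: ["**"]` the upload will fail for every external contributor's PR and the workflow has no handling for that case. Either scope the upload to trusted runs — zizmor-action's `advanced-security` input, if v0.2.0 exposes it, can be driven from `github.event.pull_request.head.repo.fork` so fork PRs still run the audit but skip the upload — or record the expectation in a comment next to `security-events: write`, e.g. `# SARIF upload fails on fork PRs (read-only token); the audit itself still runs`. If this file is ever reused in a private repository, `contents: read` and `actions: read` would likely also be needed for the upload, since a job-level `permissions:` block resets every unlisted scope to none. Pinning both actions by SHA with `persist-credentials: false` on the checkout is consistent with the other workflows in this change.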