From 1daea9a137c9d5a9cffd6923b080d80d45f796b9 Mon Sep 17 00:00:00 2001
From: Sheraff
Date: Tue, 12 May 2026 21:00:02 +0200
Subject: [PATCH 1/3] ci: add zizmor workflow
---
 .github/workflows/autofix.yml | 4 +++-
 .github/workflows/benchmarks.yml | 10 +++++++---
 .github/workflows/pr.yml | 8 +++++---
 .github/workflows/release.yml | 21 ++++++++++++++-------
 .github/workflows/zizmor.yml | 24 ++++++++++++++++++++++++
 5 files changed, 53 insertions(+), 14 deletions(-)
 create mode 100644 .github/workflows/zizmor.yml
diff --git a/.github/workflows/autofix.yml b/.github/workflows/autofix.yml
index 0ddce7f..f2b1f71 100644
--- a/.github/workflows/autofix.yml
+++ b/.github/workflows/autofix.yml
@@ -18,7 +18,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Tools uses: TanStack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 # main - name: Fix formatting
diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml
index 2c0e1ac..85f51b7 100644
--- a/.github/workflows/benchmarks.yml
+++ b/.github/workflows/benchmarks.yml
@@ -19,7 +19,6 @@ on: permissions: contents: read - id-token: write env: NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
@@ -29,16 +28,21 @@ jobs: benchmarks: name: Run intent CodSpeed benchmark runs-on: ubuntu-latest + permissions: + contents: read + id-token: write steps: - name: Checkout - uses: actions/checkout@v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Tools uses: TanStack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 # main - name: Run intent CodSpeed benchmark continue-on-error: true - uses: CodSpeedHQ/action@v4 + uses: CodSpeedHQ/action@346a2d8a8d9d38909abd0bc3d23f773110f076ad # v4.4.1 with: mode: simulation run: WITH_INSTRUMENTATION=1 pnpm exec nx run @benchmarks/intent:test:perf
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 0129631..6f9c44e 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -23,13 +23,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Setup Tools uses: TanStack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 # main - name: Get base and head commits for `nx affected` - uses: nrwl/nx-set-shas@v4.4.0 + uses: nrwl/nx-set-shas@3e9ad7370203c1e93d109be57f3b72eb0eb511b1 # v4.4.0 with: main-branch-name: main - name: Run Checks
@@ -39,9 +40,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Setup Tools uses: TanStack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 # main - name: Build Packages
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b129049..5966463 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
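Review bot: The new job-level `permissions` block narrows the token, but `NX_CLOUD_ACCESS_TOKEN` is still declared at workflow level (the `env:` context visible in the previous hunk), so it is exported into every step of this job, including the third-party CodSpeed action and whatever `pnpm exec nx run` executes. Moving that `env:` entry onto the step or steps that actually talk to Nx Cloud — presumably Setup Tools and the benchmark run; confirm which ones need it — would match the least-privilege intent of this hunk. A one-line reason next to `id-token: write` (I assume CodSpeed's OIDC-based authentication; verify) would stop a later cleanup from removing it.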
@@ -13,20 +13,23 @@ env: SERVER_PRESET: 'node-server' permissions: - contents: write - id-token: write - pull-requests: write + contents: read jobs: release: name: Release if: "!contains(github.event.head_commit.message, 'ci: changeset release')" runs-on: ubuntu-latest + permissions: + contents: write + id-token: write + pull-requests: write steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Check for changesets id: changesets run: |
@@ -61,7 +64,7 @@ jobs: git config user.email "github-actions[bot]@users.noreply.github.com" git add . if git commit -m "ci: changeset release"; then - git push + git push "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "HEAD:${GITHUB_REF_NAME}" echo "committed=true" >> "$GITHUB_OUTPUT" fi env:
@@ -80,10 +83,14 @@ jobs: fi - name: Publish Packages if: steps.commit.outputs.committed == 'true' - run: pnpm run changeset:publish ${{ steps.dist-tag.outputs.tag && format('--tag {0}', steps.dist-tag.outputs.tag) }} + run: pnpm run changeset:publish ${DIST_TAG_ARG} + env: + DIST_TAG_ARG: ${{ steps.dist-tag.outputs.tag && format('--tag {0}', steps.dist-tag.outputs.tag) }} - name: Create GitHub Release if: steps.commit.outputs.committed == 'true' - run: node scripts/create-github-release.mjs ${{ steps.dist-tag.outputs.prerelease == 'true' && '--prerelease' }} ${{ steps.dist-tag.outputs.latest == 'true' && '--latest' }} + run: node scripts/create-github-release.mjs ${PRERELEASE_ARG} ${LATEST_ARG} env: + PRERELEASE_ARG: ${{ steps.dist-tag.outputs.prerelease == 'true' && '--prerelease' }} + LATEST_ARG: ${{ steps.dist-tag.outputs.latest == 'true' && '--latest' }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..86d4b5b
--- /dev/null
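Review bot: The new job-level block grants `id-token: write` and `pull-requests: write` without recording which step consumes them; of the steps visible in this patch (checkout, changeset check, commit and push, publish, GitHub release) only the publish step plausibly needs the OIDC token (npm provenance, I assume — confirm) and nothing visible touches pull requests. A comment per grant, e.g. `id-token: write # OIDC for npm provenance in changeset:publish`, and dropping `pull-requests: write` if no step in the job uses it, would finish the narrowing this commit starts. The rest of the release job lies outside this hunk, so the unused-grant point is inferred from what is shown here.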
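Review bot: `${DIST_TAG_ARG}`, `${PRERELEASE_ARG}` and `${LATEST_ARG}` in the new run lines are deliberately unquoted so that an empty value vanishes and `--tag x` splits into two arguments, yet a reader applying the usual quote-every-expansion rule would break this; a comment on each run line, `# unquoted on purpose: empty → no argument, "--tag x" → two arguments`, records the intent. Moving the `${{ }}` expressions into `env:` is the right fix for template injection, since the values now reach the shell as data rather than as script text. One pre-existing wrinkle is carried into the new `PRERELEASE_ARG`/`LATEST_ARG` lines: when the `==` comparison is false the `&&` expression evaluates to the boolean `false`, which GitHub renders as the string `false`, so the script may receive a literal `false` argument — worth confirming against `scripts/create-github-release.mjs`, and appending `|| ''` to both expressions if it does not tolerate that.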
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,24 @@ +name: GitHub Actions Security Analysis + +on: + push: + branches: [main] + pull_request: + branches: ['**'] + +permissions: {} + +jobs: + zizmor: + name: Run zizmor + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - name: Run zizmor + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + with: + advanced-security: false + annotations: true
From 7f57ee068689ea1584281edb96e928e44993f202 Mon Sep 17 00:00:00 2001
From: Sheraff
Date: Tue, 12 May 2026 23:34:55 +0200
Subject: [PATCH 2/3] ci: clarify release checkout credentials
---
 .github/workflows/release.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5966463..288bfb6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -29,7 +29,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - persist-credentials: false + persist-credentials: true # release job pushes version changes - name: Check for changesets id: changesets run: |
@@ -64,7 +64,7 @@ jobs: git config user.email "github-actions[bot]@users.noreply.github.com" git add . if git commit -m "ci: changeset release"; then - git push "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "HEAD:${GITHUB_REF_NAME}" + git push origin "HEAD:${GITHUB_REF_NAME}" echo "committed=true" >> "$GITHUB_OUTPUT" fi env:
From e7d78d971631b87ea19d606a076a8dcb86bb921d Mon Sep 17 00:00:00 2001
From: Flo
Date: Tue, 12 May 2026 23:38:37 +0200
Subject: [PATCH 3/3] Update .github/workflows/benchmarks.yml
---
 .github/workflows/benchmarks.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml
index 85f51b7..051c036 100644
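Review bot: The `zizmor` job declares no `permissions` of its own and so inherits the empty top-level grant; that is fine for a public repository, but for a private one the checkout and the action's online audits would need `contents: read` (and, as I recall from the action's documentation, `actions: read`) on the job, so an explicit job-level `permissions:` block with `contents: read` makes the intent visible either way. With `advanced-security: false` findings are reported only as annotations, not to the Security tab; a comment such as `# no SARIF upload; findings appear as annotations only` next to it records that choice. Note that PATCH 2/3 in this series sets `persist-credentials: true` in release.yml, which this workflow's `artipacked` audit will presumably flag, so the first run is likely to fail on a sibling workflow.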
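Review bot: `persist-credentials: true` stores the job's `GITHUB_TOKEN` in `.git/config` as an `http.extraheader`, where every later step of the release job can read it — including the Setup Tools composite action, `pnpm run changeset:publish` and `node scripts/create-github-release.mjs`, which lie outside these two hunks — and since the job holds `contents: write`, that is the pattern the `artipacked` audit in the zizmor workflow from PATCH 1/3 reports, so expect it to fail on this line. The credential is only needed for `git push origin "HEAD:${GITHUB_REF_NAME}"` in the second hunk; keeping `persist-credentials: false` and attaching the token to that one command, e.g. `git -c "http.https://github.com/.extraheader=AUTHORIZATION: basic $(printf 'x-access-token:%s' "$GITHUB_TOKEN" | base64 -w0)" push origin "HEAD:${GITHUB_REF_NAME}"` (assuming `GITHUB_TOKEN` is in that step's `env:`, as the removed line relied on), confines it to the step that uses it. If persisting the credential is the deliberate trade-off, pair the trailing comment with `# zizmor: ignore[artipacked]` on the flagged line so the audit and the comment agree.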
--- a/.github/workflows/benchmarks.yml
+++ b/.github/workflows/benchmarks.yml
@@ -42,7 +42,7 @@ jobs: - name: Run intent CodSpeed benchmark continue-on-error: true - uses: CodSpeedHQ/action@346a2d8a8d9d38909abd0bc3d23f773110f076ad # v4.4.1 + uses: CodSpeedHQ/action@3194d9a39c4d46684cb44bf7207fc56626aad8fd # v4.15.1 with: mode: simulation run: WITH_INSTRUMENTATION=1 pnpm exec nx run @benchmarks/intent:test:perf