diff --git a/.github/workflows/buildbundles.yml b/.github/workflows/buildbundles.yml index 56137e73..91b2518a 100644 --- a/.github/workflows/buildbundles.yml +++ b/.github/workflows/buildbundles.yml @@ -9,14 +9,17 @@ on: jobs: Generating-Bound-Versions: runs-on: ubuntu-latest + permissions: + pull-requests: read steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: '20' - run: ./tools/InstallUbuntuBuildDependencies.sh - run: ./tools/PreCheckinUpdate.sh - #- run: mkdir ./docs/bound_docs & df > ./docs/bound_docs/foo.pdf - name: Upload bound_docs as artifact uses: actions/upload-artifact@v4 with: @@ -29,11 +32,14 @@ jobs: Create-Release: needs: Generating-Bound-Versions runs-on: ubuntu-latest - if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) permissions: - contents: write + contents: write + + if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Download bound_docs artifact uses: actions/download-artifact@v4 @@ -71,10 +77,10 @@ jobs: prerelease: ${{ !startsWith(github.ref, 'refs/tags/v') }} - name: Upload all release files - uses: softprops/action-gh-release@v1 + uses: actions/create-release@v1 with: tag_name: ${{ steps.tag.outputs.tag }} - files: | + artifacts: | ./release-files/*.docx ./release-files/*.epub ./release-files/*.pdf diff --git a/.github/workflows/markdownlint.yml b/.github/workflows/markdownlint.yml index 0ae20e45..a662571e 100644 --- a/.github/workflows/markdownlint.yml +++ b/.github/workflows/markdownlint.yml 
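Review bot: The job-level `permissions:` block added to `Generating-Bound-Versions` grants only `pull-requests: read`, yet nothing visible in the job (checkout, setup-node, the two `./tools/*.sh` scripts, upload-artifact) reads pull requests, and a job-level block withholds every scope it does not list — including `contents`, which every other job touched by this commit receives and which `actions/checkout` needs at least on private repositories. Unless `PreCheckinUpdate.sh` calls the pull-request API (not visible here), this reads like a slip for `contents: read`. I would change the two added lines to `permissions:` / `contents: read`, and if PR access really is required, list both scopes with a comment naming the script that uses it.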
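Review bot: The new `uses: actions/create-release@v1` in the `Upload all release files` step does not define an `artifacts` (or `files`) input — its inputs are `tag_name`, `release_name`, `body`, `draft`, `prerelease` and `commitish`, and it reads `GITHUB_TOKEN` from `env` rather than `with` — so the three `./release-files/*` globs will be reported as an unexpected input and no assets are attached to the release; the action is also archived upstream and no longer maintained. If the rename to `artifacts:` was aimed at `ncipollo/release-action`, that is the action whose input is spelled this way; otherwise the removed `softprops/action-gh-release` with `files:` still does what this step wants. Whichever is chosen, pin it to a commit SHA with a version comment as this same commit does for markdownlint and zizmor, instead of the mutable `@v1` tag. The preceding step (`prerelease: …`) is cut off at the top of the hunk, and any `env:` for the token would sit below it, so I cannot tell from here whether a release for `steps.tag.outputs.tag` is already created earlier in the job.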
@@ -9,13 +9,17 @@ on: jobs: run-markdownlint: runs-on: ubuntu-22.04 + permissions: + contents: read steps: - name: check out code uses: actions/checkout@v4 + with: + persist-credentials: false - name: run markdownlint - uses: DavidAnson/markdownlint-cli2-action@v18.0.0 + uses: DavidAnson/markdownlint-cli2-action@992badcdf24e3b8eb7e87ff9287fe931bcb00c6e with: globs: | **/*.md diff --git a/.github/workflows/publish_mkdocs.yml b/.github/workflows/publish_mkdocs.yml index f273bf43..7767ff15 100644 --- a/.github/workflows/publish_mkdocs.yml +++ b/.github/workflows/publish_mkdocs.yml @@ -8,12 +8,6 @@ on: # Allows you to run this workflow manually from the Actions tab workflow_dispatch: -# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages -permissions: - contents: read - pages: write - id-token: write - # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. concurrency: @@ -24,9 +18,14 @@ jobs: # Build job build: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false + - name: Set up Python uses: actions/setup-python@v4 with: @@ -57,6 +56,10 @@ jobs: name: github-pages url: ${{ steps.deployment.outputs.page_url }} runs-on: ubuntu-latest + permissions: + contents: read + pages: write + id-token: write needs: build steps: - name: Deploy to GitHub Pages diff --git a/.github/workflows/sanitycheck.yml b/.github/workflows/sanitycheck.yml index 465e66b9..a2b98e34 100644 --- a/.github/workflows/sanitycheck.yml +++ b/.github/workflows/sanitycheck.yml @@ -9,10 +9,14 @@ on: jobs: run-misspell: runs-on: ubuntu-22.04 + permissions: + contents: read steps: - name: check out code uses: actions/checkout@v4 + with: + persist-credentials: false - name: install misspell run: | 
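Review bot: The SHA pin `DavidAnson/markdownlint-cli2-action@992badcdf24e3b8eb7e87ff9287fe931bcb00c6e` carries no version comment, unlike the pins in the new zizmor workflow in this same commit, so a reader cannot tell which release it corresponds to and Renovate/Dependabot cannot track the version when bumping the hash. Assuming the hash is the `v18.0.0` tag the removed line referenced, I would write it as `uses: DavidAnson/markdownlint-cli2-action@992badcdf24e3b8eb7e87ff9287fe931bcb00c6e # v18.0.0`. The `globs:` block scalar at the bottom of the hunk may continue past it.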
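Review bot: Deleting the workflow-level `permissions:` block without putting an empty one in its place means any job in `publish_mkdocs.yml` that lacks its own `permissions:` falls back to the repository's default `GITHUB_TOKEN` grant, which can still be the permissive legacy set. The `build` and `deploy` jobs later in this diff do declare job-level permissions, but to make least privilege the default for any job added later I would keep a top-level `permissions: {}` here, as the new `zizmor.yml` in this commit does, with the old comment adjusted to `# Default GITHUB_TOKEN to no permissions; each job grants only what it needs`.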
@@ -24,10 +28,15 @@ jobs: run-sanitycheck: runs-on: ubuntu-22.04 + permissions: + contents: read steps: - name: check out code uses: actions/checkout@v4 + with: + persist-credentials: false - name: detect non-ASCII encoding and trailing space run: python3 ./main/sanitycheck.py + diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index ead7511d..9daecdd3 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -9,6 +9,8 @@ on: jobs: stale: runs-on: ubuntu-22.04 + permissions: + contents: read steps: - uses: actions/stale@v9 with: diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000..97bf52d0 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,26 @@ +name: GitHub Actions Security Analysis with zizmor + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + +permissions: {} + +jobs: + zizmor: + name: Run zizmor + runs-on: ubuntu-latest + permissions: + security-events: write + contents: read # only needed for private repos + actions: read # only needed for private repos + steps: + - name: Checkout repository + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@5ca5fc7a4779c5263a3ffa0e1f693009994446d1 # v0.1.2 diff --git a/tools/Banner.Template.html b/tools/Banner.Template.html index ed4557f7..cc178efa 100644 --- a/tools/Banner.Template.html +++ b/tools/Banner.Template.html @@ -39,6 +39,6 @@ } console.log("DEBUG ----"); -document.getElementById("bannerText").innerHTML=getQueryVariable("title"); +document.getElementById("bannerText").innerText=getQueryVariable("title");
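Review bot: The `permissions:` block added to the `stale` job grants only `contents: read`, but `actions/stale` labels, comments on and closes issues and pull requests, which requires `issues: write` and `pull-requests: write`; with a job-level block those scopes are now explicitly withheld, so the action will get a 403 on its first write (unless the `with:` block below the hunk sets `debug-only: true`, which is not visible here). I would change the block to `permissions:` / `issues: write` / `pull-requests: write`, dropping `contents: read` since the job does not check out code.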
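Review bot: On `pull_request` runs triggered from forks the `GITHUB_TOKEN` is read-only regardless of the job-level `security-events: write` declared here, so the SARIF upload performed by `zizmorcore/zizmor-action` will fail for fork PRs on a public repository even when the audit itself passes. If fork contributions are expected, either record that as an accepted limitation in a comment above the `permissions:` block, or run the action with SARIF upload disabled when `github.event.pull_request.head.repo.fork` is true (zizmor-action exposes an input for printing findings instead of uploading them; check its action.yml for the exact name before relying on it). The `contents: read` and `actions: read` grants are commented as needed only for private repositories; if this repository is public they can be dropped per that comment, which keeps the job's token at the single scope it actually uses.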
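Review bot: Replacing `innerHTML` with `innerText` closes the reflected-XSS path of writing the `title` query parameter as markup, but `innerText` is the layout-aware, HTML-only property; `textContent` is the standard DOM property for setting plain text and treats the value as text the same way. Also, if `getQueryVariable` (defined above the hunk, not visible here) returns `null` or `undefined` for a missing parameter, the banner will literally display `null`; I would write `document.getElementById("bannerText").textContent = getQueryVariable("title") ?? "";` (or `|| ""` if older browsers matter). The `console.log("DEBUG ----")` on the context line above looks like leftover debugging output that could go in the same change.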