diff --git a/.github/workflows/js.yml b/.github/workflows/js.yml
index f85b5be5..b7b05f74 100644
--- a/.github/workflows/js.yml
+++ b/.github/workflows/js.yml
@@ -4,13 +4,15 @@ on:
 push:
 branches:
 - master
- tags:
- - "**"
 pull_request:
+permissions: {}
+
 jobs:
 pre_job:
 runs-on: ubuntu-latest
+ permissions:
+ actions: read
 outputs:
 should_skip: ${{ steps.skip_check.outputs.should_skip }}
 paths_result: ${{ steps.skip_check.outputs.paths_result }}
@@ -26,13 +28,15 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Setup pnpm
 uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2
 with:
 version: 9
 - name: Use Node.js
- uses: actions/setup-node@v3
+ uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
 with:
 node-version-file: "package.json"
 cache: "pnpm"
@@ -47,13 +51,15 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Setup pnpm
 uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2
 with:
 version: 9
 - name: Use Node.js
- uses: actions/setup-node@v3
+ uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
 with:
 node-version-file: "package.json"
 cache: "pnpm"
@@ -68,13 +74,15 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Setup pnpm
 uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2
 with:
 version: 9
 - name: Use Node.js
- uses: actions/setup-node@v3
+ uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
 with:
 node-version-file: "package.json"
 cache: "pnpm"
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
index 792bd65b..4c6b0cdf 100644
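Review bot: With `permissions: {}` now the workflow-wide default, only `pre_job` declares a job-level grant (`actions: read`); the jobs in the following hunks that run `actions/checkout` receive a token with no scopes, and whether such a token can still clone depends on repository visibility (on a private repository it fails). Even where it works, the read scope each job actually relies on is left undocumented; consider giving every job that checks out code an explicit `permissions:` block with `contents: read`. The same applies to python.yml, where the previous top-level `contents: read` is replaced by `{}`, and to the corresponding top-level hunks in rust.yml and vscode.yml.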
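Review bot: The trailing comments on the new SHA pins record only a major version (`# v4`, `# v3`), so a reader cannot check the SHA against a specific upstream tag; this matches the existing `pnpm/action-setup` pin, but recording the exact tag the SHA was resolved from (`# v4.x.y`, with the real tag substituted) makes each pin auditable and makes later bumps reviewable. This applies to every repinned `uses:` line in the commit, so it is only noted here. Separately, rust.yml ends up pinning both a v3 and a v4 SHA of `actions/setup-node`; since every pin is being rewritten anyway, converging the jobs on one major would leave one fewer action version to track.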
--- a/.github/workflows/python.yml
+++ b/.github/workflows/python.yml
@@ -9,12 +9,13 @@ on:
 pull_request:
 workflow_dispatch:
-permissions:
- contents: read
+permissions: {}
 jobs:
 pre_job:
 runs-on: ubuntu-latest
+ permissions:
+ actions: read
 outputs:
 should_skip: ${{ steps.skip_check.outputs.should_skip }}
 paths_result: ${{ steps.skip_check.outputs.paths_result }}
@@ -46,7 +47,9 @@ jobs:
 before-script: |
 python3 -m pip install ziglang==0.11.0
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Build wheels
 uses: PyO3/maturin-action@e83996d129638aa358a18fbd1dfb82f0b0fb5d3b # v1
 with:
@@ -58,7 +61,7 @@ jobs:
 sccache: ${{ matrix.platform.sccache }}
 before-script-linux: ${{ matrix.platform.before-script }}
 - name: Upload wheels
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: wheels-linux-${{ matrix.platform.target }}
 path: crates/squawk/dist
@@ -76,7 +79,9 @@ jobs:
 - runner: windows-latest
 target: x86
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Build wheels
 uses: PyO3/maturin-action@e83996d129638aa358a18fbd1dfb82f0b0fb5d3b # v1
 with:
@@ -85,7 +90,7 @@ jobs:
 args: --release --out dist
 sccache: "true"
 - name: Upload wheels
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: wheels-windows-${{ matrix.platform.target }}
 path: crates/squawk/dist
@@ -103,7 +108,9 @@ jobs:
 - runner: macos-14
 target: aarch64
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Build wheels
 uses: PyO3/maturin-action@e83996d129638aa358a18fbd1dfb82f0b0fb5d3b # v1
 with:
@@ -112,7 +119,7 @@ jobs:
 args: --release --out dist
 sccache: "true"
 - name: Upload wheels
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: wheels-macos-${{ matrix.platform.target }}
 path: crates/squawk/dist
@@ -123,7 +130,9 @@ jobs:
 if: needs.pre_job.outputs.should_skip != 'true' || startsWith(github.ref, 'refs/tags/')
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Build sdist
 uses: PyO3/maturin-action@e83996d129638aa358a18fbd1dfb82f0b0fb5d3b # v1
 with:
@@ -131,7 +140,7 @@ jobs:
 working-directory: crates/squawk
 args: --out dist
 - name: Upload sdist
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: wheels-sdist
 path: crates/squawk/dist
@@ -146,7 +155,7 @@ jobs:
 if: "startsWith(github.ref, 'refs/tags/')"
 needs: [linux, windows, macos, sdist]
 steps:
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 - name: Publish to PyPI
 uses: PyO3/maturin-action@e83996d129638aa358a18fbd1dfb82f0b0fb5d3b # v1
 with:
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index 56f80ae5..45a60e91 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -8,6 +8,8 @@ on:
 - "**"
 pull_request:
+permissions: {}
+
 env:
 RUST_BACKTRACE: 1
 CARGO_TERM_COLOR: always
@@ -16,6 +18,8 @@ env:
 jobs:
 pre_job:
 runs-on: ubuntu-22.04
+ permissions:
+ actions: read
 outputs:
 should_skip: ${{ steps.skip_check.outputs.should_skip }}
 paths_result: ${{ steps.skip_check.outputs.paths_result }}
@@ -28,6 +32,8 @@ jobs:
 build:
 needs: pre_job
 if: needs.pre_job.outputs.should_skip != 'true' || startsWith(github.ref, 'refs/tags/')
+ permissions:
+ contents: write
 strategy:
 fail-fast: false
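Review bot: The `permissions:` block of this PyPI release job, if it has one, sits above the visible context, and with python.yml's top-level default now `{}` the job inherits no scopes; nothing in the hunk shows whether the publish step still has what it needs (for example `id-token: write`, if it relies on trusted publishing). Because the job is gated on `startsWith(github.ref, 'refs/tags/')`, a pull-request run cannot exercise this path, so the tightening is only tested at the next tag push. Worth confirming the job declares its scopes explicitly before merging; the same caveat applies to the other tag-gated publish jobs touched by this commit. The job definition starts outside the hunk.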
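Review bot: `contents: write` is granted to the whole `build` job, which runs on every push and pull request per the `if:` above it, while the only step that needs it — the `softprops/action-gh-release` step later in rust.yml — is itself gated on `startsWith(github.ref, 'refs/tags/')`. Every cargo and pnpm build step in this job therefore runs under a token that can write to the repository; the `persist-credentials: false` added to checkout keeps the token out of the git config but not out of `github.token`. The least-privilege shape is `contents: read` here and a separate tag-only job that downloads the build artifacts and runs the release step under `contents: write`. The `build` job continues outside the hunk.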
@@ -83,7 +89,9 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Update apt repositories
 if: matrix.target == 'aarch64-unknown-linux-gnu' || matrix.target == 'aarch64-unknown-linux-musl' || matrix.target == 'x86_64-unknown-linux-musl'
@@ -141,7 +149,7 @@ jobs:
 run: mv target/${{ matrix.target }}/release/squawk target/release/${{ matrix.artifact_name }}
 - name: Artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: release-${{ matrix.artifact_name }}
 path: target/release/${{ matrix.artifact_name }}
@@ -166,7 +174,7 @@ jobs:
 version: 9
 - name: VSCode - Setup node
- uses: actions/setup-node@v3
+ uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
 with:
 node-version-file: "squawk-vscode/package.json"
 cache-dependency-path: "squawk-vscode/pnpm-lock.yaml"
@@ -181,13 +189,13 @@ jobs:
 run: pnpm exec vsce pack --no-dependencies --target ${{ matrix.vscode_artifact_name }}
 - name: VSCode - Artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: squawk-vscode-${{ matrix.vscode_artifact_name }}
 path: squawk-vscode/*.vsix
 - name: Release
- uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
+ uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1 # zizmor: ignore[superfluous-actions]
 if: startsWith(github.ref, 'refs/tags/')
 with:
 files: |
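Review bot: The new `# zizmor: ignore[superfluous-actions]` on the Release step carries no reason for the suppression, whereas the two `use-trusted-publishing` ignores added in the same commit explain themselves (`trusted publishing isn't possible`). Anyone auditing suppressions later has nothing to go on, and an unexplained ignore tends to outlive whatever justified it; append a short reason after the bracket, e.g. `# zizmor: ignore[superfluous-actions] <why the release action is kept here>`. The Release step's `with:` block continues outside the hunk.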
@@ -204,14 +212,16 @@ jobs:
 contents: read
 id-token: write
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-node@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: 24
 - run: npm --version
 - name: Download release artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 path: artifacts
 pattern: release-squawk-*
@@ -257,10 +267,12 @@ jobs:
 IMAGE_NAME: ${{ github.repository }}
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Log in to the Container registry
- uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1 # 65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
@@ -298,7 +310,9 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Cache
 uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
@@ -309,7 +323,7 @@ jobs:
 - uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2
 with:
 version: 9
- - uses: actions/setup-node@v3
+ - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
 with:
 node-version-file: "playground/package.json"
 cache-dependency-path: "playground/pnpm-lock.yaml"
@@ -347,7 +361,9 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Install Toolchain
 uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
@@ -372,7 +388,9 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Install Toolchain
 uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
@@ -390,8 +408,10 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
- - uses: actions/setup-python@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
+ - uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4
 with:
 python-version-file: ".python-version"
@@ -404,7 +424,9 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Install Toolchain
 uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
@@ -425,13 +447,15 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Setup pnpm
 uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2
 with:
 version: 9
 - name: Setup node
- uses: actions/setup-node@v3
+ uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
 with:
 node-version-file: "squawk-vscode/package.json"
 cache-dependency-path: "squawk-vscode/pnpm-lock.yaml"
@@ -441,16 +465,16 @@ jobs:
 run: pnpm install
 - name: Download all VS Code artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 pattern: squawk-vscode-*
 path: ./dist
 - name: Publish Extension (VS Code Marketplace)
 working-directory: ./squawk-vscode
- run: pnpm exec vsce publish --pat ${{ secrets.MARKETPLACE_TOKEN }} --packagePath ../dist/squawk-vscode-*/*.vsix
+ run: pnpm exec vsce publish --pat ${{ secrets.MARKETPLACE_TOKEN }} --packagePath ../dist/squawk-vscode-*/*.vsix # zizmor: ignore[use-trusted-publishing] trusted publishing isn't possible
 - name: Publish Extension (Open VSX)
 working-directory: ./squawk-vscode
- run: pnpm exec ovsx publish --pat ${{ secrets.OPENVSX_TOKEN }} --packagePath ../dist/squawk-vscode-*/*.vsix
+ run: pnpm exec ovsx publish --pat ${{ secrets.OPENVSX_TOKEN }} --packagePath ../dist/squawk-vscode-*/*.vsix # zizmor: ignore[use-trusted-publishing] trusted publishing isn't possible
 timeout-minutes: 2
diff --git a/.github/workflows/vscode.yml b/.github/workflows/vscode.yml
index 84d683c0..4ef824b4 100644
--- a/.github/workflows/vscode.yml
+++ b/.github/workflows/vscode.yml
@@ -4,13 +4,15 @@ on:
 push:
 branches:
 - master
- tags:
- - "**"
 pull_request:
+permissions: {}
+
 jobs:
 pre_job:
 runs-on: ubuntu-latest
+ permissions:
+ actions: read
 outputs:
 should_skip: ${{ steps.skip_check.outputs.should_skip }}
 paths_result: ${{ steps.skip_check.outputs.paths_result }}
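Review bot: Both publish lines still splice the secret into the command (`--pat ${{ secrets.MARKETPLACE_TOKEN }}`, `--pat ${{ secrets.OPENVSX_TOKEN }}`), so the token is present in the step's argv on the runner, where any other process in the job can read it; the new ignore comments only silence the trusted-publishing audit and leave that as is. Both CLIs accept the token from the environment instead (`VSCE_PAT` for vsce, `OVSX_PAT` for ovsx), so an `env:` entry on each step such as `VSCE_PAT: ${{ secrets.MARKETPLACE_TOKEN }}` with `run: pnpm exec vsce publish --packagePath ../dist/squawk-vscode-*/*.vsix` keeps the secret off the command line at no cost to the ignore rationale. Note also that `timeout-minutes: 2` applies only to the Open VSX step; the Marketplace step has no timeout.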
@@ -26,13 +28,15 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Setup pnpm
 uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2
 with:
 version: 9
 - name: Setup node
- uses: actions/setup-node@v3
+ uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
 with:
 node-version-file: "squawk-vscode/package.json"
 cache-dependency-path: "squawk-vscode/pnpm-lock.yaml"
@@ -51,13 +55,15 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Setup pnpm
 uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2
 with:
 version: 9
 - name: Setup node
- uses: actions/setup-node@v3
+ uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
 with:
 node-version-file: "squawk-vscode/package.json"
 cache-dependency-path: "squawk-vscode/pnpm-lock.yaml"
@@ -76,13 +82,15 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Setup pnpm
 uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2
 with:
 version: 9
 - name: Setup node
- uses: actions/setup-node@v3
+ uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
 with:
 node-version-file: "squawk-vscode/package.json"
 cache-dependency-path: "squawk-vscode/pnpm-lock.yaml"