From 65f2dd47bf30829006e201155e778e9239bf3d3d Mon Sep 17 00:00:00 2001 From: Christopher Dignam Date: Fri, 22 May 2026 22:08:08 -0400 Subject: [PATCH 1/5] harden github action workflows ``` zizmor --gh-token=$(gh auth token) .github --fix=all ``` --- .github/workflows/js.yml | 22 ++++++++--- .github/workflows/python.yml | 37 ++++++++++++------- .github/workflows/rust.yml | 71 +++++++++++++++++++++++++++--------- .github/workflows/vscode.yml | 22 ++++++++--- 4 files changed, 108 insertions(+), 44 deletions(-) diff --git a/.github/workflows/js.yml b/.github/workflows/js.yml index f85b5be5..8a11f5d3 100644 --- a/.github/workflows/js.yml +++ b/.github/workflows/js.yml @@ -8,9 +8,13 @@ on: - "**" pull_request: +permissions: {} + jobs: pre_job: runs-on: ubuntu-latest + permissions: + actions: read outputs: should_skip: ${{ steps.skip_check.outputs.should_skip }} paths_result: ${{ steps.skip_check.outputs.paths_result }} @@ -26,13 +30,15 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Setup pnpm uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2 with: version: 9 - name: Use Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version-file: "package.json" cache: "pnpm" @@ -47,13 +53,15 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Setup pnpm uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2 with: version: 9 - name: Use Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version-file: "package.json" cache: "pnpm" 
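Review bot: With the workflow default set to `permissions: {}` in the `@@ -8,9 +8,13 @@` hunk of js.yml, only `pre_job` receives an explicit block, so every job that runs `actions/checkout` now relies on the repository being public to read its own contents. The same pattern repeats in python.yml (where the previous `contents: read` default is removed), rust.yml and vscode.yml. The job headers sit outside these hunks, so this is inferred from what is visible. If those jobs have no block of their own, give each job that checks out a `permissions:` entry with `contents: read`, which keeps the empty default and records what each job needs.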
@@ -68,13 +76,15 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Setup pnpm uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2 with: version: 9 - name: Use Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version-file: "package.json" cache: "pnpm" diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index 792bd65b..b37be1eb 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -9,12 +9,13 @@ on: pull_request: workflow_dispatch: -permissions: - contents: read +permissions: {} jobs: pre_job: runs-on: ubuntu-latest + permissions: + actions: read outputs: should_skip: ${{ steps.skip_check.outputs.should_skip }} paths_result: ${{ steps.skip_check.outputs.paths_result }} @@ -46,7 +47,9 @@ jobs: before-script: | python3 -m pip install ziglang==0.11.0 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Build wheels uses: PyO3/maturin-action@e83996d129638aa358a18fbd1dfb82f0b0fb5d3b # v1 with: @@ -55,10 +58,10 @@ jobs: working-directory: crates/squawk args: --release --out dist ${{ matrix.platform.maturin-options }} manylinux: ${{ matrix.platform.manylinux }} - sccache: ${{ matrix.platform.sccache }} + sccache: false before-script-linux: ${{ matrix.platform.before-script }} - name: Upload wheels - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: wheels-linux-${{ matrix.platform.target }} path: crates/squawk/dist 
@@ -76,16 +79,18 @@ jobs: - runner: windows-latest target: x86 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Build wheels uses: PyO3/maturin-action@e83996d129638aa358a18fbd1dfb82f0b0fb5d3b # v1 with: target: ${{ matrix.platform.target }} working-directory: crates/squawk args: --release --out dist - sccache: "true" + sccache: false - name: Upload wheels - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: wheels-windows-${{ matrix.platform.target }} path: crates/squawk/dist @@ -103,16 +108,18 @@ jobs: - runner: macos-14 target: aarch64 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Build wheels uses: PyO3/maturin-action@e83996d129638aa358a18fbd1dfb82f0b0fb5d3b # v1 with: target: ${{ matrix.platform.target }} working-directory: crates/squawk args: --release --out dist - sccache: "true" + sccache: false - name: Upload wheels - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: wheels-macos-${{ matrix.platform.target }} path: crates/squawk/dist @@ -123,7 +130,9 @@ jobs: if: needs.pre_job.outputs.should_skip != 'true' || startsWith(github.ref, 'refs/tags/') runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Build sdist uses: PyO3/maturin-action@e83996d129638aa358a18fbd1dfb82f0b0fb5d3b # v1 with: @@ -131,7 +140,7 @@ jobs: working-directory: crates/squawk args: --out dist - name: Upload sdist - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: wheels-sdist path: crates/squawk/dist 
@@ -146,7 +155,7 @@ jobs: if: "startsWith(github.ref, 'refs/tags/')" needs: [linux, windows, macos, sdist] steps: - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 - name: Publish to PyPI uses: PyO3/maturin-action@e83996d129638aa358a18fbd1dfb82f0b0fb5d3b # v1 with: diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index 56f80ae5..420dae96 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -8,6 +8,8 @@ on: - "**" pull_request: +permissions: {} + env: RUST_BACKTRACE: 1 CARGO_TERM_COLOR: always @@ -16,6 +18,8 @@ env: jobs: pre_job: runs-on: ubuntu-22.04 + permissions: + actions: read outputs: should_skip: ${{ steps.skip_check.outputs.should_skip }} paths_result: ${{ steps.skip_check.outputs.paths_result }} @@ -28,6 +32,8 @@ jobs: build: needs: pre_job if: needs.pre_job.outputs.should_skip != 'true' || startsWith(github.ref, 'refs/tags/') + permissions: + contents: write strategy: fail-fast: false @@ -83,7 +89,9 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Update apt repositories if: matrix.target == 'aarch64-unknown-linux-gnu' || matrix.target == 'aarch64-unknown-linux-musl' || matrix.target == 'x86_64-unknown-linux-musl' @@ -102,6 +110,7 @@ jobs: uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2 with: version: 0.11.0 + use-cache: false - name: Install Toolchain uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable @@ -111,6 +120,8 @@ jobs: - name: Cache uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 + with: + lookup-only: true - name: Build run: | 
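Review bot: `contents: write` in the `@@ -28,6 +32,8 @@` hunk is granted to the whole `build` matrix job, whose `if:` also lets it run for ordinary pushes and pull requests, while the only visible consumer of write access is the tag-gated `softprops/action-gh-release` step later in the file (outside this hunk). Every toolchain installer and third-party action in the matrix therefore runs in a job whose token can modify releases and repository contents whenever the event hands out a writable token, and `persist-credentials: false` does not change that. Moving the release into its own tag-only job that downloads the uploaded artifacts lets `build` drop to `contents: read`. The sketch below assumes the release step lives in `build`, which the hunks suggest but do not show in full.

```yaml
  build:
    permissions:
      contents: read
    # … unchanged: matrix, build steps and artifact uploads …

  release:
    needs: build
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-22.04
    permissions:
      contents: write
    steps:
      - name: Download release artifacts
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
        with:
          path: artifacts
      - name: Release
        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
        with:
          # … unchanged: files list, pointed at the downloaded artifacts …
```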
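Review bot: `lookup-only: true` in the `@@ -111,6 +120,8 @@` hunk is unconditional, so the `Swatinem/rust-cache` step stops restoring a cache for pull-request and branch builds as well as for tagged releases. The same two lines are added at `@@ -298,10 +313,14 @@`, `@@ -357,6 +378,8 @@`, `@@ -381,6 +406,8 @@` and `@@ -413,6 +444,8 @@`. Scoping the setting to release refs keeps ordinary CI cached while still keeping restored cache contents out of published artifacts: `lookup-only: ${{ startsWith(github.ref, 'refs/tags/') }}`, with a comment above it such as `# tag builds publish artifacts; do not restore a cache there`.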
@@ -141,7 +152,7 @@ jobs: run: mv target/${{ matrix.target }}/release/squawk target/release/${{ matrix.artifact_name }} - name: Artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: release-${{ matrix.artifact_name }} path: target/release/${{ matrix.artifact_name }} @@ -166,7 +177,7 @@ jobs: version: 9 - name: VSCode - Setup node - uses: actions/setup-node@v3 + uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version-file: "squawk-vscode/package.json" cache-dependency-path: "squawk-vscode/pnpm-lock.yaml" @@ -181,7 +192,7 @@ jobs: run: pnpm exec vsce pack --no-dependencies --target ${{ matrix.vscode_artifact_name }} - name: VSCode - Artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: squawk-vscode-${{ matrix.vscode_artifact_name }} path: squawk-vscode/*.vsix @@ -204,14 +215,16 @@ jobs: contents: read id-token: write steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 24 - run: npm --version - name: Download release artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: path: artifacts pattern: release-squawk-* @@ -257,7 +270,9 @@ jobs: IMAGE_NAME: ${{ github.repository }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Log in to the Container registry uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1 # 65b78e6e13532edd9afa3aa52ac7964289d1a9c1 
@@ -298,10 +313,14 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Cache uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 + with: + lookup-only: true - name: Install wasm-pack run: curl https://rustwasm.github.io/wasm-pack/installer/init.sh -sSf | sh @@ -309,7 +328,7 @@ jobs: - uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2 with: version: 9 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version-file: "playground/package.json" cache-dependency-path: "playground/pnpm-lock.yaml" @@ -347,7 +366,9 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Install Toolchain uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable @@ -357,6 +378,8 @@ jobs: - name: Cache uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 + with: + lookup-only: true - name: Get Clippy Version run: cargo clippy --version @@ -372,7 +395,9 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Install Toolchain uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable @@ -381,6 +406,8 @@ jobs: - name: Cache uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 + with: + lookup-only: true - name: Test run: ./s/test 
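Review bot: The `Install wasm-pack` step kept as context in the `@@ -298,10 +313,14 @@` hunk still pipes `https://rustwasm.github.io/wasm-pack/installer/init.sh` straight into `sh`, which leaves one unpinned, unverified download in a job whose actions are otherwise pinned by commit SHA. Whatever that URL serves at run time executes on the runner, and a comment later in this series states that the job's build output is deployed on tags. A pinned install closes the gap, for example `run: cargo install wasm-pack --version <PINNED_VERSION> --locked`. Alternatively, download a fixed release archive and check it against a recorded SHA-256 before unpacking.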
@@ -390,8 +417,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 - - uses: actions/setup-python@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4 with: python-version-file: ".python-version" @@ -404,7 +433,9 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Install Toolchain uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable @@ -413,6 +444,8 @@ jobs: - name: Cache uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 + with: + lookup-only: true - name: Publish to crates.io run: cargo publish --workspace @@ -425,13 +458,15 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Setup pnpm uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2 with: version: 9 - name: Setup node - uses: actions/setup-node@v3 + uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version-file: "squawk-vscode/package.json" cache-dependency-path: "squawk-vscode/pnpm-lock.yaml" @@ -441,7 +476,7 @@ jobs: run: pnpm install - name: Download all VS Code artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: pattern: squawk-vscode-* path: ./dist diff --git a/.github/workflows/vscode.yml b/.github/workflows/vscode.yml index 84d683c0..389de1c3 100644 --- a/.github/workflows/vscode.yml +++ b/.github/workflows/vscode.yml 
@@ -8,9 +8,13 @@ on: - "**" pull_request: +permissions: {} + jobs: pre_job: runs-on: ubuntu-latest + permissions: + actions: read outputs: should_skip: ${{ steps.skip_check.outputs.should_skip }} paths_result: ${{ steps.skip_check.outputs.paths_result }} @@ -26,13 +30,15 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Setup pnpm uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2 with: version: 9 - name: Setup node - uses: actions/setup-node@v3 + uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version-file: "squawk-vscode/package.json" cache-dependency-path: "squawk-vscode/pnpm-lock.yaml" @@ -51,13 +57,15 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Setup pnpm uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2 with: version: 9 - name: Setup node - uses: actions/setup-node@v3 + uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version-file: "squawk-vscode/package.json" cache-dependency-path: "squawk-vscode/pnpm-lock.yaml" @@ -76,13 +84,15 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Setup pnpm uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2 with: version: 9 - name: Setup node - uses: actions/setup-node@v3 + uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version-file: "squawk-vscode/package.json" cache-dependency-path: "squawk-vscode/pnpm-lock.yaml" From 984fba48581b0a2915536d70de2884e1758ac556 Mon Sep 17 00:00:00 2001 
From: Christopher Dignam Date: Sat, 23 May 2026 17:21:31 -0400 Subject: [PATCH 2/5] restrict workflows more --- .github/workflows/js.yml | 2 -- .github/workflows/rust.yml | 26 ++++++++++++++++---------- .github/workflows/vscode.yml | 2 -- 3 files changed, 16 insertions(+), 14 deletions(-) diff --git a/.github/workflows/js.yml b/.github/workflows/js.yml index 8a11f5d3..b7b05f74 100644 --- a/.github/workflows/js.yml +++ b/.github/workflows/js.yml @@ -4,8 +4,6 @@ on: push: branches: - master - tags: - - "**" pull_request: permissions: {} diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index 420dae96..d2019940 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -180,8 +180,9 @@ jobs: uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version-file: "squawk-vscode/package.json" - cache-dependency-path: "squawk-vscode/pnpm-lock.yaml" - cache: "pnpm" + # Explicitly disable package-manager caching to avoid cache poisoning + # in this artifact-publishing workflow (honored by setup-node v5+). + package-manager-cache: false - name: VSCode - Install JS dependencies working-directory: "squawk-vscode" @@ -198,7 +199,7 @@ jobs: path: squawk-vscode/*.vsix - name: Release - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1 + uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1 # zizmor: ignore[superfluous-actions] if: startsWith(github.ref, 'refs/tags/') with: files: | @@ -221,6 +222,9 @@ jobs: - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 24 + # Disable package-manager caching in this publishing workflow to + # prevent cache poisoning (honored by setup-node v5+). + package-manager-cache: false - run: npm --version - name: Download release artifacts 
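Review bot: The comment added in the `@@ -180,8 +180,9 @@` hunk says `package-manager-cache: false` is honored by setup-node v5+, but the step stays pinned to a v3 commit, so by the comment's own account the input does nothing here and caching is actually switched off by deleting `cache: "pnpm"`. The same applies at `@@ -331,8 +335,9 @@` and `@@ -469,8 +474,9 @@`; at `@@ -221,6 +222,9 @@`, pinned to v4, no `cache` line was removed, so that hunk appears to change no behaviour. Either move the pin to a release that understands the input, or drop the input and describe what really happens, e.g. `# no cache input set, so setup-node restores no dependency cache in this publishing job`.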
@@ -275,7 +279,7 @@ jobs: persist-credentials: false - name: Log in to the Container registry - uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1 # 65b78e6e13532edd9afa3aa52ac7964289d1a9c1 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -331,8 +335,9 @@ jobs: - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version-file: "playground/package.json" - cache-dependency-path: "playground/pnpm-lock.yaml" - cache: "pnpm" + # Caching disabled to prevent cache poisoning: this job's build + # output is deployed to Netlify on tags. + package-manager-cache: false - name: Install JS dependencies working-directory: "playground" @@ -469,8 +474,9 @@ jobs: uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version-file: "squawk-vscode/package.json" - cache-dependency-path: "squawk-vscode/pnpm-lock.yaml" - cache: "pnpm" + # Disable package-manager caching in this publishing workflow to + # prevent cache poisoning (honored by setup-node v5+). + package-manager-cache: false - name: Install JS dependencies working-directory: "squawk-vscode" run: pnpm install @@ -483,9 +489,9 @@ jobs: - name: Publish Extension (VS Code Marketplace) working-directory: ./squawk-vscode - run: pnpm exec vsce publish --pat ${{ secrets.MARKETPLACE_TOKEN }} --packagePath ../dist/squawk-vscode-*/*.vsix + run: pnpm exec vsce publish --pat ${{ secrets.MARKETPLACE_TOKEN }} --packagePath ../dist/squawk-vscode-*/*.vsix # zizmor: ignore[use-trusted-publishing] - name: Publish Extension (Open VSX) working-directory: ./squawk-vscode - run: pnpm exec ovsx publish --pat ${{ secrets.OPENVSX_TOKEN }} --packagePath ../dist/squawk-vscode-*/*.vsix + run: pnpm exec ovsx publish --pat ${{ secrets.OPENVSX_TOKEN }} --packagePath ../dist/squawk-vscode-*/*.vsix # zizmor: ignore[use-trusted-publishing] timeout-minutes: 2 
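Review bot: Both publish steps in the `@@ -483,9 +489,9 @@` hunk expand the tokens into the command line with `--pat ${{ secrets.MARKETPLACE_TOKEN }}` and `--pat ${{ secrets.OPENVSX_TOKEN }}`, so each token is pasted into the generated shell script and appears in the process arguments of `pnpm`, `vsce` and `ovsx` on the runner. Passing it through the step environment avoids both: `vsce` reads `VSCE_PAT` and `ovsx` reads `OVSX_PAT`, so the `--pat` argument can be dropped. The follow-up commit that only extends the `zizmor: ignore` comments on these two lines (`@@ -489,9 +489,9 @@`) leaves the same pattern in place.

```yaml
      - name: Publish Extension (VS Code Marketplace)
        working-directory: ./squawk-vscode
        env:
          VSCE_PAT: ${{ secrets.MARKETPLACE_TOKEN }}
        run: pnpm exec vsce publish --packagePath ../dist/squawk-vscode-*/*.vsix # zizmor: ignore[use-trusted-publishing]

      - name: Publish Extension (Open VSX)
        working-directory: ./squawk-vscode
        env:
          OVSX_PAT: ${{ secrets.OPENVSX_TOKEN }}
        run: pnpm exec ovsx publish --packagePath ../dist/squawk-vscode-*/*.vsix # zizmor: ignore[use-trusted-publishing]
        timeout-minutes: 2
```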
diff --git a/.github/workflows/vscode.yml b/.github/workflows/vscode.yml index 389de1c3..4ef824b4 100644 --- a/.github/workflows/vscode.yml +++ b/.github/workflows/vscode.yml @@ -4,8 +4,6 @@ on: push: branches: - master - tags: - - "**" pull_request: permissions: {} From b9996810d89393b24dca5112e8ce4ca3cd54b9e3 Mon Sep 17 00:00:00 2001 From: Christopher Dignam Date: Sat, 23 May 2026 17:38:14 -0400 Subject: [PATCH 3/5] doc --- .github/workflows/rust.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index d2019940..e77f554f 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -489,9 +489,9 @@ jobs: - name: Publish Extension (VS Code Marketplace) working-directory: ./squawk-vscode - run: pnpm exec vsce publish --pat ${{ secrets.MARKETPLACE_TOKEN }} --packagePath ../dist/squawk-vscode-*/*.vsix # zizmor: ignore[use-trusted-publishing] + run: pnpm exec vsce publish --pat ${{ secrets.MARKETPLACE_TOKEN }} --packagePath ../dist/squawk-vscode-*/*.vsix # zizmor: ignore[use-trusted-publishing] trusted publishing isn't possible - name: Publish Extension (Open VSX) working-directory: ./squawk-vscode - run: pnpm exec ovsx publish --pat ${{ secrets.OPENVSX_TOKEN }} --packagePath ../dist/squawk-vscode-*/*.vsix # zizmor: ignore[use-trusted-publishing] + run: pnpm exec ovsx publish --pat ${{ secrets.OPENVSX_TOKEN }} --packagePath ../dist/squawk-vscode-*/*.vsix # zizmor: ignore[use-trusted-publishing] trusted publishing isn't possible timeout-minutes: 2 From 739460c3d3dd6c16cde52dbe4f272be3835cd1f4 Mon Sep 17 00:00:00 2001 From: Christopher Dignam Date: Sat, 23 May 2026 17:38:51 -0400 Subject: [PATCH 4/5] add back caching --- .github/workflows/rust.yml | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index e77f554f..dd3a6c4a 100644 --- a/.github/workflows/rust.yml 
+++ b/.github/workflows/rust.yml @@ -180,9 +180,8 @@ jobs: uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version-file: "squawk-vscode/package.json" - # Explicitly disable package-manager caching to avoid cache poisoning - # in this artifact-publishing workflow (honored by setup-node v5+). - package-manager-cache: false + cache-dependency-path: "squawk-vscode/pnpm-lock.yaml" + cache: "pnpm" - name: VSCode - Install JS dependencies working-directory: "squawk-vscode" @@ -222,9 +221,6 @@ jobs: - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 24 - # Disable package-manager caching in this publishing workflow to - # prevent cache poisoning (honored by setup-node v5+). - package-manager-cache: false - run: npm --version - name: Download release artifacts @@ -335,9 +331,8 @@ jobs: - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version-file: "playground/package.json" - # Caching disabled to prevent cache poisoning: this job's build - # output is deployed to Netlify on tags. - package-manager-cache: false + cache-dependency-path: "playground/pnpm-lock.yaml" + cache: "pnpm" - name: Install JS dependencies working-directory: "playground" @@ -474,9 +469,8 @@ jobs: uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version-file: "squawk-vscode/package.json" - # Disable package-manager caching in this publishing workflow to - # prevent cache poisoning (honored by setup-node v5+). - package-manager-cache: false + cache-dependency-path: "squawk-vscode/pnpm-lock.yaml" + cache: "pnpm" - name: Install JS dependencies working-directory: "squawk-vscode" run: pnpm install From 0706845cdb10d38217f10ce256061bea8197763c Mon Sep 17 00:00:00 2001 
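Review bot: The `@@ -474,9 +469,8 @@` hunk turns `cache: "pnpm"` back on for what appears to be the job that, a few steps later, runs `vsce publish` and `ovsx publish` with the marketplace tokens (those steps are outside this hunk). The packaged `.vsix` files arrive as artifacts, so what `pnpm install` takes from the cache here is presumably the publishing tooling itself, which is the code that handles the secrets. Leaving `cache-dependency-path` and `cache` out of this one job costs a short install and keeps restored cache contents away from the tokens. The jobs at `@@ -180,8 +180,8 @@` and `@@ -335,9 +331,8 @@` also feed release outputs, so restoring their caches deserves a one-line comment stating why it is accepted on tag builds.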
From: Christopher Dignam Date: Sun, 24 May 2026 11:37:49 -0400 Subject: [PATCH 5/5] undo caching changes --- .github/workflows/python.yml | 6 +++--- .github/workflows/rust.yml | 11 ----------- 2 files changed, 3 insertions(+), 14 deletions(-) diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index b37be1eb..4c6b0cdf 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -58,7 +58,7 @@ jobs: working-directory: crates/squawk args: --release --out dist ${{ matrix.platform.maturin-options }} manylinux: ${{ matrix.platform.manylinux }} - sccache: false + sccache: ${{ matrix.platform.sccache }} before-script-linux: ${{ matrix.platform.before-script }} - name: Upload wheels uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 @@ -88,7 +88,7 @@ jobs: target: ${{ matrix.platform.target }} working-directory: crates/squawk args: --release --out dist - sccache: false + sccache: "true" - name: Upload wheels uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: @@ -117,7 +117,7 @@ jobs: target: ${{ matrix.platform.target }} working-directory: crates/squawk args: --release --out dist - sccache: false + sccache: "true" - name: Upload wheels uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index dd3a6c4a..45a60e91 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -110,7 +110,6 @@ jobs: uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2 with: version: 0.11.0 - use-cache: false - name: Install Toolchain uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable @@ -120,8 +119,6 @@ jobs: - name: Cache uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - with: - lookup-only: true - name: Build run: | 
@@ -319,8 +316,6 @@ jobs: - name: Cache uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - with: - lookup-only: true - name: Install wasm-pack run: curl https://rustwasm.github.io/wasm-pack/installer/init.sh -sSf | sh @@ -378,8 +373,6 @@ jobs: - name: Cache uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - with: - lookup-only: true - name: Get Clippy Version run: cargo clippy --version @@ -406,8 +399,6 @@ jobs: - name: Cache uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - with: - lookup-only: true - name: Test run: ./s/test @@ -444,8 +435,6 @@ jobs: - name: Cache uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - with: - lookup-only: true - name: Publish to crates.io run: cargo publish --workspace