
Commit bf14efb

authored
Merge pull request #237 from crazy-max/zizmor
ci: zizmor workflow
2 parents 9d5b766 + 1fe53ba commit bf14efb


10 files changed

+106
-47
lines changed


.github/dependabot.yml

Lines changed: 8 additions & 5 deletions
@@ -4,18 +4,21 @@ updates:
44
directory: "/"
55
schedule:
66
interval: "daily"
7-
ignore:
8-
# ignore this dependency
9-
# it seems a bug with dependabot as pining to commit sha should not
10-
# trigger a new version similar to https://github.com/docker/buildx/pull/2222#issuecomment-1919092153
11-
- dependency-name: "docker/actions-toolkit"
7+
cooldown:
8+
default-days: 2
9+
groups:
10+
crazy-max-dot-github:
11+
patterns:
12+
- "crazy-max/.github/*"
1213
labels:
1314
- "dependencies"
1415
- "bot"
1516
- package-ecosystem: "npm"
1617
directory: "/"
1718
schedule:
1819
interval: "daily"
20+
cooldown:
21+
default-days: 2
1922
allow:
2023
- dependency-type: "production"
2124
labels:
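Review bot: The new `cooldown` stanza (new lines 7–8 and 20–21) gives no reason for the two-day value, so a reader unfamiliar with the option cannot tell it is a deliberate supply-chain delay rather than a rate limit. Suggest a comment above each stanza such as `# wait 2 days before adopting a newly published version, so a compromised or yanked release can be caught first`. If I recall correctly, Dependabot security updates are not held back by the cooldown, so advisory-driven bumps are not delayed; worth confirming against the docs and stating in the comment if so.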

.github/workflows/ci.yml

Lines changed: 20 additions & 17 deletions
@@ -1,5 +1,8 @@
11
name: ci
22

3+
permissions:
4+
contents: read
5+
36
concurrency:
47
group: ${{ github.workflow }}-${{ github.ref }}
58
cancel-in-progress: true
@@ -38,7 +41,7 @@ jobs:
3841
steps:
3942
-
4043
name: Checkout
41-
uses: actions/checkout@v6
44+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
4245
-
4346
name: Set up Docker
4447
uses: ./
@@ -58,7 +61,7 @@ jobs:
5861
steps:
5962
-
6063
name: Checkout
61-
uses: actions/checkout@v6
64+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
6265
-
6366
name: Set up Docker
6467
uses: ./
@@ -79,7 +82,7 @@ jobs:
7982
steps:
8083
-
8184
name: Checkout
82-
uses: actions/checkout@v6
85+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
8386
-
8487
name: Set up Docker
8588
uses: ./
@@ -106,7 +109,7 @@ jobs:
106109
steps:
107110
-
108111
name: Checkout
109-
uses: actions/checkout@v6
112+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
110113
-
111114
name: Set up Docker
112115
uses: ./
@@ -123,7 +126,7 @@ jobs:
123126
steps:
124127
-
125128
name: Checkout
126-
uses: actions/checkout@v6
129+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
127130
-
128131
name: Set up Docker
129132
uses: ./
@@ -143,7 +146,7 @@ jobs:
143146
steps:
144147
-
145148
name: Checkout
146-
uses: actions/checkout@v6
149+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
147150
-
148151
name: Uninstall containerd
149152
if: matrix.containerd == 'containerd-tarball'
@@ -160,13 +163,13 @@ jobs:
160163
docker run -d -p 5000:5000 --restart=always --name registry registry:2
161164
-
162165
name: Set up Docker Buildx
163-
uses: docker/setup-buildx-action@v4
166+
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
164167
with:
165168
driver: docker
166169
driver-opts: network=host
167170
-
168171
name: Build and push
169-
uses: docker/build-push-action@v7
172+
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
170173
with:
171174
context: ./test
172175
push: true
@@ -187,7 +190,7 @@ jobs:
187190
steps:
188191
-
189192
name: Checkout
190-
uses: actions/checkout@v6
193+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
191194
-
192195
name: Set up Docker
193196
uses: ./
@@ -199,13 +202,13 @@ jobs:
199202
docker run -d -p 5000:5000 --restart=always --name registry registry:2
200203
-
201204
name: Set up Docker Buildx
202-
uses: docker/setup-buildx-action@v4
205+
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
203206
with:
204207
driver: docker
205208
driver-opts: network=host
206209
-
207210
name: Build and push
208-
uses: docker/build-push-action@v7
211+
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
209212
with:
210213
context: ./test
211214
push: true
@@ -221,7 +224,7 @@ jobs:
221224
steps:
222225
-
223226
name: Checkout
224-
uses: actions/checkout@v6
227+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
225228
-
226229
name: Set up Docker
227230
uses: ./
@@ -242,7 +245,7 @@ jobs:
242245
steps:
243246
-
244247
name: Checkout
245-
uses: actions/checkout@v6
248+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
246249
-
247250
name: Set up Docker
248251
uses: ./
@@ -259,7 +262,7 @@ jobs:
259262
steps:
260263
-
261264
name: Checkout
262-
uses: actions/checkout@v6
265+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
263266
-
264267
name: Set up Docker
265268
uses: ./
@@ -284,7 +287,7 @@ jobs:
284287
steps:
285288
-
286289
name: Checkout
287-
uses: actions/checkout@v6
290+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
288291
-
289292
name: Set up Docker
290293
id: setup_docker
@@ -313,7 +316,7 @@ jobs:
313316
steps:
314317
-
315318
name: Checkout
316-
uses: actions/checkout@v6
319+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
317320
-
318321
name: Set up Docker
319322
uses: ./
@@ -335,7 +338,7 @@ jobs:
335338
steps:
336339
-
337340
name: Checkout
338-
uses: actions/checkout@v6
341+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
339342
-
340343
name: Set up Docker
341344
uses: ./
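Review bot: Every `uses:` in this file is now pinned to a commit SHA, but the `docker run -d -p 5000:5000 --restart=always --name registry registry:2` lines in the hunks at `@@ -160,13 +163,13 @@` and `@@ -199,13 +202,13 @@` still pull a mutable tag from Docker Hub on every run, which is the same class of supply-chain exposure the commit is closing for actions. Pinning it by digest, `registry:2@sha256:<DIGEST-PLACEHOLDER>`, makes the job reproducible; Dependabot will not update a digest inside a `run:` script, so a short comment noting where the digest comes from would help whoever bumps it. The registry is only reached by the job itself on `localhost:5000`, so the exposure is a poisoned image executing on the runner rather than a published artifact — lower, but worth closing for consistency.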

.github/workflows/codeql.yml

Lines changed: 10 additions & 9 deletions
@@ -1,45 +1,46 @@
11
name: codeql
22

3+
permissions:
4+
contents: read
5+
36
on:
47
push:
58
branches:
69
- 'master'
710
- 'releases/v*'
811
pull_request:
912

10-
permissions:
11-
actions: read
12-
contents: read
13-
security-events: write
14-
1513
env:
1614
NODE_VERSION: "24"
1715

1816
jobs:
1917
analyze:
2018
runs-on: ubuntu-latest
19+
permissions:
20+
contents: read
21+
security-events: write
2122
steps:
2223
-
2324
name: Checkout
24-
uses: actions/checkout@v6
25+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
2526
-
2627
name: Enable corepack
2728
run: |
2829
corepack enable
2930
yarn --version
3031
-
3132
name: Set up Node
32-
uses: actions/setup-node@v6
33+
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
3334
with:
3435
node-version: ${{ env.NODE_VERSION }}
3536
-
3637
name: Initialize CodeQL
37-
uses: github/codeql-action/init@v4
38+
uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
3839
with:
3940
languages: javascript-typescript
4041
build-mode: none
4142
-
4243
name: Perform CodeQL Analysis
43-
uses: github/codeql-action/analyze@v4
44+
uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
4445
with:
4546
category: "/language:javascript-typescript"
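Review bot: The job-level `permissions` block added at new lines 19–21 drops the `actions: read` that the removed top-level block granted, and nothing in the file records why. The CodeQL action's documentation lists `actions: read` as required for the results upload only in private and internal repositories, so this is fine while the repository is public, but the `Perform CodeQL Analysis` step would start failing if it were ever made private. Either keep `actions: read # needed only for private/internal repositories` in the job block, or add a comment stating that it was dropped because the repository is public.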

.github/workflows/pr-assign-author.yml

Lines changed: 2 additions & 2 deletions
@@ -4,14 +4,14 @@ permissions:
44
contents: read
55

66
on:
7-
pull_request_target:
7+
pull_request_target: # zizmor: ignore[dangerous-triggers] safe to use without checkout
88
types:
99
- opened
1010
- reopened
1111

1212
jobs:
1313
run:
14-
uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@20ef82212dc54bab5749f5e05576ca6d3c8a5773 # v1.1.0
14+
uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@bb328ea508cd6a89d0865555ddbeb148e5724aed # v1.3.0
1515
permissions:
1616
contents: read
1717
pull-requests: write
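Review bot: The `# zizmor: ignore[dangerous-triggers] safe to use without checkout` comment on new line 7 suppresses the finding but states only half the reason: `pull_request_target` is acceptable here because the called reusable workflow (`crazy-max/.github/.github/workflows/pr-assign-author.yml`, pinned at the new SHA on line 14) does not check out or execute the pull request's code, and that property lives in another repository and has to be re-verified each time the ref is bumped. Suggest making the comment say so, e.g. `# zizmor: ignore[dangerous-triggers] the reusable workflow below does not check out or run PR code; re-verify on every ref bump`. The `pull-requests: write` grant at line 17 is what an assign step needs, so keeping it job-scoped next to `contents: read` is the right shape.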

.github/workflows/publish.yml

Lines changed: 9 additions & 2 deletions
@@ -1,5 +1,12 @@
11
name: publish
22

3+
permissions:
4+
contents: read
5+
6+
concurrency:
7+
group: ${{ github.workflow }}-${{ github.ref }}
8+
cancel-in-progress: true
9+
310
on:
411
release:
512
types:
@@ -15,7 +22,7 @@ jobs:
1522
steps:
1623
-
1724
name: Checkout
18-
uses: actions/checkout@v6
25+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
1926
-
2027
name: Publish
21-
uses: actions/publish-immutable-action@v0.0.4
28+
uses: actions/publish-immutable-action@4bc8754ffc40f27910afb20287dbbbb675a4e978 # v0.0.4
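Review bot: `cancel-in-progress: true` at new line 8 is risky for a publishing workflow: the group key is `${{ github.workflow }}-${{ github.ref }}`, so a second run on the same release ref (a re-run, or whichever release `types` are listed just past line 5) cancels a publish that may already be half done. For `publish` the safer setting is `cancel-in-progress: false`, or dropping the `concurrency` block and letting runs queue. Separately, the workflow-level `contents: read` added at new lines 3–4 now applies to the publish job, whose header is outside the hunk at `@@ -15,7 +22,7 @@`; `actions/publish-immutable-action` needs `id-token: write` and `packages: write` at job level, so confirm the job declares them or the publish step will be refused.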

.github/workflows/test.yml

Lines changed: 7 additions & 4 deletions
@@ -1,5 +1,8 @@
11
name: test
22

3+
permissions:
4+
contents: read
5+
36
concurrency:
47
group: ${{ github.workflow }}-${{ github.ref }}
58
cancel-in-progress: true
@@ -17,16 +20,16 @@ jobs:
1720
steps:
1821
-
1922
name: Checkout
20-
uses: actions/checkout@v6
23+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
2124
-
2225
name: Test
23-
uses: docker/bake-action@v7
26+
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
2427
with:
28+
source: .
2529
targets: test
2630
-
2731
name: Upload coverage
28-
uses: codecov/codecov-action@v5
32+
uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5.5.4
2933
with:
30-
source: .
3134
files: ./coverage/clover.xml
3235
token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/update-dist.yml

Lines changed: 12 additions & 5 deletions
@@ -1,5 +1,12 @@
11
name: update-dist
22

3+
permissions:
4+
contents: read
5+
6+
concurrency:
7+
group: ${{ github.workflow }}-${{ github.ref }}
8+
cancel-in-progress: true
9+
310
on:
411
pull_request:
512
types:
@@ -8,27 +15,27 @@ on:
815

916
jobs:
1017
update-dist:
11-
if: github.actor == 'dependabot[bot]'
18+
if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
1219
runs-on: ubuntu-latest
1320
steps:
1421
-
1522
name: GitHub auth token from GitHub App
1623
id: docker-read-app
17-
uses: actions/create-github-app-token@v3
24+
uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
1825
with:
1926
app-id: ${{ secrets.GHACTIONS_REPO_WRITE_APP_ID }}
2027
private-key: ${{ secrets.GHACTIONS_REPO_WRITE_APP_PRIVATE_KEY }}
2128
owner: docker
2229
-
2330
name: Checkout
24-
uses: actions/checkout@v6
31+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
2532
with:
2633
ref: ${{ github.event.pull_request.head.ref }}
2734
fetch-depth: 0
28-
token: ${{ steps.docker-read-app.outputs.token || github.token }}
35+
token: ${{ steps.docker-read-app.outputs.token }}
2936
-
3037
name: Build
31-
uses: docker/bake-action@v7
38+
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
3239
with:
3340
source: .
3441
targets: build
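Review bot: The new `if` condition at new line 18 adds a same-repository guard (`github.repository == github.event.pull_request.head.repo.full_name`) without a comment, and the reason is not obvious from the hunk: the job checks out `github.event.pull_request.head.ref` with a GitHub App token that has repository write access and, judging by the workflow name, pushes a rebuilt `dist` back (the steps after `Build` are outside the hunk), so it must never run for a head branch owned by a fork. Suggest `# same-repo Dependabot PRs only: the App token below has write access and the head branch is pushed back to` above the `if`. Also, the `create-github-app-token` step at new line 24 sets `owner: docker` but no `repositories:` input, which per that action's documentation mints a token for every repository the App is installed on under that owner; adding `repositories: ${{ github.event.repository.name }}` scopes it to this repository only. The switch from `github.actor` to `github.event.pull_request.user.login` is a good change, since `github.actor` is whoever triggered the event, not the PR author.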

.github/workflows/validate.yml

Lines changed: 6 additions & 3 deletions
@@ -1,5 +1,8 @@
11
name: validate
22

3+
permissions:
4+
contents: read
5+
36
concurrency:
47
group: ${{ github.workflow }}-${{ github.ref }}
58
cancel-in-progress: true
@@ -19,11 +22,11 @@ jobs:
1922
steps:
2023
-
2124
name: Checkout
22-
uses: actions/checkout@v6
25+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
2326
-
2427
name: Generate matrix
2528
id: generate
26-
uses: docker/bake-action/subaction/matrix@v7
29+
uses: docker/bake-action/subaction/matrix@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
2730
with:
2831
target: validate
2932

@@ -38,6 +41,6 @@ jobs:
3841
steps:
3942
-
4043
name: Validate
41-
uses: docker/bake-action@v7
44+
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
4245
with:
4346
targets: ${{ matrix.target }}
