From 20e5fa8b55cbe2e75e4ad2a4fde0f508d30d1069 Mon Sep 17 00:00:00 2001 From: Florian Imdahl Date: Sat, 20 Dec 2025 14:45:24 +0100 Subject: [PATCH 1/2] chore: Verify GH actions lock file --- .github/workflows/actions.lock.json | 76 +++++++++++++++++++ .github/workflows/build_test_publish.yml | 5 ++ .github/workflows/codeberg_mirror.yml | 8 +- .github/workflows/codeql.yml | 95 +++++++++++++----------- .github/workflows/gitlab_mirror.yml | 6 ++ 5 files changed, 144 insertions(+), 46 deletions(-) create mode 100644 .github/workflows/actions.lock.json diff --git a/.github/workflows/actions.lock.json b/.github/workflows/actions.lock.json new file mode 100644 index 000000000..9e4d61536 --- /dev/null +++ b/.github/workflows/actions.lock.json @@ -0,0 +1,76 @@ +{ + "version": 1, + "generated": "2025-12-20T13:42:38.193Z", + "actions": { + "actions/checkout": [ + { + "version": "v6", + "sha": "8e8c483db84b4bee98b60c0593521ed34d9990e8", + "integrity": "sha256-d414ece895ebce08c818601c45ca8489806731838f8eed6356031b3d1877a7a1", + "dependencies": [] + } + ], + "yesolutions/mirror-action": [ + { + "version": "v0.7.0", + "sha": "1708f16cdb28634fd3ba10c5c79abc91f5578a14", + "integrity": "sha256-d14a65d12b637636590fcac0b0283f59e5c0bf6875cbf260d743450ed3036275", + "dependencies": [] + } + ], + "github/codeql-action/init": [ + { + "version": "v4", + "sha": "5d4e8d1aca955e8d8589aabd499c5cae939e33c7", + "integrity": "sha256-ef09cb9701c722ee5f2758840cc6d1cf99017825aaa8aa451a239a7348a70a27", + "dependencies": [] + } + ], + "github/codeql-action/analyze": [ + { + "version": "v4", + "sha": "5d4e8d1aca955e8d8589aabd499c5cae939e33c7", + "integrity": "sha256-ef09cb9701c722ee5f2758840cc6d1cf99017825aaa8aa451a239a7348a70a27", + "dependencies": [] + } + ], + "SvanBoxel/gitlab-mirror-and-ci-action": [ + { + "version": "5c211f993d35256d96b772d995972f434b94e11a", + "sha": "5c211f993d35256d96b772d995972f434b94e11a", + "integrity": "sha256-5e32a00c0cce4bee092fa5150c70651fae8f2636dd1769e29de72677f33d3030", + "dependencies": [] + } + ], + "oven-sh/setup-bun": [ + { + "version": "v2", + "sha": "735343b667d3e6f658f44d0eca948eb6282f2b76", + "integrity": "sha256-476f44de816b487b0b73224d623d1e7a788fa2d183a45647f836302486afe716", + "dependencies": [] + } + ], + "gjtorikian/gh-actions-lockfile": [ + { + "version": "v1.0.0", + "sha": "1d035750cf88b9cceae3ae6d9c351562bd160890", + "integrity": "sha256-129ffa3172da74903a9ecefd5b0db9f7679ae5c53978333b0bf07887ae3c619e", + "dependencies": [ + { + "ref": "oven-sh/setup-bun@v2", + "sha": "735343b667d3e6f658f44d0eca948eb6282f2b76", + "integrity": "sha256-476f44de816b487b0b73224d623d1e7a788fa2d183a45647f836302486afe716" + } + ] + } + ], + "actions/setup-node": [ + { + "version": "v6", + "sha": "395ad3262231945c25e8478fd5baf05154b1d79f", + "integrity": "sha256-1a5a752048e0de0f754f1c3ca6b923503899bf080b3d08f81fca277de87b3794", + "dependencies": [] + } + ] + } +} diff --git a/.github/workflows/build_test_publish.yml b/.github/workflows/build_test_publish.yml index ac026c624..cfa2afbeb 100644 --- a/.github/workflows/build_test_publish.yml +++ b/.github/workflows/build_test_publish.yml @@ -18,6 +18,11 @@ jobs: - name: Checkout repository uses: actions/checkout@v6 + - name: Verify actions lockfile + uses: gjtorikian/gh-actions-lockfile@v1.0.0 + with: + mode: verify + - name: Set up Node.js uses: actions/setup-node@v6 with: diff --git a/.github/workflows/codeberg_mirror.yml b/.github/workflows/codeberg_mirror.yml index e59e8484a..53b5caffc 100644 --- a/.github/workflows/codeberg_mirror.yml +++ b/.github/workflows/codeberg_mirror.yml @@ -13,7 +13,13 @@ jobs: - uses: actions/checkout@v6 with: fetch-depth: 0 - - uses: yesolutions/mirror-action@662fce0eced8996f64d7fa264d76cddd84827f33 + + - name: Verify actions lockfile + uses: gjtorikian/gh-actions-lockfile@v1.0.0 + with: + mode: verify + + - uses: yesolutions/mirror-action@v0.7.0 with: REMOTE: 'ssh://git@codeberg.org/ffflorian/node-packages.git' GIT_SSH_PRIVATE_KEY: ${{ secrets.CODEBERG_SECRET }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 6c0b509e6..e78c22b89 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -9,13 +9,13 @@ # the `language` matrix defined below to confirm you have the correct set of # supported CodeQL languages. # -name: "CodeQL Advanced" +name: 'CodeQL Advanced' on: push: - branches: [ "main" ] + branches: ['main'] pull_request: - branches: [ "main" ] + branches: ['main'] schedule: - cron: '17 16 * * 0' @@ -43,10 +43,10 @@ jobs: fail-fast: false matrix: include: - - language: actions - build-mode: none - - language: javascript-typescript - build-mode: none + - language: actions + build-mode: none + - language: javascript-typescript + build-mode: none # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' # Use `c-cpp` to analyze code written in C, C++ or both # Use 'java-kotlin' to analyze code written in Java, Kotlin or both @@ -56,46 +56,51 @@ jobs: # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages steps: - - name: Checkout repository - uses: actions/checkout@v6 + - name: Checkout repository + uses: actions/checkout@v6 - # Add any setup steps before running the `github/codeql-action/init` action. - # This includes steps like installing compilers or runtimes (`actions/setup-node` - # or others). This is typically only required for manual builds. - # - name: Setup runtime (example) - # uses: actions/setup-example@v1 + - name: Verify actions lockfile + uses: gjtorikian/gh-actions-lockfile@v1.0.0 + with: + mode: verify - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v4 - with: - languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. + # Add any setup steps before running the `github/codeql-action/init` action. + # This includes steps like installing compilers or runtimes (`actions/setup-node` + # or others). This is typically only required for manual builds. + # - name: Setup runtime (example) + # uses: actions/setup-example@v1 - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v4 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. - # If the analyze step fails for one of the languages you are analyzing with - # "We were unable to automatically build your code", modify the matrix above - # to set the build mode to "manual" for that language. Then modify this step - # to build your code. - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - name: Run manual build steps - if: matrix.build-mode == 'manual' - shell: bash - run: | - echo 'If you are using a "manual" build mode for one or more of the' \ - 'languages you are analyzing, replace this with the commands to build' \ - 'your code, for example:' - echo ' make bootstrap' - echo ' make release' - exit 1 + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 - with: - category: "/language:${{matrix.language}}" + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + - name: Run manual build steps + if: matrix.build-mode == 'manual' + shell: bash + run: | + echo 'If you are using a "manual" build mode for one or more of the' \ + 'languages you are analyzing, replace this with the commands to build' \ + 'your code, for example:' + echo ' make bootstrap' + echo ' make release' + exit 1 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v4 + with: + category: '/language:${{matrix.language}}' diff --git a/.github/workflows/gitlab_mirror.yml b/.github/workflows/gitlab_mirror.yml index 466e5641e..e795077db 100644 --- a/.github/workflows/gitlab_mirror.yml +++ b/.github/workflows/gitlab_mirror.yml @@ -13,6 +13,12 @@ jobs: - uses: actions/checkout@v6 with: fetch-depth: 0 + + - name: Verify actions lockfile + uses: gjtorikian/gh-actions-lockfile@v1.0.0 + with: + mode: verify + - name: Mirror + trigger CI uses: SvanBoxel/gitlab-mirror-and-ci-action@5c211f993d35256d96b772d995972f434b94e11a with: From 2194156ff73971e075db71e67396e5bf05e878d6 Mon Sep 17 00:00:00 2001 From: Florian Imdahl Date: Sat, 20 Dec 2025 14:53:19 +0100 Subject: [PATCH 2/2] use commit hashes instead --- .github/workflows/actions.lock.json | 76 ------------------------ .github/workflows/build_test_publish.yml | 9 +-- .github/workflows/codeberg_mirror.yml | 9 +-- .github/workflows/codeql.yml | 11 +--- .github/workflows/gitlab_mirror.yml | 7 +-- 5 files changed, 8 insertions(+), 104 deletions(-) delete mode 100644 .github/workflows/actions.lock.json diff --git a/.github/workflows/actions.lock.json b/.github/workflows/actions.lock.json deleted file mode 100644 index 9e4d61536..000000000 --- a/.github/workflows/actions.lock.json +++ /dev/null @@ -1,76 +0,0 @@ -{ - "version": 1, - "generated": "2025-12-20T13:42:38.193Z", - "actions": { - "actions/checkout": [ - { - "version": "v6", - "sha": "8e8c483db84b4bee98b60c0593521ed34d9990e8", - "integrity": "sha256-d414ece895ebce08c818601c45ca8489806731838f8eed6356031b3d1877a7a1", - "dependencies": [] - } - ], - "yesolutions/mirror-action": [ - { - "version": "v0.7.0", - "sha": "1708f16cdb28634fd3ba10c5c79abc91f5578a14", - "integrity": "sha256-d14a65d12b637636590fcac0b0283f59e5c0bf6875cbf260d743450ed3036275", - "dependencies": [] - } - ], - "github/codeql-action/init": [ - { - "version": "v4", - "sha": "5d4e8d1aca955e8d8589aabd499c5cae939e33c7", - "integrity": "sha256-ef09cb9701c722ee5f2758840cc6d1cf99017825aaa8aa451a239a7348a70a27", - "dependencies": [] - } - ], - "github/codeql-action/analyze": [ - { - "version": "v4", - "sha": "5d4e8d1aca955e8d8589aabd499c5cae939e33c7", - "integrity": "sha256-ef09cb9701c722ee5f2758840cc6d1cf99017825aaa8aa451a239a7348a70a27", - "dependencies": [] - } - ], - "SvanBoxel/gitlab-mirror-and-ci-action": [ - { - "version": "5c211f993d35256d96b772d995972f434b94e11a", - "sha": "5c211f993d35256d96b772d995972f434b94e11a", - "integrity": "sha256-5e32a00c0cce4bee092fa5150c70651fae8f2636dd1769e29de72677f33d3030", - "dependencies": [] - } - ], - "oven-sh/setup-bun": [ - { - "version": "v2", - "sha": "735343b667d3e6f658f44d0eca948eb6282f2b76", - "integrity": "sha256-476f44de816b487b0b73224d623d1e7a788fa2d183a45647f836302486afe716", - "dependencies": [] - } - ], - "gjtorikian/gh-actions-lockfile": [ - { - "version": "v1.0.0", - "sha": "1d035750cf88b9cceae3ae6d9c351562bd160890", - "integrity": "sha256-129ffa3172da74903a9ecefd5b0db9f7679ae5c53978333b0bf07887ae3c619e", - "dependencies": [ - { - "ref": "oven-sh/setup-bun@v2", - "sha": "735343b667d3e6f658f44d0eca948eb6282f2b76", - "integrity": "sha256-476f44de816b487b0b73224d623d1e7a788fa2d183a45647f836302486afe716" - } - ] - } - ], - "actions/setup-node": [ - { - "version": "v6", - "sha": "395ad3262231945c25e8478fd5baf05154b1d79f", - "integrity": "sha256-1a5a752048e0de0f754f1c3ca6b923503899bf080b3d08f81fca277de87b3794", - "dependencies": [] - } - ] - } -} diff --git a/.github/workflows/build_test_publish.yml b/.github/workflows/build_test_publish.yml index cfa2afbeb..694f20fa5 100644 --- a/.github/workflows/build_test_publish.yml +++ b/.github/workflows/build_test_publish.yml @@ -16,15 +16,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v6 - - - name: Verify actions lockfile - uses: gjtorikian/gh-actions-lockfile@v1.0.0 - with: - mode: verify + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f with: node-version: 24.x cache: yarn diff --git a/.github/workflows/codeberg_mirror.yml b/.github/workflows/codeberg_mirror.yml index 53b5caffc..975398302 100644 --- a/.github/workflows/codeberg_mirror.yml +++ b/.github/workflows/codeberg_mirror.yml @@ -10,16 +10,11 @@ jobs: mirror: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 with: fetch-depth: 0 - - name: Verify actions lockfile - uses: gjtorikian/gh-actions-lockfile@v1.0.0 - with: - mode: verify - - - uses: yesolutions/mirror-action@v0.7.0 + - uses: yesolutions/mirror-action@662fce0eced8996f64d7fa264d76cddd84827f33 with: REMOTE: 'ssh://git@codeberg.org/ffflorian/node-packages.git' GIT_SSH_PRIVATE_KEY: ${{ secrets.CODEBERG_SECRET }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e78c22b89..5114ec55f 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -57,12 +57,7 @@ jobs: # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages steps: - name: Checkout repository - uses: actions/checkout@v6 - - - name: Verify actions lockfile - uses: gjtorikian/gh-actions-lockfile@v1.0.0 - with: - mode: verify + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # Add any setup steps before running the `github/codeql-action/init` action. # This includes steps like installing compilers or runtimes (`actions/setup-node` @@ -72,7 +67,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} @@ -101,6 +96,6 @@ jobs: exit 1 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 with: category: '/language:${{matrix.language}}' diff --git a/.github/workflows/gitlab_mirror.yml b/.github/workflows/gitlab_mirror.yml index e795077db..88eb47006 100644 --- a/.github/workflows/gitlab_mirror.yml +++ b/.github/workflows/gitlab_mirror.yml @@ -10,15 +10,10 @@ jobs: mirror: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 with: fetch-depth: 0 - - name: Verify actions lockfile - uses: gjtorikian/gh-actions-lockfile@v1.0.0 - with: - mode: verify - - name: Mirror + trigger CI uses: SvanBoxel/gitlab-mirror-and-ci-action@5c211f993d35256d96b772d995972f434b94e11a with: