From c98b8af9ffa0d4e7eb2c1b7c25c32306f9addea4 Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Mon, 30 Mar 2026 14:20:20 +0200 Subject: [PATCH 1/2] ci: zizmor workflow Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- .github/workflows/zizmor.yml | 29 +++++++++++++++++++++++++++++ .github/zizmor.yml | 3 +++ 2 files changed, 32 insertions(+) create mode 100644 .github/workflows/zizmor.yml create mode 100644 .github/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..a485e93 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,29 @@ +name: zizmor + +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +on: + workflow_dispatch: + push: + branches: + - 'master' + - 'releases/v*' + tags: + - 'v*' + pull_request: + +jobs: + zizmor: + uses: crazy-max/.github/.github/workflows/zizmor.yml@bb328ea508cd6a89d0865555ddbeb148e5724aed # v1.3.0 + permissions: + contents: read + security-events: write + with: + min-severity: medium + min-confidence: medium + persona: pedantic diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000..6415720 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,3 @@ +rules: + secrets-outside-env: # FIXME: remove this rule when zizmor 1.24.0 is released, fixing the right persona attached to this rule: https://github.com/zizmorcore/zizmor/pull/1783 + disable: true From 1fe53ba57de8b17323afe85033252147454dbdf4 Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Mon, 30 Mar 2026 14:20:29 +0200 Subject: [PATCH 2/2] fix zizmor findings Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- .github/dependabot.yml | 13 +++++---- .github/workflows/ci.yml | 37 ++++++++++++++------------ .github/workflows/codeql.yml | 19 ++++++------- .github/workflows/pr-assign-author.yml | 4 +-- .github/workflows/publish.yml | 11 ++++++-- .github/workflows/test.yml | 11 +++++--- .github/workflows/update-dist.yml | 17 ++++++++---- .github/workflows/validate.yml | 9 ++++--- 8 files changed, 74 insertions(+), 47 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 19cdeaa..3cb54c0 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,11 +4,12 @@ updates: directory: "/" schedule: interval: "daily" - ignore: - # ignore this dependency - # it seems a bug with dependabot as pining to commit sha should not - # trigger a new version similar to https://github.com/docker/buildx/pull/2222#issuecomment-1919092153 - - dependency-name: "docker/actions-toolkit" + cooldown: + default-days: 2 + groups: + crazy-max-dot-github: + patterns: + - "crazy-max/.github/*" labels: - "dependencies" - "bot" @@ -16,6 +17,8 @@ updates: directory: "/" schedule: interval: "daily" + cooldown: + default-days: 2 allow: - dependency-type: "production" labels: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1d80d69..1e804d0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,5 +1,8 @@ name: ci +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -38,7 +41,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker uses: ./ @@ -58,7 +61,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker uses: ./ @@ -79,7 +82,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker uses: ./ @@ -106,7 +109,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker uses: ./ @@ -123,7 +126,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker uses: ./ @@ -143,7 +146,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Uninstall containerd if: matrix.containerd == 'containerd-tarball' @@ -160,13 +163,13 @@ jobs: docker run -d -p 5000:5000 --restart=always --name registry registry:2 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 with: driver: docker driver-opts: network=host - name: Build and push - uses: docker/build-push-action@v7 + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 with: context: ./test push: true @@ -187,7 +190,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker uses: ./ @@ -199,13 +202,13 @@ jobs: docker run -d -p 5000:5000 --restart=always --name registry registry:2 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 with: driver: docker driver-opts: network=host - name: Build and push - uses: docker/build-push-action@v7 + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 with: context: ./test push: true @@ -221,7 +224,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker uses: ./ @@ -242,7 +245,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker uses: ./ @@ -259,7 +262,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker uses: ./ @@ -284,7 +287,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker id: setup_docker @@ -313,7 +316,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker uses: ./ @@ -335,7 +338,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker uses: ./ diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 07ce72d..843bacd 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,5 +1,8 @@ name: codeql +permissions: + contents: read + on: push: branches: @@ -7,21 +10,19 @@ on: - 'releases/v*' pull_request: -permissions: - actions: read - contents: read - security-events: write - env: NODE_VERSION: "24" jobs: analyze: runs-on: ubuntu-latest + permissions: + contents: read + security-events: write steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Enable corepack run: | @@ -29,17 +30,17 @@ jobs: yarn --version - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: ${{ env.NODE_VERSION }} - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 with: languages: javascript-typescript build-mode: none - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 with: category: "/language:javascript-typescript" diff --git a/.github/workflows/pr-assign-author.yml b/.github/workflows/pr-assign-author.yml index 571b370..79e6137 100644 --- a/.github/workflows/pr-assign-author.yml +++ b/.github/workflows/pr-assign-author.yml @@ -4,14 +4,14 @@ permissions: contents: read on: - pull_request_target: + pull_request_target: # zizmor: ignore[dangerous-triggers] safe to use without checkout types: - opened - reopened jobs: run: - uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@20ef82212dc54bab5749f5e05576ca6d3c8a5773 # v1.1.0 + uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@bb328ea508cd6a89d0865555ddbeb148e5724aed # v1.3.0 permissions: contents: read pull-requests: write diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index edad97f..57635a7 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -1,5 +1,12 @@ name: publish +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + on: release: types: @@ -15,7 +22,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Publish - uses: actions/publish-immutable-action@v0.0.4 + uses: actions/publish-immutable-action@4bc8754ffc40f27910afb20287dbbbb675a4e978 # v0.0.4 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 122f898..668aec3 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,5 +1,8 @@ name: test +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -17,16 +20,16 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Test - uses: docker/bake-action@v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: + source: . targets: test - name: Upload coverage - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5.5.4 with: - source: . files: ./coverage/clover.xml token: ${{ secrets.CODECOV_TOKEN }} diff --git a/.github/workflows/update-dist.yml b/.github/workflows/update-dist.yml index fefe728..8b57b08 100644 --- a/.github/workflows/update-dist.yml +++ b/.github/workflows/update-dist.yml @@ -1,5 +1,12 @@ name: update-dist +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + on: pull_request: types: @@ -8,27 +15,27 @@ on: jobs: update-dist: - if: github.actor == 'dependabot[bot]' + if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name runs-on: ubuntu-latest steps: - name: GitHub auth token from GitHub App id: docker-read-app - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0 with: app-id: ${{ secrets.GHACTIONS_REPO_WRITE_APP_ID }} private-key: ${{ secrets.GHACTIONS_REPO_WRITE_APP_PRIVATE_KEY }} owner: docker - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ github.event.pull_request.head.ref }} fetch-depth: 0 - token: ${{ steps.docker-read-app.outputs.token || github.token }} + token: ${{ steps.docker-read-app.outputs.token }} - name: Build - uses: docker/bake-action@v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: source: . targets: build diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 33aed91..2657986 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -1,5 +1,8 @@ name: validate +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -19,11 +22,11 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Generate matrix id: generate - uses: docker/bake-action/subaction/matrix@v7 + uses: docker/bake-action/subaction/matrix@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: target: validate @@ -38,6 +41,6 @@ jobs: steps: - name: Validate - uses: docker/bake-action@v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: targets: ${{ matrix.target }}