Merged
38 changes: 33 additions & 5 deletions .github/workflows/basic-validation.yml
Expand Up @@ -12,8 +12,36 @@ on:
- '**.md'

jobs:
call-basic-validation:
name: Basic validation
uses: actions/reusable-workflows/.github/workflows/basic-validation.yml@main
with:
node-version: '24.x'
build:
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
steps:
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
Comment on lines +22 to +23
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Set persist-credentials: false on checkout.

Static analysis flags credential persistence (artipacked): the GitHub token is persisted to the local git config for the job's lifetime and could leak via later steps/artifacts. Since no subsequent step needs authenticated git access, disable persistence.

🔒 Proposed fix
       - name: Checkout
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

Before:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

After:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 22-23: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/basic-validation.yml around lines 22 - 23, The Checkout
step in the basic-validation workflow is persisting the GitHub token in the
local git config, which static analysis flags. Update the actions/checkout usage
in the workflow to disable credential persistence by setting persist-credentials
to false, since no later step needs authenticated git access.

Source: Linters/SAST tools


- name: Setup Node.js 24.x
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 24.x
cache: npm

- name: Install dependencies
run: npm ci --ignore-scripts

- name: Run prettier
run: npm run format-check

- name: Run linter
run: npm run lint

- name: Build
run: npm run build

- name: Test
run: npm test

- name: Audit packages
run: npm audit --audit-level=high
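Review bot: the new inline `build` job checks out with the default `persist-credentials`, so the job token stays in `.git/config` for every later step (`npm ci`, `npm run build`, `npm test`, `npm audit`) even though none of them needs authenticated git; add `with: persist-credentials: false` to the `actions/checkout` step, as the inline thread above also suggests. It is also worth confirming that a `permissions: contents: read` block exists above this hunk at workflow or job level: the job is no longer executed via the reusable workflow and now runs with whatever scope this file, or the repository default, grants.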
39 changes: 34 additions & 5 deletions .github/workflows/check-dist.yml
Expand Up @@ -12,8 +12,37 @@ on:
workflow_dispatch:

jobs:
call-check-dist:
name: Check dist/
uses: actions/reusable-workflows/.github/workflows/check-dist.yml@main
with:
node-version: '24.x'
check-dist:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

- name: Setup Node.js 24.x
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 24.x
cache: npm

- name: Install dependencies
run: npm ci --ignore-scripts

- name: Rebuild the dist directory
run: npm run build

- name: Compare the expected and actual dist directories
run: |
if [ "$(git diff --ignore-space-at-eol ./dist | wc -l)" -gt "0" ]; then
echo "Detected uncommitted changes after the build. See the status below:"
git diff
exit 1
fi
id: diff

# If inners of the dist directory were different than expected, upload the expected version as an artifact
- name: Upload artifact
if: ${{ failure() && steps.diff.conclusion == 'failure' }}
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
with:
name: dist
path: ./dist
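Review bot: `git diff --ignore-space-at-eol ./dist` in the compare step only reports modifications to tracked files, so a build that adds a new untracked file under `dist/` passes the check silently; use `git status --porcelain ./dist` (or run `git add -N ./dist` before the diff) so additions are caught too, and pass the same `--ignore-space-at-eol` flag to the `git diff` that prints the status, otherwise the output shows whitespace noise the check itself ignored. The checkout step here has the same `persist-credentials` concern raised on basic-validation.yml: nothing after it needs git credentials, yet the `upload-artifact` step runs with the token still in `.git/config`.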
22 changes: 11 additions & 11 deletions .github/workflows/e2e-cache.yml
Expand Up @@ -21,7 +21,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest]
node-version: [20, 22, 24]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Clean global cache
run: npm cache clean --force
- name: Setup Node
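Review bot: the SHA pins in this file (`actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10` here and in every hunk below) carry no trailing `# vX.Y.Z` comment, unlike the `# v6.0.3` convention used in basic-validation.yml and check-dist.yml in the same change; without it a reader cannot tell which release the digest corresponds to, and Dependabot/Renovate rely on that comment to propose pin updates. Suggest `- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3` throughout, and the same comment form in proxy.yml, publish-immutable-actions.yml and versions.yml. Unrelated but visible in the context lines: the `os` matrix lists `macos-latest` twice, so the macOS leg runs twice per Node version.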
Expand All @@ -44,9 +44,9 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest]
node-version: [20, 22, 24]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Install pnpm
uses: pnpm/action-setup@v4
uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1
with:
version: 6.10.0
- name: Generate pnpm file
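Review bot: `pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1` replaces the `@v4` tag with a digest but has no version comment, so nothing in the file confirms that the digest is the v4 release that was intended; add `# v4` (or the exact v4.x.y tag the SHA resolves to) after the pin. Note that the pnpm binary installed is still selected by the `version: 6.10.0` input, not by the action SHA, so pinning the action does not by itself pin pnpm.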
Expand Down Expand Up @@ -77,7 +77,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest]
node-version: [20, 22, 24]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Yarn version
run: yarn --version
- name: Generate yarn file
Expand Down Expand Up @@ -109,7 +109,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest]
node-version: [20, 22, 24]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Update yarn
run: yarn set version 3.6.4
- name: Yarn version
Expand Down Expand Up @@ -143,7 +143,7 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10

- name: prepare sub-projects
run: __tests__/prepare-yarn-subprojects.sh yarn1
Expand All @@ -170,7 +170,7 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10

- name: prepare sub-projects
run: __tests__/prepare-yarn-subprojects.sh keepcache keepcache
Expand All @@ -197,7 +197,7 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10

- name: prepare sub-projects
run: __tests__/prepare-yarn-subprojects.sh global
Expand All @@ -224,7 +224,7 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10

- name: prepare sub-projects
run: /bin/bash __tests__/prepare-yarn-subprojects.sh keepcache
Expand Down Expand Up @@ -253,7 +253,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest]
node-version: [20, 22, 24]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Create package.json with packageManager field
run: |
echo '{ "name": "test-project", "version": "1.0.0", "packageManager": "npm@8.0.0" }' > package.json
Expand All @@ -278,7 +278,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest]
node-version: [20, 22, 24]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Create package.json with devEngines field
run: |
echo '{
22 changes: 19 additions & 3 deletions .github/workflows/licensed.yml
Expand Up @@ -10,6 +10,22 @@ on:
workflow_dispatch:

jobs:
call-licensed:
name: Licensed
uses: actions/reusable-workflows/.github/workflows/licensed.yml@main
validate-cached-dependency-records:
name: Check licenses
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

- name: Install dependencies
run: npm ci --ignore-scripts

- name: Install licensed tool
run: |
cd "$RUNNER_TEMP"
curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.9.0/licensed-3.9.0-linux-x64.tar.gz
sudo tar -xzf licensed.tar.gz
sudo mv licensed /usr/local/bin/licensed

- name: Check cached dependency records
run: licensed status
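Review bot: the `Install licensed tool` step downloads `licensed-3.9.0-linux-x64.tar.gz` with `curl` and extracts it with no integrity check, so the job trusts whatever the release URL serves at run time; record the release tarball's SHA-256 in the workflow and verify it before extracting, e.g. `echo "<expected-sha256>  licensed.tar.gz" | sha256sum -c -` between the `curl` and `tar` lines (placeholder digest; take the value from the 3.9.0 release assets). The `sudo` on `tar -xzf` is unnecessary since the archive is extracted inside `$RUNNER_TEMP`; only the `mv` into `/usr/local/bin` needs elevated rights. Separately, this job runs `npm ci` without a `setup-node` step, so it uses whatever Node the runner image ships rather than the 24.x the other workflows in this change pin.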
4 changes: 2 additions & 2 deletions .github/workflows/proxy.yml
Expand Up @@ -25,7 +25,7 @@ jobs:
env:
https_proxy: http://squid-proxy:3128
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Clear tool cache
run: rm -rf $RUNNER_TOOL_CACHE/*
- name: Setup node 24
Expand All @@ -41,7 +41,7 @@ jobs:
https_proxy: http://no-such-proxy:3128
no_proxy: api.github.com,github.com,cdn.npmmirror.com,registry.npmjs.org,*.s3.amazonaws.com,s3.amazonaws.com
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Clear tool cache
run: rm -rf $RUNNER_TOOL_CACHE/*
- name: Setup node 24
2 changes: 1 addition & 1 deletion .github/workflows/publish-immutable-actions.yml
Expand Up @@ -14,7 +14,7 @@ jobs:

steps:
- name: Checking out
uses: actions/checkout@v6
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Publish
id: publish
uses: actions/publish-immutable-action@v0.0.4
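Review bot: within the same `steps` list the checkout is now digest-pinned while `actions/publish-immutable-action@v0.0.4` stays on a mutable tag; since this is the workflow that publishes the action package itself, it is the step where a repointed tag would do the most damage, so pin it to its commit SHA with a `# v0.0.4` comment like the other pinned actions in this change, and add `# v6.0.3` to the checkout pin here for consistency with basic-validation.yml.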
20 changes: 10 additions & 10 deletions .github/workflows/versions.yml
Expand Up @@ -20,7 +20,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest]
node-version: [20, 22, 24]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Setup Node
uses: ./
with:
Expand All @@ -37,7 +37,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest]
node-version: [20.10.0, 22.0.0, 24.9.0]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Setup Node
uses: ./
with:
Expand All @@ -54,7 +54,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest]
node-version: [20, 22, 24]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Setup Node and check latest
uses: ./
with:
Expand All @@ -73,7 +73,7 @@ jobs:
node-version-file:
[.nvmrc, .tool-versions, .tool-versions-node, package.json]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Setup node from node version file
uses: ./
with:
Expand All @@ -88,7 +88,7 @@ jobs:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Setup node from node version file
uses: ./
with:
Expand All @@ -103,7 +103,7 @@ jobs:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Setup node from node version file
uses: ./
with:
Expand All @@ -118,7 +118,7 @@ jobs:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Setup node from node version file
uses: ./
with:
Expand All @@ -134,7 +134,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest]
node-version: [17, 19]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Setup Node from dist
uses: ./
with:
Expand All @@ -150,7 +150,7 @@ jobs:
matrix:
os: [ubuntu-latest, windows-latest, macos-15-intel]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
# test old versions which didn't have npm and layout different
- name: Setup node 0.12.18 from dist
uses: ./
Expand All @@ -163,7 +163,7 @@ jobs:
arch:
runs-on: windows-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
- name: Setup node 20 x86 from dist
uses: ./
with:
2 changes: 1 addition & 1 deletion .licenses/npm/@actions/cache.dep.yml
20 changes: 0 additions & 20 deletions .licenses/npm/@actions/core-1.11.1.dep.yml

This file was deleted.

20 changes: 0 additions & 20 deletions .licenses/npm/@actions/core-2.0.1.dep.yml

This file was deleted.

20 changes: 0 additions & 20 deletions .licenses/npm/@actions/exec-1.1.1.dep.yml

This file was deleted.
