diff --git a/.github/dependabot.yml b/.github/dependabot.yml index bc63aca35b..1bc0eb3ff2 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,3 +4,5 @@ updates: directory: '/' schedule: interval: 'monthly' + cooldown: + default-days: 7 diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml index 5879ad3efb..677d49a694 100644 --- a/.github/workflows/add-to-project.yml +++ b/.github/workflows/add-to-project.yml @@ -4,7 +4,7 @@ on: issues: types: - opened - pull_request_target: + pull_request_target: # zizmor: ignore[dangerous-triggers] types: - opened diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6c12508883..2a396cb75a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -12,6 +12,8 @@ on: types: [checks_requested] workflow_call: +permissions: {} + concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.ref }} cancel-in-progress: ${{ github.event_name == 'pull_request' }} @@ -25,6 +27,8 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -72,6 +76,8 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -149,6 +155,8 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 89f73d436c..6c863978c7 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -6,9 +6,13 @@ on: tags: - v7.** +permissions: {} + jobs: deploy: runs-on: ubuntu-latest + permissions: + contents: read concurrency: group: ${{ github.workflow }}-${{ github.ref }} steps: @@ -23,6 +27,7 @@ jobs: submodules: true fetch-depth: 0 token: ${{ steps.generate-token.outputs.token }} + persist-credentials: false - name: Get short SHA for HEAD id: get-short-sha diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 924e048d39..a2f3f2cd68 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,10 +5,14 @@ on: branches: - next +permissions: {} + jobs: check-release-criteria: name: Check Release Criteria runs-on: ubuntu-latest + permissions: + contents: read outputs: should_release: ${{ steps.check.outputs.should_release }} steps: @@ -16,6 +20,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 2 + persist-credentials: false - name: Check release criteria id: check @@ -94,6 +99,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -123,4 +130,5 @@ jobs: - name: Create GitHub release env: GH_TOKEN: ${{ fromJSON(steps.secret-service.outputs.secrets).GITHUB_TOKEN }} - run: gh release create "v${{ steps.version.outputs.version }}" --target ${{ github.sha }} --generate-notes --prerelease + STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }} + run: gh release create "v${STEPS_VERSION_OUTPUTS_VERSION}" --target ${{ github.sha }} --generate-notes --prerelease