diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 3f34bedf..fac254db 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -11,7 +11,7 @@ updates:
 commit-message:
 prefix: chore
 cooldown:
- default-days: 3
+ default-days: 7
 open-pull-requests-limit: 10
 - package-ecosystem: npm
 directory: '/'
@@ -25,7 +25,7 @@ updates:
 commit-message:
 prefix: chore
 cooldown:
- default-days: 3
+ default-days: 7
 groups:
 format:
 patterns:
diff --git a/.github/workflows/build-directory-cache.yaml b/.github/workflows/build-directory-cache.yaml
index d5cff8c9..ea22780e 100644
--- a/.github/workflows/build-directory-cache.yaml
+++ b/.github/workflows/build-directory-cache.yaml
@@ -3,6 +3,9 @@ name: Build Directory Cache
 on:
 workflow_dispatch:
+permissions:
+ contents: write # needed by stefanzweifel/git-auto-commit-action
+
 jobs:
 build-directory-cache:
 name: Build Directory Cache
@@ -15,6 +18,8 @@ jobs:
 - name: Git Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: true # needed by stefanzweifel/git-auto-commit-action
 - name: Cache Dependencies
 uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index de783236..ca0728c7 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
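Review bot: `persist-credentials: true` on the Git Checkout step is actions/checkout's default, so the added `with:` block records the dependency on the persisted token rather than changing behaviour, and the same applies to the identical hunk in .github/workflows/update-links.yml. Combined with the workflow-level `contents: write` added in the previous hunk, the token written into .git/config is available to every later step of the job, not only stefanzweifel/git-auto-commit-action, so any step between checkout and the commit runs with push capability. Since this workflow shows a single job, a job-level `permissions:` under `build-directory-cache:` would hold the same privilege while leaving any future job at the workflow default; I would also spell the trade-off out in the comment: `persist-credentials: true # token stays in .git/config for every later step; git-auto-commit-action pushes with it`. The step list continues outside the hunk.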
@@ -20,20 +20,19 @@ on:
 # Once a week
 - cron: '41 12 * * 4'
+permissions:
+ # required for all workflows
+ security-events: write
+ # required to fetch internal or private CodeQL packs
+ packages: read
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
 jobs:
 analyze:
 name: Analyze (javascript-typescript)
 runs-on: 'ubuntu-latest'
- permissions:
- # required for all workflows
- security-events: write
-
- # required to fetch internal or private CodeQL packs
- packages: read
-
- # only required for workflows in private repositories
- actions: read
- contents: read
 strategy:
 fail-fast: false
@@ -50,6 +49,8 @@ jobs:
 - name: Git Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Initialize CodeQL
 uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 2ecd5cb2..259d21c4 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -12,6 +12,8 @@ jobs:
 steps:
 - name: Git Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Dependency Review
 uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 173a9bfa..a69bf880 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -6,6 +6,9 @@ on:
 - main
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 deploy:
 name: Deploy Cloudflare Worker
@@ -29,6 +32,8 @@ jobs:
 - name: Git Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup Node
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
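Review bot: Moving `permissions:` from the `analyze` job to the top of codeql.yml widens the grant's scope instead of tightening it: the removed job-level block applied only to that job, whereas the new workflow-level block is inherited by every job in the file, so the two are equivalent only while `analyze` remains the sole job. A shape that keeps least privilege and still declares permissions explicitly at the top is `permissions: {}` at workflow level with the original block retained under `analyze:` (zizmor's excessive-permissions audit accepts that layout, if I remember its rule correctly). The copied comments also lose their meaning at file scope: `# only required for workflows in private repositories` now annotates a grant every job receives, so either drop `actions: read` if this repository is public or reword the comment to say which step needs it. The `analyze` job and its `strategy:` block continue outside the hunk.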
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
index 24355ede..f1a5cdac 100644
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@@ -10,6 +10,9 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 lint:
 name: Check Linting and Formatting
@@ -29,6 +32,8 @@ jobs:
 - name: Git Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup Node
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 0cfef72a..42747e6d 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -33,6 +33,8 @@ jobs:
 - name: Git Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup Node
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
diff --git a/.github/workflows/update-links.yml b/.github/workflows/update-links.yml
index 65cafa27..0229517c 100644
--- a/.github/workflows/update-links.yml
+++ b/.github/workflows/update-links.yml
@@ -1,7 +1,7 @@
 name: Update Redirect Links
 permissions:
- contents: write
+ contents: write # needed by stefanzweifel/git-auto-commit-action
 on:
 # Triggered by https://github.com/nodejs/node/blob/main/.github/workflows/update-release-links.yml
@@ -36,6 +36,8 @@ jobs:
 - name: Git Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: true # needed by stefanzweifel/git-auto-commit-action
 - name: Cache Dependencies
 uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
new file mode 100644
index 00000000..d2ba84c4
--- /dev/null
+++ b/.github/workflows/zizmor.yaml
@@ -0,0 +1,24 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ branches: main
+ pull_request:
+ branches: main
+
+permissions:
+ security-events: write
+ contents: read
+ actions: read
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
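Review bot: `security-events: write` is requested so the action can upload its SARIF report to code scanning, but on `pull_request` runs opened from a fork the GITHUB_TOKEN is read-only regardless of this block, so if the repository accepts fork pull requests those runs will presumably fail at the upload rather than surface findings; either document that limitation or confirm the action tolerates the missing permission. The `permissions:` block carries no comments, unlike the codeql.yml block touched in this same commit; `security-events: write # upload zizmor's SARIF to code scanning` would record why write access is needed. On style, `branches: main` is valid but the other workflows in this commit use the block-list form (`- main`) for branch filters, and the emoji in `name:` will appear in every check-run title and status message.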