From 1fba7f51a1d8adb8507f73a05831ddafbbd8d000 Mon Sep 17 00:00:00 2001
From: flakey5 <73616808+flakey5@users.noreply.github.com>
Date: Thu, 14 May 2026 15:53:16 -0700
Subject: [PATCH 1/4] ci: apply zizmor recommendations
Signed-off-by: flakey5 <73616808+flakey5@users.noreply.github.com>
---
 .github/dependabot.yml | 4 ++--
 .github/workflows/build-directory-cache.yaml | 5 ++++
 .github/workflows/codeql.yml | 2 ++
 .github/workflows/dependency-review.yml | 2 ++
 .github/workflows/deploy.yml | 5 ++++
 .github/workflows/format.yml | 5 ++++
 .github/workflows/test.yml | 2 ++
 .github/workflows/update-links.yml | 2 ++
 .github/workflows/zizmor.yaml | 25 ++++++++++++++++++++
 9 files changed, 50 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/zizmor.yaml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 3f34bedf..fac254db 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -11,7 +11,7 @@ updates:
 commit-message:
 prefix: chore
 cooldown:
- default-days: 3
+ default-days: 7
 open-pull-requests-limit: 10
 - package-ecosystem: npm
 directory: '/'
@@ -25,7 +25,7 @@ updates:
 commit-message:
 prefix: chore
 cooldown:
- default-days: 3
+ default-days: 7
 groups:
 format:
 patterns:
diff --git a/.github/workflows/build-directory-cache.yaml b/.github/workflows/build-directory-cache.yaml
index d5cff8c9..93684cbe 100644
--- a/.github/workflows/build-directory-cache.yaml
+++ b/.github/workflows/build-directory-cache.yaml
@@ -3,6 +3,9 @@ name: Build Directory Cache
 on:
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 build-directory-cache:
 name: Build Directory Cache
@@ -15,6 +18,8 @@ jobs:
 - name: Git Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Cache Dependencies
 uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index de783236..0e7d696a 100644
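Review bot: The bump of `default-days` to 7 carries a trade-off the hunk does not record: the longer cooldown protects against adopting a release that upstream pulls within days, but it also delays every non-advisory bug fix by a week. A short comment above `cooldown:` such as `# 7-day cooldown: give upstream time to yank a bad release before we adopt it` would make the intent survive the next person who wonders why it is not 3. As far as I recall, Dependabot security updates are not subject to cooldown, but that is worth confirming rather than assuming, since otherwise this also widens the patch window for advisories. The same applies to the second `cooldown:` hunk for the npm ecosystem.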
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -50,6 +50,8 @@ jobs:
 - name: Git Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Initialize CodeQL
 uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 2ecd5cb2..259d21c4 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -12,6 +12,8 @@ jobs:
 steps:
 - name: Git Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Dependency Review
 uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 173a9bfa..a69bf880 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -6,6 +6,9 @@ on:
 - main
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 deploy:
 name: Deploy Cloudflare Worker
@@ -29,6 +32,8 @@ jobs:
 - name: Git Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup Node
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
index 24355ede..f1a5cdac 100644
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@@ -10,6 +10,9 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 lint:
 name: Check Linting and Formatting
@@ -29,6 +32,8 @@ jobs:
 - name: Git Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup Node
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
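Review bot: In the dependency-review.yml hunk the only change is `persist-credentials: false`, and the diffstat adds no `permissions:` block to that file, so unless one already exists above line 12 the job still runs with the repository's default GITHUB_TOKEN scope — the same finding the other workflows in this commit address with a workflow-level `contents: read`. If that is the case, add `permissions: contents: read` at the top of the file (plus `pull-requests: write` only if the action's comment summary is enabled). The beginning of the workflow is outside the hunk, so this may already be in place.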
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 0cfef72a..42747e6d 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -33,6 +33,8 @@ jobs:
 - name: Git Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup Node
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
diff --git a/.github/workflows/update-links.yml b/.github/workflows/update-links.yml
index 65cafa27..ce4431e2 100644
--- a/.github/workflows/update-links.yml
+++ b/.github/workflows/update-links.yml
@@ -36,6 +36,8 @@ jobs:
 - name: Git Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Cache Dependencies
 uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
new file mode 100644
index 00000000..7c2c0f14
--- /dev/null
+++ b/.github/workflows/zizmor.yaml
@@ -0,0 +1,25 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ branches: main
+ pull_request:
+ branches: main
+
+permissions: {}
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ contents: read
+ actions: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
From 2cfbe9e45dea8885683479db2a09c681f7d66922 Mon Sep 17 00:00:00 2001
From: flakey5 <73616808+flakey5@users.noreply.github.com>
Date: Thu, 14 May 2026 16:13:49 -0700
Subject: [PATCH 2/4] review
Signed-off-by: flakey5 <73616808+flakey5@users.noreply.github.com>
---
 .github/workflows/build-directory-cache.yaml | 4 ++--
 .github/workflows/update-links.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
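Review bot: The new zizmor workflow runs on `pull_request`, but for pull requests from forks GITHUB_TOKEN is read-only regardless of the job-level `security-events: write` grant, so the action's SARIF upload will fail on those runs rather than report findings. If the repository accepts fork PRs, either gate the upload on `github.event.pull_request.head.repo.full_name == github.repository` (or use whatever the action documents for running without SARIF upload), or record the limitation with a comment such as `# SARIF upload needs security-events: write, which fork PRs do not receive`. The workflow-level `permissions: {}` with grants scoped to the `zizmor` job is the right shape and worth keeping.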
diff --git a/.github/workflows/build-directory-cache.yaml b/.github/workflows/build-directory-cache.yaml
index 93684cbe..3032c99e 100644
--- a/.github/workflows/build-directory-cache.yaml
+++ b/.github/workflows/build-directory-cache.yaml
@@ -4,7 +4,7 @@ on:
 workflow_dispatch:
 permissions:
- contents: read
+ contents: write
 jobs:
 build-directory-cache:
@@ -19,7 +19,7 @@ jobs:
 - name: Git Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
- persist-credentials: false
+ persist-credentials: true # needed by stefanzweifel/git-auto-commit-action
 - name: Cache Dependencies
 uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
diff --git a/.github/workflows/update-links.yml b/.github/workflows/update-links.yml
index ce4431e2..634d116c 100644
--- a/.github/workflows/update-links.yml
+++ b/.github/workflows/update-links.yml
@@ -37,7 +37,7 @@ jobs:
 - name: Git Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
- persist-credentials: false
+ persist-credentials: true # needed by stefanzweifel/git-auto-commit-action
 - name: Cache Dependencies
 uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
From 9141662e8cc063a95136c26a9b170e0758befa4a Mon Sep 17 00:00:00 2001
From: flakey5 <73616808+flakey5@users.noreply.github.com>
Date: Thu, 14 May 2026 16:58:31 -0700
Subject: [PATCH 3/4] Apply suggestions from code review
Co-authored-by: Matt Cowley
Signed-off-by: flakey5 <73616808+flakey5@users.noreply.github.com>
---
 .github/workflows/build-directory-cache.yaml | 2 +-
 .github/workflows/update-links.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-directory-cache.yaml b/.github/workflows/build-directory-cache.yaml
index 3032c99e..ea22780e 100644
--- a/.github/workflows/build-directory-cache.yaml
+++ b/.github/workflows/build-directory-cache.yaml
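Review bot: With `persist-credentials: true` the push-capable GITHUB_TOKEN is written into `.git/config` and is readable by every later step of the job — including whatever `actions/cache` restores and any npm lifecycle script — not only by git-auto-commit-action, so the comment should say that rather than just name the consumer, e.g. `# needed by stefanzweifel/git-auto-commit-action; the token is then readable by all later steps`. Two cheap mitigations: move `contents: write` under `jobs.build-directory-cache.permissions` with `permissions: {}` at workflow level so a job added later does not inherit it, and restrict with a push ruleset which branch that token may update. build-directory-cache is `workflow_dispatch`-only per the earlier hunk, which limits who can trigger it; update-links' trigger is outside its hunk and should be checked for events that can carry untrusted input.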
@@ -4,7 +4,7 @@ on:
 workflow_dispatch:
 permissions:
- contents: write
+ contents: write # needed by stefanzweifel/git-auto-commit-action
 jobs:
 build-directory-cache:
diff --git a/.github/workflows/update-links.yml b/.github/workflows/update-links.yml
index 634d116c..0229517c 100644
--- a/.github/workflows/update-links.yml
+++ b/.github/workflows/update-links.yml
@@ -1,7 +1,7 @@
 name: Update Redirect Links
 permissions:
- contents: write
+ contents: write # needed by stefanzweifel/git-auto-commit-action
 on:
 # Triggered by https://github.com/nodejs/node/blob/main/.github/workflows/update-release-links.yml
From 3fa978f1c0a8d3a8023aaafaffd512a370d2bb53 Mon Sep 17 00:00:00 2001
From: flakey5 <73616808+flakey5@users.noreply.github.com>
Date: Thu, 14 May 2026 17:13:03 -0700
Subject: [PATCH 4/4] review
Signed-off-by: flakey5 <73616808+flakey5@users.noreply.github.com>
---
 .github/workflows/codeql.yml | 19 +++++++++----------
 .github/workflows/zizmor.yaml | 9 ++++-----
 2 files changed, 13 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0e7d696a..ca0728c7 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -20,20 +20,19 @@ on:
 # Once a week
 - cron: '41 12 * * 4'
+permissions:
+ # required for all workflows
+ security-events: write
+ # required to fetch internal or private CodeQL packs
+ packages: read
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
 jobs:
 analyze:
 name: Analyze (javascript-typescript)
 runs-on: 'ubuntu-latest'
- permissions:
- # required for all workflows
- security-events: write
-
- # required to fetch internal or private CodeQL packs
- packages: read
-
- # only required for workflows in private repositories
- actions: read
- contents: read
 strategy:
 fail-fast: false
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
index 7c2c0f14..d2ba84c4 100644
--- a/.github/workflows/zizmor.yaml
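Review bot: Hoisting `security-events: write` and `packages: read` from the `analyze` job to the workflow level in codeql.yml extends them to every job in the file, including any added later, which reverses the workflow-level `{}` plus per-job grant pattern the rest of this series introduces. As far as I know zizmor does not object to job-level grants when the workflow level is `permissions: {}`, so unless there is another reason, keep `{}` at the top and leave the block on the job; if the workflow-level form is deliberate, a comment such as `# workflow-level on purpose: single-job workflow` would stop the next reviewer from moving it back. The rest of the `analyze` job is outside the hunk.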
+++ b/.github/workflows/zizmor.yaml
@@ -6,15 +6,14 @@ on:
 pull_request:
 branches: main
-permissions: {}
+permissions:
+ security-events: write
+ contents: read
+ actions: read
 jobs:
 zizmor:
 runs-on: ubuntu-latest
- permissions:
- security-events: write
- contents: read
- actions: read
 steps:
 - name: Checkout repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
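Review bot: Replacing `permissions: {}` with a workflow-level `security-events: write` undoes the least-privilege shape patch 1 gave this file: the SARIF-upload grant now applies to any job later added to zizmor.yaml, not just `zizmor`. Restore `permissions: {}` at workflow level and keep the three grants under `jobs.zizmor.permissions`, or, if the flat form is intentional, say so in a comment like `# single-job workflow; grants are workflow-level on purpose`. The step list continues after the end of the hunk.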