From 4d6064463c8ac27e3e88318a2a4bbedd6d394fbc Mon Sep 17 00:00:00 2001 From: Philippe Serhal Date: Sun, 26 Apr 2026 08:50:48 -0400 Subject: [PATCH 01/11] ci: use `persist-credentials: false` for actions/checkout actions/checkout persists a GitHub token for later git commands unless told otherwise. `persist-credentials: false` means later steps cannot accidentally use the token, it minimizes the risk of credential exposure through logs, disk, etc. --- .github/workflows/autofix.yml | 2 ++ .github/workflows/chromatic.yml | 1 + .github/workflows/ci.yml | 16 ++++++++++++++++ .github/workflows/dependency-diff.yml | 1 + .github/workflows/deploy-canary.yml | 2 ++ .github/workflows/lunaria.yml | 1 + .github/workflows/mirror-tangled.yml | 1 + .github/workflows/release-pr.yml | 1 + .github/workflows/release-tag.yml | 2 ++ 9 files changed, 27 insertions(+) diff --git a/.github/workflows/autofix.yml b/.github/workflows/autofix.yml index d4df4beaa9..5f560e0d9f 100644 --- a/.github/workflows/autofix.yml +++ b/.github/workflows/autofix.yml @@ -19,6 +19,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1 with: diff --git a/.github/workflows/chromatic.yml b/.github/workflows/chromatic.yml index df3a3ea8b0..4c7f770141 100644 --- a/.github/workflows/chromatic.yml +++ b/.github/workflows/chromatic.yml @@ -25,6 +25,7 @@ jobs: fetch-depth: 0 repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }} ref: ${{ github.event.pull_request.head.sha || github.sha }} + persist-credentials: false - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1 with: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9181ebc8e7..795a227e9d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
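Review bot: In the chromatic.yml hunk the checkout already fetches the pull request head from its source repository (`repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}` and `ref: ${{ github.event.pull_request.head.sha || github.sha }}` are the context lines just above the added `persist-credentials: false`), so this is the one step in the commit that checks out contributor-controlled code and the setting matters most here. It only keeps the git credential off disk, though; which token and secrets the job holds depends on the triggering event, which is outside the hunk. Please confirm the workflow is triggered by `pull_request` rather than `pull_request_target`: with the latter, a head-SHA checkout is exactly the pattern zizmor's `dangerous-triggers` audit (added later in this series, with this file not among the exemptions) exists to catch. A one-line comment above `repository:` saying which event each side of the `||` serves would make that contract visible to the next editor.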
@@ -27,6 +27,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
 with:
@@ -45,6 +47,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
 with:
@@ -60,6 +64,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
 with:
@@ -81,6 +87,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
 with:
@@ -113,6 +121,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: ๐Ÿ‘‘ Fix Git ownership
 run: git config --global --add safe.directory /__w/npmx.dev/npmx.dev
@@ -139,6 +149,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
 with:
@@ -160,6 +172,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
 with:
@@ -175,6 +189,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
 with:
diff --git a/.github/workflows/dependency-diff.yml b/.github/workflows/dependency-diff.yml
index ae10eee370..ef8984539f 100644
--- a/.github/workflows/dependency-diff.yml
+++ b/.github/workflows/dependency-diff.yml
@@ -28,6 +28,7 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: ๐Ÿ”Ž Compare dependencies
 id: analyze
diff --git a/.github/workflows/deploy-canary.yml b/.github/workflows/deploy-canary.yml
index 8dd5576933..e4d41621da 100644
--- a/.github/workflows/deploy-canary.yml
+++ b/.github/workflows/deploy-canary.yml
@@ -16,6 +16,8 @@ jobs:
 runs-on: ubuntu-24.04-arm
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
 with:
diff --git a/.github/workflows/lunaria.yml b/.github/workflows/lunaria.yml
index 51f83389d0..f17e56ea6a 100644
--- a/.github/workflows/lunaria.yml
+++ b/.github/workflows/lunaria.yml
@@ -27,6 +27,7 @@ jobs:
 # Necessary for Lunaria to work properly
 # Makes the action clone the entire git history
 fetch-depth: 0
+ persist-credentials: false
 - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
 with:
diff --git a/.github/workflows/mirror-tangled.yml b/.github/workflows/mirror-tangled.yml
index 8759487d06..e7f28d8c41 100644
--- a/.github/workflows/mirror-tangled.yml
+++ b/.github/workflows/mirror-tangled.yml
@@ -20,6 +20,7 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: ๐Ÿ”‘ Configure SSH
 env:
diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml
index 6ab11c41d8..9fb3bc8895 100644
--- a/.github/workflows/release-pr.yml
+++ b/.github/workflows/release-pr.yml
@@ -19,6 +19,7 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
+ persist-credentials: false
 - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
 with:
diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml
index 659042c5ab..53d564b1c8 100644
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -22,6 +22,7 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
+ persist-credentials: true
 - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
 with:
@@ -94,6 +95,7 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: release
+ persist-credentials: false
 - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
 with:
From fa8ee0a227fca79e2524731c6c7aa39ea9f85f0d Mon Sep 17 00:00:00 2001
From: Philippe Serhal
Date: Sun, 26 Apr 2026 09:00:22 -0400
Subject: [PATCH 02/11] ci: fix all mismatched action versions in workflows
---
 .github/workflows/autofix.yml | 4 ++--
 .github/workflows/chromatic.yml | 2 +-
 .github/workflows/ci.yml | 16 ++++++++--------
 .github/workflows/deploy-canary.yml | 2 +-
 .github/workflows/lunaria.yml | 4 ++--
 .github/workflows/release-pr.yml | 2 +-
 .github/workflows/release-tag.yml | 4 ++--
 7 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/autofix.yml b/.github/workflows/autofix.yml
index 5f560e0d9f..6a63404cec 100644
--- a/.github/workflows/autofix.yml
+++ b/.github/workflows/autofix.yml
@@ -22,7 +22,7 @@ jobs:
 with:
 persist-credentials: false
- - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
+ - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
 with:
 node-version: lts/*
 cache: true
@@ -39,4 +39,4 @@ jobs:
 - name: ๐Ÿ”  Fix lint errors
 run: vp run lint:fix
- - uses: autofix-ci/action@635ffb0c9798bd160680f18fd73371e355b85f27 # 635ffb0c9798bd160680f18fd73371e355b85f27
+ - uses: autofix-ci/action@635ffb0c9798bd160680f18fd73371e355b85f27 # v1.3.2
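Review bot: `persist-credentials: true` in the release-tag.yml `@@ -22` hunk is the only checkout in this commit that deliberately keeps the token on disk, and nothing on the line says why; a later commit in this series documents the job's `contents: write` as `create release tags and GitHub releases`, so presumably a later step pushes the tag with the persisted credential. Record that on the line, e.g. `persist-credentials: true # a later step pushes the release tag with GITHUB_TOKEN`, so the exception survives the next least-privilege sweep instead of being "fixed" to `false`. Because the credential then stays in `.git/config` for every subsequent step of the job (the `setup-vp` step and the install it runs are in the same job, per the context lines), keep that job's step list to the tagging itself; the remaining steps are outside the hunk.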
diff --git a/.github/workflows/chromatic.yml b/.github/workflows/chromatic.yml
index 4c7f770141..8361c6237d 100644
--- a/.github/workflows/chromatic.yml
+++ b/.github/workflows/chromatic.yml
@@ -27,7 +27,7 @@ jobs:
 ref: ${{ github.event.pull_request.head.sha || github.sha }}
 persist-credentials: false
- - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
+ - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
 with:
 node-version: lts/*
 cache: true
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 795a227e9d..a6dd84731a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -30,7 +30,7 @@ jobs:
 with:
 persist-credentials: false
- - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
+ - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
 with:
 node-version: lts/*
 run-install: false
@@ -50,7 +50,7 @@ jobs:
 with:
 persist-credentials: false
- - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
+ - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
 with:
 node-version: lts/*
 cache: true
@@ -67,7 +67,7 @@ jobs:
 with:
 persist-credentials: false
- - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
+ - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
 with:
 node-version: lts/*
 cache: true
@@ -90,7 +90,7 @@ jobs:
 with:
 persist-credentials: false
- - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
+ - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
 with:
 node-version: lts/*
 cache: true
@@ -127,7 +127,7 @@ jobs:
 - name: ๐Ÿ‘‘ Fix Git ownership
 run: git config --global --add safe.directory /__w/npmx.dev/npmx.dev
- - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
+ - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
 with:
 node-version: lts/*
 cache: true
@@ -152,7 +152,7 @@ jobs:
 with:
 persist-credentials: false
- - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
+ - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
 with:
 node-version: lts/*
 cache: true
@@ -175,7 +175,7 @@ jobs:
 with:
 persist-credentials: false
- - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
+ - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
 with:
 node-version: lts/*
 cache: true
@@ -192,7 +192,7 @@ jobs:
 with:
 persist-credentials: false
- - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
+ - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
 with:
 node-version: lts/*
 run-install: false
diff --git a/.github/workflows/deploy-canary.yml b/.github/workflows/deploy-canary.yml
index e4d41621da..6687f8e431 100644
--- a/.github/workflows/deploy-canary.yml
+++ b/.github/workflows/deploy-canary.yml
@@ -19,7 +19,7 @@ jobs:
 with:
 persist-credentials: false
- - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
+ - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
 with:
 node-version: lts/*
 run-install: false
diff --git a/.github/workflows/lunaria.yml b/.github/workflows/lunaria.yml
index f17e56ea6a..3be3649fe2 100644
--- a/.github/workflows/lunaria.yml
+++ b/.github/workflows/lunaria.yml
@@ -29,10 +29,10 @@ jobs:
 fetch-depth: 0
 persist-credentials: false
- - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
+ - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
 with:
 node-version: lts/*
 cache: true
 - name: Generate Lunaria Overview
- uses: lunariajs/action@4911ad0736d1e3b20af4cb70f5079aea2327ed8e # v1-prerelease
+ uses: lunariajs/action@4911ad0736d1e3b20af4cb70f5079aea2327ed8e # astro-docs
diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml
index 9fb3bc8895..0ef238bc69 100644
--- a/.github/workflows/release-pr.yml
+++ b/.github/workflows/release-pr.yml
@@ -21,7 +21,7 @@ jobs:
 fetch-depth: 0
 persist-credentials: false
- - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
+ - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
 with:
 node-version: lts/*
 run-install: false
diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml
index 53d564b1c8..f9c92c236e 100644
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -24,7 +24,7 @@ jobs:
 fetch-depth: 0
 persist-credentials: true
- - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
+ - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
 with:
 node-version: lts/*
 run-install: false
@@ -97,7 +97,7 @@ jobs:
 ref: release
 persist-credentials: false
- - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
+ - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
 with:
 node-version: lts/*
 registry-url: https://registry.npmjs.org
From e69e309e9eb53fb5365e8f6aafcd2689834f7e67 Mon Sep 17 00:00:00 2001
From: Philippe Serhal
Date: Sun, 26 Apr 2026 09:01:33 -0400
Subject: [PATCH 03/11] ci: opt in to least privilege needed
---
 .github/workflows/stale.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 064a9abde8..0115df8261 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -6,13 +6,13 @@ on:
 - cron: '0 2 * * *'
 workflow_dispatch: # Allow manual trigger
-permissions:
- issues: write
- pull-requests: write
+permissions: {}
 jobs:
 stale-bugs:
 runs-on: ubuntu-latest
+ permissions:
+ issues: write
 steps:
 - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f
 with:
@@ -28,6 +28,8 @@ jobs:
 stale-prs:
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
 steps:
 - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f
 with:
From 957aab1acd630254303c21c8efb5203e3a4c2822 Mon Sep 17 00:00:00 2001
From: Philippe Serhal
Date: Sun, 26 Apr 2026 09:41:47 -0400
Subject: [PATCH 04/11] ci: use concurrency controls in all workflows
---
 .github/workflows/autofix.yml | 4 ++++
 .github/workflows/dependency-diff-comment.yml | 11 ++++++++---
 .github/workflows/mirror-tangled.yml | 4 ++++
 .github/workflows/release-pr.yml | 11 ++++++++---
 .github/workflows/release-tag.yml | 4 ++++
 .github/workflows/semantic-pull-requests.yml | 4 ++++
 .github/workflows/stale.yml | 4 ++++
 .github/workflows/welcome-close.yml | 4 ++++
 .github/workflows/welcome-open.yml | 9 +++++++--
 9 files changed, 47 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/autofix.yml b/.github/workflows/autofix.yml
index 6a63404cec..bf77cb7d6a 100644
--- a/.github/workflows/autofix.yml
+++ b/.github/workflows/autofix.yml
@@ -9,6 +9,10 @@ on:
 branches:
 - main
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
+ cancel-in-progress: true
+
 permissions:
 contents: read
diff --git a/.github/workflows/dependency-diff-comment.yml b/.github/workflows/dependency-diff-comment.yml
index 8cb277bde7..4295dfb772 100644
--- a/.github/workflows/dependency-diff-comment.yml
+++ b/.github/workflows/dependency-diff-comment.yml
@@ -6,15 +6,20 @@ on:
 types:
 - completed
-permissions:
- pull-requests: write
- actions: read
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.workflow_run.id }}
+ cancel-in-progress: true
+
+permissions: {}
 jobs:
 dependency-diff-comment:
 name: ๐Ÿ’ฌ Dependency diff comment
 runs-on: ubuntu-slim
 if: github.event.workflow_run.conclusion == 'success'
+ permissions:
+ pull-requests: write # post dependency diff comments on pull requests
+ actions: read # download artifacts from dependency-diff runs
 steps:
 - name: ๐Ÿ“ฅ Download artifact
diff --git a/.github/workflows/mirror-tangled.yml b/.github/workflows/mirror-tangled.yml
index e7f28d8c41..adae34ae0c 100644
--- a/.github/workflows/mirror-tangled.yml
+++ b/.github/workflows/mirror-tangled.yml
@@ -7,6 +7,10 @@ on:
 tags:
 - '*'
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
 permissions:
 contents: read
diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml
index 0ef238bc69..23a517c374 100644
--- a/.github/workflows/release-pr.yml
+++ b/.github/workflows/release-pr.yml
@@ -5,15 +5,20 @@ on:
 branches:
 - main
-permissions:
- contents: read
- pull-requests: write
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions: {}
 jobs:
 release-pr:
 name: ๐Ÿš€ Create or update release PR
 runs-on: ubuntu-slim
 if: github.repository == 'npmx-dev/npmx.dev'
+ permissions:
+ contents: read
+ pull-requests: write # create or update the release pull request
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml
index f9c92c236e..9f52c2b2fd 100644
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -5,6 +5,10 @@ on:
 branches:
 - release
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
 permissions: {}
 jobs:
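Review bot: The job-level `pull-requests: write` and `actions: read` grants in the dependency-diff-comment.yml hunk exist to post a comment built from an artifact that the untrusted upstream `dependency-diff` run produced, and the download and comment steps that handle that artifact are outside the hunk (only `- name: Download artifact` is visible). Since this file is also exempted from zizmor's `dangerous-triggers` audit later in the series, the review burden moves to those steps: treat the artifact strictly as data, check the PR number it carries against `github.event.workflow_run.pull_requests` (or the run's head SHA) before commenting, and never execute anything taken from it. Separately, keying the concurrency group on `github.event.workflow_run.id` gives every upstream run its own group, so `cancel-in-progress: true` can only cancel a re-run of that same upstream run, never a superseded comment run for the same PR; if per-PR dedup was the intent this key does not provide it, and if not, a short comment saying so would prevent a later "fix".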
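Review bot: `cancel-in-progress: true` in the release-tag.yml hunk lets a second push to `release` abort a run that is already in flight, and the later "document why each permission is needed" commit shows that run creates a tag (`contents: write`) in one job and publishes to npm (`id-token: write`, `environment: npm-publish`) in another; a cancellation between the two leaves a tag with no published package, and the re-run on the new commit may not republish the old version. For a release pipeline the usual setting is `cancel-in-progress: false`, so runs on the `${{ github.workflow }}-${{ github.ref }}` group queue behind each other instead of being killed. The same consideration applies, with less consequence, to the mirror-tangled.yml hunk in this commit, where an interrupted mirror push is simply redone on the next tag.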
diff --git a/.github/workflows/semantic-pull-requests.yml b/.github/workflows/semantic-pull-requests.yml
index ebbad4f932..c1718123bf 100644
--- a/.github/workflows/semantic-pull-requests.yml
+++ b/.github/workflows/semantic-pull-requests.yml
@@ -7,6 +7,10 @@ on:
 - edited
 - synchronize
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
 permissions: {}
 jobs:
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 0115df8261..1b5ed80576 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -6,6 +6,10 @@ on:
 - cron: '0 2 * * *'
 workflow_dispatch: # Allow manual trigger
+concurrency:
+ group: ${{ github.workflow }}
+ cancel-in-progress: true
+
 permissions: {}
 jobs:
diff --git a/.github/workflows/welcome-close.yml b/.github/workflows/welcome-close.yml
index 8dcae51db0..a29ab4fec3 100644
--- a/.github/workflows/welcome-close.yml
+++ b/.github/workflows/welcome-close.yml
@@ -5,6 +5,10 @@ on:
 types:
 - closed
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
 permissions: {}
 jobs:
diff --git a/.github/workflows/welcome-open.yml b/.github/workflows/welcome-open.yml
index ccdb5f8cbd..fcc531d209 100644
--- a/.github/workflows/welcome-open.yml
+++ b/.github/workflows/welcome-open.yml
@@ -5,14 +5,19 @@ on:
 branches: [main]
 types: [opened]
-permissions:
- pull-requests: write
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+permissions: {}
 jobs:
 greeting:
 name: Greet First-Time Contributors
 if: github.repository == 'npmx-dev/npmx.dev'
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write # post first-time contributor greeting comments
 steps:
 - uses: zephyrproject-rtos/action-first-interaction@58853996b1ac504b8e0f6964301f369d2bb22e5c
 with:
From 17f44f03d65d739fcbca555a70fec1aca11ca729 Mon Sep 17 00:00:00 2001
From: Philippe Serhal
Date: Sun, 26 Apr 2026 09:42:56 -0400
Subject: [PATCH 05/11] ci: pin playwright image to a specific digest
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a6dd84731a..5fb1196b7b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -117,7 +117,7 @@ jobs:
 name: ๐Ÿ–ฅ๏ธ Browser tests
 runs-on: ubuntu-24.04-arm
 container:
- image: mcr.microsoft.com/playwright:v1.58.2-noble
+ image: mcr.microsoft.com/playwright:v1.58.2-noble@sha256:6446946a1d9fd62d9ae501312a2d76a43ee688542b21622056a372959b65d63d
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
From 4113a4eb640a438d6b2358479e1fefc4a775161a Mon Sep 17 00:00:00 2001
From: Philippe Serhal
Date: Sun, 26 Apr 2026 09:44:16 -0400
Subject: [PATCH 06/11] ci: add names to anonymous workflows and jobs
---
 .github/workflows/deploy-canary.yml | 2 ++
 .github/workflows/stale.yml | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/.github/workflows/deploy-canary.yml b/.github/workflows/deploy-canary.yml
index 6687f8e431..6ca5bc6dd4 100644
--- a/.github/workflows/deploy-canary.yml
+++ b/.github/workflows/deploy-canary.yml
@@ -1,3 +1,5 @@
+name: deploy-canary
+
 on:
 push:
 branches: [main]
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 1b5ed80576..ee8723e857 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -14,6 +14,7 @@ permissions: {}
 jobs:
 stale-bugs:
+ name: ๐Ÿงน Mark stale bug issues
 runs-on: ubuntu-latest
 permissions:
 issues: write
@@ -31,6 +32,7 @@ jobs:
 operations-per-run: 500
 stale-prs:
+ name: ๐Ÿงน Mark stale pull requests
 runs-on: ubuntu-latest
 permissions:
 pull-requests: write
From ed31fabe78000aae6cad52abed00a13ef31716f6 Mon Sep 17 00:00:00 2001
From: Philippe Serhal
Date: Sun, 26 Apr 2026 09:44:49 -0400
Subject: [PATCH 07/11] ci: apply principle of least privilege to lunaria workflow
---
 .github/workflows/lunaria.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/lunaria.yml b/.github/workflows/lunaria.yml
index 3be3649fe2..633a455289 100644
--- a/.github/workflows/lunaria.yml
+++ b/.github/workflows/lunaria.yml
@@ -10,15 +10,15 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event_name == 'pull_request_target' && github.head_ref || github.ref }}
 cancel-in-progress: true
-# Allow this job to clone the repository and comment on the pull request
-permissions:
- contents: read
- pull-requests: write
+permissions: {}
 jobs:
 lunaria-overview:
 name: ๐ŸŒ Generate Lunaria Overview
 runs-on: ubuntu-24.04-arm
+ permissions:
+ contents: read
+ pull-requests: write # post Lunaria overview comments on pull requests
 steps:
 - name: Checkout
From 792ac0bd7e9433a5f27c9ca92ec12d0ab6960bb6 Mon Sep 17 00:00:00 2001
From: Philippe Serhal
Date: Sun, 26 Apr 2026 09:45:13 -0400
Subject: [PATCH 08/11] ci: document why each permission is needed
---
 .github/workflows/release-tag.yml | 4 ++--
 .github/workflows/stale.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml
index 9f52c2b2fd..703e3e575e 100644
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -17,7 +17,7 @@ jobs:
 runs-on: ubuntu-slim
 if: github.repository == 'npmx-dev/npmx.dev'
 permissions:
- contents: write
+ contents: write # create release tags and GitHub releases
 outputs:
 version: ${{ steps.version.outputs.next }}
 skipped: ${{ steps.check.outputs.skip }}
@@ -92,7 +92,7 @@ jobs:
 if: needs.tag.outputs.skipped == 'false'
 permissions:
 contents: read
- id-token: write
+ id-token: write # authenticate npm trusted publishing via OIDC
 environment: npm-publish
 steps:
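Review bot: `contents: read` in the lunaria.yml hunk, and again in the publish job of the release-tag.yml `@@ -92` hunk in the following commit, is left without the rationale comment that every other grant in this series now carries (`pull-requests: write # post Lunaria overview comments on pull requests`, `id-token: write # authenticate npm trusted publishing via OIDC`) and that the new zizmor.yml workflow writes as `contents: read # checkout repository`. For consistency add the same comment in both places: `contents: read # checkout repository`. The removed file-level comment (`# Allow this job to clone the repository and comment on the pull request`) also said what `contents: read` was for, so without it this is the one place the least-privilege move loses information rather than adding it.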
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index ee8723e857..84e9bced2b 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -17,7 +17,7 @@ jobs: name: ๐Ÿงน Mark stale bug issues runs-on: ubuntu-latest permissions: - issues: write + issues: write # mark and close stale bug issues steps: - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f with: @@ -35,7 +35,7 @@ jobs: name: ๐Ÿงน Mark stale pull requests runs-on: ubuntu-latest permissions: - pull-requests: write + pull-requests: write # mark and close stale pull requests steps: - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f with: From 0fb4575d53d9be7d5d586ed2a12324d672901a18 Mon Sep 17 00:00:00 2001 From: Philippe Serhal Date: Sun, 26 Apr 2026 09:07:32 -0400 Subject: [PATCH 09/11] ci: configure zizmor See https://docs.zizmor.sh. This runs on PRs and pushes to main. It uses the most basic "regular" persona as a starting point. --- .github/workflows/zizmor.yml | 38 ++++++++++++++++++++++++++++++++++++ .github/zizmor.yml | 10 ++++++++++ CONTRIBUTING.md | 23 ++++++++++++++++++++++ vite.config.ts | 6 ++++++ 4 files changed, 77 insertions(+) create mode 100644 .github/workflows/zizmor.yml create mode 100644 .github/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000000..bd7242502e --- /dev/null +++ b/.github/workflows/zizmor.yml 
@@ -0,0 +1,38 @@
+# https://docs.zizmor.sh/
+name: zizmor
+
+on:
+ pull_request:
+ branches:
+ - main
+ push:
+ branches:
+ - main
+ merge_group:
+ branches:
+ - main
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.number || github.sha }}
+ cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+ zizmor:
+ name: ๐ŸŒˆ GitHub Actions security analysis
+ runs-on: ubuntu-slim
+ permissions:
+ contents: read # checkout repository
+
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+ with:
+ persona: pedantic
+ # Use annotations instead of SARIF as this doesn't need special permissions
+ annotations: true
+ advanced-security: false
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000000..7194a0595e
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,10 @@
+# Existing privileged PR automation is intentionally isolated to these workflows:
+# they do not checkout pull request head code, and they only comment or set status.
+rules:
+ dangerous-triggers:
+ ignore:
+ - dependency-diff-comment.yml
+ - lunaria.yml
+ - semantic-pull-requests.yml
+ - welcome-close.yml
+ - welcome-open.yml
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index be673d26f6..ed7189c6ca 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -123,6 +123,7 @@ pnpm mock-connector # Start the mock connector (no npm login needed)
 pnpm vp run lint # Run linter (oxlint + oxfmt)
 pnpm lint:fix # Auto-fix lint issues
 pnpm test:types # TypeScript type checking
+pnpm vp run zizmor # GitHub Actions security analysis
 # Testing
 pnpm test # Run all Vitest tests
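Review bot: `persona: pedantic` in the zizmor-action step (matched by `--pedantic` in the new vite.config.ts tasks and by the CONTRIBUTING.md text) does not agree with the commit message, which says the workflow starts from the basic "regular" persona; the message should be corrected so the recorded policy matches what CI enforces. A point of style in the same file: the concurrency group is keyed on `github.event.number || github.sha`, while every other workflow in this series uses `github.event.number || github.ref` or plain `github.ref`; `github.sha` works for `push` and `merge_group` but differs without explanation, so either align it or add `# merge_group has no PR number; fall back to the commit` above it. The `contents: read # checkout repository` comment and the explanation above `annotations: true` are the pattern the rest of the series converges on and should stay.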
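Review bot: The header comment in the new `.github/zizmor.yml` justifies the file-level `dangerous-triggers` exemptions with "they do not checkout pull request head code", but lunaria.yml does run `actions/checkout` with `fetch-depth: 0` (first commit in this series) on what its concurrency group expression shows to be a `pull_request_target` trigger; that statement holds only while no `ref:`/`repository:` pointing at the PR head is added to that step, and a whole-file ignore silences the audit for exactly such a future edit. Prefer the line-scoped form this series later uses for `stale-action-refs` (`file.yml:LINE`), ignoring only each workflow's trigger line, or at minimum extend the comment: `# lunaria.yml checks out the base ref only; never add ref:/repository: pointing at the PR head.` The same caveat applies to the four comment/status workflows listed: their `pull-requests: write` tokens stay safe only as long as the steps consume nothing derived from the PR head.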
@@ -133,6 +134,28 @@ pnpm test:a11y # Lighthouse accessibility audits
 pnpm test:perf # Lighthouse performance audits (CLS)
 ```
+### GitHub Actions security analysis
+
+CI runs [zizmor](https://docs.zizmor.sh/) against the repository's GitHub Actions workflows. The shared policy lives in `.github/zizmor.yml`, and the `zizmor` task uses the same pedantic persona as CI.
+
+You may run it locally by [installing `zizmor`](https://docs.zizmor.sh/installation/) and running:
+
+```bash
+pnpm vp run zizmor
+```
+
+Some audits resolve action refs and vulnerability metadata through GitHub. To run those online checks locally, authenticate with the GitHub CLI and pass its token:
+
+```bash
+GH_TOKEN="$(gh auth token)" pnpm vp run zizmor
+```
+
+To fix audit findings automatically, run:
+
+```bash
+GH_TOKEN="$(gh auth token)" pnpm vp run zizmor:fix
+```
+
 ### Clearing caches during development
 Nitro persists `defineCachedEventHandler` results to disk at `.nuxt/cache/nitro/`. This cache **survives dev server restarts**. If you're iterating on a cached API route and want fresh results, delete the relevant cache directory:
diff --git a/vite.config.ts b/vite.config.ts
index 46f5c6964f..9c6a1d96b7 100644
--- a/vite.config.ts
+++ b/vite.config.ts
@@ -31,6 +31,12 @@ export default defineConfig({
 'lint:css': {
 command: 'node scripts/unocss-checker.ts',
 },
+ 'zizmor': {
+ command: 'zizmor --pedantic .',
+ },
+ 'zizmor:fix': {
+ command: 'zizmor --pedantic --fix .',
+ },
 'build:lunaria': {
 command: 'node ./lunaria/lunaria.ts',
 },
From 2ce76abd2597fbfb072aac9ca2d388491539a1db Mon Sep 17 00:00:00 2001
From: Philippe Serhal
Date: Sun, 26 Apr 2026 10:12:15 -0400
Subject: [PATCH 10/11] ci: run zizmor on an image with docker
---
 .github/workflows/zizmor.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index bd7242502e..e3454a5dbe 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -21,7 +21,7 @@ permissions: {}
 jobs:
 zizmor:
 name: ๐ŸŒˆ GitHub Actions security analysis
- runs-on: ubuntu-slim
+ runs-on: ubuntu-24.04-arm
 permissions:
 contents: read # checkout repository
From 6e1a787f818d9b86f811a8544dd565af2a857302 Mon Sep 17 00:00:00 2001
From: Philippe Serhal
Date: Sun, 26 Apr 2026 10:16:42 -0400
Subject: [PATCH 11/11] ci: fix a few more missing action version tags
---
 .github/workflows/stale.yml | 4 ++--
 .github/workflows/welcome-open.yml | 2 +-
 .github/zizmor.yml | 4 ++++
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 84e9bced2b..8367d2614f 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -19,7 +19,7 @@ jobs:
 permissions:
 issues: write # mark and close stale bug issues
 steps:
- - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f
+ - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
 with:
 days-before-issue-stale: 30
 days-before-issue-close: 7
@@ -37,7 +37,7 @@ jobs:
 permissions:
 pull-requests: write # mark and close stale pull requests
 steps:
- - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f
+ - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
 with:
 days-before-issue-stale: -1
 days-before-issue-close: -1
diff --git a/.github/workflows/welcome-open.yml b/.github/workflows/welcome-open.yml
index fcc531d209..544592b124 100644
--- a/.github/workflows/welcome-open.yml
+++ b/.github/workflows/welcome-open.yml
@@ -19,7 +19,7 @@ jobs:
 permissions:
 pull-requests: write # post first-time contributor greeting comments
 steps:
- - uses: zephyrproject-rtos/action-first-interaction@58853996b1ac504b8e0f6964301f369d2bb22e5c
+ - uses: zephyrproject-rtos/action-first-interaction@58853996b1ac504b8e0f6964301f369d2bb22e5c # tag=v1.1.1+zephyr.6
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 pr-opened-message: |
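Review bot: The change from `ubuntu-slim` to `ubuntu-24.04-arm` in the zizmor.yml hunk is explained only in the commit title (the action needs Docker), so a later reader sees an unexplained larger runner and may move the job back to `ubuntu-slim`, where it presumably fails. Put the reason on the changed line: `runs-on: ubuntu-24.04-arm # zizmor-action runs a container image; ubuntu-slim has no Docker` — the "no Docker on ubuntu-slim" half is inferred from the commit title and should be confirmed before the wording is committed.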
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index 7194a0595e..0190ff6e67 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -1,6 +1,10 @@
 # Existing privileged PR automation is intentionally isolated to these workflows:
 # they do not checkout pull request head code, and they only comment or set status.
 rules:
+ stale-action-refs:
+ ignore:
+ # lunariajs/action has no tag refs; keep the branch commit hash-pinned.
+ - lunaria.yml:38
 dangerous-triggers:
 ignore:
 - dependency-diff-comment.yml
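Review bot: `lunaria.yml:38` is a line-number-scoped ignore, which stops matching the moment any line above it in lunaria.yml moves (this series already shifted that file's numbering in the least-privilege commit), after which the finding reappears or, worse, an unrelated line is silently exempted. zizmor also accepts an inline `# zizmor: ignore[stale-action-refs]` comment on the offending `uses:` line itself, which travels with the line and keeps the "no tag refs, hash-pinned branch commit" rationale next to the code it applies to; that form is preferable here. If the config-file form is kept, say what the number refers to (`# line of the lunariajs/action uses:`) so the next person knows what to re-check when the file changes.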