diff --git a/.github/workflows/auto-tag-release.yml b/.github/workflows/auto-tag-release.yml index 271bf71..e291032 100644 --- a/.github/workflows/auto-tag-release.yml +++ b/.github/workflows/auto-tag-release.yml @@ -17,16 +17,18 @@ jobs: contents: write actions: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: ref: ${{ github.event.pull_request.merge_commit_sha }} fetch-depth: 0 fetch-tags: true + persist-credentials: false - name: Extract and validate version id: version + env: + BRANCH: ${{ github.event.pull_request.head.ref }} run: | - BRANCH="${{ github.event.pull_request.head.ref }}" VERSION="${BRANCH#release/}" if ! echo "$VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+$'; then @@ -48,12 +50,18 @@ jobs: echo "version=$VERSION" >> "$GITHUB_OUTPUT" - name: Create and push tag + env: + GH_TOKEN: ${{ github.token }} + VERSION: ${{ steps.version.outputs.version }} + MERGE_COMMIT_SHA: ${{ github.event.pull_request.merge_commit_sha }} run: | - git tag "v${{ steps.version.outputs.version }}" - git push origin "v${{ steps.version.outputs.version }}" + gh api --method POST "repos/${GITHUB_REPOSITORY}/git/refs" \ + -f ref="refs/tags/v${VERSION}" \ + -f sha="${MERGE_COMMIT_SHA}" - name: Trigger release workflow env: GH_TOKEN: ${{ github.token }} + VERSION: ${{ steps.version.outputs.version }} run: | - gh workflow run release.yml --ref "v${{ steps.version.outputs.version }}" + gh workflow run release.yml --ref "v${VERSION}" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 22c8cd7..537b7ef 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,10 +7,14 @@ on: pull_request: workflow_dispatch: +permissions: {} + jobs: build: name: Build executable for ${{ matrix.os }}-${{ matrix.arch }} runs-on: ${{ matrix.os }} + permissions: + contents: read strategy: matrix: include: 
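Review bot: In the 'Extract and validate version' step the regex is applied only to the stripped value, so `${BRANCH#release/}` lets a merged branch literally named `1.2.3` (no `release/` prefix) pass validation unless the job's `if:`, which is outside this hunk, already restricts the trigger to `release/*` branches. Add a prefix check before the strip, `case "$BRANCH" in release/*) ;; *) echo "not a release branch: $BRANCH"; exit 1 ;; esac`, so the tag-and-dispatch path cannot be reached from an arbitrarily named branch. Moving `head.ref` into `env:` is the correct fix for the template-injection exposure the old inline `${{ }}` had, and `persist-credentials: false` is consistent with the tag now being created via the API rather than `git push`. The step's run body continues past the end of the hunk.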
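Review bot: In 'Create and push tag' the `sha` sent to `git/refs` is `github.event.pull_request.merge_commit_sha` verbatim; for a PR closed without merging that field is null and renders as an empty string, so unless the job's `if:` (not in this hunk) checks `github.event.pull_request.merged == true`, guard the call with `[ -n "$MERGE_COMMIT_SHA" ] || { echo "PR has no merge commit"; exit 1; }`. Creating the ref through the REST API with `${{ github.token }}` is a sound replacement for `git push` now that checkout no longer persists credentials, and the API's 422 on an existing ref keeps an already-published `v*` tag from being re-pointed. The same env-var pattern in 'Trigger release workflow' removes the last inline expression from a `run:` block in this file.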
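Review bot: With `permissions: {}` at the top of release.yml every job now starts with an empty token, and this hunk restores only `contents: read` for `build`; the `release` job, whose `softprops/action-gh-release` step creates a GitHub release, needs `contents: write` in its own `permissions:` block, and that job's header is outside the visible hunks, so confirm it was added or the release step will fail with 403. The empty default is the right baseline given the workflow also fires on `pull_request:`. The `include:` matrix entries continue past the end of the hunk.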
@@ -33,24 +37,27 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 # Full history needed for git operations + persist-credentials: false - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "22.22" + package-manager-cache: false - name: Setup pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0 with: version: 10.22.0 - name: Setup Bun - uses: oven-sh/setup-bun@v2 + uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 with: bun-version: latest + no-cache: true - name: Install dependencies run: pnpm install @@ -99,7 +106,7 @@ jobs: rm ./bin/linear-release.zip - name: Upload artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: linear-release-${{ matrix.platform }} path: bin/linear-release* @@ -118,12 +125,13 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 + persist-credentials: false - name: Download all artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: path: ./artifacts @@ -157,7 +165,7 @@ jobs: ls -la ./release-files/ - name: Create Release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2 with: tag_name: ${{ steps.tag.outputs.tag_name }} name: Release ${{ steps.tag.outputs.tag_name }} 
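Review bot: `bun-version: latest` in the 'Setup Bun' step is the one unpinned toolchain left in a release build: each run picks up whatever Bun published most recently, so release artifacts are not reproducible and a broken or compromised Bun release enters the pipeline unreviewed, which is at odds with `no-cache: true` and the exact pnpm pin (`version: 10.22.0`) a few lines above. Pin it to the exact version the project builds with, in the same style as the pnpm pin. `pnpm install` defaults to a frozen lockfile when it detects CI, but `run: pnpm install --frozen-lockfile` states the intent and fails loudly if the lockfile drifts. Disabling the setup-node and setup-bun caches is a reasonable cache-poisoning mitigation for a release job.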
@@ -171,19 +179,25 @@ jobs: label-release: name: Label release with version needs: release + permissions: + contents: read uses: ./.github/workflows/run-linear-release.yml with: action: sync name: Release ${{ needs.release.outputs.version_number }} version: ${{ needs.release.outputs.tag_name }} - secrets: inherit + secrets: + LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY: ${{ secrets.LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY }} complete-release: name: Complete release needs: [release, label-release] + permissions: + contents: read uses: ./.github/workflows/run-linear-release.yml with: action: complete name: Release ${{ needs.release.outputs.version_number }} version: ${{ needs.release.outputs.tag_name }} - secrets: inherit + secrets: + LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY: ${{ secrets.LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY }} diff --git a/.github/workflows/run-linear-release.yml b/.github/workflows/run-linear-release.yml index 5a18cb3..94416fd 100644 --- a/.github/workflows/run-linear-release.yml +++ b/.github/workflows/run-linear-release.yml @@ -15,6 +15,9 @@ on: description: "Release version" required: false type: string + secrets: + LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY: + required: true workflow_dispatch: inputs: @@ -43,9 +46,10 @@ jobs: if: inputs.action == 'sync' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 + persist-credentials: false - name: Download CLI env: @@ -73,9 +77,10 @@ jobs: if: inputs.action == 'complete' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 + persist-credentials: false - name: Download CLI env: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index dac92b9..169623c 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
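Review bot: The new `LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY` entry under `workflow_call.secrets` has no `description:`, while the inputs above it each carry one; add `description: "Linear access key handed to the release CLI"` (hedged: the hunks below only show the CLI being downloaded, not where the key is consumed). `required: true` is a good guard since both callers now pass the secret explicitly instead of `secrets: inherit`, and `workflow_dispatch` runs resolve the same repository secret by name. The `workflow_dispatch.inputs` block continues past the end of the hunk.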
@@ -14,13 +14,15 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "22" - - uses: pnpm/action-setup@v4 + - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0 with: version: 10.22.0 @@ -41,4 +43,5 @@ jobs: uses: ./.github/workflows/run-linear-release.yml with: action: sync - secrets: inherit + secrets: + LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY: ${{ secrets.LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY }} diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..9c49b08 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,32 @@ +name: Static Analysis GH Actions (zizmor) + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + merge_group: + +permissions: {} + +jobs: + zizmor: + name: Run zizmor + runs-on: ubuntu-latest + permissions: + contents: read + actions: read + steps: + - name: Checkout repository + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + timeout-minutes: 2 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0 + with: + inputs: .github/ + min-severity: medium + advanced-security: false + version: v1.24.1
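Review bot: Passing `LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY` explicitly is the right replacement for `secrets: inherit`, but it hands a Linear management credential to a job in the test workflow; if test.yml's trigger (outside the hunk) includes `pull_request`, fork-originated runs have no repository secrets, the callee's `required: true` rejects the empty value and the job fails rather than skips. Gate it, e.g. `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`. The job's header and any existing `if:` or `needs:` are outside the hunk, so an existing gate there would make this moot.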
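Review bot: The new zizmor.yml pins `actions/checkout` to v5.0.1 while every other workflow in this change pins v4.3.1; two pinned versions of the same action double the SHAs to track on the next bump, so align them. Only the checkout step has `timeout-minutes: 2` and the job has none, unlike test.yml's job-level `timeout-minutes: 10`; add `timeout-minutes: 10` under `zizmor:` so a hung analysis cannot run to the six-hour default. `advanced-security: false` means findings surface only as job failures and log output rather than code-scanning alerts, which is consistent with not granting `security-events: write`, and `min-severity: medium` suppresses low-severity findings, which deserves a line above it such as `# Low-severity findings are not enforced; lower this to surface them`.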