From 12498b92a5ddafdf77ff088175116f7270555aa4 Mon Sep 17 00:00:00 2001
From: Konstantinos Paparas
Date: Wed, 10 Jun 2026 11:17:32 +0200
Subject: [PATCH] ci: refresh pinned action SHAs and harden workflows

Update GitHub Actions to current releases (still digest-pinned):
- actions/checkout v6 -> v6.0.3
- actions/setup-node v6 -> v6.4.0
- crate-ci/typos v1.45.0 -> v1.47.2
- pnpm/action-setup v5 -> v6.0.8
- actions/upload-pages-artifact v4 -> v5.0.0 (pairs with deploy-pages v5)
- github/codeql-action v4 -> v4.36.2 (previous pin was a tag-object SHA)

Harden codeql-analysis.yml with top-level permissions and concurrency, add job names and document write permissions to satisfy zizmor pedantic.
---
 .github/workflows/ci.yml | 12 +++++++-----
 .github/workflows/codeql-analysis.yml | 21 ++++++++++++++-------
 .github/workflows/deploy-docs.yml | 16 +++++++++-------
 3 files changed, 30 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 347f741..06ffacb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -23,29 +23,31 @@ concurrency:
 jobs:
 check-typos:
+ name: check-typos
 runs-on: ubuntu-latest
 steps:
 - name: Checkout 🛎
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 persist-credentials: false
 - name: Run typos checker
- uses: crate-ci/typos@02ea592e44b3a53c302f697cddca7641cd051c3d # v1.45.0
+ uses: crate-ci/typos@37bb98842b0d8c4ffebdb75301a13db0267cef89 # v1.47.2
 ci:
+ name: ci
 runs-on: ubuntu-latest
 steps:
 - name: Checkout 🛎
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 persist-credentials: false
 - name: Setup pnpm
- uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+ uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
 - name: Setup node env 🏗
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 cache: pnpm
 node-version-file: .nvmrc
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 3f1abd4..23c4044 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -6,14 +6,21 @@ on:
 pull_request:
 branches: [main]
+permissions:
+ contents: read
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+ cancel-in-progress: true
+
 jobs:
 analyze:
 name: analyze
 runs-on: ubuntu-latest
 permissions:
- actions: read
- contents: read
- security-events: write
+ actions: read # read workflow run metadata for CodeQL
+ contents: read # checkout the repository
+ security-events: write # upload CodeQL results to the Security tab
 strategy:
 fail-fast: false
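Review bot: `cancel-in-progress: true` in the new top-level `concurrency` block of codeql-analysis.yml applies to every trigger, so if this workflow also runs on push to main or on a schedule (the `on:` block starts above the hunk and only `pull_request` is visible), a newer default-branch run cancels the in-flight one and the code-scanning results for main lag until the newer run completes. Limiting cancellation to pull requests keeps the PR-level dedup without interrupting default-branch analysis: `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. Separately, the job-level `permissions:` block on `analyze` replaces the new top-level `contents: read` rather than extending it, so a short comment on the top-level block, such as `# default for any job that declares no permissions of its own`, would make clear why both exist.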
@@ -22,17 +29,17 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 persist-credentials: false
 - name: Initialize CodeQL
- uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+ uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 with:
 languages: ${{ matrix.language }}
 - name: Autobuild
- uses: github/codeql-action/autobuild@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+ uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+ uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml
index c9af27c..ba6772f 100644
--- a/.github/workflows/deploy-docs.yml
+++ b/.github/workflows/deploy-docs.yml
@@ -16,19 +16,20 @@ concurrency:
 jobs:
 build:
+ name: build
 runs-on: ubuntu-latest
 steps:
 - name: Checkout 🛎
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 fetch-depth: 0 # Fetch all history for all branches
 persist-credentials: false
 - name: Setup pnpm
- uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+ uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
 - name: Setup node env 🏗
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 cache: pnpm
 node-version-file: .nvmrc
@@ -64,16 +65,17 @@ jobs:
 rm -rf .vitepress/dist-main
 - name: Upload Pages artifact
- uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4
+ uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
 with:
 path: .vitepress/dist/
 deploy:
+ name: deploy
 needs: build
 permissions:
- pages: write
- id-token: write
+ pages: write # publish the built site to GitHub Pages
+ id-token: write # OIDC token for the Pages deployment
 environment:
 name: github-pages
@@ -83,4 +85,4 @@ jobs:
 steps:
 - name: Deploy to GitHub Pages
 id: deployment
- uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5
+ uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0
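Review bot: The deploy-pages line in the last hunk changes only its comment from `# v5` to `# v5.0.0` while the digest `cd2ce8fc…` stays the same; the runner ignores that comment, so its accuracy rests entirely on a manual check, and the commit message lists upload-pages-artifact as "pairs with deploy-pages v5" without saying deploy-pages itself was verified. It is worth confirming before merge that this digest resolves to the v5.0.0 tag, since a wrong version comment misleads the next refresh and any tooling that reads the comment to decide what to bump. The `deploy` job this step belongs to starts in the previous hunk and its `environment` block continues outside both hunks.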