From 9242fb99411642928e8cbeb3a2fa0a02c6aa8769 Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Fri, 27 Mar 2026 10:30:32 +0100 Subject: [PATCH 1/2] zizmor workflow Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- .github/workflows/zizmor.yml | 26 ++++++++++++++++++++++++++ .github/zizmor.yml | 4 ++++ 2 files changed, 30 insertions(+) create mode 100644 .github/workflows/zizmor.yml create mode 100644 .github/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000..eded5e3b --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,26 @@ +name: zizmor + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read + +on: + workflow_dispatch: + push: + branches: + - 'main' + pull_request: + +jobs: + run: + uses: crazy-max/.github/.github/workflows/zizmor.yml@bbd31df64ee0f097a02f12495f541f9236f18c46 # v1.2.0 + permissions: + contents: read + security-events: write + with: + min-severity: medium + min-confidence: medium + persona: pedantic diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 00000000..e326fcec --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,4 @@ +# https://docs.zizmor.sh/configuration/ +rules: + secrets-outside-env: # FIXME: remove this rule when zizmor 1.24.0 is released, fixing the right persona attached to this rule: https://github.com/zizmorcore/zizmor/pull/1783 + disable: true From a4ec5f5780139ba2c6c6da0626929baf94f9c7ad Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Fri, 27 Mar 2026 10:31:21 +0100 Subject: [PATCH 2/2] fix zizmor findings Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- .github/dependabot.yml | 8 +++++ .github/workflows/build.yml | 5 ++- .../workflows/buildx-lab-releases-json.yml | 11 +++++-- .github/workflows/buildx-releases-json.yml | 11 +++++-- .github/workflows/codeql.yml | 15 ++++----- .../workflows/compose-lab-releases-json.yml | 11 +++++-- .github/workflows/compose-releases-json.yml | 11 +++++-- .github/workflows/cosign-releases-json.yml | 11 +++++-- .github/workflows/docker-releases-json.yml | 11 +++++-- .github/workflows/pr-assign-author.yml | 2 +- .github/workflows/publish.yml | 22 +++++-------- .github/workflows/regclient-releases-json.yml | 11 +++++-- .github/workflows/test.yml | 31 ++++++++++--------- .github/workflows/undock-releases-json.yml | 11 +++++-- .github/workflows/validate.yml | 9 ++++-- .github/workflows/virtual-env.yml | 9 +++++- 16 files changed, 124 insertions(+), 65 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 4bd77d4c..5f6ad820 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -5,6 +5,12 @@ updates: directory: "/" schedule: interval: "daily" + groups: + crazy-max-dot-github: + patterns: + - "crazy-max/.github/*" + cooldown: + default-days: 2 labels: - "dependencies" - "bot" @@ -13,6 +19,8 @@ updates: directory: "/" schedule: interval: "daily" + cooldown: + default-days: 2 versioning-strategy: "increase" allow: - dependency-type: "production" diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e0226884..a0bbf564 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -4,6 +4,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + on: push: branches: @@ -24,7 +27,7 @@ jobs: steps: - name: Build - uses: docker/bake-action@v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: targets: build env: diff --git a/.github/workflows/buildx-lab-releases-json.yml b/.github/workflows/buildx-lab-releases-json.yml index 84b2191f..c89d99a5 100644 --- a/.github/workflows/buildx-lab-releases-json.yml +++ b/.github/workflows/buildx-lab-releases-json.yml @@ -4,6 +4,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + on: workflow_dispatch: schedule: @@ -22,20 +25,22 @@ jobs: repository: docker/buildx-desktop artifact_name: buildx-lab-releases-json filename: buildx-lab-releases.json - secrets: inherit open-pr: runs-on: ubuntu-24.04 if: github.event_name != 'pull_request' + permissions: + contents: write + pull-requests: write needs: - generate steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Download - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: buildx-lab-releases-json path: .github diff --git a/.github/workflows/buildx-releases-json.yml b/.github/workflows/buildx-releases-json.yml index 42b012a8..e0f6fda7 100644 --- a/.github/workflows/buildx-releases-json.yml +++ b/.github/workflows/buildx-releases-json.yml @@ -4,6 +4,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + on: workflow_dispatch: schedule: @@ -22,20 +25,22 @@ jobs: repository: docker/buildx artifact_name: buildx-releases-json filename: buildx-releases.json - secrets: inherit open-pr: runs-on: ubuntu-24.04 if: github.event_name != 'pull_request' + permissions: + contents: write + pull-requests: write needs: - generate steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Download - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: buildx-releases-json path: .github diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 46d72d15..c2dc9aa4 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -7,9 +7,7 @@ on: pull_request: permissions: - actions: read contents: read - security-events: write env: NODE_VERSION: "24" @@ -17,10 +15,13 @@ env: jobs: analyze: runs-on: ubuntu-latest + permissions: + contents: read + security-events: write steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Enable corepack run: | @@ -28,19 +29,19 @@ jobs: yarn --version - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: ${{ env.NODE_VERSION }} - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1 with: languages: javascript-typescript - name: Autobuild - uses: github/codeql-action/autobuild@v4 + uses: github/codeql-action/autobuild@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1 with: category: "/language:javascript-typescript" diff --git a/.github/workflows/compose-lab-releases-json.yml b/.github/workflows/compose-lab-releases-json.yml index 36902643..e30f2303 100644 --- a/.github/workflows/compose-lab-releases-json.yml +++ b/.github/workflows/compose-lab-releases-json.yml @@ -4,6 +4,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + on: workflow_dispatch: schedule: @@ -22,20 +25,22 @@ jobs: repository: docker/compose-desktop artifact_name: compose-lab-releases-json filename: compose-lab-releases.json - secrets: inherit open-pr: runs-on: ubuntu-24.04 if: github.event_name != 'pull_request' + permissions: + contents: write + pull-requests: write needs: - generate steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Download - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: compose-lab-releases-json path: .github diff --git a/.github/workflows/compose-releases-json.yml b/.github/workflows/compose-releases-json.yml index dafdd3ca..d92a9ec6 100644 --- a/.github/workflows/compose-releases-json.yml +++ b/.github/workflows/compose-releases-json.yml @@ -4,6 +4,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + on: workflow_dispatch: schedule: @@ -22,20 +25,22 @@ jobs: repository: docker/compose artifact_name: compose-releases-json filename: compose-releases.json - secrets: inherit open-pr: runs-on: ubuntu-24.04 if: github.event_name != 'pull_request' + permissions: + contents: write + pull-requests: write needs: - generate steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Download - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: compose-releases-json path: .github diff --git a/.github/workflows/cosign-releases-json.yml b/.github/workflows/cosign-releases-json.yml index 60c80897..dd36d3c1 100644 --- a/.github/workflows/cosign-releases-json.yml +++ b/.github/workflows/cosign-releases-json.yml @@ -4,6 +4,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + on: workflow_dispatch: schedule: @@ -22,20 +25,22 @@ jobs: repository: sigstore/cosign artifact_name: cosign-releases-json filename: cosign-releases.json - secrets: inherit open-pr: runs-on: ubuntu-24.04 if: github.event_name != 'pull_request' + permissions: + contents: write + pull-requests: write needs: - generate steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Download - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: cosign-releases-json path: .github diff --git a/.github/workflows/docker-releases-json.yml b/.github/workflows/docker-releases-json.yml index d2daa331..0c3e2760 100644 --- a/.github/workflows/docker-releases-json.yml +++ b/.github/workflows/docker-releases-json.yml @@ -4,6 +4,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + on: workflow_dispatch: schedule: @@ -25,20 +28,22 @@ jobs: tag_patterns: | ^docker-(.*)$ ^(v.*)$ - secrets: inherit open-pr: runs-on: ubuntu-24.04 if: github.event_name != 'pull_request' + permissions: + contents: write + pull-requests: write needs: - generate steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Download - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: docker-releases-json path: .github diff --git a/.github/workflows/pr-assign-author.yml b/.github/workflows/pr-assign-author.yml index 571b3707..572d7ed4 100644 --- a/.github/workflows/pr-assign-author.yml +++ b/.github/workflows/pr-assign-author.yml @@ -4,7 +4,7 @@ permissions: contents: read on: - pull_request_target: + pull_request_target: # zizmor: ignore[dangerous-triggers] does not checkout, safe to use pull_request_target types: - opened - reopened diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 531da6f4..abeaaff1 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -1,13 +1,12 @@ name: publish -permissions: - id-token: write # required for OIDC - contents: write # required to create GitHub Release - concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + on: push: tags: @@ -19,10 +18,13 @@ env: jobs: publish: runs-on: ubuntu-latest + permissions: + contents: read + id-token: write # required for OIDC steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Enable corepack run: | @@ -30,7 +32,7 @@ jobs: yarn --version - name: Setup Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: ${{ env.NODE_VERSION }} cache: 'yarn' @@ -51,11 +53,3 @@ jobs: run: | npm version --no-git-tag-version ${GITHUB_REF#refs/tags/v} npm publish --provenance --access public - - - name: Create Release - uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1 - with: - draft: true - generate_release_notes: true - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/regclient-releases-json.yml b/.github/workflows/regclient-releases-json.yml index d65e4cc8..6a9b550c 100644 --- a/.github/workflows/regclient-releases-json.yml +++ b/.github/workflows/regclient-releases-json.yml @@ -4,6 +4,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + on: workflow_dispatch: schedule: @@ -22,20 +25,22 @@ jobs: repository: regclient/regclient artifact_name: regclient-releases-json filename: regclient-releases.json - secrets: inherit open-pr: runs-on: ubuntu-latest if: github.event_name != 'pull_request' + permissions: + contents: write + pull-requests: write needs: - generate steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Download - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: regclient-releases-json path: .github diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index fa1ddb9d..dcd81296 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -4,6 +4,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + on: workflow_dispatch: push: @@ -33,10 +36,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Test - uses: docker/bake-action@v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: source: . targets: test-coverage @@ -55,7 +58,7 @@ jobs: shell: bash - name: Upload coverage - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5.5.4 if: env.RUN_CODECOV == 'true' && matrix.node_version == env.NODE_VERSION with: files: ./coverage/clover.xml @@ -69,7 +72,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Enable corepack run: | @@ -77,7 +80,7 @@ jobs: yarn --version - name: Setup Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: ${{ env.NODE_VERSION }} cache: 'yarn' @@ -87,7 +90,7 @@ jobs: - name: Create includes id: set - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | let tests = []; @@ -153,15 +156,15 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Expose GitHub Runtime - uses: crazy-max/ghaction-github-runtime@v4 + uses: crazy-max/ghaction-github-runtime@04d248b84655b509d8c44dc1d6f990c879747487 # v4.0.0 - # FIXME: Needs to setup node twice on Windows: https://github.com/actions/setup-node/issues/1357#issuecomment-3254613964 name: Setup Node if: startsWith(matrix.os, 'windows') - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: ${{ env.NODE_VERSION }} package-manager-cache: false @@ -172,14 +175,14 @@ jobs: yarn --version - name: Setup Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: ${{ env.NODE_VERSION }} cache: 'yarn' - name: Set up Docker Buildx if: startsWith(matrix.os, 'ubuntu') - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 with: version: ${{ env.BUILDX_VERSION }} driver: docker @@ -187,7 +190,7 @@ jobs: name: Set up container builder if: startsWith(matrix.os, 'ubuntu') id: builder - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 with: version: ${{ env.BUILDX_VERSION }} driver-opts: image=${{ env.BUILDKIT_IMAGE }} @@ -197,7 +200,7 @@ jobs: run: yarn install - name: Test - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const testName = `${{ matrix.test_name }}`; @@ -225,7 +228,7 @@ jobs: shell: bash - name: Upload coverage - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5.5.4 if: env.RUN_CODECOV == 'true' with: files: ./coverage/clover.xml diff --git a/.github/workflows/undock-releases-json.yml b/.github/workflows/undock-releases-json.yml index d40a4d2b..9aed81d6 100644 --- a/.github/workflows/undock-releases-json.yml +++ b/.github/workflows/undock-releases-json.yml @@ -4,6 +4,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + on: workflow_dispatch: schedule: @@ -22,20 +25,22 @@ jobs: repository: crazy-max/undock artifact_name: undock-releases-json filename: undock-releases.json - secrets: inherit open-pr: runs-on: ubuntu-24.04 if: github.event_name != 'pull_request' + permissions: + contents: write + pull-requests: write needs: - generate steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Download - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: undock-releases-json path: .github diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 3b387522..60c383db 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -4,6 +4,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + on: workflow_dispatch: push: @@ -21,11 +24,11 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Generate matrix id: generate - uses: docker/bake-action/subaction/matrix@v7 + uses: docker/bake-action/subaction/matrix@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: target: validate @@ -40,6 +43,6 @@ jobs: steps: - name: Validate - uses: docker/bake-action@v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: targets: ${{ matrix.target }} diff --git a/.github/workflows/virtual-env.yml b/.github/workflows/virtual-env.yml index 810a88c7..95bf1978 100644 --- a/.github/workflows/virtual-env.yml +++ b/.github/workflows/virtual-env.yml @@ -1,5 +1,12 @@ name: virtual-env +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read + on: workflow_dispatch: schedule: @@ -68,4 +75,4 @@ jobs: - name: Dump context if: always() - uses: crazy-max/ghaction-dump-context@v2 + uses: crazy-max/ghaction-dump-context@5355a8e5e6ac5a302e746a1c4b7747a0393863c8 # v2.3.0