diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ea8ee58..40186e0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,8 +7,7 @@ on: - "[0-9]+.[0-9]+.[0-9]+*" permissions: - contents: write - + contents: read jobs: build-macos: @@ -17,13 +16,13 @@ jobs: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - run: git fetch --tags --force origin ${{ github.ref }} - - run: git checkout ${{ github.ref }} + persist-credentials: false + - run: git fetch --tags --force origin ${GITHUB_REF} + - run: git checkout ${GITHUB_REF} - run: git describe --always HEAD - uses: cachix/install-nix-action@616559265b40713947b9c190a8ff4b507b5df49b # v31 with: github_access_token: ${{ secrets.GITHUB_TOKEN }} - - uses: DeterminateSystems/magic-nix-cache-action@def9f5a5c6a6b8751c0534e8813a5d0ad2635660 # v11 - run: nix develop --command make crossbuild_mac - run: nix develop --command make crossbuild_mac_bundles - name: 'Upload Artifacts' @@ -39,13 +38,13 @@ jobs: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - run: git fetch --tags --force origin ${{ github.ref }} - - run: git checkout ${{ github.ref }} + persist-credentials: false + - run: git fetch --tags --force origin ${GITHUB_REF} + - run: git checkout ${GITHUB_REF} - run: git describe --always HEAD - uses: cachix/install-nix-action@616559265b40713947b9c190a8ff4b507b5df49b # v31 with: github_access_token: ${{ secrets.GITHUB_TOKEN }} - - uses: DeterminateSystems/magic-nix-cache-action@def9f5a5c6a6b8751c0534e8813a5d0ad2635660 # v11 - run: nix develop --command make crossbuild - name: 'Upload Artifacts' id: upload 
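Review bot: The two `run:` steps that replace the `${{ github.ref }}` interpolation leave `${GITHUB_REF}` unquoted in the shell; writing them as `- run: git fetch --tags --force origin "${GITHUB_REF}"` and `- run: git checkout "${GITHUB_REF}"` keeps the ref a single argument whatever it contains and is the usual shell-hygiene form. The same two lines appear again in the build-others job hunk at `@@ -39,13 +38,13 @@`. A short comment above the first of them, `# read from the environment instead of expanding ${{ github.ref }} so the ref never becomes part of the script text`, would record why the env-var form was chosen. With `persist-credentials: false` now set on the checkout above, the explicit `git fetch ... origin` relies on anonymous access to the repository, which is presumably fine for a public repository but would need a token supplied if the repository is private.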
@@ -57,11 +56,14 @@ jobs: release: needs: [build-macos, build-others] runs-on: ubuntu-latest + permissions: + contents: write steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 + persist-credentials: false - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 78ccaef..70e86d4 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,5 +1,8 @@ name: Build and test +permissions: + contents: read + on: pull_request: push: @@ -9,6 +12,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: cachix/install-nix-action@616559265b40713947b9c190a8ff4b507b5df49b # v31 with: github_access_token: ${{ secrets.GITHUB_TOKEN }} @@ -21,6 +26,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: cachix/install-nix-action@616559265b40713947b9c190a8ff4b507b5df49b # v31 with: github_access_token: ${{ secrets.GITHUB_TOKEN }} @@ -31,6 +38,8 @@ jobs: runs-on: macos-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: cachix/install-nix-action@616559265b40713947b9c190a8ff4b507b5df49b # v31 with: github_access_token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..2a9919a --- /dev/null +++ b/.github/workflows/zizmor.yml 
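Review bot: The release job now pairs `contents: write` with `persist-credentials: false` on its checkout, so any later step in this job that pushes, tags or creates the release (the rest of the job is outside the hunk) must receive `${{ secrets.GITHUB_TOKEN }}` explicitly through its own input or `env:`, since git no longer holds the credential; worth confirming against the steps that follow the download-artifact step. A one-line comment on the new block, `permissions:  # elevated only here; the build jobs stay at contents: read`, would make the intended split between the read-only build jobs and this job easier to keep intact. The `fetch-depth: 0` full-history clone is kept although the visible lines of this job only download artifacts; if nothing below needs history, dropping it would shorten the checkout.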
@@ -0,0 +1,21 @@
+name: GitHub Actions Security Analysis with zizmor
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["**"]
+
+permissions: {}
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
+
+ - uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
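Review bot: The job-level `permissions:` grants only `security-events: write`, and because the workflow-level `permissions: {}` zeroes everything else the token carries no `contents` or `actions` scope; on a public repository the checkout and the result upload presumably still work anonymously, but if this repository is private (or becomes one) the checkout step and the zizmor-action upload would need `contents: read` and `actions: read` added beneath the existing `security-events: write`. A comment stating the intent, `# SARIF upload to code scanning; add contents/actions: read if the repo is private`, keeps that from being lost later. The `pull_request: branches: ["**"]` trigger runs the analysis on every pull request, which is the right scope for a workflow linter.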