From 185354e57252e050ce51709515bdf0f995ebf9fe Mon Sep 17 00:00:00 2001
From: Johannes Emerich
Date: Thu, 21 May 2026 06:47:11 +0200
Subject: [PATCH 1/2] Add persist-credentials abdication Applied by zizmor. Prevent lingering access credentials.
---
 .github/workflows/main.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 6e84964..616f954 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -14,6 +14,8 @@ jobs:
 name: Formatting
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: actions/setup-node@v2
 with:
@@ -28,6 +30,8 @@ jobs:
 name: Typechecks
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: actions/setup-node@v2
 with:
@@ -42,6 +46,8 @@ jobs:
 name: E2E on Chrome
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: cypress-io/github-action@v6
 with:
@@ -52,6 +58,8 @@ jobs:
 name: E2E on Firefox
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: cypress-io/github-action@v6
 with:
@@ -62,6 +70,8 @@ jobs:
 name: E2E on Edge
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: cypress-io/github-action@v6
 with:
@@ -72,6 +82,8 @@ jobs:
 name: E2E on WebKit
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: cypress-io/github-action@v6
 with:
From 11b3cbb157c211bde45ce9e8830f1b09b3b9322c Mon Sep 17 00:00:00 2001
From: Johannes Emerich
Date: Thu, 21 May 2026 06:51:12 +0200
Subject: [PATCH 2/2] Pin specific versions of GitHub Action deps
---
 .github/workflows/main.yml | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 616f954..1fc0564 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
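Review bot: Nothing in the six hunks of patch 1/2 limits what the job token itself may do; `persist-credentials: false` only stops the checkout step from leaving that token in the working copy's git configuration for later steps to read. The top of main.yml lies outside the hunks, so a `permissions:` block may already exist; if it does not, a workflow-level `permissions:` with `contents: read` would complete the hardening, since the jobs shown only format, typecheck and run E2E tests. The steps after each checkout are also outside the hunks, so it is worth confirming that none of them pushes, tags or fetches with git, because such a step would now need credentials passed to it explicitly.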
@@ -13,11 +13,11 @@ jobs:
 runs-on: ubuntu-latest
 name: Formatting
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 persist-credentials: false
- - uses: actions/setup-node@v2
+ - uses: actions/setup-node@1f8c6b94b26d0feae1e387ca63ccbdc44d27b561 # v2
 with:
 node-version: "20"
@@ -29,11 +29,11 @@ jobs:
 runs-on: ubuntu-latest
 name: Typechecks
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 persist-credentials: false
- - uses: actions/setup-node@v2
+ - uses: actions/setup-node@1f8c6b94b26d0feae1e387ca63ccbdc44d27b561 # v2
 with:
 node-version: "20"
@@ -45,11 +45,11 @@ jobs:
 runs-on: ubuntu-latest
 name: E2E on Chrome
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 persist-credentials: false
- - uses: cypress-io/github-action@v6
+ - uses: cypress-io/github-action@f790eee7a50d9505912f50c2095510be7de06aa7 # v6
 with:
 browser: chrome
@@ -57,11 +57,11 @@ jobs:
 runs-on: ubuntu-latest
 name: E2E on Firefox
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 persist-credentials: false
- - uses: cypress-io/github-action@v6
+ - uses: cypress-io/github-action@f790eee7a50d9505912f50c2095510be7de06aa7 # v6
 with:
 browser: firefox
@@ -69,11 +69,11 @@ jobs:
 runs-on: windows-latest
 name: E2E on Edge
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 persist-credentials: false
- - uses: cypress-io/github-action@v6
+ - uses: cypress-io/github-action@f790eee7a50d9505912f50c2095510be7de06aa7 # v6
 with:
 browser: edge
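Review bot: The trailing comments on the pinned `uses:` lines name only the major tag (`# v4`, `# v2`, `# v6`), so a reader cannot tell which release each commit hash corresponds to, and the hash cannot be checked against a specific tag from the diff alone. Recording the full release in the comment, in the form `- uses: actions/checkout@<commit-sha> # vX.Y.Z`, and confirming each hash against the upstream repository's tag before merging would make the pin auditable; this applies to all six hunks of patch 2/2, including the WebKit hunk that follows. Pinning also freezes `actions/setup-node` on its old v2 line in the Formatting and Typechecks jobs, so the pin should be paired with a scheduled update mechanism such as a Dependabot `github-actions` entry. Whether the repository already has one is not visible here.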
@@ -81,10 +81,10 @@ jobs:
 runs-on: macos-latest
 name: E2E on WebKit
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 persist-credentials: false
- - uses: cypress-io/github-action@v6
+ - uses: cypress-io/github-action@f790eee7a50d9505912f50c2095510be7de06aa7 # v6
 with:
 browser: webkit