diff --git a/.github/workflows/markdown-link-check.json b/.github/markdown-link-check.json similarity index 100% rename from .github/workflows/markdown-link-check.json rename to .github/markdown-link-check.json diff --git a/.github/workflows/ci-bun.yml b/.github/workflows/ci-bun.yml index 50f8ec291..0f6d1c74e 100644 --- a/.github/workflows/ci-bun.yml +++ b/.github/workflows/ci-bun.yml @@ -6,8 +6,13 @@ on: push: branches: - '**' - tags: - - '!**' + +# Automatically cancel in-progress actions on the same branch +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +permissions: {} jobs: test: @@ -19,20 +24,30 @@ jobs: - windows-latest runs-on: ${{ matrix.os }} name: ${{ matrix.os }} + permissions: + contents: read # checkout repository steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 with: bun-version: 1.2.22 + - name: Install dependencies run: bun install --ignore-scripts + - name: Build knip run: bun run build working-directory: packages/knip + - name: Run knip run: ./packages/knip/bin/knip-bun.js + - name: Run knip (production/strict) run: ./packages/knip/bin/knip-bun.js --production --strict + - name: Test knip run: bun run test working-directory: packages/knip diff --git a/.github/workflows/ci-legacy-5.0.4.yml b/.github/workflows/ci-legacy-5.0.4.yml index 88dcd2d6a..465851ba8 100644 --- a/.github/workflows/ci-legacy-5.0.4.yml +++ b/.github/workflows/ci-legacy-5.0.4.yml @@ -8,8 +8,13 @@ on: push: branches: - '**' - tags: - - '!**' + +# Automatically cancel in-progress actions on the same branch +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +permissions: {} jobs: test: 
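Review bot: `cancel-in-progress: true` in the new `concurrency` block also applies to push runs on the default branch, because for a push event the group key falls back to `github.ref`. Two quick pushes to the same branch then cancel the earlier run, so that commit never gets a completed result. In integration.yml, which gets the same block, a cancelled push run would also skip the publish and the issue comment for its commits. If that is not intended, limit cancellation to non-default refs, for example `cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}` (branch name inferred from zizmor.yml, so confirm it). The same block is added in ci-legacy-5.0.4.yml, ci-legacy-latest.yml, ci.yml, integration.yml and markdown-link-check.yml.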
@@ -22,37 +27,49 @@ jobs: node: - 20 - 22 - runs-on: ${{ matrix.os }} name: ${{ matrix.os }} (Node v${{ matrix.node }}) - + permissions: + contents: read # checkout repository steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: ${{ matrix.node }} + - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5 with: version: 10 package_json_file: packages/knip/package.json + - run: echo "manage-package-manager-versions=false" >> .npmrc + - name: Install dependencies run: pnpm install + - name: Build knip run: pnpm run build working-directory: packages/knip + - name: Install earliest supported peer dependencies run: pnpm add typescript@5.0.4 @types/node@20 --config.trustPolicy=allow working-directory: packages/knip + - name: Type-check against TS 5.0.4 run: | node -e "let f=require('fs'),p='tsconfig.json';f.writeFileSync(p,f.readFileSync(p,'utf8').replace(/.*(?:rewriteRelativeImportExtensions|erasableSyntaxOnly).*\n/g,''))" pnpm tsc --noEmit working-directory: packages/knip + - name: Test knip run: pnpm test --runtime node --smoke working-directory: packages/knip + - name: Run knip run: ./packages/knip/bin/knip.js --reporter github-actions + - name: Run knip in strict mode run: ./packages/knip/bin/knip.js --production --strict diff --git a/.github/workflows/ci-legacy-latest.yml b/.github/workflows/ci-legacy-latest.yml index 089ddcf56..82b19a51c 100644 --- a/.github/workflows/ci-legacy-latest.yml +++ b/.github/workflows/ci-legacy-latest.yml 
@@ -8,31 +8,48 @@ on: push: branches: - '**' - tags: - - '!**' + +# Automatically cancel in-progress actions on the same branch +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +permissions: {} jobs: test: runs-on: ubuntu-latest name: Ubuntu/Node v22 + permissions: + contents: read # checkout repository steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 22 + - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5 + - name: Install dependencies run: pnpm install + - name: Install latest peer dependencies run: pnpm add typescript@latest @types/node@22 --config.trustPolicy=allow working-directory: packages/knip + - name: Build knip run: pnpm run build working-directory: packages/knip + - name: Test knip run: pnpm test --runtime node working-directory: packages/knip + - name: Run knip run: ./packages/knip/bin/knip.js + - name: Run knip in strict mode run: ./packages/knip/bin/knip.js --production --strict diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4b1a70102..2fc44ac80 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -6,33 +6,51 @@ on: push: branches: - '**' - tags: - - '!**' + +# Automatically cancel in-progress actions on the same branch +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +permissions: {} jobs: test: runs-on: ubuntu-latest name: Ubuntu/Node v24 + permissions: + contents: read steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 + - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5 + - name: Install dependencies run: pnpm install + - name: Install latest peer dependencies run: pnpm add typescript@next @types/node@24 --config.trustPolicy=allow working-directory: packages/knip + - name: Lint knip run: pnpm run ci + - name: Build knip run: pnpm run build working-directory: packages/knip + - name: Test knip run: pnpm test --runtime node working-directory: packages/knip + - name: Run knip run: ./packages/knip/bin/knip.js + - name: Run knip in strict mode run: ./packages/knip/bin/knip.js --production --strict diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index aecf3cf98..8369f2a7c 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml 
@@ -11,37 +11,52 @@ on: push: branches: - '**' - tags: - - '!**' -permissions: - issues: write +# Automatically cancel in-progress actions on the same branch +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +permissions: {} jobs: publish: name: Build and publish Knip runs-on: ubuntu-latest + permissions: + contents: read # checkout repository + issues: write # comment on referenced issues outputs: sha: ${{ steps.publish.outputs.sha }} steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 + - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5 + - run: pnpm install --frozen-lockfile working-directory: packages/knip + - run: pnpm run build working-directory: packages/knip + - id: publish run: | pnpx pkg-pr-new publish --compact './packages/knip' './packages/language-server' './packages/mcp-server' + - name: Comment on referenced issues if: github.event_name == 'push' uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + PUBLISH_SHA: ${{ steps.publish.outputs.sha }} with: script: | - const sha = '${{ steps.publish.outputs.sha }}'; + const sha = process.env.PUBLISH_SHA; const commits = context.payload.commits || []; const messages = commits.map(commit => commit.message).join('\n'); const issueRefs = messages.match(/#(\d+)/g) || []; @@ -64,6 +79,8 @@ jobs: name: Run Knip in ${{ matrix.project.name }} needs: publish runs-on: ubuntu-latest + permissions: + contents: read # checkout repository env: PKG_URL: https://pkg.pr.new/knip@${{ needs.publish.outputs.sha }} SNAP: ${{ github.workspace }}/.github/workflows/scripts/snap.sh 
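Review bot: `issues: write` is granted to the whole `publish` job, so a token with that scope is issued to the same job that runs `pnpm install`, `pnpm run build` and the unpinned `pnpx pkg-pr-new`. Only the `Comment on referenced issues` step appears to need the scope, assuming pkg-pr-new itself does not. Moving that step into its own job with `needs: publish` would let `publish` keep only `contents: read`. The sha is already exported as a job output, so the new job can read `needs.publish.outputs.sha`. The script body continues outside this hunk and is elided below.

```yaml
  comment:
    name: Comment on referenced issues
    if: github.event_name == 'push'
    needs: publish
    runs-on: ubuntu-latest
    permissions:
      issues: write # comment on referenced issues
    steps:
      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        env:
          PUBLISH_SHA: ${{ needs.publish.outputs.sha }}
        with:
          script: |
            // … unchanged: script body that reads process.env.PUBLISH_SHA …
```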
@@ -202,6 +219,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Check out ${{ matrix.project.repo }} uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 @@ -209,12 +228,15 @@ jobs: repository: ${{ matrix.project.repo }} path: ${{ matrix.project.name }} sparse-checkout: ${{ matrix.project.sparse-checkout }} + persist-credentials: false - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 + with: + no-cache: true - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5 @@ -237,12 +259,15 @@ jobs: if: ${{ inputs.update_snapshots }} needs: integration runs-on: ubuntu-latest + permissions: + contents: read # download and upload artifacts steps: - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: pattern: snapshots-* path: snapshots/ merge-multiple: true + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: snapshots diff --git a/.github/workflows/markdown-link-check.yml b/.github/workflows/markdown-link-check.yml index 1593822fd..b2e170a03 100644 --- a/.github/workflows/markdown-link-check.yml +++ b/.github/workflows/markdown-link-check.yml 
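Review bot: The `contents: read` grant added in the last hunk of this file (`@@ -237,12 +259,15 @@`, the job gated on `inputs.update_snapshots`) looks unnecessary, and its comment `# download and upload artifacts` is misleading. The two visible steps are `actions/download-artifact` and `actions/upload-artifact` within the same run, which authenticate with the runner's artifact runtime token rather than with `GITHUB_TOKEN` scopes. The job also has no checkout step. If no step outside the hunk reads the repository, drop the job-level block so the job inherits the top-level `permissions: {}`. The upload step continues past the end of the hunk.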
@@ -4,18 +4,28 @@ on: push: branches: - '**' - tags: - - '!**' + +# Automatically cancel in-progress actions on the same branch +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +permissions: {} jobs: markdown-link-check: + name: Check Markdown links runs-on: ubuntu-latest + permissions: + contents: read # checkout repository steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Check Markdown links uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # v1 with: - config-file: .github/workflows/markdown-link-check.json + config-file: .github/markdown-link-check.json use-quiet-mode: 'yes' use-verbose-mode: 'yes' diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 000000000..9b1376933 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,33 @@ +name: zizmor + +on: + push: + branches: ['main'] + pull_request: + branches: ['main'] + +# Automatically cancel in-progress actions on the same branch +concurrency: + group: ${{ github.workflow }}-${{ github.event_name == 'pull_request_target' && github.head_ref || github.ref }} + cancel-in-progress: true + +permissions: {} + +jobs: + zizmor: + name: Run zizmor 🌈 + runs-on: ubuntu-latest + permissions: + contents: read # checkout repository + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + with: + inputs: .github/workflows + annotations: true + advanced-security: false
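Review bot: The concurrency group in the new zizmor.yml tests `github.event_name == 'pull_request_target'`, but the workflow only triggers on `push` and `pull_request`, so that branch is never taken and the key is always `github.ref`. Use the same key as the other workflows in this commit: `group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}`. The `actions/checkout` pin here (commented `# v6.0.2`) is also a different commit SHA from the `# v6` pin used in every other workflow. A single pin across the repository is easier to audit and to bump.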