diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..6d3e42f --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,35 @@ +version: 2 + +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + cooldown: + default-days: 7 + groups: + actions: + patterns: ["*"] + commit-message: + prefix: ci + labels: + - dependencies + - github-actions + ignore: + - dependency-name: DeterminateSystems/* + + - package-ecosystem: npm + directory: / + schedule: + interval: weekly + cooldown: + default-days: 7 + semver-major-days: 14 + semver-minor-days: 7 + semver-patch-days: 3 + groups: + npm-deps: + patterns: ["*"] + labels: + - dependencies + - npm diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 413fb5c..877a2d0 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -22,12 +22,17 @@ jobs: contents: read id-token: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: DeterminateSystems/flake-checker-action@main with: fail-mode: true + - if: success() || failure() uses: DeterminateSystems/determinate-nix-action@main + - if: success() || failure() uses: DeterminateSystems/flakehub-cache-action@main @@ -95,9 +100,13 @@ jobs: id-token: write contents: read steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: DeterminateSystems/determinate-nix-action@main if: ${{ github.event_name == 'merge_group' }} + - uses: DeterminateSystems/flakehub-cache-action@main if: ${{ github.event_name == 'merge_group' }} 
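Review bot: The `ignore` entry `dependency-name: DeterminateSystems/*` in the github-actions block carries no explanation, yet it is the one setting that decides those actions keep floating on `@main` while every other action in this commit is SHA-pinned and left to Dependabot to bump; a comment above it such as `# tracked at @main on purpose; keep in sync with the ref-pin policy in .github/zizmor.yml` would stop a later maintainer from removing it as a leftover. The npm block sets no `commit-message` prefix while the github-actions block uses `prefix: ci`; if the asymmetry is intended, a one-line comment would make that reviewable too. Both `groups` entries use the flow list `patterns: ["*"]`, which is fine for a single literal but worth keeping consistent if more patterns are added later.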
@@ -125,7 +134,9 @@ jobs:
 id-token: "write"
 contents: "read"
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: DeterminateSystems/determinate-nix-action@main
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
index 245a9c6..a383996 100644
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@@ -14,8 +14,10 @@ jobs:
 pull-requests: write
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
- - uses: DeterminateSystems/determinate-nix-action@v3
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: DeterminateSystems/determinate-nix-action@main
 - uses: DeterminateSystems/update-flake-lock@main
 with:
 pr-title: "Update Nix flake inputs" # Title of PR to be created
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..e60cfa7
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,25 @@
+name: zizmor
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ contents: read
+ actions: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+ with:
+ config: .github/zizmor.yml
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..abdc40b
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ DeterminateSystems/*: ref-pin
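Review bot: The second added step moves `DeterminateSystems/determinate-nix-action` from the tag `@v3` to the branch `@main`, the opposite direction from the SHA pin applied to `actions/checkout` just above it, in a job that holds `pull-requests: write`, and the hunk gives no reason for it. If tracking `main` is deliberate (it is what the `ref-pin` policy in `.github/zizmor.yml` permits), a comment on that line would make the intent reviewable, e.g. `# tracks main on purpose; exempted from hash-pinning in .github/zizmor.yml`. With `persist-credentials: false` now set on the checkout, the following `update-flake-lock@main` step can no longer rely on a token stored in the checkout to push its branch; it presumably authenticates through its own `token` input, which is worth confirming before merge. The step list of this job continues past the end of the hunk.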
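Review bot: The `pull_request:` trigger in the new `zizmor.yml` has no `branches` filter while `push` is limited to `main`, so every pull request also runs the step that evidently uploads results under `security-events: write`; on pull requests from forks the job token is read-only regardless of the declared permissions, so confirm the action degrades cleanly there instead of failing the check, or narrow the trigger to match `push`. The `zizmor` job sets no `timeout-minutes`, so a hung run is only bounded by the runner default. Style: the repository now mixes `.yaml` (`ci.yaml`) and `.yml` (`update.yml`, `zizmor.yml`) workflow extensions; the new file follows `update.yml`, which is fine, but one convention should be settled for future additions.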
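Review bot: The policy line `DeterminateSystems/*: ref-pin` exempts an entire organization from hash pinning and the file says nothing about why; add a comment above it, e.g. `# DeterminateSystems actions are tracked at @main on purpose; keep in sync with the ignore rule in .github/dependabot.yml`. Note that `ref-pin` is satisfied by any ref, branch or tag, so `@main` passes this audit and the trust boundary becomes the upstream branch rather than a reviewed release, which is worth stating in that comment. `unpinned-uses` is the only rule configured, so every other action in the repository is presumably still held to the audit's default policy, which the SHA pins on `actions/checkout` and `zizmorcore/zizmor-action` in this commit satisfy.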