From 890af21ea1820c457c28498390d0d140367f3d1f Mon Sep 17 00:00:00 2001
From: sunyiteng
Date: Thu, 21 May 2026 16:17:22 +0800
Subject: [PATCH 1/2] chore(ci): harden github actions
---
 .github/workflows/release.yml | 16 +++++++++-------
 .github/workflows/test.yml | 10 +++++++---
 2 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 68f22a7..9ddecae 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,22 +9,24 @@ on:
   workflow_dispatch:
-permissions:
-  contents: write
-  id-token: write
+permissions: {}
 jobs:
   publish:
     runs-on: ubuntu-latest
     environment: npm
+    permissions:
+      contents: write
+      id-token: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 22.20.0
+          package-manager-cache: false
       # Update npm to the latest version to enable OIDC
       # Use corepack to install pnpm
@@ -39,11 +41,11 @@ jobs:
         run: pnpm install
       - name: Publish
-        uses: JS-DevTools/npm-publish@v3
+        uses: JS-DevTools/npm-publish@19c28f1ef146469e409470805ea4279d47c3d35c # v3.1.1
         with:
           token: empty
       - name: Create GitHub Release
-        uses: ncipollo/release-action@v1
+        uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0
         with:
           generateReleaseNotes: "true"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index ef0a323..d012627 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -10,10 +10,14 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
+permissions: {}
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   test:
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     strategy:
       matrix:
         os: [ubuntu-latest, windows-latest]
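Review bot: The job-level `contents: write` token granted in the `publish` job is also what `actions/checkout` writes into the local git config, because its `persist-credentials` input defaults to `true`, so every later step in the job — including the `pnpm install` run in the next hunk and the npm/corepack installs the context comments describe — executes with a token that can push to this repository. Pinning the actions to SHAs does not reduce that exposure; add `with:` / `persist-credentials: false` under the Checkout step so the write-capable token is not left on disk for package lifecycle scripts to read. The same two-line addition is worth making on the Checkout step in `test.yml` (second hunk of that file) even though that job only holds `contents: read`. The `publish` job's step list continues past this hunk.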
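Review bot: The `JS-DevTools/npm-publish` pin at `# v3.1.1` keeps the context line `token: empty`, while the second patch in this series shows the same step at `0fd2f4369c5d6bcfcde6091a7c527d810b9b5c3f # v4.1.5` with `provenance: true` and a pre-image blob (`index 81fa8bb`) that is not the result of this patch (`9ddecae`), so an intermediate upgrade is missing from the series and whether v3.1.1 performs OIDC trusted publishing with that literal token value is not established by these hunks. If v4.1.5 with `provenance: true` is the intended end state, apply that pin here (or rebase the series) so each patch stands on its own. Note also that the trailing `# vX.Y.Z` comments are advisory only — nothing verifies that the SHA actually corresponds to the named tag — so the correspondence should be checked when the pins are introduced and kept current by whatever tool updates them.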
@@ -21,16 +25,16 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
       - name: Install Pnpm
         run: npm i -g corepack@latest --force && corepack enable
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 22.20.0
-          cache: "pnpm"
+          package-manager-cache: false
       - name: Install Dependencies
         run: pnpm install && npx playwright install chromium
From 4d33e62490f209fc210974e448d2962af5990054 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 21 May 2026 08:44:33 +0000
Subject: [PATCH 2/2] chore(ci): remove stale publish token comment
---
 .github/workflows/release.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 81fa8bb..417d0f9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -43,7 +43,6 @@ jobs:
       - name: Publish
         uses: JS-DevTools/npm-publish@0fd2f4369c5d6bcfcde6091a7c527d810b9b5c3f # v4.1.5
         with:
-          # token: empty # unnecessary if you use trusted publishing via OIDC
           provenance: true
       - name: Create GitHub Release
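Review bot: The context line `run: npm i -g corepack@latest --force && corepack enable` still resolves an unpinned `corepack@latest` from the registry on every run, which undercuts the SHA pinning this hunk introduces for the actions around it; pin it to an exact version, `run: npm i -g corepack@<PINNED_VERSION> --force && corepack enable` (placeholder), and the same applies wherever `release.yml` performs the install that its "Use corepack to install pnpm" comment describes, outside the visible hunk. Whether the pnpm that corepack then fetches is integrity-checked depends on the `packageManager` field in `package.json` carrying a hash, which these hunks do not show — worth confirming. Replacing `cache: "pnpm"` with `package-manager-cache: false` silently drops dependency caching for the test job with no stated reason; a one-line comment such as `# caching disabled on purpose: <reason>` above that input would keep the next maintainer from re-enabling it. The `test` job's steps continue past this hunk.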