diff --git a/.github/dependabot.yml b/.github/dependabot.yml index f6faee6938..c20187016c 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -8,3 +8,5 @@ updates: github-actions: patterns: - "*" + cooldown: + default-days: 7 diff --git a/.github/workflows/code-style-lint.yml b/.github/workflows/code-style-lint.yml index 9e90858df0..14cdec97eb 100644 --- a/.github/workflows/code-style-lint.yml +++ b/.github/workflows/code-style-lint.yml @@ -3,13 +3,23 @@ name: Lint code style issues on: pull_request: +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: - lint-code-styling: + lint-code-styling: # zizmor: ignore[anonymous-definition] runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Get changed files id: changed-files @@ -20,7 +30,7 @@ jobs: - name: Check PHP code style issues if: steps.changed-files.outputs.any_modified == 'true' - uses: aglipanci/laravel-pint-action@36de00d5f5a8a4e12d443e01671daa12a18f4c79 # v2.6 + uses: aglipanci/laravel-pint-action@36de00d5f5a8a4e12d443e01671daa12a18f4c79 # 2.6 with: testMode: true verboseMode: true diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml index a4ecda7248..371f8a26b1 100644 --- a/.github/workflows/pr-title.yml +++ b/.github/workflows/pr-title.yml @@ -4,9 +4,16 @@ on: pull_request: types: [opened, edited, synchronize, reopened] +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: - pr-title: + pr-title: # zizmor: ignore[anonymous-definition] runs-on: ubuntu-latest + permissions: {} steps: - name: Validate PR title matches target branch env: diff --git a/.github/workflows/pull-requests.yml b/.github/workflows/pull-requests.yml index 99bb1af860..b1919640cb 100644 --- a/.github/workflows/pull-requests.yml 
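Review bot: The new `cooldown` block appears directly after the `github-actions` group's `patterns` list, and the collapsed hunk does not show its indentation; Dependabot only honours `cooldown` as a key of the update entry itself (a sibling of `package-ecosystem`/`groups`), not inside a group, so confirm it sits at that level or the 7-day delay will be rejected or ignored rather than applied. A one-line comment would also record why the delay exists, e.g. `# hold new action releases for a week so a compromised tag can be caught before it is adopted`. If this file has other ecosystems (npm, composer), they get no cooldown unless the key is repeated in their entries.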
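Review bot: `lint-code-styling` gets a `# zizmor: ignore[anonymous-definition]` suppression instead of the `name:` the audit asks for, and the same pattern is repeated on every job in this PR, while the new zizmor workflow names its own job — the two styles diverge. Adding `name: Lint code style` under `runs-on` clears the finding without an ignore comment and gives a readable label in the checks UI. The rest of the hunk (`permissions: {}` at workflow level, `contents: read` on the job, `persist-credentials: false` on checkout) is the right least-privilege shape for a read-only lint job.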
+++ b/.github/workflows/pull-requests.yml @@ -4,16 +4,21 @@ name: Pull Requests # https://github.com/laravel/.github/blob/main/.github/workflows/pull-requests.yml on: - pull_request_target: + pull_request_target: # zizmor: ignore[dangerous-triggers] types: - opened -permissions: - pull-requests: write +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number }} + cancel-in-progress: true jobs: - uneditable: + uneditable: # zizmor: ignore[anonymous-definition] runs-on: ubuntu-latest + permissions: + pull-requests: write # post comment and close PRs that don't allow maintainer edits steps: - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bd472c2074..85847f9b71 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,21 +1,28 @@ name: Create Release -on: +on: # zizmor: ignore[concurrency-limits] push: tags: - 'v*' +permissions: {} + jobs: - build: + build: # zizmor: ignore[anonymous-definition] runs-on: ubuntu-latest + permissions: + contents: write # create GitHub release and upload assets steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Use Node.js 20.19.0 uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20.19.0 + package-manager-cache: false - name: Install dependencies run: npm ci 
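Review bot: The `# zizmor: ignore[dangerous-triggers]` on `pull_request_target` carries no justification, and the property that makes it acceptable — the job only runs `actions/github-script` against PR metadata and never checks out the PR head — is not stated anywhere in the file. Record that invariant next to the suppression, e.g. `# zizmor: ignore[dangerous-triggers] safe: no checkout of PR head; github-script reads PR metadata only` (or on a comment line above if the zizmor version in use rejects trailing text), so that a future `actions/checkout` step is recognised as breaking the assumption. Scoping `pull-requests: write` to the job with an inline reason is good; the `github-script` step body that uses that permission continues past the end of the hunk.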
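Review bot: `contents: write` is granted to the whole `build` job, so it is in force during `npm ci` and the build steps, which do not need it; only the release-creation step does. Moving release creation into a second job that receives the tarballs via `actions/upload-artifact`/`download-artifact`, with `contents: read` on the build job, keeps the write-capable token out of the job that runs third-party npm install scripts. Because `GITHUB_TOKEN` is only handed to steps that reference it and `persist-credentials: false` keeps it out of `.git/config`, this is defense-in-depth rather than a live exposure, but it is the usual shape for release workflows.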
@@ -30,57 +37,22 @@ jobs: version: ${{ github.ref }} - name: Create release - id: create_release - uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - tag_name: ${{ steps.changelog.outputs.version }} - release_name: ${{ steps.changelog.outputs.version }} - body: ${{ steps.changelog.outputs.text }} - prerelease: false - - - name: Upload dist zip to release - uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: ./resources/dist.tar.gz - asset_name: dist.tar.gz - asset_content_type: application/tar+gz - - - name: Upload dist-dev zip to release - uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: ./resources/dist-dev.tar.gz - asset_name: dist-dev.tar.gz - asset_content_type: application/tar+gz - - - name: Upload dist-frontend zip to release - uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: ./resources/dist-frontend.tar.gz - asset_name: dist-frontend.tar.gz - asset_content_type: application/tar+gz - - - name: Upload dist-package zip to release - uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: ./resources/dist-package.tar.gz - asset_name: dist-package.tar.gz - asset_content_type: application/tar+gz + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + RELEASE_VERSION: ${{ steps.changelog.outputs.version }} + RELEASE_NOTES: ${{ steps.changelog.outputs.text 
}} + run: | + gh release create "$RELEASE_VERSION" \ + --title "$RELEASE_VERSION" \ + --notes "$RELEASE_NOTES" \ + ./resources/dist.tar.gz \ + ./resources/dist-dev.tar.gz \ + ./resources/dist-frontend.tar.gz \ + ./resources/dist-package.tar.gz - name: Deploy Storybook to Forge continue-on-error: true + env: + FORGE_STORYBOOK_WEBHOOK: ${{ secrets.FORGE_STORYBOOK_WEBHOOK }} run: | - curl -X POST "${{ secrets.FORGE_STORYBOOK_WEBHOOK }}" + curl -X POST "$FORGE_STORYBOOK_WEBHOOK" diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 151e58c369..ae6fcda0c0 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -1,12 +1,17 @@ name: "Close stale issues" -on: +on: # zizmor: ignore[concurrency-limits] workflow_dispatch: schedule: - cron: "30 1 * * *" +permissions: {} + jobs: - stale: + stale: # zizmor: ignore[anonymous-definition] runs-on: ubuntu-latest + permissions: + issues: write # mark issues stale and close them + pull-requests: write # mark pull requests stale and close them steps: - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0 with: diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index fca6256b8f..1096a92ab5 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -9,10 +9,18 @@ on: schedule: - cron: '0 0 * * *' +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + jobs: php-tests: runs-on: ${{ matrix.os }} if: "!contains(github.event.head_commit.message, '[ci skip]')" + permissions: + contents: read strategy: matrix: @@ -31,6 +39,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Get changed files id: changed-files 
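Review bot: `gh release create "$RELEASE_VERSION"` creates the tag at the default-branch HEAD when `$RELEASE_VERSION` does not already exist as a tag, so if the changelog step (which, per the context line, is fed `${{ github.ref }}`, i.e. `refs/tags/v…`) ever emits a differently formatted version, a release would be published pointing at the wrong commit; add `--verify-tag` so the command fails instead: `gh release create "$RELEASE_VERSION" --verify-tag \`. Passing the changelog text through `env` rather than interpolating it into `run:` is the right fix for template injection; if notes can grow large, `--notes-file` avoids argv length limits. The Forge webhook step now keeps the URL in `env`, but `curl -X POST` without `--fail`/`-sS` together with `continue-on-error: true` means a failed deploy never shows up — `curl -fsS -X POST "$FORGE_STORYBOOK_WEBHOOK"` at least surfaces it in the log.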
@@ -96,12 +106,16 @@ jobs: js-tests: runs-on: ubuntu-latest if: "!contains(github.event.head_commit.message, '[ci skip]')" + permissions: + contents: read name: JavaScript tests steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Get changed files id: changed-files @@ -146,16 +160,21 @@ jobs: name: Slack Notification runs-on: ubuntu-latest needs: [php-tests, js-tests] + permissions: + actions: read # required by workflow-conclusion-action to determine overall workflow status if: always() steps: - uses: technote-space/workflow-conclusion-action@45ce8e0eb155657ab8ccf346ade734257fd196a5 # v3 - name: Send Slack notification - uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3 + uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c # v3.0.3 if: env.WORKFLOW_CONCLUSION == 'failure' && github.event_name == 'schedule' with: - status: failure - fields: repo,message,commit,author,action,eventName,ref,workflow - author_name: ${{ github.actor }} - env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + webhook: ${{ secrets.SLACK_WEBHOOK }} + webhook-type: incoming-webhook + payload: | + text: ":x: *${{ github.repository }}* tests failed" + blocks: + - type: section + text: + type: mrkdwn + text: ":x: *${{ github.repository }}* tests failed\n*Ref:* ${{ github.ref }}\n*Author:* ${{ github.actor }}\n*Workflow:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>" diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000000..7088be7ef9 --- /dev/null +++ b/.github/workflows/zizmor.yml 
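Review bot: The Slack `payload` interpolates `${{ github.ref }}`, `${{ github.actor }}` and `${{ github.workflow }}` directly into the YAML/JSON document, which is only safe because the step is gated to `github.event_name == 'schedule'`, where all of those values are repository-controlled; widening the gate to `pull_request` later would let a branch name or actor containing quotes or newlines break or alter the message. Pin that assumption with a comment above the step, e.g. `# payload embeds github.* context verbatim; keep this step gated to schedule-only runs`. The `actions: read` grant for `workflow-conclusion-action` is documented inline, which is the right style.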
@@ -0,0 +1,36 @@ +name: GitHub Actions Security Analysis + +on: + push: + branches: + - master + - '*.x' + paths: + - '.github/**.yml' + pull_request: + paths: + - '.github/**.yml' + +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + zizmor: + name: zizmor + runs-on: ubuntu-latest + permissions: {} + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + with: + advanced-security: false + annotations: true + persona: pedantic
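Review bot: The `paths:` filters match only `.github/**.yml`, so a workflow or reusable action saved with a `.yaml` extension changes without triggering the audit; add `- '.github/**.yaml'` next to each existing pattern. The job runs with `permissions: {}`; if zizmor-action's online audits are left enabled they use the default `github.token`, which works for public repositories but may need `contents: read` on a private one — worth confirming on the first run. `persona: pedantic` with `annotations: true` and no `min-severity` will surface informational findings as PR annotations, which is consistent with the `zizmor: ignore[...]` comments added across the other workflows in this PR.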