diff --git a/.github/workflows/check-skills.yml b/.github/workflows/check-skills.yml index 267f8f79..13a017cc 100644 --- a/.github/workflows/check-skills.yml +++ b/.github/workflows/check-skills.yml @@ -16,22 +16,24 @@ on: types: [published] workflow_dispatch: {} -permissions: - contents: write - pull-requests: write +permissions: {} jobs: check: name: Check for stale skills runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: true # review job pushes a generated branch - name: Setup Node - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 20 @@ -108,8 +110,11 @@ jobs: if: steps.stale.outputs.has_stale == 'true' env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PROMPT: ${{ steps.summary.outputs.prompt }} + RELEASE_VERSION: ${{ github.event.release.tag_name || 'manual' }} + SUMMARY: ${{ steps.summary.outputs.summary }} run: | - VERSION="${{ github.event.release.tag_name || 'manual' }}" + VERSION="$RELEASE_VERSION" BRANCH="skills/review-${VERSION}" git config user.name "github-actions[bot]" 
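Review bot: `persist-credentials: true` on the Checkout step leaves the job's `contents: write` token in `.git/config` for every later step, not only the push that the inline comment justifies — Setup Node and whatever the stale-skills check runs afterwards (presumably Node scripts, and with them any dependency lifecycle script) can read it. The step that does `git push origin "$BRANCH"` already receives `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` in its own `env:` (visible in the later hunk), so the checkout could use `persist-credentials: false` and that step could authenticate itself with `gh auth setup-git` just before the push, confining the token to the one step that needs it. Moving `contents: write` / `pull-requests: write` from workflow to job level is fine as written; with a release-only trigger both grants are consumed by the push and `gh pr create`, so there is nothing further to trim.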
@@ -118,26 +123,20 @@ jobs: git commit --allow-empty -m "chore: review stale skills for ${VERSION}" git push origin "$BRANCH" + { + printf '%s\n\n' '## Stale Skills Detected' + printf '%s\n\n' 'The following skills may need updates after the latest release:' + printf '%s\n\n' "$SUMMARY" + printf '%s\n\n' '---' + printf '%s\n\n' '### Update Prompt' + printf '%s\n\n' 'Paste this into your coding agent (Claude Code, Cursor, etc.):' + printf '%s\n' '~~~' + printf '%s\n' "$PROMPT" + printf '%s\n' '~~~' + } > pr-body.md + gh pr create \ --title "Review stale skills (${VERSION})" \ - --body "$(cat <<'PREOF' - ## Stale Skills Detected - - The following skills may need updates after the latest release: - - ${{ steps.summary.outputs.summary }} - - --- - - ### Update Prompt - - Paste this into your coding agent (Claude Code, Cursor, etc.): - - ~~~ - ${{ steps.summary.outputs.prompt }} - ~~~ - - PREOF - )" \ + --body-file pr-body.md \ --head "$BRANCH" \ --base main diff --git a/.github/workflows/e2e-opportunistic-matrix.yml b/.github/workflows/e2e-opportunistic-matrix.yml index 625aa927..3d3fe8c7 100644 --- a/.github/workflows/e2e-opportunistic-matrix.yml +++ b/.github/workflows/e2e-opportunistic-matrix.yml @@ -34,11 +34,12 @@ jobs: - react-toolchain-deploy steps: - name: Checkout - uses: actions/checkout@v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Setup Tools - uses: tanstack/config/.github/setup@main + uses: tanstack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 # main - name: Install Playwright Chrome run: pnpm --filter @tanstack/cli exec playwright install --with-deps chrome - name: Run Matrix Scenario 
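Review bot: Writing `$PROMPT` between two `~~~` lines in `pr-body.md` still lets the prompt break out of its own fence: if the generated prompt contains a line consisting of `~~~` (or a longer tilde run), the fence closes early and the rest of the prompt is rendered as markdown in the PR body instead of as text to copy. `steps.summary.outputs.prompt` is produced outside this hunk, so I can't tell whether that can happen today; a cheap guard is a fence longer than anything the prompt is expected to contain, e.g. `printf '%s\n' '~~~~~~~~'` on both sides, or deriving the fence length from the longest tilde run in `$PROMPT`. The move from the interpolated heredoc to env-var `printf` and `--body-file` does close the shell-injection path, and `printf '%s\n' "$PROMPT"` keeps backslashes and `%` in the prompt intact, so the rest of the rewrite reads correctly.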
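Review bot: The `# main` comment on the new `tanstack/config/.github/setup@e4b48f16…` pin names a branch rather than a version, so a reader cannot tell which revision of the shared setup the matrix now runs, and digest-updating tools that key off that comment (Dependabot, Renovate) generally expect a tag there — whether they will keep this line current is worth confirming. If `tanstack/config` publishes tags, pin to one and comment it (`# vX.Y.Z`); otherwise a comment stating that the shared setup is deliberately frozen and must be bumped by hand, e.g. `# tanstack/config main as of <date>; bump manually`, records the intent. The same pin appears in pr.yml and release.yml below, so whichever form is chosen should be applied to all of them.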
@@ -47,7 +48,7 @@ jobs: run: pnpm nx run @tanstack/cli:test:e2e:matrix - name: Upload Playwright Report if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: playwright-report-${{ matrix.scenario }} path: packages/cli/playwright-report diff --git a/.github/workflows/notify-intent.yml b/.github/workflows/notify-intent.yml index ce2d15c4..cdba272b 100644 --- a/.github/workflows/notify-intent.yml +++ b/.github/workflows/notify-intent.yml @@ -22,15 +22,19 @@ on: - 'docs/**' - 'src/**' +permissions: + contents: read + jobs: notify: name: Notify TanStack Intent runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 2 + persist-credentials: false - name: Collect changed files id: changes @@ -39,7 +43,7 @@ jobs: echo "files=$FILES" >> "$GITHUB_OUTPUT" - name: Dispatch to intent repo - uses: peter-evans/repository-dispatch@v3 + uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0 with: token: ${{ secrets.INTENT_NOTIFY_TOKEN }} repository: TanStack/intent diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 9017783c..ca506976 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -19,11 +19,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Setup Tools - uses: tanstack/config/.github/setup@main + uses: tanstack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 # main - name: Build run: pnpm build - name: Test Unit 
@@ -33,11 +34,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Check Provenance - uses: danielroe/provenance-action@v0.1.1 + uses: danielroe/provenance-action@41bcc969e579d9e29af08ba44fcbfdf95cee6e6c # v0.1.1 with: fail-on-downgrade: true test-e2e: @@ -45,13 +47,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Setup Tools - uses: tanstack/config/.github/setup@main + uses: tanstack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 # main - name: Get base and head commits for `nx affected` - uses: nrwl/nx-set-shas@v4.4.0 + uses: nrwl/nx-set-shas@3e9ad7370203c1e93d109be57f3b72eb0eb511b1 # v4.4.0 with: main-branch-name: main - name: Install Playwright Chrome diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 810cf93f..13afe5fd 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -12,24 +12,26 @@ env: NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} -permissions: - contents: write - id-token: write - pull-requests: read - statuses: read +permissions: {} jobs: release: name: Release if: ${{ github.repository_owner == 'TanStack' && !contains(github.event.head_commit.message, '[skip ci]') }} runs-on: ubuntu-latest + permissions: + contents: write + id-token: write + pull-requests: read + statuses: read steps: - name: Checkout - uses: actions/checkout@v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Setup Tools - uses: tanstack/config/.github/setup@main + uses: tanstack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 # main - name: Build run: pnpm build - name: Test Unit @@ -60,4 +62,6 @@ jobs: - name: Publish Packages if: steps.release.outputs.has_changesets == 'true' && steps.changes.outputs.has_changes == 'true' - run: pnpm changeset publish --tag "${{ steps.release.outputs.npm_tag }}" + env: + NPM_TAG: ${{ steps.release.outputs.npm_tag }} + run: pnpm changeset publish --tag "$NPM_TAG" diff --git a/.github/workflows/validate-skills.yml b/.github/workflows/validate-skills.yml index 8f39716a..823a88ca 100644 --- a/.github/workflows/validate-skills.yml +++ b/.github/workflows/validate-skills.yml @@ -12,16 +12,21 @@ on: - 'skills/**' - '**/skills/**' +permissions: + contents: read + jobs: validate: name: Validate skill files runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Node - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 20 diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000..049ac745 --- /dev/null 
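Review bot: The workflow-level `env:` block that this hunk leaves in place still exports `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to every step, which undercuts the `persist-credentials: false` and job-level `contents: write` / `id-token: write` the hunk adds: the write-capable token is in the environment of Setup Tools, `pnpm build` and the unit tests (and any dependency lifecycle script they run) long before the release steps need it, which is exactly the exposure `persist-credentials: false` was meant to remove. Moving `GITHUB_TOKEN` out of the top-level `env:` into the `env:` of the step(s) that actually call GitHub — presumably the changesets release step whose outputs the publish step reads — would limit it to those steps; `NX_CLOUD_ACCESS_TOKEN` is presumably needed by nx across build and test and can stay. The `if:` guard on `github.repository_owner` and the job-level `statuses: read` / `pull-requests: read` look right for a changesets release.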
+++ b/.github/workflows/zizmor.yml @@ -0,0 +1,27 @@ +name: GitHub Actions Security Analysis + +on: + push: + branches: + - main + pull_request: + branches: + - '**' + +permissions: {} + +jobs: + zizmor: + name: zizmor + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + with: + advanced-security: false + annotations: true
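Review bot: `pull_request: branches: ['**']` in the new workflow is equivalent to no branch filter at all, so it only adds noise; dropping it (`pull_request: {}`, matching the `workflow_dispatch: {}` style used elsewhere in this repo) or, if the intent was to audit only workflow changes, replacing it with a `paths:` filter on `.github/**` reads more clearly — note that zizmor can also audit `action.yml` definitions, so a paths filter would need to cover those too. `permissions: {}` together with `persist-credentials: false` and the SHA-pinned action is the right shape for a scanner job; as I read the action's inputs, `advanced-security: false` means nothing is uploaded to code scanning, so no `security-events: write` is needed, which matches.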