diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 165dad4e01..ce593666e8 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -55,3 +55,5 @@ updates: - "react-dom" - "yjs" - "y-prosemirror" + cooldown: + default-days: 7
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 91b5ca0414..fef3e24484 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,6 +6,9 @@ on: pull_request: types: [opened, synchronize, reopened, edited] +permissions: + contents: read + env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true NX_SELF_HOSTED_REMOTE_CACHE_ACCESS_TOKEN: ${{ secrets.NX_SELF_HOSTED_REMOTE_CACHE_ACCESS_TOKEN }}
@@ -18,23 +21,24 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 60 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 100 + persist-credentials: false - name: Install pnpm - uses: pnpm/action-setup@v5 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 - - uses: nrwl/nx-set-shas@v5 + - uses: nrwl/nx-set-shas@afb73a62d26e41464e9254689e1fd6122ee683c1 # v5 - - uses: actions/setup-node@v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: cache: "pnpm" cache-dependency-path: "**/pnpm-lock.yaml" node-version-file: ".nvmrc" - name: Cache NX - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: .nx/cache key: nx-${{ env.NX_BRANCH }}-${{ env.NX_RUN_GROUP }}-${{ github.sha }}
@@ -59,7 +63,7 @@ jobs: run: NEXTJS_TEST_MODE=build npx vitest run tests/src/unit/nextjs/serverUtil.test.ts - name: Upload webpack stats artifact (editor) - uses: relative-ci/agent-upload-artifact-action@v2 + uses: relative-ci/agent-upload-artifact-action@a2b5741b4f7e6a989c84ec1a3059696b23c152e5 # v2 with: webpackStatsFile: ./playground/dist/webpack-stats.json artifactName: relative-ci-artifacts-editor
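Review bot: The new `cooldown` block applies to the npm group shown in this hunk, but I cannot see whether dependabot.yml also carries a `package-ecosystem: "github-actions"` entry; every action in this commit is now pinned to a commit SHA (build.yml, fresh-install-tests.yml, publish.yaml, relative-ci.yaml, zizmor.yml), and nothing will ever move those SHAs unless Dependabot or Renovate is configured for GitHub Actions. If such an entry already exists outside the hunk, ignore this; otherwise add one alongside the npm entry, e.g. `- package-ecosystem: "github-actions"` / `directory: "/"` / `schedule: {interval: "weekly"}`, so pinned actions keep receiving security updates and the `# vN` comments are rewritten with them.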
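Review bot: The workflow-level `permissions: contents: read` in the `@@ -6,6 +6,9 @@` hunk drops every other scope of `GITHUB_TOKEN` to none, and the `nrwl/nx-set-shas` steps later in this file (the `@@ -18,23 +21,24 @@` hunk and the playwright-build job) look up earlier workflow runs through the Actions API, which as far as I recall its README asks `actions: read` for; the jobs' own `permissions` blocks, if any, are outside the hunks so I cannot confirm one restores it. If `nx-set-shas` starts failing or silently falling back to a full-repo base after this change, add `actions: read` next to `contents: read` here (relative-ci.yaml in this same commit already grants exactly that pair).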
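Review bot: The pin of `pnpm/action-setup` in the `@@ -18,23 +21,24 @@` hunk is also a major-version upgrade (`@v5` becomes `# v6.0.8`), and `relative-ci/agent-action` in relative-ci.yaml goes from `@v2` to `# v3.2.3`; neither is called out as a behaviour change, and the same v5 to v6 bump recurs in the playwright hunks, fresh-install-tests.yml and publish.yaml. Major bumps are best kept out of a pin-to-SHA commit, or at least named in the commit message with a pointer to the release notes, so a reviewer can tell "same code, immutable ref" from "new code". The remaining pins (`actions/checkout`, `setup-node`, `cache`, `upload-artifact`, `download-artifact`, `nx-set-shas`) stay on their existing major and, together with `persist-credentials: false`, are straightforward hardening.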
@@ -73,23 +77,24 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 100 + persist-credentials: false - name: Install pnpm - uses: pnpm/action-setup@v5 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 - - uses: nrwl/nx-set-shas@v5 + - uses: nrwl/nx-set-shas@afb73a62d26e41464e9254689e1fd6122ee683c1 # v5 - - uses: actions/setup-node@v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: cache: "pnpm" cache-dependency-path: "**/pnpm-lock.yaml" node-version-file: ".nvmrc" - name: Cache NX - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: .nx/cache key: nx-playwright-${{ env.NX_BRANCH }}-${{ env.NX_RUN_GROUP }}-${{ github.sha }}
@@ -105,7 +110,7 @@ jobs: run: pnpm run build - name: Upload build artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: playwright-build path: |
@@ -127,21 +132,22 @@ jobs: shardIndex: [1, 2] shardTotal: [2] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 100 + persist-credentials: false - name: Install pnpm - uses: pnpm/action-setup@v5 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 - - uses: actions/setup-node@v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: cache: "pnpm" cache-dependency-path: "**/pnpm-lock.yaml" node-version-file: ".nvmrc" - name: Download build artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: playwright-build
@@ -153,7 +159,7 @@ jobs: HOME=/root PLAYWRIGHT_CONFIG="--project ${{ matrix.browser }} --shard=${{ matrix.shardIndex }}/${{ matrix.shardTotal }}" pnpm run e2e - name: Upload blob report - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: ${{ !cancelled() }} with: name: blob-report-${{ matrix.browser }}-${{ matrix.shardIndex }}
@@ -161,7 +167,7 @@ jobs: retention-days: 1 - name: Upload HTML report - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: ${{ !cancelled() }} with: name: playwright-report-${{ matrix.browser }}-${{ matrix.shardIndex }}
@@ -174,12 +180,14 @@ jobs: needs: playwright runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Install pnpm - uses: pnpm/action-setup@v5 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 - - uses: actions/setup-node@v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: cache: "pnpm" cache-dependency-path: "**/pnpm-lock.yaml"
@@ -189,7 +197,7 @@ jobs: run: pnpm install - name: Download blob reports - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: path: tests/all-blob-reports pattern: blob-report-*
@@ -200,7 +208,7 @@ jobs: working-directory: tests - name: Upload merged HTML report - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: playwright-report-merged path: tests/playwright-report/
diff --git a/.github/workflows/fresh-install-tests.yml b/.github/workflows/fresh-install-tests.yml
index 6d6ed4a452..d5698a1fbc 100644
--- a/.github/workflows/fresh-install-tests.yml
+++ b/.github/workflows/fresh-install-tests.yml
@@ -15,6 +15,9 @@ on: - cron: "0 2 * * *" # Daily at 02:00 UTC workflow_dispatch: # Allow manual runs +permissions: + contents: read + env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true pnpm_config_store_dir: ./node_modules/.pnpm-store
@@ -27,14 +30,16 @@ jobs: steps: - id: checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - id: install_pnpm name: Install pnpm - uses: pnpm/action-setup@v5 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 - id: setup_node - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version-file: ".nvmrc" # Intentionally no pnpm cache — we want fresh prod dep resolution
@@ -99,6 +104,14 @@ jobs: RUN_NUMBER: ${{ github.run_number }} RUN_ATTEMPT: ${{ github.run_attempt }} BRANCH: ${{ github.ref_name }} + STEPS_CHECKOUT_OUTCOME: ${{ steps.checkout.outcome }} + STEPS_INSTALL_PNPM_OUTCOME: ${{ steps.install_pnpm.outcome }} + STEPS_SETUP_NODE_OUTCOME: ${{ steps.setup_node.outcome }} + STEPS_INSTALL_DEPENDENCIES_OUTCOME: ${{ steps.install_dependencies.outcome }} + STEPS_UPDATE_PROD_DEPS_OUTCOME: ${{ steps.update_prod_deps.outcome }} + STEPS_DEDUPE_DEPS_OUTCOME: ${{ steps.dedupe_deps.outcome }} + STEPS_BUILD_PACKAGES_OUTCOME: ${{ steps.build_packages.outcome }} + STEPS_RUN_UNIT_TESTS_OUTCOME: ${{ steps.run_unit_tests.outcome }} run: | if [ -z "$SLACK_WEBHOOK_URL" ]; then echo "SLACK_WEBHOOK_URL is not configured; skipping Slack notification."
@@ -106,21 +119,21 @@ jobs: fi failed_step="Unknown step" - if [ "${{ steps.checkout.outcome }}" = "failure" ]; then + if [ "${STEPS_CHECKOUT_OUTCOME}" = "failure" ]; then failed_step="Checkout repository" - elif [ "${{ steps.install_pnpm.outcome }}" = "failure" ]; then + elif [ "${STEPS_INSTALL_PNPM_OUTCOME}" = "failure" ]; then failed_step="Install pnpm" - elif [ "${{ steps.setup_node.outcome }}" = "failure" ]; then + elif [ "${STEPS_SETUP_NODE_OUTCOME}" = "failure" ]; then failed_step="Setup Node.js" - elif [ "${{ steps.install_dependencies.outcome }}" = "failure" ]; then + elif [ "${STEPS_INSTALL_DEPENDENCIES_OUTCOME}" = "failure" ]; then failed_step="Install dependencies" - elif [ "${{ steps.update_prod_deps.outcome }}" = "failure" ]; then + elif [ "${STEPS_UPDATE_PROD_DEPS_OUTCOME}" = "failure" ]; then failed_step="Update prod deps of published packages" - elif [ "${{ steps.dedupe_deps.outcome }}" = "failure" ]; then + elif [ "${STEPS_DEDUPE_DEPS_OUTCOME}" = "failure" ]; then failed_step="Dedupe transitive dependencies" - elif [ "${{ steps.build_packages.outcome }}" = "failure" ]; then + elif [ "${STEPS_BUILD_PACKAGES_OUTCOME}" = "failure" ]; then failed_step="Build packages" - elif [ "${{ steps.run_unit_tests.outcome }}" = "failure" ]; then + elif [ "${STEPS_RUN_UNIT_TESTS_OUTCOME}" = "failure" ]; then failed_step="Run unit tests" fi
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 280d5a5af1..12bda34238 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -29,32 +29,34 @@ jobs: attestations: write timeout-minutes: 10 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs.version }} fetch-depth: 100 + persist-credentials: false - name: Display version being published run: | - echo "Publishing version: ${{ inputs.version }}" + echo "Publishing version: ${INPUTS_VERSION}" + env: + INPUTS_VERSION: ${{ inputs.version }} - run: jq '.packageManager' package.json | tr -d '"pnpm@' id: package-manager-version - name: Install pnpm - uses: pnpm/action-setup@v5 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 with: version: ${{ steps.package-manager-version.outputs.stdout }} - - uses: nrwl/nx-set-shas@v5 + - uses: nrwl/nx-set-shas@afb73a62d26e41464e9254689e1fd6122ee683c1 # v5 - - uses: actions/setup-node@v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 # zizmor: ignore[cache-poisoning] with: - cache: "pnpm" - cache-dependency-path: "**/pnpm-lock.yaml" + # No pnpm cache -- correctness over speed for publish workflows node-version-file: ".nvmrc" - name: Cache NX - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: .nx/cache key: nx-${{ env.NX_BRANCH }}-${{ env.NX_RUN_GROUP }}-${{ github.sha }}
@@ -62,6 +64,7 @@ jobs: nx-${{ env.NX_BRANCH }}-${{ env.NX_RUN_GROUP }}- nx-${{ env.NX_BRANCH }}- nx- + lookup-only: true - name: Install Dependencies & Build run: pnpm install && pnpm build
diff --git a/.github/workflows/relative-ci.yaml b/.github/workflows/relative-ci.yaml
index c2b848e202..fdee2a57f5 100644
--- a/.github/workflows/relative-ci.yaml
+++ b/.github/workflows/relative-ci.yaml
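Review bot: The `actions/setup-node` step keeps a `# zizmor: ignore[cache-poisoning]` marker even though this hunk removes the `cache` and `cache-dependency-path` inputs that the audit keys on; if zizmor no longer reports setup-node without a `cache` input, the suppression is a no-op today and will silently hide the finding should someone re-add caching to the publish job later. Either drop the marker or give it a reason in the form this commit already uses in relative-ci.yaml, e.g. `# zizmor: ignore[cache-poisoning] -- <reason it is still needed>`. Moving `inputs.version` into `INPUTS_VERSION` for the echo step is the right fix for the template-injection finding; the same `inputs.version` also feeds `ref:` on the checkout step, which is fine because that value never reaches a shell.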
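Review bot: With `lookup-only: true` the Cache NX step no longer downloads `.nx/cache` into the publish job, so the three `restore-keys` fallbacks above it (down to the bare `nx-` prefix) no longer affect the build, yet the step still reads as if the release build benefits from the cache; as I read the actions/cache documentation, `lookup-only` skips the download but does not by itself skip the post-job save, so the step's only remaining effect is to publish this job's `.nx/cache` for other workflows to restore. Given the `# No pnpm cache -- correctness over speed for publish workflows` rationale in the previous hunk, the simpler and more defensible option is to remove the Cache NX step from publish.yaml altogether. If it is kept, add a comment on the step saying it is intentionally lookup-only and why the save is still wanted, so the next reader does not "fix" it by turning the download back on.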
@@ -1,17 +1,24 @@ name: RelativeCI on: + # zizmor: ignore[dangerous-triggers] -- workflow_run is the recommended pattern + # for RelativeCI; this workflow only downloads artifacts and reports bundle stats. workflow_run: workflows: ["build"] types: - completed +permissions: + actions: read + contents: read + jobs: build: runs-on: ubuntu-latest + if: github.event.workflow_run.conclusion == 'success' steps: - name: Send bundle stats and build information to RelativeCI (editor) - uses: relative-ci/agent-action@v2 + uses: relative-ci/agent-action@fcf45416581928e8dd62eded78ce98c78e5149f8 # v3.2.3 with: artifactName: relative-ci-artifacts-editor key: ${{ secrets.RELATIVE_CI_KEY }}
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000000..1111b104a8
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,26 @@
+name: GitHub Actions Security Analysis with zizmor
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["**"]
+
+permissions: {}
+
+jobs:
+ zizmor:
+ name: Run zizmor
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ contents: read
+ actions: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
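Review bot: The `# zizmor: ignore[dangerous-triggers]` marker is placed on two comment lines between `on:` and `workflow_run:`; I am not certain zizmor honours an ignore comment on lines preceding the flagged key rather than on the key's own line, and because the new zizmor.yml only uploads SARIF (`security-events: write`) an unsuppressed finding would surface as a code-scanning alert rather than a failed job, which is easy to miss. Worth checking after the first run; if the finding persists, move the marker onto the key itself, `workflow_run: # zizmor: ignore[dangerous-triggers] -- see comment above`. The `if: github.event.workflow_run.conclusion == 'success'` guard and the explicit `actions: read` / `contents: read` grant are the right shape for a `workflow_run` consumer that only reads artifacts; the v2 to v3.2.3 jump on `relative-ci/agent-action` is a major bump and deserves a release-notes check, as already noted on build.yml.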
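Review bot: The checkout pin uses the same SHA `de0fac2e4500dabe0009e67214ff5f5447ce83dd` as every other workflow in this commit but annotates it `# v6.0.2` where build.yml, fresh-install-tests.yml and publish.yaml say `# v6`; the trailing comment is what humans and SHA-update tooling read, so pick one form — the exact tag `# v6.0.2` is the more useful one, since a SHA identifies exactly one release — and apply it consistently across the files. Separately, `pull_request` runs from forks get a read-only token, so the SARIF upload behind `security-events: write` may be rejected for those PRs; if that shows up, either accept log-only output for forks or turn off the upload there via the action's `advanced-security` input (if I recall its name correctly) guarded by `github.event.pull_request.head.repo.fork`. The top-level `permissions: {}` with job-scoped grants is the right pattern and matches what the other workflows in this commit move towards.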