diff --git a/.github/workflows/binaries.yml b/.github/workflows/binaries.yml
index c8ed3bcc5a..d5e04ec99f 100644
--- a/.github/workflows/binaries.yml
+++ b/.github/workflows/binaries.yml
@@ -5,7 +5,7 @@ on:
 branches:
 - main
-permissions: read-all
+permissions: {}
 jobs:
 binaries:
@@ -42,6 +42,8 @@ jobs:
 name: Build binary artifacts
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ with:
+ persist-credentials: false
 - name: Install packages (Ubuntu)
 if: startsWith(matrix.os, 'ubuntu')
 run: |
@@ -61,7 +63,7 @@ jobs:
 run: |
 outdir="target/${{ matrix.target }}/release"
 BIN=$outdir/jj
- [[ "${{ matrix.os }}" == "windows-latest" ]] && BIN+=".exe"
+ [[ "${{ matrix.os }}" == "windows-latest" ]] && BIN+=".exe"
 mkdir -p target/out
 cp $BIN target/out
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1a2fae69c5..01ab54407f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,7 +17,7 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
-permissions: read-all
+permissions: {}
 env:
 CARGO_INCREMENTAL: 0
@@ -68,6 +68,8 @@ jobs:
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ with:
+ persist-credentials: false
 - name: Set up Windows Builders
 uses: ./.github/actions/setup-windows
 - name: Install Rust
@@ -91,6 +93,8 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ with:
+ persist-credentials: false
 - name: Install Rust
 uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203
 with:
@@ -111,6 +115,7 @@ jobs:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 with:
 fetch-depth: 0
+ persist-credentials: false
 - uses: DeterminateSystems/nix-installer-action@e50d5f73bfe71c2dd0aa4218de8f4afa59f8f81d
 - run: nix flake check -L --show-trace
@@ -119,6 +124,8 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ with:
+ persist-credentials: false
 - uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203
 with:
 toolchain: stable
@@ -133,6 +140,8 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ with:
+ persist-credentials: false
 - uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203
 with:
 toolchain: nightly
@@ -146,6 +155,8 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ with:
+ persist-credentials: false
 - uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203
 with:
 toolchain: stable
@@ -168,6 +179,8 @@ jobs:
 name: check (cargo-deny, ${{ matrix.checks }})
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ with:
+ persist-credentials: false
 - uses: EmbarkStudios/cargo-deny-action@e2f4ede4a4e60ea15ff31bc0647485d80c66cfba
 with:
 command: check ${{ matrix.checks }}
@@ -177,6 +190,8 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38
 with:
 python-version: 3.11
@@ -194,6 +209,8 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ with:
+ persist-credentials: false
 - uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8
 with:
 toolchain: 1.76
@@ -214,6 +231,8 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38
 with:
 python-version: 3.11
@@ -232,9 +251,37 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ with:
+ persist-credentials: false
 - name: Install uv
 uses: astral-sh/setup-uv@4db96194c378173c656ce18a155ffc14a9fc4355
 # 'only-managed' means that uv will always download Python, even
 # if the runner happens to provide a compatible version
 - name: Check that `mkdocs` can build the docs
 run: uv run --python-preference=only-managed -- mkdocs build --strict
+
+ check-zizmor:
+ name: check (zizmor)
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ contents: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ with:
+ persist-credentials: false
+
+ - name: Install the latest version of uv
+ uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a
+
+ - name: Run zizmor
+ run: uvx zizmor --format sarif . > results.sarif
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0
+ with:
+ sarif_file: results.sarif
+ category: zizmor
diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
index 654bb91546..99acb2d96a 100644
--- a/.github/workflows/dependabot.yml
+++ b/.github/workflows/dependabot.yml
@@ -8,7 +8,7 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
-permissions: read-all
+permissions: {}
 jobs:
 dependabot-auto-merge:
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 5ff79ceee7..2a66e2cbf0 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -5,8 +5,7 @@ on:
 branches:
 - main
-permissions:
- contents: write
+permissions: {}
 jobs:
 prerelease-docs-build-deploy:
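Review bot: The new check-zizmor job runs on `ubuntu-latest` and pins astral-sh/setup-uv at 38f3f104…, while the job directly above it in this hunk pins the same action at 4db96194… and every other job in the diff uses `ubuntu-24.04`; pick one pin and one runner label so the file has a single source of truth for Dependabot to bump. A one-line comment on the token would help a reader who sees a secret passed to a linter, e.g. `# read-only GITHUB_TOKEN; lets zizmor query the GitHub API for its audits` above `GH_TOKEN`. If zizmor exits non-zero when it reports findings (worth confirming for the version uvx resolves), results.sarif is written but the upload step never runs; `if: always()` on the upload step, or `continue-on-error: true` on the run step, keeps the SARIF flowing to code scanning so findings are visible rather than only failing the job.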
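Review bot: With the workflow default now `permissions: {}`, the dependabot-auto-merge job receives no token scopes unless it declares its own `permissions:` block; that block lies outside this hunk, so confirm it carries what the auto-merge step needs (approving and enabling auto-merge on a pull request typically requires `pull-requests: write` and `contents: write`). Without it the job fails closed at its first API call, which is safe but would silently stop the automation this workflow exists for.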
@@ -18,6 +17,8 @@ jobs:
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ with:
+ persist-credentials: false
 - run: "git fetch origin gh-pages --depth=1"
 - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38
 with:
@@ -27,6 +28,8 @@ jobs:
 with:
 version: "0.5.1"
 - name: Install dependencies, compile and deploy docs
+ permissions:
+ contents: write
 run: |
 git config user.name 'jj-docs[bot]'
 git config user.email 'jj-docs[bot]@users.noreply.github.io'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0c4e8a6aa4..84fd6b1819 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -38,6 +38,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ with:
+ persist-credentials: false
 - name: Install packages (Ubuntu)
 if: startsWith(matrix.os, 'ubuntu')
 run: |
@@ -55,7 +57,7 @@ jobs:
 shell: bash
 run: |
 outdir="target/${{ matrix.target }}/release"
- staging="jj-${{ github.event.release.tag_name }}-${{ matrix.target }}"
+ staging="jj-${RELEASE_TAG_NAME}-${{ matrix.target }}"
 mkdir "$staging"
 cp {README.md,LICENSE} "$staging/"
 if [ "${{ matrix.os }}" = "windows-2022" ]; then
@@ -68,6 +70,8 @@ jobs:
 tar czf "$staging.tar.gz" -C "$staging" .
 echo "ASSET=$staging.tar.gz" >> $GITHUB_ENV
 fi
+ env:
+ RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
 - name: Upload release archive
 uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5
 env:
@@ -89,6 +93,8 @@ jobs:
 sudo apt-get update
 sudo apt-get install -y --no-install-recommends xz-utils liblz4-tool musl-tools
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38
 with:
 python-version: 3.11
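Review bot: `permissions:` is not a valid step key in GitHub Actions — it is accepted only at the workflow level and under `jobs.<id>` — so the two lines added beneath the "Install dependencies, compile and deploy docs" step will make docs.yml fail to parse, and the earlier hunk in this file already removed `contents: write` from the workflow level, so nothing grants the push scope once the parse error is fixed. Move the block up to the job: `prerelease-docs-build-deploy:` / `  permissions:` / `    contents: write`. The same misplacement appears in .github/workflows/scorecards.yml, where `security-events: write` and `id-token: write` were removed from the analysis job and re-added under the upload-sarif step; they belong back on the job, not least because `id-token: write` is presumably needed by the scorecard action step itself when results are published, not by the upload step. Separately, this job's checkout now has `persist-credentials: false`, so the gh-pages push performed later in this step no longer has a stored token; the deploy script is outside the hunk, so confirm it is handed a token explicitly (for example through a step-level `env:`) or the deploy will be rejected.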
@@ -99,9 +105,11 @@ jobs:
 - name: Compile docs and zip them up
 run: |
 uv run -- mkdocs build -f mkdocs-offline.yml
- archive="jj-${{ github.event.release.tag_name }}-docs-html.tar.gz"
+ archive="jj-${RELEASE_TAG_NAME}-docs-html.tar.gz"
 tar czf "$archive" -C "rendered-docs" .
 echo "ASSET=$archive" >> $GITHUB_ENV
+ env:
+ RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
 - name: Upload release archive
 uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5
 env:
@@ -119,6 +127,8 @@ jobs:
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ with:
+ persist-credentials: false
 - run: "git fetch origin gh-pages --depth=1"
 - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38
 with:
@@ -133,6 +143,8 @@ jobs:
 git config user.email 'jj-docs[bot]@users.noreply.github.io'
 # Using the 'latest' tag below makes the website default
 # to this version.
- .github/scripts/docs-build-deploy "${{ github.event.release.tag_name }}" latest --update-aliases --push
+ .github/scripts/docs-build-deploy "${RELEASE_TAG_NAME}" latest --update-aliases --push
+ env:
+ RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
 - name: "Show `git diff --stat`"
 run: git diff --stat gh-pages^ gh-pages || echo "(No diffs)"
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index f13eae3330..715b0ff475 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -7,17 +7,13 @@ on:
 push:
 branches: [ main ]
-# Declare default permissions as read only.
-permissions: read-all
+# No default permissions
+permissions: {}
 jobs:
 analysis:
 name: Scorecards analysis
 runs-on: ubuntu-24.04
- permissions:
- # Needed to upload the results to code-scanning dashboard.
- security-events: write
- id-token: write
 steps:
 - name: "Checkout code"
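Review bot: This job's checkout gained `persist-credentials: false` in the hunk above, so the `.github/scripts/docs-build-deploy … --push` call on the changed line no longer has a stored token for the gh-pages push; unless the script obtains credentials on its own (it is outside the diff), the push is likely to be rejected. Either hand the script a token through the same `env:` block that now carries `RELEASE_TAG_NAME`, or keep `persist-credentials` enabled for this one deploy job and say why in a comment. Moving the release tag into an environment variable is the right fix for template injection in these three `run:` scripts; the remaining `${{ matrix.* }}` expansions are matrix literals from the workflow file rather than event data, so they can stay as they are.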
@@ -49,3 +45,7 @@ jobs:
 uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0
 with:
 sarif_file: results.sarif
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ id-token: write