actions/mise-action
12
0
Fork 0
mirror of https://github.com/jdx/mise-action.git synced 2026-05-14 13:50:33 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
mise-action/.github/workflows/check-dist.yml
jdx 46bb674500
chore(ci): add zizmor workflow for github actions security analysis (#471) 
Adds [zizmor](https://github.com/zizmorcore/zizmor) to audit GitHub
Actions workflows for security issues. Runs on push to main and on PRs
that change `.github/workflows/**`. Fails CI on any finding.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Mostly CI/workflow hardening, but it also changes release automation
(`postversion.sh`) and workflow permissions/credentials behavior, which
could break tagging/publishing if misconfigured.
> 
> **Overview**
> Adds a new `zizmor` workflow that runs on PRs/pushes touching
`.github/workflows/**` to security-audit workflows.
> 
> Hardens existing workflows by defaulting to least-privilege
`permissions`, setting `actions/checkout` to `persist-credentials:
false`, and adjusting related behavior (e.g., `scripts/postversion.sh`
now runs `gh auth setup-git` so `git push` still works; `ci.yml`
disables `mise-action` caching; `test.yml` avoids interpolating
`steps.bad.outcome` inside a shell string by passing it via env).
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
d878aee510. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 15:00:12 -05:00

63 lines
1.8 KiB
YAML
Raw Permalink Blame History

# In TypeScript actions, `dist/index.js` is a special file. When you reference
# an action with `uses:`, `dist/index.js` is the code that will be run. For this
# project, the `dist/index.js` file is generated from other source files through
# the build process. We need to make sure that the checked-in `dist/index.js`
# file matches what is expected from the build.
#
# This workflow will fail if the checked-in `dist/index.js` file does not match
# what is expected from the build.
name: Check dist/
on:
push:
branches:
- main
pull_request:
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref_name }}
cancel-in-progress: true
jobs:
check-dist:
name: Check dist/
runs-on: ubuntu-latest
permissions:
contents: read
statuses: write
steps:
- name: Checkout
id: checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
- name: Install Dependencies
id: install
run: aube ci
- name: Build dist/ Directory
id: build
run: aubr bundle
- name: Compare Expected and Actual Directories
id: diff
run: |
if [ "$(git diff --ignore-space-at-eol --text dist/ | wc -l)" -gt "0" ]; then
echo "Detected uncommitted changes after build. See status below:"
git diff --ignore-space-at-eol --text dist/
exit 1
fi
# If index.js was different than expected, upload the expected version as
# a workflow artifact.
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
if: ${{ failure() && steps.diff.conclusion == 'failure' }}
with:
name: dist
path: dist/
Reference in a new issue View git blame Copy permalink