mirror of
https://github.com/jdx/mise-action.git
synced 2026-05-14 13:50:33 +00:00
46bb674500
Adds [zizmor](https://github.com/zizmorcore/zizmor) to audit GitHub
Actions workflows for security issues. Runs on push to main and on PRs
that change `.github/workflows/**`. Fails CI on any finding.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Mostly CI/workflow hardening, but it also changes release automation
(`postversion.sh`) and workflow permissions/credentials behavior, which
could break tagging/publishing if misconfigured.
>
> **Overview**
> Adds a new `zizmor` workflow that runs on PRs/pushes touching
`.github/workflows/**` to security-audit workflows.
>
> Hardens existing workflows by defaulting to least-privilege
`permissions`, setting `actions/checkout` to `persist-credentials:
false`, and adjusting related behavior (e.g., `scripts/postversion.sh`
now runs `gh auth setup-git` so `git push` still works; `ci.yml`
disables `mise-action` caching; `test.yml` avoids interpolating
`steps.bad.outcome` inside a shell string by passing it via env).
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
d878aee510. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
53 lines
1.2 KiB
YAML
53 lines
1.2 KiB
YAML
name: Continuous Integration
|
|
|
|
on:
|
|
pull_request:
|
|
push:
|
|
branches:
|
|
- main
|
|
- 'releases/*'
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref_name }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
test-typescript:
|
|
name: TypeScript Tests
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Checkout
|
|
id: checkout
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
|
with:
|
|
persist-credentials: false
|
|
|
|
# `mise.toml` pins both Node and aube; mise-action installs
|
|
# whatever's listed there. Reads `package-lock.json`
|
|
# directly — no separate `aube-lock.yaml` to maintain.
|
|
# `.npmrc` pins `node-linker=hoisted` so the layout is
|
|
# npm-flat (rollup's `--configPlugin` resolution
|
|
# requires this).
|
|
- uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
|
|
with:
|
|
cache: false
|
|
|
|
- name: Install Dependencies
|
|
id: aube-ci
|
|
run: aube ci
|
|
|
|
- name: Check Format
|
|
id: aube-format-check
|
|
run: aubr format:check
|
|
|
|
- name: Lint
|
|
id: aube-lint
|
|
run: aubr lint
|
|
|
|
# - name: Test
|
|
# id: npm-ci-test
|
|
# run: npm run ci-test
|