actions/mise-action
12
0
Fork 0
mirror of https://github.com/jdx/mise-action.git synced 2026-05-18 23:41:53 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8
mise-action/.github/workflows/ci.yml
jdx d878aee510
ci: address zizmor findings across existing workflows 
Resolves all findings exposed by the new zizmor check in PR #471
so the audit can run clean. Verified locally with zizmor v1.24.1
(0 findings, 34 suppressed).

- artipacked: add `persist-credentials: false` to every
  `actions/checkout` step that didn't already set it.
- cache-poisoning: pass `cache: false` to mise-action in
  `ci.yml` (the lint/format job doesn't need a tool cache).
- template-injection: in test.yml's checksum_failure job,
  move `steps.bad.outcome` from inline template into an
  env var consumed by the shell script.
- excessive-permissions: add minimal workflow-level
  `permissions: contents: read` blocks to ci.yml, test.yml,
  and test-redacted-env.yml; move release.yml's workflow-
  level `contents: write` down to the `release` job only,
  with `enhance-release` getting `contents: read`.

postversion.sh now runs `gh auth setup-git` before
`git push` — the checkout uses `persist-credentials: false`,
so the token isn't in .git/config and raw `git push` would
otherwise 403.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 14:55:38 -05:00

53 lines
1.2 KiB
YAML
Raw Blame History

name: Continuous Integration
on:
pull_request:
push:
branches:
- main
- 'releases/*'
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref_name }}
cancel-in-progress: true
jobs:
test-typescript:
name: TypeScript Tests
runs-on: ubuntu-latest
steps:
- name: Checkout
id: checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
# `mise.toml` pins both Node and aube; mise-action installs
# whatever's listed there. Reads `package-lock.json`
# directly — no separate `aube-lock.yaml` to maintain.
# `.npmrc` pins `node-linker=hoisted` so the layout is
# npm-flat (rollup's `--configPlugin` resolution
# requires this).
- uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
with:
cache: false
- name: Install Dependencies
id: aube-ci
run: aube ci
- name: Check Format
id: aube-format-check
run: aubr format:check
- name: Lint
id: aube-lint
run: aubr lint
# - name: Test
# id: npm-ci-test
# run: npm run ci-test
Reference in a new issue View git blame Copy permalink