diff --git a/.github/workflows/acceptance.yml b/.github/workflows/acceptance.yml
index e369fdd..3796c0b 100644
--- a/.github/workflows/acceptance.yml
+++ b/.github/workflows/acceptance.yml
@@ -11,16 +11,19 @@ on:
tags: ['v*.*.*']
workflow_call:
+permissions:
+ contents: read
+
jobs:
acceptance:
name: VM Acceptance
runs-on: macos-15
timeout-minutes: 30
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Cache Tart images
- uses: actions/cache@v5
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
with:
path: ~/.tart
key: tart-sequoia-base-${{ hashFiles('scripts/vm-acceptance-test.sh') }}
@@ -39,7 +42,7 @@ jobs:
- name: Upload logs on failure
if: failure()
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
with:
name: acceptance-logs-${{ github.run_id }}
path: /tmp/mac-dev-setup-*.log
diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml
index 9d941ba..975c272 100644
--- a/.github/workflows/dependency-update.yml
+++ b/.github/workflows/dependency-update.yml
@@ -5,14 +5,16 @@ on:
- cron: '0 9 * * 1' # Monday 09:00 UTC
workflow_dispatch:
+permissions:
+ contents: read
+ issues: write
+
jobs:
check-brewfile:
name: Check Outdated Brewfile Packages
runs-on: macos-latest
- permissions:
- issues: write
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Update Homebrew
run: brew update
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 5005e35..d2541b2 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -13,6 +13,6 @@ jobs:
name: Label
runs-on: ubuntu-latest
steps:
- - uses: actions/labeler@v5
+ - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
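Review bot: The newly pinned `actions/checkout` step in the first acceptance.yml hunk still leaves the `GITHUB_TOKEN` in the checkout's `.git/config` for every later step of the job, while the same action in scorecard.yml already sets `persist-credentials: false`; none of the visible jobs in this file, dependency-update.yml or validate.yml appear to push, so adding `with:` / `persist-credentials: false` under those checkouts looks safe, and only the release.yml job that grants `contents: write` needs confirming first. A smaller point on the same lines: the trailing `# v6`-style comment is what lets Dependabot or Renovate keep the SHA and the version label in step when they bump a pin, so it is worth confirming a `github-actions` update configuration exists for this repository; I cannot see one from this diff.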
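Review bot: Moving `issues: write` from the `check-brewfile` job into the workflow-level `permissions` block in dependency-update.yml widens the grant: every job in the workflow now receives `issues: write` by default, where before only `check-brewfile` had it. Least privilege would keep the new workflow-level block at `contents: read` only and restore the job-level block as `permissions:` / `contents: read` / `issues: write` (a job-level block replaces rather than merges with the workflow-level one, which is why `contents: read` has to be repeated there). The stale.yml hunk makes the same move with `issues: write` and `pull-requests: write` and would take the same fix.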
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 3f110b5..0405e04 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -16,6 +16,6 @@ jobs:
name: Update Release Draft
runs-on: ubuntu-latest
steps:
- - uses: release-drafter/release-drafter@v6
+ - uses: release-drafter/release-drafter@67e173cadb2fbd3de94f4a861e0c48c913b462ae # v6
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 783c40b..ba8f9ec 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,9 @@ on:
tags:
- 'v*.*.*'
+permissions:
+ contents: read
+
jobs:
# ── Gate: run full validation before cutting a release ────────────────────
validate:
@@ -32,7 +35,7 @@ jobs:
permissions:
contents: write
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
@@ -60,12 +63,12 @@ jobs:
fi
- name: Draft release notes
- uses: release-drafter/release-drafter@v7
+ uses: release-drafter/release-drafter@a6acf82562eee06318b77ab8cb0b11ed81c677a7 # v7
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Create GitHub Release
- uses: softprops/action-gh-release@v2
+ uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
with:
prerelease: ${{ steps.prerelease.outputs.is_prerelease == 'true' }}
generate_release_notes: true
diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml
new file mode 100644
index 0000000..3b04cca
--- /dev/null
+++ b/.github/workflows/sast.yml
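Review bot: `release-drafter/release-drafter` is now pinned to two different majors in this repository — a v7 commit in the `Draft release notes` step of the last release.yml hunk and a v6 commit in release-drafter.yml — so the two workflows can behave differently on the same config and each pin has to be tracked and reviewed separately. Unless the split is deliberate, pin both workflows to the same commit. The drafter step is also followed by `generate_release_notes: true` on `softprops/action-gh-release`, so the release may receive GitHub-generated notes in addition to the drafted body; which of the two is meant to be the release text is worth confirming rather than assuming.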
@@ -0,0 +1,34 @@
+name: SAST
+
+on:
+ push:
+ branches: [main, develop]
+ pull_request:
+ branches: [main, develop]
+ schedule:
+ - cron: '0 2 * * 1' # Every Monday at 02:00 UTC
+
+permissions:
+ contents: read
+
+jobs:
+ semgrep:
+ name: Semgrep
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+ - uses: returntocorp/semgrep-action@713efdd345f3035192eaa63f56867b88e63e4e5d # v1
+ with:
+ config: >-
+ p/bash
+ p/secrets
+ generateSarif: "1"
+
+ - uses: github/codeql-action/upload-sarif@3b1a19a80ab047f35cbb237b5bd9bdc1e14f166c # v3
+ if: always()
+ with:
+ sarif_file: semgrep.sarif
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index e339706..9661382 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -19,22 +19,22 @@ jobs:
contents: read
actions: read
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- - uses: ossf/scorecard-action@v2.4.0
+ - uses: ossf/scorecard-action@ff5dd8929f96a8a4dc67d13f32b8c75057829621 # v2.4.0
with:
results_file: results.sarif
results_format: sarif
publish_results: true
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: SARIF file
path: results.sarif
retention-days: 5
- - uses: github/codeql-action/upload-sarif@v3
+ - uses: github/codeql-action/upload-sarif@3b1a19a80ab047f35cbb237b5bd9bdc1e14f166c # v3
with:
sarif_file: results.sarif
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 0353e1f..426fc91 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
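Review bot: `returntocorp/semgrep-action` is, as far as I know, deprecated upstream in favour of running `semgrep ci` from the `semgrep/semgrep` container, so the new sast.yml may be pinning an action that no longer receives engine or rule updates — verify the upstream status before merging. Independently, `security-events: write` is not granted to the `GITHUB_TOKEN` on `pull_request` runs from forks, so the `upload-sarif` step, which `if: always()` forces to run, will most likely fail on those PRs; gating it with `if: always() && github.event.pull_request.head.repo.full_name == github.repository` (or marking the step `continue-on-error: true`) keeps fork PRs from going red for a permissions reason. A one-line comment above the `schedule` trigger saying why a weekly full scan is wanted in addition to push/PR runs would also help the next reader.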
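Review bot: In the scorecard.yml hunk `actions/upload-artifact` is pinned to a v4 commit while acceptance.yml pins a v7 commit of the same action; update tooling tracks these as two independent pins and the majors differ in artifact behaviour, so aligning both on one pinned commit is worth considering unless v4 is kept on purpose. The job's `permissions` block starts above the hunk, so I cannot confirm from here that it carries the `id-token: write` that `publish_results: true` needs for `ossf/scorecard-action`; if it is missing, publishing will fail at runtime rather than at parse time.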
@@ -5,14 +5,16 @@ on:
- cron: '0 9 * * *'
workflow_dispatch:
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
+
jobs:
stale:
runs-on: ubuntu-latest
- permissions:
- issues: write
- pull-requests: write
steps:
- - uses: actions/stale@v10
+ - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10
with:
stale-issue-message: 'This issue has been inactive for 30 days and is marked stale. It will be closed in 7 days unless there is activity.'
stale-pr-message: 'This PR has been inactive for 30 days and is marked stale. It will be closed in 7 days unless there is activity.'
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index bb6279b..90155ab 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -7,13 +7,16 @@ on:
branches: [main, develop]
workflow_call:
+permissions:
+ contents: read
+
jobs:
# ── Job 1: Lint (fast, runs on Linux) ──────────────────────────────────────
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Install shellcheck
run: sudo apt-get install -y shellcheck
@@ -50,7 +53,7 @@ jobs:
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
@@ -129,7 +132,7 @@ jobs:
name: Formula Audit
runs-on: macos-latest
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Audit formula style and correctness
run: |
@@ -145,7 +148,7 @@ jobs:
runs-on: macos-latest
needs: [lint, formula-audit]
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Install CLI tools from Brewfile.ci
run: |