diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index baa85868..b7684125 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -19,6 +19,8 @@ jobs:
 contents: read
 steps:
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: 'false'
 - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
 with:
@@ -56,6 +58,7 @@ jobs:
 steps:
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
+ persist-credentials: 'false'
 fetch-depth: 0
 - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
@@ -93,6 +96,9 @@ jobs:
 contents: read
 steps:
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: 'false'
+
 - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
 with:
 go-version-file: 'go.mod'
@@ -116,6 +122,7 @@ jobs:
 - name: Checkout Code
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
+ persist-credentials: 'false'
 fetch-depth: 0
 - name: Lint Code Base
@@ -124,13 +131,15 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 MULTI_STATUS: false
 LINTER_RULES_PATH: .
+ GITHUB_ACTIONS_ZIZMOR_CONFIG_FILE: ./.github/zizmor.yml
 VALIDATE_ALL_CODEBASE: true
 VALIDATE_BASH: true
 VALIDATE_BASH_EXEC: true
 VALIDATE_EDITORCONFIG: true
 VALIDATE_ENV: true
- # VALIDATE_GO_RELEASER: true
+ VALIDATE_GO_RELEASER: true
 VALIDATE_GITHUB_ACTIONS: true
+ VALIDATE_GITHUB_ACTIONS_ZIZMOR: true
 VALIDATE_HTML: true
 VALIDATE_JSON: true
 VALIDATE_NATURAL_LANGUAGE: true
@@ -158,6 +167,7 @@ jobs:
 steps:
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
+ persist-credentials: 'false'
 fetch-depth: 0
 - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
diff --git a/.github/workflows/pr-check.yaml b/.github/workflows/pr-check.yaml
index c66d83d2..4c9db7b3 100644
--- a/.github/workflows/pr-check.yaml
+++ b/.github/workflows/pr-check.yaml
@@ -8,10 +8,14 @@ on:
 - labeled
 - unlabeled
+permissions: {}
+
 jobs:
 required-labels-missing:
 name: required labels missing
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: check
 if: >-
diff --git a/.github/workflows/wiki.yaml b/.github/workflows/wiki.yaml
index 6f3f2768..7679103c 100644
--- a/.github/workflows/wiki.yaml
+++ b/.github/workflows/wiki.yaml
@@ -18,8 +18,12 @@ jobs:
 steps:
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: 'false'
+
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
+ persist-credentials: 'true'
 repository: ${{ github.repository }}.wiki
 path: wiki.git
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 00000000..58b562cf
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,3 @@
+rules:
+ cache-poisoning:
+ disable: true
diff --git a/.golangci.yaml b/.golangci.yaml
index b4f5e373..afa3ac99 100644
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -71,12 +71,14 @@ linters:
 - name: error-return
 - name: error-strings
 - name: errorf
+ - name: forbidden-call-in-wg-go
 - name: get-return
 - name: identical-branches
 - name: if-return
 - name: import-alias-naming
 - name: import-shadowing
 - name: increment-decrement
+ - name: inefficient-map-lookup
 - name: indent-error-flow
 - name: modifies-parameter
 - name: modifies-value-receiver
@@ -106,6 +108,7 @@ linters:
 - name: time-naming
 - name: unconditional-recursion
 - name: unexported-naming
+ - name: unnecessary-if
 - name: unnecessary-stmt
 - name: unreachable-code
 - name: unused-parameter
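Review bot: The third hunk (`@@ -93,6 +96,9 @@`) adds an empty `+` line between `persist-credentials: 'false'` and the following `setup-go` step, which none of the other checkout steps in this file get; drop that blank line so the steps stay uniformly spaced. The jobs that check out with `fetch-depth: 0` (the hunks at -56, -116 and -158) now also run with `persist-credentials: 'false'`, so any later step in those jobs that pushes, tags or fetches through git would have to supply a token itself — the step bodies are outside these hunks, so verify none of them rely on the persisted token. Quoting the input as `'false'` is fine: action inputs are passed as strings, and it keeps yamllint's `truthy` check quiet; an unquoted `false` would reach the action as the same string.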
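Review bot: The job-level `permissions: contents: read` added under `required-labels-missing` may be broader than the job needs: if the `check` step only evaluates the pull-request labels from the event payload (its body continues past the hunk) and never checks out the repository, the new workflow-level `permissions: {}` already covers it and the job-level grant can be dropped. If the step instead calls the API to read or change labels, `pull-requests: read` (or `write`) is the scope it needs rather than `contents`. Whichever applies, a comment such as `# read-only: the job only inspects the event payload` above the grant would record why this scope was chosen.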
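Review bot: In wiki.yaml the second checkout keeps the token on disk with `persist-credentials: 'true'`, presumably because a later step pushes to the `${{ github.repository }}.wiki` clone under `wiki.git` (that step is outside the hunk); since this is the one place in the change where credentials are deliberately retained, it deserves a comment, e.g. `# token kept: a later step pushes to the wiki clone` above the line. If the push step authenticates with its own token, this checkout could use `'false'` as well. The empty `+` line added after the first checkout's `with:` block does not match the spacing of the other checkout steps and can be dropped.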
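Review bot: In the new `.github/zizmor.yml`, `disable: true` under `cache-poisoning` switches the rule off for every workflow the linter scans, including whichever job publishes releases, which is exactly where that finding matters; if the finding is a false positive only in particular jobs, scope the suppression with the rule's `ignore:` list naming those workflow files instead of disabling it globally. Either way, add a `# ` comment above `cache-poisoning:` stating why it is suppressed, so the next person running `VALIDATE_GITHUB_ACTIONS_ZIZMOR` knows whether it is still warranted. The file also lacks the `---` document start that yamllint's `document-start` rule expects.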