diff --git a/.github/workflows/pr-checks.yaml b/.github/workflows/pr-checks.yaml index 6976e04..35cd652 100644 --- a/.github/workflows/pr-checks.yaml +++ b/.github/workflows/pr-checks.yaml @@ -7,6 +7,12 @@ on: - main pull_request: +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + env: CLICOLOR: 1 @@ -14,9 +20,12 @@ jobs: clippy: name: cargo clippy runs-on: ubuntu-latest + timeout-minutes: 30 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1 with: components: clippy @@ -29,9 +38,12 @@ jobs: deny: name: cargo deny runs-on: ubuntu-latest + timeout-minutes: 5 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: EmbarkStudios/cargo-deny-action@bb137d7af7e4fb67e5f82a49c4fce4fad40782fe # v2.0.20 with: rust-version: "1.85.0" @@ -39,9 +51,12 @@ jobs: fmt: name: cargo fmt runs-on: ubuntu-latest + timeout-minutes: 5 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1 with: components: rustfmt @@ -50,9 +65,12 @@ jobs: msrv: name: cargo msrv runs-on: ubuntu-latest + timeout-minutes: 30 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 - uses: taiki-e/install-action@e49978b799e49ff429d162b7a30601a569ab6538 # v2.81.1 with: 
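Review bot: `cancel-in-progress: true` in the first pr-checks.yaml hunk (`@@ -7,6 +7,12 @@`) is unconditional, so it also applies to runs that are not pull requests. The hunk context suggests the workflow also triggers on pushes to `main`; there the group falls back to `github.ref`, and a newer push cancels the checks still running for the previous commit, which then never gets a completed clippy/deny/test result. Scoping it to pull requests keeps the saving without losing results on main: `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. The same setting is added in prek-auto-update.yaml and release.yaml, whose jobs hold write permissions; a cancelled run there can stop after it has partly written, so `cancel-in-progress: false` (queue rather than cancel) looks like the safer choice for those two.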
@@ -62,9 +80,12 @@ jobs: test: name: cargo test runs-on: ubuntu-latest + timeout-minutes: 30 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1 - run: cargo build --tests --all-features - run: cargo test --all-features @@ -72,7 +93,25 @@ jobs: typos: name: typos runs-on: ubuntu-latest + timeout-minutes: 5 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: crate-ci/typos@f8a58b6b53f2279f71eb605f03a4ae4d10608f45 # v1.47.0 + + zizmor: + name: zizmor + runs-on: ubuntu-latest + timeout-minutes: 5 + permissions: + security-events: write # reporting lint failures + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + with: + inputs: . + persona: pedantic diff --git a/.github/workflows/prek-auto-update.yaml b/.github/workflows/prek-auto-update.yaml index ecf9e17..583a5e2 100644 --- a/.github/workflows/prek-auto-update.yaml +++ b/.github/workflows/prek-auto-update.yaml @@ -7,8 +7,13 @@ on: permissions: {} +concurrency: + group: ${{ github.workflow }} + cancel-in-progress: true + jobs: prek-auto-update: + name: prek auto-update runs-on: ubuntu-latest timeout-minutes: 10 permissions: diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index ef47575..ab0f5bf 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
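Review bot: In the new `zizmor` job (hunk `@@ -72,7 +93,25 @@`), the job-level `permissions` block lists only `security-events: write`, and with the workflow default now `{}` the token has no `contents: read`. That works for a public repository, but in a private repository or private fork the checkout and the SARIF upload would be refused; as far as I recall, the action's documentation asks for `contents: read` and `actions: read` in that case. I would either add those two scopes or state the assumption in a comment, e.g. `# public repo: no contents/actions read needed`. The existing comment is also vague about why a write scope is granted; `security-events: write # upload SARIF results to code scanning` says what the permission is used for.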
@@ -1,14 +1,17 @@ # Mostly copied from https://github.com/taiki-e/cargo-hack/blob/main/.github/workflows/release.yml name: Release -permissions: - contents: read - on: push: tags: - v*.*.* +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + env: CARGO_INCREMENTAL: 0 CARGO_NET_GIT_FETCH_WITH_CLI: true @@ -21,9 +24,10 @@ env: jobs: create-release: if: github.repository_owner == 'danielparks' + name: Create runs-on: ubuntu-latest permissions: - contents: write + contents: write # To create release? steps: - uses: danielparks/github-actions/create-release@2f6c98c73f0a8130d737500b59a0fddf749b484d # v1.1.1 with:
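Review bot: Replacing the workflow-level `contents: read` with `permissions: {}` in the first release.yaml hunk (`@@ -1,14 +1,17 @@`) removes the read scope from every job that does not declare its own block. Only `create-release` is visible in this diff, so any later job in the file that checks out the repository or reads release data without a `permissions:` block of its own would now run with an empty token and fail at tag time, when it is hardest to notice. Before merging, confirm that each job outside these hunks states the scopes it needs, and consider a comment next to the default such as `# deny by default; every job declares its own scopes`.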
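Review bot: The comment added on `contents: write` in the `create-release` job (hunk `@@ -21,9 +24,10 @@`) is phrased as a question, which leaves the next reader unsure whether the only write scope in this workflow is actually needed. Once confirmed against the action's requirements, state it as fact, for example `contents: write # create the GitHub release for the pushed tag`. If the scope turns out not to be required, drop it instead of documenting it. The job's `steps` continue outside the hunk, so what the action does with the token is not visible here.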