diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f5332e3..f50ca1e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,7 +16,7 @@ jobs:
 name: Lint (yamllint)
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: false # zizmor: artipacked
 # pipx is preinstalled on ubuntu-24.04 (same path as diff-cover/zizmor); pin the version so the
@@ -31,7 +31,7 @@ jobs:
 name: Lint (markdownlint)
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: false # zizmor: artipacked
 # node is preinstalled on ubuntu-24.04; `make lint-md` runs the version-pinned markdownlint-cli2
@@ -48,7 +48,7 @@ jobs:
 SHFMT_VERSION: "3.13.1"
 SHFMT_SHA256: "fb096c5d1ac6beabbdbaa2874d025badb03ee07929f0c9ff67563ce8c75398b1"
 steps:
- - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: false # no pushes from CI; don't leave the token in .git/config (zizmor: artipacked)
 # Install PINNED, checksum-verified shellcheck + shfmt instead of the runner's preinstalled
@@ -80,7 +80,7 @@ jobs:
 name: Test suite
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: false # zizmor: artipacked
 # Ubuntu is RigForge's supported target. The suite still exercises the macOS code path here via
@@ -93,7 +93,7 @@ jobs:
 name: Test suite (macOS)
 runs-on: macos-14 # Apple silicon; pinned (not macos-latest) to avoid image drift
 steps:
- - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: false # zizmor: artipacked
 # The Linux job only SIMULATES macOS (STUB_UNAME_S=Darwin + stubbed sed/launchctl). Here the suite
@@ -117,7 +117,7 @@ jobs:
 name: End-to-end (Docker)
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: false # zizmor: artipacked
 # Runs the real script end-to-end inside a disposable Ubuntu container (RigForge's documented
@@ -136,7 +136,7 @@ jobs:
 # so fall back to the pushed branch itself — that's an empty diff that trivially passes.
 BASE_REF: ${{ github.base_ref || github.ref_name }}
 steps:
- - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 fetch-depth: 0 # diff-cover needs history to diff the PR against its base branch
 persist-credentials: false # the fetch below is read-only on a public repo (zizmor: artipacked)
diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml
index ff4c039..235222d 100644
--- a/.github/workflows/links.yml
+++ b/.github/workflows/links.yml
@@ -24,7 +24,7 @@ jobs:
 # lychee uses GITHUB_TOKEN to make authenticated GitHub requests and dodge the anon rate limit.
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 steps:
- - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: false # zizmor: artipacked
 - name: Install pinned lychee
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6387165..4de293a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -21,7 +21,7 @@ jobs:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 TAG: ${{ github.ref_name }}
 steps:
- - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 # Releasing goes through `gh` with GH_TOKEN below, not `git push`, so the checkout never
 # needs the token left in .git/config (zizmor: artipacked).
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 6707f1b..c08a064 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -35,7 +35,7 @@ jobs:
 GITLEAKS_VERSION: "8.30.1"
 GITLEAKS_SHA256: "551f6fc83ea457d62a0d98237cbad105af8d557003051f41f3e7ca7b3f2470eb"
 steps:
- - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 fetch-depth: 0 # scan EVERY commit, not just the tip — a secret is still a leak once pushed
 persist-credentials: false # zizmor: artipacked
@@ -59,7 +59,7 @@ jobs:
 env:
 ZIZMOR_VERSION: "1.25.2"
 steps:
- - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 with:
 persist-credentials: false # zizmor: artipacked
 # pipx is preinstalled on ubuntu-24.04; same install path as diff-cover in ci.yml's coverage job.