diff --git a/.github/actions/build-upstream/action.yml b/.github/actions/build-upstream/action.yml index 958298471f..50a723dcb8 100644 --- a/.github/actions/build-upstream/action.yml +++ b/.github/actions/build-upstream/action.yml @@ -24,8 +24,15 @@ runs: - name: Compute NAPI binding cache key id: cache-key shell: bash + env: + BUILD_TARGET: ${{ inputs.target }} + RELEASE_BUILD_VALUE: ${{ env.RELEASE_BUILD }} + DEBUG_VALUE: ${{ env.DEBUG }} + VERSION_VALUE: ${{ env.VERSION }} + NPM_TAG_VALUE: ${{ env.NPM_TAG }} + CACHE_HASH: ${{ hashFiles('packages/tools/.upstream-versions.json', 'Cargo.lock', 'crates/**/*.rs', 'crates/*/Cargo.toml', 'packages/cli/binding/**/*.rs', 'packages/cli/binding/Cargo.toml', 'Cargo.toml', '.cargo/config.toml', 'packages/cli/package.json', 'packages/cli/build.ts', 'packages/cli/tsdown.config.ts') }} run: | - echo "key=napi-binding-v3-${{ inputs.target }}-${{ env.RELEASE_BUILD }}-${{ env.DEBUG }}-${{ env.VERSION }}-${{ env.NPM_TAG }}-${{ hashFiles('packages/tools/.upstream-versions.json', 'Cargo.lock', 'crates/**/*.rs', 'crates/*/Cargo.toml', 'packages/cli/binding/**/*.rs', 'packages/cli/binding/Cargo.toml', 'Cargo.toml', '.cargo/config.toml', 'packages/cli/package.json', 'packages/cli/build.ts', 'packages/cli/tsdown.config.ts') }}" >> $GITHUB_OUTPUT + echo "key=napi-binding-v3-${BUILD_TARGET}-${RELEASE_BUILD_VALUE}-${DEBUG_VALUE}-${VERSION_VALUE}-${NPM_TAG_VALUE}-${CACHE_HASH}" >> "$GITHUB_OUTPUT" # Resolve the Rust target directory (CARGO_TARGET_DIR from setup-rust, or default "target") - name: Resolve Rust target directory @@ -70,7 +77,9 @@ runs: - name: Add musl Rust target if: steps.cache-restore.outputs.cache-hit != 'true' && contains(inputs.target, 'musl') shell: bash - run: rustup target add ${{ inputs.target }} + env: + BUILD_TARGET: ${{ inputs.target }} + run: rustup target add "$BUILD_TARGET" - name: Setup zig (musl) if: steps.cache-restore.outputs.cache-hit != 'true' && contains(inputs.target, 'musl') 
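Review bot: Nothing in the `Compute NAPI binding cache key` step, or in the other steps changed in this file, says why the values are routed through `env:` instead of being written inline, so a later edit could easily put `${{ inputs.target }}` back into a `run:` script. A one-line comment above the first `env:` block would keep the intent visible, for example `# Expression values go through env: so they reach bash as data, never as script text`. The same applies to the `env:` blocks added in the later hunks of this file and in `.github/actions/clone/action.yml`.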
@@ -90,8 +99,9 @@ runs: shell: bash if: steps.cache-restore.outputs.cache-hit != 'true' && contains(inputs.target, 'linux') && !contains(inputs.target, 'musl') run: | - pnpm --filter=vite-plus build-native --target ${{ inputs.target }} --use-napi-cross + pnpm --filter=vite-plus build-native --target "$BUILD_TARGET" --use-napi-cross env: + BUILD_TARGET: ${{ inputs.target }} TARGET_CC: clang TARGET_CFLAGS: ${{ contains(inputs.target, 'aarch64') && '-D_BSD_SOURCE' || '' }} DEBUG: napi:* @@ -100,8 +110,9 @@ runs: shell: bash if: steps.cache-restore.outputs.cache-hit != 'true' && contains(inputs.target, 'musl') run: | - pnpm --filter=vite-plus build-native --target ${{ inputs.target }} -x + pnpm --filter=vite-plus build-native --target "$BUILD_TARGET" -x env: + BUILD_TARGET: ${{ inputs.target }} TARGET_CC: clang TARGET_CFLAGS: ${{ contains(inputs.target, 'aarch64') && '-D_BSD_SOURCE' || '' }} DEBUG: napi:* @@ -110,16 +121,18 @@ runs: shell: bash if: steps.cache-restore.outputs.cache-hit != 'true' && !contains(inputs.target, 'linux') run: | - pnpm --filter=vite-plus build-native --target ${{ inputs.target }} + pnpm --filter=vite-plus build-native --target "$BUILD_TARGET" env: + BUILD_TARGET: ${{ inputs.target }} DEBUG: napi:* - name: Build Rust CLI binary (Linux gnu) if: steps.cache-restore.outputs.cache-hit != 'true' && contains(inputs.target, 'linux') && !contains(inputs.target, 'musl') shell: bash run: | - pnpm exec napi build --use-napi-cross --target ${{ inputs.target }} --release -p vite_global_cli + pnpm exec napi build --use-napi-cross --target "$BUILD_TARGET" --release -p vite_global_cli env: + BUILD_TARGET: ${{ inputs.target }} TARGET_CC: clang TARGET_CFLAGS: ${{ contains(inputs.target, 'aarch64') && '-D_BSD_SOURCE' || '' }} DEBUG: napi:* 
@@ -128,8 +141,9 @@ runs: if: steps.cache-restore.outputs.cache-hit != 'true' && contains(inputs.target, 'musl') shell: bash run: | - pnpm exec napi build -x --target ${{ inputs.target }} --release -p vite_global_cli + pnpm exec napi build -x --target "$BUILD_TARGET" --release -p vite_global_cli env: + BUILD_TARGET: ${{ inputs.target }} TARGET_CC: clang TARGET_CFLAGS: ${{ contains(inputs.target, 'aarch64') && '-D_BSD_SOURCE' || '' }} DEBUG: napi:* @@ -137,17 +151,23 @@ runs: - name: Build Rust CLI binary (non-Linux targets) if: steps.cache-restore.outputs.cache-hit != 'true' && !contains(inputs.target, 'linux') shell: bash - run: cargo build --release --target ${{ inputs.target }} -p vite_global_cli + env: + BUILD_TARGET: ${{ inputs.target }} + run: cargo build --release --target "$BUILD_TARGET" -p vite_global_cli - name: Build trampoline shim binary (Windows only) if: steps.cache-restore.outputs.cache-hit != 'true' && contains(inputs.target, 'windows') shell: bash - run: cargo build --release --target ${{ inputs.target }} -p vite_trampoline + env: + BUILD_TARGET: ${{ inputs.target }} + run: cargo build --release --target "$BUILD_TARGET" -p vite_trampoline - name: Build installer binary (Windows only) if: steps.cache-restore.outputs.cache-hit != 'true' && contains(inputs.target, 'windows') shell: bash - run: cargo build --release --target ${{ inputs.target }} -p vite_installer + env: + BUILD_TARGET: ${{ inputs.target }} + run: cargo build --release --target "$BUILD_TARGET" -p vite_installer - name: Save NAPI binding cache if: steps.cache-restore.outputs.cache-hit != 'true' diff --git a/.github/actions/clone/action.yml b/.github/actions/clone/action.yml index c10333217d..c19b184111 100644 --- a/.github/actions/clone/action.yml +++ b/.github/actions/clone/action.yml 
@@ -26,22 +26,31 @@ runs: shell: bash id: ecosystem-ci-project-hash if: ${{ inputs.ecosystem-ci-project != '' }} + env: + ECOSYSTEM_CI_PROJECT: ${{ inputs.ecosystem-ci-project }} run: | - node -e "console.log('ECOSYSTEM_CI_PROJECT_HASH=' + require('./ecosystem-ci/repo.json')['${{ inputs.ecosystem-ci-project }}'].hash)" >> $GITHUB_OUTPUT - node -e "console.log('ECOSYSTEM_CI_PROJECT_REPOSITORY=' + require('./ecosystem-ci/repo.json')['${{ inputs.ecosystem-ci-project }}'].repository.replace('https://github.com/', '').replace('.git', ''))" >> $GITHUB_OUTPUT - echo "ECOSYSTEM_CI_PROJECT_PATH=${{ runner.temp }}/vite-plus-ecosystem-ci/${{ inputs.ecosystem-ci-project }}" >> $GITHUB_OUTPUT + node <<'EOF' >> "$GITHUB_OUTPUT" + const repos = require('./ecosystem-ci/repo.json'); + const project = process.env.ECOSYSTEM_CI_PROJECT; + const repo = repos[project]; + console.log(`ECOSYSTEM_CI_PROJECT_HASH=${repo.hash}`); + console.log(`ECOSYSTEM_CI_PROJECT_REPOSITORY=${repo.repository.replace('https://github.com/', '').replace('.git', '')}`); + EOF + echo "ECOSYSTEM_CI_PROJECT_PATH=${RUNNER_TEMP}/vite-plus-ecosystem-ci/${ECOSYSTEM_CI_PROJECT}" >> "$GITHUB_OUTPUT" - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: rolldown/rolldown path: rolldown ref: ${{ steps.upstream-versions.outputs.ROLLDOWN_HASH }} + persist-credentials: false - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: vitejs/vite path: vite ref: ${{ steps.upstream-versions.outputs.ROLLDOWN_VITE_HASH }} + persist-credentials: false # Disable autocrlf to preserve LF line endings on Windows # This prevents prettier/eslint from failing with "Delete ␍" errors 
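Review bot: `ECOSYSTEM_CI_PROJECT` is still written into `$GITHUB_OUTPUT` and used as a path segment without being checked against the keys of `ecosystem-ci/repo.json`. Moving it to `env:` stops it from being parsed as shell or JavaScript, but a value containing a newline or `../` would still add extra output lines or point `ECOSYSTEM_CI_PROJECT_PATH` outside `vite-plus-ecosystem-ci/`, and inherited keys such as `constructor` also pass the `repos[project]` lookup. Adding `if (!Object.hasOwn(repos, project)) { console.error('unknown ecosystem-ci project'); process.exit(1); }` right after `const project = ...` makes the step fail before anything is written. Because the heredoc's stdout is redirected into `$GITHUB_OUTPUT`, the message has to go to stderr as shown.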
@@ -53,4 +62,6 @@ runs: - name: Clone ecosystem ci project if: ${{ inputs.ecosystem-ci-project != '' }} shell: bash - run: npx tsx ecosystem-ci/clone.ts ${{ inputs.ecosystem-ci-project }} + env: + ECOSYSTEM_CI_PROJECT: ${{ inputs.ecosystem-ci-project }} + run: npx tsx ecosystem-ci/clone.ts "$ECOSYSTEM_CI_PROJECT" diff --git a/.github/actions/set-snapshot-version/action.yml b/.github/actions/set-snapshot-version/action.yml index f53ddb18ad..44da31a346 100644 --- a/.github/actions/set-snapshot-version/action.yml +++ b/.github/actions/set-snapshot-version/action.yml @@ -18,9 +18,12 @@ runs: - name: Compute next patch version id: version shell: bash + env: + ACTION_PATH: ${{ github.action_path }} + NPM_TAG: ${{ inputs.npm_tag }} run: | git fetch --tags --quiet - npm install --prefix ${{ github.action_path }} semver > /dev/null 2>&1 - VERSION_OUTPUT=$(node ${{ github.action_path }}/compute-version.mjs "${{ inputs.npm_tag }}") + npm install --prefix "$ACTION_PATH" semver > /dev/null 2>&1 + VERSION_OUTPUT=$(node "$ACTION_PATH/compute-version.mjs" "$NPM_TAG") echo "$VERSION_OUTPUT" echo "$VERSION_OUTPUT" | tail -n 1 >> $GITHUB_OUTPUT diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dabae30715..17af2ee299 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,7 +44,7 @@ jobs: outputs: code-changed: ${{ steps.filter.outputs.code }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: filter with: @@ -60,7 +60,7 @@ jobs: contents: read packages: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - uses: ./.github/actions/download-rolldown-binaries with: github-token: ${{ secrets.GITHUB_TOKEN }} 
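Review bot: In `.github/actions/set-snapshot-version/action.yml`, `npm install --prefix "$ACTION_PATH" semver > /dev/null 2>&1` still pulls whatever `semver` release the registry serves at run time, with all output discarded, and the computed value feeds the version used by the release workflow. Pinning the package and disabling lifecycle scripts, e.g. `npm install --prefix "$ACTION_PATH" --ignore-scripts semver@<pinned-version> > /dev/null`, keeps the install reproducible and lets errors surface on stderr. The last line of the step also leaves `>> $GITHUB_OUTPUT` unquoted, while the other steps in this commit now write to `"$GITHUB_OUTPUT"`.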
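Review bot: The replacement of `actions/checkout` with `taiki-e/checkout-action` at the top of this `ci.yml` job, and in every other job this commit touches in `ci.yml`, `e2e-test.yml`, `release.yml`, `test-standalone-install.yml`, `test-vp-create.yml` and `upgrade-deps.yml`, carries no comment on why the publisher changed or how the new action handles the token and fetch depth. The `test-standalone-install.yml` hunk at `@@ -562,9 +562,7` drops `persist-credentials: false` together with the swap, which suggests the new action is assumed not to persist credentials, but that is not stated anywhere on the page. A short comment at one canonical place, such as `# taiki-e/checkout-action: minimal checkout; confirm it leaves no token in .git/config`, would record the assumption. The `upgrade-deps.yml` job, which holds `id-token: write`, is worth checking separately in case a later step relied on the persisted token.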
@@ -80,7 +80,7 @@ jobs: target: aarch64-apple-darwin runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - uses: ./.github/actions/clone - name: Setup Dev Drive @@ -133,7 +133,7 @@ jobs: shell: sh {0} run: apk add --no-cache bash curl git musl-dev gcc g++ python3 cmake make - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - uses: ./.github/actions/clone - name: Install rustup @@ -159,7 +159,7 @@ jobs: name: Lint runs-on: namespace-profile-linux-x64-default steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - uses: ./.github/actions/clone - uses: oxc-project/setup-rust@23f38cfb0c04af97a055f76acee94d5be71c7c82 # v1.0.16 @@ -206,7 +206,7 @@ jobs: target: x86_64-pc-windows-msvc runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - uses: ./.github/actions/clone - name: Setup Dev Drive @@ -640,7 +640,7 @@ jobs: shardTotal: 3 runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - uses: ./.github/actions/clone - name: Setup Dev Drive @@ -698,7 +698,7 @@ jobs: - download-previous-rolldown-binaries runs-on: namespace-profile-linux-x64-default steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - uses: ./.github/actions/clone - uses: oxc-project/setup-rust@23f38cfb0c04af97a055f76acee94d5be71c7c82 # v1.0.16 
@@ -777,7 +777,7 @@ jobs: github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'test: install-e2e') steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - uses: ./.github/actions/clone - uses: oxc-project/setup-rust@23f38cfb0c04af97a055f76acee94d5be71c7c82 # v1.0.16 diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml index 042c816b06..97ca19358e 100644 --- a/.github/workflows/claude.yml +++ b/.github/workflows/claude.yml @@ -17,7 +17,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 100 - persist-credentials: true + persist-credentials: false - name: Run Claude Code id: claude diff --git a/.github/workflows/deny.yml b/.github/workflows/deny.yml deleted file mode 100644 index cd551f041c..0000000000 --- a/.github/workflows/deny.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -name: Cargo Deny - -permissions: {} - -on: - workflow_dispatch: - pull_request: - types: [opened, synchronize] - paths: - - 'Cargo.lock' - - 'deny.toml' - - '.github/workflows/deny.yml' - push: - branches: - - main - paths: - - 'Cargo.lock' - - 'deny.toml' - - '.github/workflows/deny.yml' - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} - cancel-in-progress: ${{ github.ref_name != 'main' }} - -jobs: - deny: - name: Cargo Deny - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - persist-credentials: false - - - name: Output rolldown hash - id: upstream-versions - run: node -e "console.log('ROLLDOWN_HASH=' + require('./packages/tools/.upstream-versions.json').rolldown.hash)" >> $GITHUB_OUTPUT - - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - repository: rolldown/rolldown - path: rolldown - ref: ${{ steps.upstream-versions.outputs.ROLLDOWN_HASH }} - - - uses: oxc-project/setup-rust@23f38cfb0c04af97a055f76acee94d5be71c7c82 # v1.0.16 - with: - restore-cache: false - # Pinned to 0.18.6+ for CVSS 4.0 support (EmbarkStudios/cargo-deny#805) - tools: cargo-deny@0.19.0 - - - run: cargo deny check diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml index 1cd7565f8a..8ddaac459b 100644 --- a/.github/workflows/e2e-test.yml +++ b/.github/workflows/e2e-test.yml @@ -32,7 +32,7 @@ jobs: outputs: related-files-changed: ${{ steps.filter.outputs.related-files }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: filter with: 
@@ -55,7 +55,7 @@ jobs: contents: read packages: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - uses: ./.github/actions/download-rolldown-binaries with: github-token: ${{ secrets.GITHUB_TOKEN }} @@ -77,7 +77,7 @@ jobs: - os: windows-latest target: x86_64-pc-windows-msvc steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - uses: ./.github/actions/clone # Disable Windows Defender real-time scanning to speed up I/O-heavy builds (~30-50% faster) @@ -337,7 +337,7 @@ jobs: name: npmx.dev steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - uses: ./.github/actions/clone with: ecosystem-ci-project: ${{ matrix.project.name }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1f78b139d2..afd6241569 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -36,6 +36,7 @@ jobs: with: fetch-depth: 0 fetch-tags: true + persist-credentials: false - uses: ./.github/actions/set-snapshot-version if: ${{ inputs.version == '' }} id: computed @@ -44,7 +45,9 @@ jobs: - name: Set final version id: version - run: echo "version=${{ inputs.version || steps.computed.outputs.version }}" >> $GITHUB_OUTPUT + env: + VERSION: ${{ inputs.version || steps.computed.outputs.version }} + run: echo "version=${VERSION}" >> "$GITHUB_OUTPUT" build-rust: runs-on: ${{ matrix.settings.os }} 
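Review bot: In the `Set final version` step of `release.yml`, `VERSION` is appended to `$GITHUB_OUTPUT` without a format check, so whatever `inputs.version` holds is passed on as this job's `version` output, presumably the value the later release jobs consume. A guard before the `echo`, for example `[[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.-]+)?$ ]] || { echo "invalid version: $VERSION" >&2; exit 1; }`, rejects empty, multi-line or malformed values at the source. This needs `run:` to become a `run: |` block, and since no `shell:` is visible in the hunk, the `[[ ... ]]` form assumes the runner's default bash.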
@@ -74,7 +77,7 @@ jobs: - target: aarch64-pc-windows-msvc os: windows-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - uses: ./.github/actions/clone - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 - uses: oxc-project/setup-rust@23f38cfb0c04af97a055f76acee94d5be71c7c82 # v1.0.16 @@ -188,7 +191,7 @@ jobs: env: VERSION: ${{ needs.prepare.outputs.version }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - uses: ./.github/actions/clone - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 @@ -198,7 +201,6 @@ jobs: node-version-file: .node-version package-manager-cache: false registry-url: 'https://registry.npmjs.org' - cache: 'pnpm' - name: Install dependencies run: pnpm install diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml new file mode 100644 index 0000000000..bed2882806 --- /dev/null +++ b/.github/workflows/security.yml @@ -0,0 +1,24 @@ +name: Security Analysis + +on: + workflow_dispatch: + pull_request: + types: [opened, synchronize] + push: + branches: + - main + paths: + - '.github/workflows/**' + +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} + cancel-in-progress: ${{ github.ref_name != 'main' }} + +jobs: + security: + name: Security Analysis + runs-on: ubuntu-slim + steps: + - uses: oxc-project/security-action@4211cd3f56ba742507263ea4a999f3be4165a53c # v1.0.1 diff --git a/.github/workflows/test-standalone-install.yml b/.github/workflows/test-standalone-install.yml index c8bf0b4bbd..4f60f15826 100644 --- a/.github/workflows/test-standalone-install.yml +++ b/.github/workflows/test-standalone-install.yml 
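Review bot: The `push` trigger's `paths` filter in the new `security.yml` lists only `.github/workflows/**`, so a push to `main` that changes the composite actions under `.github/actions/**`, the files this same commit hardens, does not start the analysis. If this workflow is also meant to take over from the deleted `deny.yml`, its `Cargo.lock` and `deny.toml` push triggers are gone as well. Adding `- '.github/actions/**'` (and `- 'Cargo.lock'`, `- 'deny.toml'` if the action runs dependency checks) under `paths` would close the gap. What `oxc-project/security-action` actually scans is not visible here, so confirm that it works under `permissions: {}` with no checkout step.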
@@ -40,7 +40,7 @@ jobs: - os: macos-latest name: macOS ARM64 steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - name: Run install.sh run: cat packages/cli/install.sh | bash @@ -122,7 +122,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - name: Make shell config files read-only run: | @@ -157,7 +157,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - name: Set up QEMU uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 @@ -221,7 +221,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - name: Run install.sh in Alpine container run: | @@ -274,7 +274,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - name: Set up QEMU uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 @@ -333,7 +333,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - name: Assert PowerShell 5.x shell: powershell 
@@ -415,7 +415,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - name: Run install.ps1 shell: pwsh @@ -482,7 +482,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - name: Install PowerShell 7.6 shell: pwsh @@ -562,9 +562,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - persist-credentials: false + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - name: Verify minimumReleaseAge blocks non-interactive install shell: powershell @@ -642,7 +640,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - name: Run install.ps1 shell: pwsh @@ -795,7 +793,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - uses: ./.github/actions/clone - name: Setup Dev Drive diff --git a/.github/workflows/test-vp-create.yml b/.github/workflows/test-vp-create.yml index 72e3644aa0..14b4db0fb1 100644 --- a/.github/workflows/test-vp-create.yml +++ b/.github/workflows/test-vp-create.yml @@ -32,7 +32,7 @@ jobs: outputs: related-files-changed: ${{ steps.filter.outputs.related-files }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: filter with: 
@@ -55,7 +55,7 @@ jobs: contents: read packages: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - uses: ./.github/actions/download-rolldown-binaries with: github-token: ${{ secrets.GITHUB_TOKEN }} @@ -69,7 +69,7 @@ jobs: needs: - download-previous-rolldown-binaries steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - uses: ./.github/actions/clone - uses: oxc-project/setup-rust@23f38cfb0c04af97a055f76acee94d5be71c7c82 # v1.0.16 @@ -145,7 +145,7 @@ jobs: # vite-plus dep gets overridden with the local tgz VP_FORCE_MIGRATE: '1' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: diff --git a/.github/workflows/upgrade-deps.yml b/.github/workflows/upgrade-deps.yml index 0e5e599c81..d968b2feed 100644 --- a/.github/workflows/upgrade-deps.yml +++ b/.github/workflows/upgrade-deps.yml @@ -17,7 +17,7 @@ jobs: actions: read id-token: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2 - uses: ./.github/actions/clone - name: Set up metadata directory diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml deleted file mode 100644 index c7c603d530..0000000000 --- a/.github/workflows/zizmor.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -name: Zizmor - -permissions: {} - -on: - workflow_dispatch: - pull_request: - types: [opened, synchronize] - paths: - - '.github/workflows/**' - push: - branches: - - main - - 'renovate/**' - paths: - - '.github/workflows/**' - -jobs: - zizmor: - name: zizmor - runs-on: ubuntu-latest - permissions: - security-events: write - steps: - - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - persist-credentials: false - submodules: true - - - uses: taiki-e/install-action@ae97ff9daf1cd2e216671a047d80ff48461e30bb # v2.49.1 - with: - tool: zizmor - - - name: Run zizmor - run: zizmor --format sarif . > results.sarif - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3 - with: - sarif_file: results.sarif - category: zizmor