diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b6df813..662bb7f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,7 @@ on:
 pull_request:
 branches:
 - main
+permissions: {}
 jobs:
 link-checker:
@@ -15,8 +16,10 @@ jobs:
 steps:
 - name: Checkout the repository
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Check the links
- uses: lycheeverse/lychee-action@v1
+ uses: lycheeverse/lychee-action@82202e5e9c2f4ef1a55a3d02563e1cb6041e5332 # v2.4.1
 with:
 args: --max-concurrency 1 -v content/*.md
 fail: true
@@ -29,10 +32,34 @@ jobs:
 steps:
 - name: Checkout the repository
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Check spelling mistakes
- uses: codespell-project/actions-codespell@master
+ uses: codespell-project/actions-codespell@406322ec52dd7b488e48c1c4b82e2a8b3a1bf630 # v2.1
 with:
 check_filenames: true
 check_hidden: true
 path: content
 ignore_words_file: .codespellignore
+
+ zizmor:
+ name: zizmor latest via PyPI
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ - name: Install the latest version of uv
+ uses: astral-sh/setup-uv@c7f87aa956e4c323abf06d5dec078e358f6b4d04 # v6.0.0
+ - name: Run zizmor 🌈
+ run: uvx zizmor --format=sarif . > results.sarif
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
+ category: zizmor
\ No newline at end of file
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 96986ea..38e5e47 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
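Review bot: The new zizmor job's `permissions:` block grants only `security-events: write`, and because this commit also adds `permissions: {}` at the top of the file, the job's token is left without `contents: read` for the checkout and SARIF-upload steps; the codeql-action upload-sarif documentation lists `contents: read` next to `security-events: write`, so add `contents: read` under the job's `permissions:` (checkout of a public repository may still succeed anonymously, but the grant should be explicit). The same commit moves lychee, codespell and setup-uv to commit SHAs yet leaves `actions/checkout@v4` in this job and `github/codeql-action/upload-sarif@v3` on mutable tags, which zizmor's own unpinned-uses audit is likely to report on its first run — pin them the same way, `uses: actions/checkout@<commit-sha> # vX.Y.Z`. `uvx zizmor` with no version constraint audits with whatever PyPI serves that day, which matches the job name but makes a result hard to reproduce; `uvx zizmor==<version>` would fix that. The file also ends without a trailing newline (`\ No newline at end of file`).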
@@ -12,17 +12,24 @@ on:
 - closed
 concurrency: preview-${{ github.ref }}
+permissions: {}
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: write
+ pull-requests: write
 if: github.ref != 'refs/heads/main'
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Build only
 if: github.event.action != 'closed'
- uses: shalzz/zola-deploy-action@v0.19.2
+ uses: shalzz/zola-deploy-action@c34a7626cd84c9c90499afeb310070ea838a8d1a # v0.20
 env:
 BUILD_DIR: .
 BUILD_ONLY: true
@@ -30,10 +37,10 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Deploy preview
- uses: rossjrw/pr-preview-action@v1
+ uses: rossjrw/pr-preview-action@2fb559e4766555e23d07b73d313fe97c4f8c3cfe # v1.6.1
 with:
 source-dir: ./public/
- custom-url: sinon.github.io
+ pages-base-url: sinon.github.io
 build_and_deploy:
 runs-on: ubuntu-latest
@@ -41,8 +48,10 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Build and deploy
- uses: shalzz/zola-deploy-action@v0.19.2
+ uses: shalzz/zola-deploy-action@c34a7626cd84c9c90499afeb310070ea838a8d1a # v0.20
 env:
 BUILD_DIR: .
 PAGES_BRANCH: gh-pages
diff --git a/config.toml b/config.toml
index f6e22df..632adf8 100644
--- a/config.toml
+++ b/config.toml
@@ -28,8 +28,8 @@ codeblock = true
 after_dark_menu = [
 { name = "Home", url = "$BASE_URL" },
 { name = "Tags", url = "$BASE_URL/tags" },
- { name = "Source", url = "https://github.com/Sinon/sinon.github.io" },
- { name = "GitHub", url = "https://github.com/Sinon" },
+ { name = "Source", url = "https://github.com/sinon/sinon.github.io" },
+ { name = "GitHub", url = "https://github.com/sinon" },
 { name = "CV", url = "https://raw.githubusercontent.com/sinon/CV/main/cv.pdf" },
 { name = "RSS", url = "$BASE_URL/rss.xml" },
 ]
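Review bot: The `build` job's new `permissions:` block grants `id-token: write`, but nothing in this hunk requests an OIDC token — checkout, zola-deploy-action in `BUILD_ONLY` mode and the pr-preview deploy all run on `secrets.GITHUB_TOKEN` — so unless a step past the hunk needs it, drop the `id-token: write` line so the grant matches what the job does. `contents: write` and `pull-requests: write` are what pr-preview-action needs to push the preview branch and comment on the PR, so those look right. `actions/checkout@v4` stays on a mutable tag here and in the `build_and_deploy` hunk below while the two deploy actions move to commit SHAs; pin checkout the same way, `uses: actions/checkout@<commit-sha> # vX.Y.Z`. The `build` job's definition continues past the end of the hunk.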
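Review bot: `build_and_deploy` receives no job-level `permissions:` block in this commit while the new top-level `permissions: {}` removes every default grant, so the `GITHUB_TOKEN` this job hands to zola-deploy-action no longer carries `contents: write` and its push to `gh-pages` is likely to be rejected on the next main-branch run. Only one unchanged line (new line 47) sits between `runs-on:` and `steps:`, so unless that line is a one-line `permissions:` entry, or the job's `env:` (which continues past the hunk) passes a PAT rather than `secrets.GITHUB_TOKEN`, add `permissions:` / `  contents: write` under `build_and_deploy:` as the `build` job now does. The job's `env:` block and the rest of the job lie outside the hunk.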