From e7da6498fd2668c95d41c92c4558abc17e8fa928 Mon Sep 17 00:00:00 2001
From: Rob Hand <146272+sinon@users.noreply.github.com>
Date: Sun, 18 May 2025 20:45:27 +0100
Subject: [PATCH 1/4] Zizmor

---
 .github/workflows/ci.yml     | 31 +++++++++++++++++++++++++++++--
 .github/workflows/deploy.yml | 13 +++++++++----
 config.toml                  |  4 ++--
 3 files changed, 40 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b6df813..662bb7f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,7 @@ on:
   pull_request:
     branches:
       - main
+permissions: {}
 
 jobs:
   link-checker:
@@ -15,8 +16,10 @@ jobs:
     steps:
       - name: Checkout the repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Check the links
-        uses: lycheeverse/lychee-action@v1
+        uses: lycheeverse/lychee-action@82202e5e9c2f4ef1a55a3d02563e1cb6041e5332 # v2.4.1
         with:
           args: --max-concurrency 1 -v content/*.md
           fail: true
@@ -29,10 +32,34 @@ jobs:
     steps:
       - name: Checkout the repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Check spelling mistakes
-        uses: codespell-project/actions-codespell@master
+        uses: codespell-project/actions-codespell@406322ec52dd7b488e48c1c4b82e2a8b3a1bf630 # v2.1
         with:
           check_filenames: true
           check_hidden: true
           path: content
           ignore_words_file: .codespellignore
+
+  zizmor:
+    name: zizmor latest via PyPI
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@c7f87aa956e4c323abf06d5dec078e358f6b4d04 # v6.0.0
+      - name: Run zizmor 🌈
+        run: uvx zizmor --format=sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+          category: zizmor
\ No newline at end of file
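Review bot: `actions/checkout@v4` (all three uses in ci.yml, including the new zizmor job) and `github/codeql-action/upload-sarif@v3` are still referenced by mutable tags, while the same commit moves lychee, codespell and setup-uv to full commit SHAs; the two checkout steps in the deploy.yml hunks are in the same state. A tag can be re-pointed at different code after review, so for consistency with the rest of this change pin these as well, e.g. `uses: actions/checkout@<commit-sha> # v4.x` and `uses: github/codeql-action/upload-sarif@<commit-sha> # v3.x`. Likewise `uvx zizmor` resolves whatever is newest on PyPI at run time — the job name says as much — so if reproducible scan results matter, pin the requirement (`uvx 'zizmor==<version>'`). The file is also left without a trailing newline (`\ No newline at end of file`), which most editors and yamllint will keep re-flagging.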
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 96986ea..2fa9f05 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -12,6 +12,7 @@ on:
       - closed
 
 concurrency: preview-${{ github.ref }}
+permissions: {}
 
 jobs:
   build:
@@ -20,9 +21,11 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Build only
         if: github.event.action != 'closed'
-        uses: shalzz/zola-deploy-action@v0.19.2
+        uses: shalzz/zola-deploy-action@c34a7626cd84c9c90499afeb310070ea838a8d1a # v0.20
         env:
           BUILD_DIR: .
           BUILD_ONLY: true
@@ -30,10 +33,10 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Deploy preview
-        uses: rossjrw/pr-preview-action@v1
+        uses: rossjrw/pr-preview-action@2fb559e4766555e23d07b73d313fe97c4f8c3cfe # v1.6.1
         with:
           source-dir: ./public/
-          custom-url: sinon.github.io
+          pages-base-url: sinon.github.io
 
   build_and_deploy:
     runs-on: ubuntu-latest
@@ -41,8 +44,10 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Build and deploy
-        uses: shalzz/zola-deploy-action@v0.19.2
+        uses: shalzz/zola-deploy-action@c34a7626cd84c9c90499afeb310070ea838a8d1a # v0.20
         env:
           BUILD_DIR: .
           PAGES_BRANCH: gh-pages
diff --git a/config.toml b/config.toml
index f6e22df..632adf8 100644
--- a/config.toml
+++ b/config.toml
@@ -28,8 +28,8 @@ codeblock = true
 after_dark_menu = [
     { name = "Home", url = "$BASE_URL" },
     { name = "Tags", url = "$BASE_URL/tags" },
-    { name = "Source", url = "https://github.com/Sinon/sinon.github.io" },
-    { name = "GitHub", url = "https://github.com/Sinon" },
+    { name = "Source", url = "https://github.com/sinon/sinon.github.io" },
+    { name = "GitHub", url = "https://github.com/sinon" },
     { name = "CV", url = "https://raw.githubusercontent.com/sinon/CV/main/cv.pdf" },
     { name = "RSS", url = "$BASE_URL/rss.xml" },
 ]

From db1fdc4c25d1e95c1800f43a3329531987f5a5d2 Mon Sep 17 00:00:00 2001
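Review bot: With `permissions: {}` now set at workflow level, the `build_and_deploy` job's GITHUB_TOKEN carries no scopes, yet its `Build and deploy` step still drives a push to `gh-pages` (the `PAGES_BRANCH: gh-pages` env block, whose remaining keys are outside the last hunk); unless that job already declares its own `permissions` somewhere outside the hunks shown, the deploy will be rejected at push time. The three follow-up patches in this series add job-level permissions to `build` only, so `build_and_deploy` looks like it was missed — it needs at least `permissions:` / `  contents: write` of its own, scoped to the job rather than reopened at workflow level. The `build` job's `- name: Checkout` / `Build only` / `Deploy preview` steps span two hunks, and the `on:` block that triggers it sits above the first hunk, so I cannot confirm from this diff which events reach it.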
From: Rob Hand <146272+sinon@users.noreply.github.com>
Date: Sun, 18 May 2025 20:48:34 +0100
Subject: [PATCH 2/4] fix permissions

---
 .github/workflows/deploy.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 2fa9f05..5de473c 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -17,6 +17,8 @@ permissions: {}
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     if: github.ref != 'refs/heads/main'
     steps:
       - name: Checkout

From 1de7cb11c486f39a9c8e92b9f81069d7c2f5302f Mon Sep 17 00:00:00 2001
From: Rob Hand <146272+sinon@users.noreply.github.com>
Date: Sun, 18 May 2025 20:50:07 +0100
Subject: [PATCH 3/4] fix permissions

---
 .github/workflows/deploy.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 5de473c..4bec69a 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -19,6 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       id-token: write
+      contents: write
     if: github.ref != 'refs/heads/main'
     steps:
       - name: Checkout

From a66547b8e8646d6a036880cee476dea40ec16f80 Mon Sep 17 00:00:00 2001
From: Rob Hand <146272+sinon@users.noreply.github.com>
Date: Sun, 18 May 2025 20:51:50 +0100
Subject: [PATCH 4/4] fix permissions

---
 .github/workflows/deploy.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 4bec69a..38e5e47 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -20,6 +20,7 @@ jobs:
     permissions:
       id-token: write
       contents: write
+      pull-requests: write
     if: github.ref != 'refs/heads/main'
     steps:
       - name: Checkout
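Review bot: `id-token: write`, added in patch 2 and kept through patches 3 and 4, is not used by anything this series shows — none of the `build` job's visible steps (checkout, the zola `Build only` step, the `Deploy preview` step) requests an OIDC token — so unless a step outside the hunk needs it, it widens the job token for no benefit and the final block should read `permissions:` / `  contents: write` / `  pull-requests: write`. If it was added while bisecting the failed deploy, that is worth a comment above the block so the next reader does not have to re-derive it, e.g. `# contents: push the preview to gh-pages; pull-requests: post the preview comment`. Patches 2–4 each append one key to the same `permissions:` mapping under the same subject line; squashing them would keep one reviewable change per intent. The `build` job's `steps:` continue beyond the last hunk.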