diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 921de01..5afc0b6 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,19 +1,36 @@
 version: 2
+
 updates:
- - package-ecosystem: "github-actions"
- directory: "/"
+ - package-ecosystem: github-actions
+ directory: /
 schedule:
- interval: "weekly"
+ interval: weekly
+ cooldown:
+ default-days: 7
 groups:
- actions-deps:
- patterns:
- - '*'
+ actions:
+ patterns: ["*"]
+ commit-message:
+ prefix: ci
+ labels:
+ - dependencies
+ - github-actions
+ ignore:
+ - dependency-name: DeterminateSystems/*
 
- - package-ecosystem: "npm"
- directory: "/"
+ - package-ecosystem: npm
+ directory: /
 schedule:
- interval: "weekly"
+ interval: weekly
+ cooldown:
+ default-days: 7
+ semver-major-days: 14
+ semver-minor-days: 7
+ semver-patch-days: 3
 groups:
 npm-deps:
- patterns:
- - '*'
+ patterns: ["*"]
+ labels:
+ - dependencies
+ - npm
+
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0afdc0b..274348c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,8 +14,11 @@ jobs:
 contents: read
 id-token: write
 steps:
- - uses: actions/checkout@v6
- - uses: DeterminateSystems/determinate-nix-action@v3
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - uses: DeterminateSystems/determinate-nix-action@main
 - uses: DeterminateSystems/flakehub-cache-action@main
 
 - name: Check Nix formatting
diff --git a/.github/workflows/update-downstream.yml b/.github/workflows/update-downstream.yml
index 28dd34e..5a0779e 100644
--- a/.github/workflows/update-downstream.yml
+++ b/.github/workflows/update-downstream.yml
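Review bot: The new `ignore` entry for `DeterminateSystems/*` carries no explanation, and it silently switches off every Dependabot proposal for that org, including any future version-tagged use of one of its actions. I would add `# these actions are deliberately tracked at a branch ref (see .github/zizmor.yml); Dependabot would have nothing to bump` above the `ignore:` key so the next maintainer does not delete it as stale. Separately, `commit-message: prefix: ci` is set only on the github-actions entry; if the npm entry is meant to share the convention it should get the same key, otherwise the asymmetry deserves a comment. `patterns: ["*"]` is a fine use of flow style for a one-item leaf list.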
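Review bot: `DeterminateSystems/determinate-nix-action` moves from the `v3` tag to the mutable `main` branch inside a job that grants `id-token: write` (visible in the context lines), so whatever sits at the head of that branch at run time executes with the ability to request OIDC tokens for this repository, and the new `.github/zizmor.yml` policy means the `unpinned-uses` audit will not surface it. If floating on `main` is the intended trade-off, say so at the point of use, e.g. `# intentionally tracks main; exempted via the ref-pin policy in .github/zizmor.yml`, so the decision is visible to someone reading the workflow rather than only in the linter config. The same `@main` move appears in the Install Nix step of the `@@ -55` hunk in update-downstream.yml. The checkout change itself is good: a commit SHA with the version in a trailing comment, plus `persist-credentials: false`.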
@@ -42,10 +42,11 @@ jobs:
 GH_TOKEN: ${{ secrets.detsys_pr_bot_token }} # for `gh pr create`
 steps:
 - name: Check out detsys-ts
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 path: current
 token: ${{ env.GH_TOKEN }}
+ persist-credentials: false
 
 - name: Get last detsys-ts commit message
 id: commit-msg
@@ -55,23 +56,27 @@ jobs:
 echo "msg=${MSG}" >> $GITHUB_OUTPUT
 
 - name: Check out ${{ env.TARGET_REPO }}
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 path: target
 repository: ${{ env.TARGET_REPO }}
 token: ${{ env.GH_TOKEN }}
+ persist-credentials: false
 
 - name: Install Nix
- uses: DeterminateSystems/determinate-nix-action@v3
+ uses: DeterminateSystems/determinate-nix-action@main
 
 - name: Set up FlakeHub Cache
 uses: DeterminateSystems/flakehub-cache-action@main
 
 - name: Configure Git for ${{ env.GIT_USER }}
 working-directory: target
+ env:
+ GIT_EMAIL: ${{ env.GIT_EMAIL }}
+ GIT_USER: ${{ env.GIT_USER }}
 run: |
- git config user.name "${{ env.GIT_USER }}"
- git config user.email "${{ env.GIT_EMAIL }}"
+ git config user.name "$GIT_USER"
+ git config user.email "$GIT_EMAIL"
 
 - name: Make sure the repo is forked
 working-directory: target
@@ -97,7 +102,7 @@ jobs:
 fi
 
 - name: Create Pull Request
- uses: peter-evans/create-pull-request@v8
+ uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
 env:
 COMMIT_MSG: ${{ steps.commit-msg.outputs.msg }}
 with:
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..abdc40b
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ DeterminateSystems/*: ref-pin
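Review bot: `persist-credentials: false` on the `target` checkout means the PAT passed as `token` is no longer written into that clone's `.git/config`, so any later `git push` from the `target` directory (the "Make sure the repo is forked" step and the Create Pull Request step both continue outside this hunk) has to authenticate some other way; please confirm those steps receive the token explicitly, otherwise the job will now fail at push time rather than at checkout. The step-level `env:` that maps `GIT_USER: ${{ env.GIT_USER }}` and `GIT_EMAIL: ${{ env.GIT_EMAIL }}` onto themselves looks redundant, since a value reachable through the `env.` context is presumably already exported to the shell; the real hardening is the `run:` body reading `"$GIT_USER"` instead of interpolating `${{ }}` into the script, and that is worth keeping even if the `env:` lines go. If the indirection is there to satisfy a linter's template-injection check, a one-line comment such as `# re-exported so the run: script uses shell variables, not expression interpolation` would stop someone from removing it.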
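Review bot: As I read it, the `ref-pin` policy for `DeterminateSystems/*` accepts any symbolic ref, so a branch such as `main` passes the `unpinned-uses` audit for every action in that org, not only the two this repository uses today, and nothing in the file says whether that breadth is intended. I would add a comment above the `policies:` entry stating the reason (these actions are deliberately tracked at `main` and are excluded from Dependabot for the same reason) so the exemption is re-evaluated rather than inherited. If only specific actions should float, a per-repository pattern would narrow the exemption; I have not verified which pattern forms zizmor accepts, so check its documentation before narrowing.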