From 5a2f62c4fb1ccdc1aa0999f92817522488621334 Mon Sep 17 00:00:00 2001 From: Thomas Weber Date: Tue, 24 Dec 2024 19:48:05 -0600 Subject: [PATCH] Update workflows based on zizmor audit --- .github/workflows/build-auto.yml | 5 +++-- .github/workflows/build.yml | 5 +++-- .github/workflows/release.yml | 14 +++++++------- .github/workflows/winget.yml | 2 +- 4 files changed, 14 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build-auto.yml b/.github/workflows/build-auto.yml index 44f7b0a6..d916b872 100644 --- a/.github/workflows/build-auto.yml +++ b/.github/workflows/build-auto.yml @@ -9,11 +9,12 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: submodules: recursive + persist-credentials: false - name: Install Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af with: node-version: 20 cache: npm diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cf1acfef..88beda9b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -12,11 +12,12 @@ jobs: os: [macos-latest, ubuntu-latest, windows-latest] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: submodules: recursive + persist-credentials: false - name: Install Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af with: node-version: 20.x cache: npm diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6da54ed1..371f5d44 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
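Review bot: In .github/workflows/build-auto.yml the new `actions/checkout@11bd…` and `actions/setup-node@3937…` pins have no trailing comment naming the release they correspond to, so a reader cannot tell from the file which version runs, and the pin is hard to audit or refresh. Add the tag as a comment on each pinned line, e.g. `- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # <release tag for this SHA>`. The same applies to the pins in build.yml, both release.yml hunks and winget.yml. Before merging, confirm that each SHA is reachable from the upstream repository's own tags or branches, because GitHub also resolves commits that exist only in a fork under the parent repository's name.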
@@ -5,26 +5,26 @@ on: tags: - 'v*' -permissions: - contents: write - jobs: release: runs-on: ${{ matrix.os }} + permissions: + contents: write + strategy: matrix: os: [macos-latest, ubuntu-latest, windows-latest] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: submodules: recursive + persist-credentials: false - name: Install Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af with: node-version: 20.x - cache: npm - name: Install dependencies run: npm ci - name: Fetch @@ -43,7 +43,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload Microsoft Store Artifact if: runner.os == 'Windows' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b with: name: appx path: dist/*.appx diff --git a/.github/workflows/winget.yml b/.github/workflows/winget.yml index 0ec78a00..1d1901fb 100644 --- a/.github/workflows/winget.yml +++ b/.github/workflows/winget.yml @@ -8,7 +8,7 @@ jobs: publish: runs-on: ubuntu-latest steps: - - uses: vedantmgoyal9/winget-releaser@main + - uses: vedantmgoyal9/winget-releaser@4ffc7888bffd451b357355dc214d43bb9f23917e with: identifier: GarboMuffin.TurboWarp installers-regex: 'TurboWarp-Setup-[\d.]+-\w+\.exe$'
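Review bot: In release.yml's first hunk, moving `contents: write` onto the `release` job leaves the workflow with no top-level `permissions:` key, so any job added later falls back to the repository's default token scope, which may be read/write. Keep an explicit deny-all default at workflow level, `permissions: {}`, alongside the new job-level grant. A short comment where `cache: npm` was dropped would also stop it being re-added, for example `# no npm cache in release builds: avoid restoring a cache that another workflow run could have written`. That reason is inferred from the commit subject, so confirm it before adding the comment.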
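Review bot: In winget.yml the `publish` job shows no `permissions:` key between `runs-on` and `steps`, and it runs a third-party action. Unless a workflow-level block exists above the hunk, the job's GITHUB_TOKEN gets the repository default scope. If the action authenticates only through its own inputs, add `permissions: {}` to the job; the `with:` block continues past the hunk, so that is an assumption to check. Because the previous ref was `main` rather than a tag, also record beside the SHA where it came from, e.g. `# main as of <date>`, so the pin can be refreshed deliberately.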