diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 55172b32..0c2cf933 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -6,6 +6,8 @@ updates:
 schedule:
 interval: 'weekly'
 day: 'saturday'
+ cooldown:
+ default-days: 7
 labels: [ 'dependencies' ]
 commit-message:
 prefix: 'chore' ## prefix maximum string length of 15
@@ -16,6 +18,8 @@ updates:
 schedule:
 interval: 'weekly'
 day: 'saturday'
+ cooldown:
+ default-days: 7
 labels: [ 'dependencies' ]
 commit-message:
 prefix: 'chore' ## prefix maximum string length of 15
@@ -26,6 +30,8 @@ updates:
 schedule:
 interval: 'weekly'
 day: 'saturday'
+ cooldown:
+ default-days: 7
 labels: [ 'dependencies' ]
 commit-message:
 prefix: 'chore' ## prefix maximum string length of 15
@@ -36,6 +42,8 @@ updates:
 schedule:
 interval: 'weekly'
 day: 'saturday'
+ cooldown:
+ default-days: 7
 labels: [ 'dependencies' ]
 commit-message:
 prefix: 'chore' ## prefix maximum string length of 15
@@ -46,6 +54,8 @@ updates:
 schedule:
 interval: 'weekly'
 day: 'saturday'
+ cooldown:
+ default-days: 7
 labels: [ 'dependencies' ]
 commit-message:
 prefix: 'chore' ## prefix maximum string length of 15
@@ -56,6 +66,8 @@ updates:
 schedule:
 interval: 'weekly'
 day: 'saturday'
+ cooldown:
+ default-days: 7
 labels: [ 'dependencies' ]
 commit-message:
 prefix: 'chore' ## prefix maximum string length of 15
diff --git a/.github/workflows/build_docs.yml b/.github/workflows/build_docs.yml
index 70d1fbcc..e1072e81 100644
--- a/.github/workflows/build_docs.yml
+++ b/.github/workflows/build_docs.yml
@@ -22,6 +22,8 @@ jobs:
 - name: Checkout
 # see https://github.com/actions/checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up JDK
 # see https://github.com/actions/setup-java
 uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
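Review bot: The new `cooldown` stanza gives no reason for the 7-day figure, and the identical two lines are added to all six update entries in this file (hunks at -6, -16, -26, -36, -46 and -56). A comment above the first occurrence would record the intent, e.g. `# cooldown: wait 7 days after a release before proposing it, so that pulled or compromised releases are noticed before they are picked up`. It could also say that the six entries are meant to stay in step, since nothing else ties the repeated values together.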
@@ -47,6 +49,8 @@ jobs:
 - name: Checkout
 # see https://github.com/actions/checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Setup Python Environment
 # see https://github.com/actions/setup-python
 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -71,6 +75,8 @@ jobs:
 - name: Checkout
 # see https://github.com/actions/checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Generate Schema documentation
 run: ./gen.sh
 - name: Archive Schema documentation
diff --git a/.github/workflows/bundle_2.0_schemas.yml b/.github/workflows/bundle_2.0_schemas.yml
index adff66f9..1fa6790f 100644
--- a/.github/workflows/bundle_2.0_schemas.yml
+++ b/.github/workflows/bundle_2.0_schemas.yml
@@ -21,10 +21,10 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
- token: ${{ secrets.GITHUB_TOKEN }}
+ persist-credentials: false
 - name: Setup Node.js
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: '20'
@@ -40,6 +40,8 @@ jobs:
 ../../../../schema/2.0/cyclonedx-2.0.schema.json
 - name: Check for changes and commit
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 BUNDLED_FILE="schema/2.0/cyclonedx-2.0-bundled.schema.json"
@@ -54,5 +56,5 @@ jobs:
 git config --local user.email "github-actions[bot]@users.noreply.github.com"
 git config --local user.name "github-actions[bot]"
 git commit -m "chore: update bundled schema [skip ci]"
- git push
+ git push "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
 fi
diff --git a/.github/workflows/test_java.yml b/.github/workflows/test_java.yml
index 8c0cbabb..5935a22c 100644
--- a/.github/workflows/test_java.yml
+++ b/.github/workflows/test_java.yml
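Review bot: The rewritten `git push` in the `@@ -54,5 +56,5 @@` hunk places the token in the remote URL, so it is part of the command's argv and of any git error message that prints the remote; only Actions' log masking of `GITHUB_TOKEN` keeps it out of the visible log. A credential helper that reads the variable at run time keeps the token out of argv and lets the existing `origin` remote stay in use: `git -c credential.helper='!f() { echo username=x-access-token; echo "password=$GH_TOKEN"; }; f' push origin HEAD`. The same URL form is used by the push in update_spdx_licenses.yml at `@@ -109,7 +113,7 @@`. The job's `permissions:` block is outside the hunk; the `GH_TOKEN` added at `@@ -40,6 +40,8 @@` only allows the push if `contents: write` is granted there.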
@@ -24,6 +24,8 @@ jobs:
 - name: Checkout
 # see https://github.com/actions/checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up JDK
 # see https://github.com/actions/setup-java
 uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
diff --git a/.github/workflows/test_js.yml b/.github/workflows/test_js.yml
index f983c0c2..ee3db0f0 100644
--- a/.github/workflows/test_js.yml
+++ b/.github/workflows/test_js.yml
@@ -27,9 +27,11 @@ jobs:
 - name: Checkout
 # see https://github.com/actions/checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Setup Node.js
 # see https://github.com/actions/setup-node
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: '24.x'
 package-manager-cache: false
diff --git a/.github/workflows/test_php.yml b/.github/workflows/test_php.yml
index 6fbcaf28..e6259aa2 100644
--- a/.github/workflows/test_php.yml
+++ b/.github/workflows/test_php.yml
@@ -27,6 +27,8 @@ jobs:
 - name: Checkout
 # see https://github.com/actions/checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Setup PHP
 # see https://github.com/shivammathur/setup-php
 uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
diff --git a/.github/workflows/test_proto.yml b/.github/workflows/test_proto.yml
index 4d8b68b4..65847aff 100644
--- a/.github/workflows/test_proto.yml
+++ b/.github/workflows/test_proto.yml
@@ -27,5 +27,7 @@ jobs:
 - name: Checkout
 # see https://github.com/actions/checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Run test
 run: ./test.sh
diff --git a/.github/workflows/update_spdx_licenses.yml b/.github/workflows/update_spdx_licenses.yml
index 4ca16001..7d4512a6 100644
--- a/.github/workflows/update_spdx_licenses.yml
+++ b/.github/workflows/update_spdx_licenses.yml
@@ -26,6 +26,7 @@ jobs:
 uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 with:
 ref: ${{ github.ref_name }}
+ persist-credentials: false
 - name: Set up JDK
 # see https://github.com/actions/setup-java
 uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
@@ -77,6 +78,7 @@ jobs:
 uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 with:
 ref: ${{ github.ref_name }}
+ persist-credentials: false
 - name: Switch branch
 id: branch
 run: |
@@ -98,6 +100,8 @@ jobs:
 name: schema-spdx
 path: schema
 - name: Commit and push
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 set -eux
 if git diff --quiet -- 'schema/spdx.*'
@@ -109,7 +113,7 @@ jobs:
 git config user.email 'spdx-license-bumper@bot.local'
 git add -A schema
 git commit -s -m "feat: bump SPDX licenses $SB_VERSION"
- git push origin "$SB_BRANCH"
+ git push "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "$SB_BRANCH"
 - name: Pull request
 if: ${{ steps.branch.outputs.existed == 'false' }}
 run: >
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 00000000..1e00042b
--- /dev/null
+++ b/.github/workflows/zizmor.yml
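Review bot: The checkout steps at hunks `@@ -26,6 +26,7 @@` and `@@ -77,6 +78,7 @@` stay on `actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5`, while every other checkout touched by this commit is pinned to `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6`. Since this commit already edits both `with:` blocks, moving them to the same pin would leave the repository on a single checkout version and one set of defaults to reason about when opting out of `persist-credentials`.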
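Review bot: The `run:` block of the `@@ -98,6 +100,8 @@` hunk begins with `set -eux`, so the `git push "https://x-access-token:${GH_TOKEN}@…"` line added at `@@ -109,7 +113,7 @@` is traced to the job log with the token expanded, and only Actions' masking of `GITHUB_TOKEN` keeps it out of the log. Changing the first line to `set -eu`, or bracketing the push with `set +x` and `set -x`, keeps the trace for the rest of the script without echoing the credential. The `run:` block starts in the first of these hunks and ends in the second, so the lines between them are outside the view.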
@@ -0,0 +1,33 @@
+name: Zizmor
+
+on:
+ pull_request:
+ paths:
+ - '.github/workflows/**'
+ - '.github/dependabot.yml'
+ push:
+ paths:
+ - '.github/workflows/**'
+ - '.github/dependabot.yml'
+ schedule:
+ - cron: '0 0 * * 6'
+
+permissions:
+ contents: read
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ steps:
+ - name: Checkout
+ # see https://github.com/actions/checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
+ - name: Run zizmor
+ # see https://github.com/zizmorcore/zizmor-action
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+ with:
+ advanced-security: false
+ annotations: true
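Review bot: `push:` and `pull_request:` carry the same `paths:` filter and `push:` has no `branches:` filter, so a pull request from a branch of this repository runs the scan twice per commit, once for each event. Adding `branches: ['<default-branch>']` under `push:` (placeholder for the repository's default branch) leaves one run per PR commit plus one on merge, while the weekly `schedule:` still re-checks the files as zizmor's audits evolve. `advanced-security: false` appears to keep findings as run annotations rather than uploading them to code scanning, which is consistent with the workflow-level `contents: read`; turning the upload on would also require `security-events: write`.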