From 5556a89878e0827a7ffa4163bd625799c32bf9cc Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 00:42:47 +0300 Subject: [PATCH 1/3] Harden GitHub workflows --- .github/workflows/docs.yml | 16 +++++++++++----- .github/workflows/github-pages.yml | 16 ++++++++++------ .github/workflows/translate.yml | 16 ++++++++++++---- 3 files changed, 33 insertions(+), 15 deletions(-) diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 34e479c9..b9876cbd 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -8,14 +8,19 @@ on: permissions: contents: read - checks: write jobs: build: + permissions: + checks: write + contents: read + runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 + with: + persist-credentials: false - name: Fetch styles run: | @@ -24,7 +29,7 @@ jobs: unzip Microsoft.zip -d .github/styles - name: Check - uses: errata-ai/vale-action@reviewdog + uses: errata-ai/vale-action@85f9f7f2c5f449ac0ae5b66662961bae3f77ca6a with: reporter: github-check fail_on_error: false @@ -37,9 +42,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 with: fetch-depth: 0 + persist-credentials: false - name: Find files to check id: links @@ -82,7 +88,7 @@ jobs: - name: Setup Node.js if: steps.links.outputs.count != '0' - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 with: node-version: 22 cache: npm diff --git a/.github/workflows/github-pages.yml b/.github/workflows/github-pages.yml index 8e20176a..c248de5a 100644 --- a/.github/workflows/github-pages.yml +++ b/.github/workflows/github-pages.yml @@ -8,8 +8,6 @@ on: permissions: contents: read - pages: write - id-token: write concurrency: group: "pages" 
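Review bot: The new SHA pins on `actions/checkout` and `errata-ai/vale-action` in this hunk carry no version comment, so a reader cannot tell which release a hash is meant to be and tools that bump pinned hashes (Dependabot/Renovate) have nothing to key off; append the tag the hash replaces, e.g. `uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6`. The same applies to every pin introduced across this patch. The `Fetch styles` step's `run:` body continues past the hunk, so its download source is not reviewed here.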
@@ -20,10 +18,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 + with: + persist-credentials: false - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 with: node-version: 22 cache: npm @@ -35,12 +35,16 @@ jobs: run: npm run build - name: Upload artifact - uses: actions/upload-pages-artifact@v4 + uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b with: path: src/.vitepress/dist deploy: if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }} + permissions: + pages: write + id-token: write + environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} @@ -49,4 +53,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e diff --git a/.github/workflows/translate.yml b/.github/workflows/translate.yml index 5b130cde..e13a119a 100644 --- a/.github/workflows/translate.yml +++ b/.github/workflows/translate.yml @@ -1,7 +1,7 @@ name: Update translations on: - pull_request_target: + pull_request: paths: - '_translations/**' push: 
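Review bot: Switching `pull_request_target` to `pull_request` is the right fix for a workflow that checks out the PR head, but for a PR opened from a fork the run now gets a read-only `GITHUB_TOKEN` and no `secrets.YIISOFT_GITHUB_TOKEN`, so the job's later commit-and-push step (outside this hunk) will fail rather than push translations back. Gate the job on same-repository PRs so fork PRs skip cleanly: `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`. Alternatively leave the push step to the `push:` trigger only; the `push:` path filters continue past the hunk.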
@@ -10,31 +10,39 @@ on: - '_translations/**' - 'src/**' +permissions: + contents: write jobs: update-docs: name: Update docs runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 with: token: ${{ secrets.YIISOFT_GITHUB_TOKEN || github.token }} ref: ${{ github.head_ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} + persist-credentials: false - name: Prepare po4a configuration run: _translations/prepare-config.sh - name: Use po4a - uses: vjik/docker-run@v1 + uses: vjik/docker-run@623c9adf6ee99fc8f9fa4e3b0b6b0c25859b69ee with: image: ghcr.io/yiisoft-contrib/po4a:0.74 volumes: ${{ github.workspace }}:/src workdir: /src/_translations command: po4a po4a.conf && po4a po4a.conf + - name: Configure Git credentials + env: + GH_TOKEN: ${{ secrets.YIISOFT_GITHUB_TOKEN || github.token }} + run: git config --global credential.helper '!f() { echo username=x-access-token; echo password=$GH_TOKEN; }; f' + - name: Commit changed files - uses: stefanzweifel/git-auto-commit-action@v5 + uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 with: commit_message: Update translation file_pattern: '_translations src' From 29e9a9239abdbe7b55aa168ccea42aa078b2670a Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sat, 20 Jun 2026 11:36:00 +0300 Subject: [PATCH 2/3] Use master for yiisoft actions --- .github/zizmor.yml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .github/zizmor.yml diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 00000000..85ca7982 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,5 @@ +rules: + unpinned-uses: + config: + policies: + "yiisoft/*": any From 28c125f87bb30eafc33628847481bca4fe798140 Mon Sep 17 00:00:00 2001 
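Review bot: The credential helper registered in `Configure Git credentials` reads `$GH_TOKEN` when git invokes it (the value is single-quoted, so nothing is expanded at config time), but `GH_TOKEN` is only set as step-level `env:` on that step; git runs the helper during the push in the following `Commit changed files` step, where, as far as this hunk shows, the variable is unset and the helper answers with an empty password. Add the same `env:` block to the commit step, `env:` / `GH_TOKEN: ${{ secrets.YIISOFT_GITHUB_TOKEN || github.token }}`, rather than exporting the token via `GITHUB_ENV`, which would expose it to every later step. Also scope the helper to the host that needs it, `git config --global credential.https://github.com.helper '...'`, so the token is not offered to any other HTTPS remote git might contact. With `persist-credentials: false` the `token:` passed to checkout is used for the fetch only, which is consistent with this approach.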
From: Alexander Makarov Date: Sun, 21 Jun 2026 15:00:30 +0300 Subject: [PATCH 3/3] Remove redundant zizmor config --- .github/zizmor.yml | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 .github/zizmor.yml diff --git a/.github/zizmor.yml b/.github/zizmor.yml deleted file mode 100644 index 85ca7982..00000000 --- a/.github/zizmor.yml +++ /dev/null @@ -1,5 +0,0 @@ -rules: - unpinned-uses: - config: - policies: - "yiisoft/*": any