diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index 165375132..2517b0f8a 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -13,7 +13,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Security audit (osv-scanner) run: bin/osv-audit --level critical pnpm-lock.yaml examples/web-cli/pnpm-lock.yaml packages/react-web-cli/pnpm-lock.yaml diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml index 5d898e01e..3ec71cf20 100644 --- a/.github/workflows/claude-review.yml +++ b/.github/workflows/claude-review.yml @@ -31,19 +31,23 @@ jobs: contains(fromJSON('["MEMBER", "OWNER", "COLLABORATOR"]'), github.event.comment.author_association)) steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 - name: Generate GitHub App Token id: generate-token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3 with: app-id: ${{ secrets.CLAUDE_APP_ID }} private-key: ${{ secrets.CLAUDE_APP_PRIVATE_KEY }} + permissions: >- + contents:read, + pull-requests:write, + issues:write - name: Run Claude review - uses: anthropics/claude-code-action@v1 + uses: anthropics/claude-code-action@1dc994ee7a008f0ecc866d9ac23ef036b7229f84 # v1 with: anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} github_token: ${{ steps.generate-token.outputs.token }} diff --git a/.github/workflows/dependabot-claude-fix.yml b/.github/workflows/dependabot-claude-fix.yml index 2d2b5d1bb..427180807 100644 --- a/.github/workflows/dependabot-claude-fix.yml +++ b/.github/workflows/dependabot-claude-fix.yml 
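Review bot: The `permissions: >-` input added to the "Generate GitHub App Token" step in claude-review.yml does not match the inputs actions/create-github-app-token documents, which are one input per permission (`permission-contents: read`, `permission-pull-requests: write`, `permission-issues: write`); unless v3 introduced a `permissions` input, the runner only warns about the unexpected input and ignores it, so the token is minted with the installation's full permission set and the scoping this step is trying to add never takes effect. Because that token is handed to both checkout and claude-code-action, the difference is the whole blast radius of the step, so verify against the action.yml at the pinned commit before merging. The folded scalar also yields a single comma-separated string, which is a further reason to prefer the per-permission inputs. If the per-permission form is confirmed, the same fix applies to the "Generate App Token" steps in dependabot-claude-fix.yml, dependabot-lockfile.yml and pr-overview.yml in this diff.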
@@ -287,27 +287,30 @@ jobs: - name: Generate App Token if: steps.gate.outputs.proceed == 'true' id: generate-token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3 with: app-id: ${{ secrets.CI_APP_ID }} private-key: ${{ secrets.CI_APP_PRIVATE_KEY }} + permissions: >- + contents:write, + pull-requests:write - name: Checkout Dependabot branch if: steps.gate.outputs.proceed == 'true' - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ steps.pr.outputs.head_ref }} token: ${{ steps.generate-token.outputs.token }} - name: Set up pnpm if: steps.gate.outputs.proceed == 'true' - uses: pnpm/action-setup@v6 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 with: version: 10 - name: Set up Node.js if: steps.gate.outputs.proceed == 'true' - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: "22.x" @@ -318,7 +321,7 @@ jobs: - name: Fix failures with Claude id: claude if: steps.gate.outputs.proceed == 'true' - uses: anthropics/claude-code-action@v1 + uses: anthropics/claude-code-action@1dc994ee7a008f0ecc866d9ac23ef036b7229f84 # v1 with: anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} github_token: ${{ steps.generate-token.outputs.token }} diff --git a/.github/workflows/dependabot-lockfile.yml b/.github/workflows/dependabot-lockfile.yml index 4b0d89171..413ff33ed 100644 --- a/.github/workflows/dependabot-lockfile.yml +++ b/.github/workflows/dependabot-lockfile.yml 
@@ -50,27 +50,29 @@ jobs: - name: Generate App Token if: steps.guard.outputs.skip != 'true' id: generate-token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3 with: app-id: ${{ secrets.CI_APP_ID }} private-key: ${{ secrets.CI_APP_PRIVATE_KEY }} + permissions: >- + contents:write - name: Checkout Dependabot branch if: steps.guard.outputs.skip != 'true' - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ github.event.pull_request.head.ref }} token: ${{ steps.generate-token.outputs.token }} - name: Set up pnpm if: steps.guard.outputs.skip != 'true' - uses: pnpm/action-setup@v6 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 with: version: 10 - name: Set up Node.js if: steps.guard.outputs.skip != 'true' - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: "22.x" diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 9f97fc3df..a68d84f2c 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -24,15 +24,15 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up pnpm - uses: pnpm/action-setup@v6 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 with: version: 10 - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: "22.x" cache: "pnpm" @@ -52,7 +52,7 @@ jobs: - name: Cache Playwright browsers id: playwright-cache - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: ~/.cache/ms-playwright key: playwright-${{ runner.os }}-${{ steps.playwright-version.outputs.version }} 
diff --git a/.github/workflows/e2e-web-cli-parallel.yml b/.github/workflows/e2e-web-cli-parallel.yml index 3ee550b61..bdeb2eadb 100644 --- a/.github/workflows/e2e-web-cli-parallel.yml +++ b/.github/workflows/e2e-web-cli-parallel.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [main] +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true @@ -17,15 +20,15 @@ jobs: timeout-minutes: 10 steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up pnpm - uses: pnpm/action-setup@v6 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 with: version: 10 - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: "22.x" cache: "pnpm" @@ -53,7 +56,7 @@ jobs: - name: Cache Playwright browsers id: playwright-cache - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: ~/.cache/ms-playwright key: playwright-${{ runner.os }}-${{ steps.playwright-version.outputs.version }} @@ -67,7 +70,7 @@ jobs: run: pnpm exec playwright install-deps chromium - name: Upload build artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: build-artifacts path: | @@ -93,15 +96,15 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up pnpm - uses: pnpm/action-setup@v6 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 with: version: 10 - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: "22.x" cache: "pnpm" 
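Review bot: The new top-level `permissions:` block with `contents: read` is added only to e2e-web-cli-parallel.yml; the hunks for e2e-tests.yml, test.yml and audit.yml show no such block, and if those files have none outside the visible hunks they still run with the repository's default GITHUB_TOKEN scopes, which may include write access. Adding the same two lines there would keep the least-privilege work consistent across the pinned workflows. The SHA pins also need something to keep them current — presumably Dependabot's `github-actions` ecosystem is configured given the dependabot workflows in this repository, but if not, the `# v6` comments will drift from the commits they annotate.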
@@ -115,7 +118,7 @@ jobs: - name: Cache Playwright browsers id: playwright-cache - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: ~/.cache/ms-playwright key: playwright-${{ runner.os }}-${{ steps.playwright-version.outputs.version }} @@ -129,7 +132,7 @@ jobs: run: pnpm exec playwright install-deps chromium - name: Download build artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: build-artifacts @@ -158,15 +161,15 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up pnpm - uses: pnpm/action-setup@v6 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 with: version: 10 - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: "22.x" cache: "pnpm" @@ -180,7 +183,7 @@ jobs: - name: Cache Playwright browsers id: playwright-cache - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: ~/.cache/ms-playwright key: playwright-${{ runner.os }}-${{ steps.playwright-version.outputs.version }} @@ -194,7 +197,7 @@ jobs: run: pnpm exec playwright install-deps chromium - name: Download build artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: build-artifacts 
@@ -224,15 +227,15 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up pnpm - uses: pnpm/action-setup@v6 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 with: version: 10 - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: "22.x" cache: "pnpm" @@ -246,7 +249,7 @@ jobs: - name: Cache Playwright browsers id: playwright-cache - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: ~/.cache/ms-playwright key: playwright-${{ runner.os }}-${{ steps.playwright-version.outputs.version }} @@ -260,7 +263,7 @@ jobs: run: pnpm exec playwright install-deps chromium - name: Download build artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: build-artifacts @@ -291,15 +294,15 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up pnpm - uses: pnpm/action-setup@v6 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 with: version: 10 - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: "22.x" cache: "pnpm" @@ -313,7 +316,7 @@ jobs: - name: Cache Playwright browsers id: playwright-cache - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: ~/.cache/ms-playwright key: playwright-${{ runner.os }}-${{ steps.playwright-version.outputs.version }} 
@@ -327,7 +330,7 @@ jobs: run: pnpm exec playwright install-deps chromium - name: Download build artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: build-artifacts diff --git a/.github/workflows/pr-overview.yml b/.github/workflows/pr-overview.yml index 1518207b3..dc42c8c7b 100644 --- a/.github/workflows/pr-overview.yml +++ b/.github/workflows/pr-overview.yml @@ -7,7 +7,6 @@ on: permissions: contents: read pull-requests: write - issues: write jobs: generate-overview: @@ -21,19 +20,22 @@ jobs: timeout-minutes: 10 steps: - name: Checkout PR branch - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 - name: Generate GitHub App Token id: generate-token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3 with: app-id: ${{ secrets.CLAUDE_APP_ID }} private-key: ${{ secrets.CLAUDE_APP_PRIVATE_KEY }} + permissions: >- + contents:read, + pull-requests:write - name: Generate PR Overview - uses: anthropics/claude-code-action@v1 + uses: anthropics/claude-code-action@1dc994ee7a008f0ecc866d9ac23ef036b7229f84 # v1 with: anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} github_token: ${{ steps.generate-token.outputs.token }} diff --git a/.github/workflows/release-web-cli.yml b/.github/workflows/release-web-cli.yml index 19d06980d..41d604a98 100644 --- a/.github/workflows/release-web-cli.yml +++ b/.github/workflows/release-web-cli.yml 
@@ -15,20 +15,19 @@ jobs: contents: "write" id-token: "write" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: true - name: Set up pnpm - uses: pnpm/action-setup@v6 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 with: version: 10 # Use pnpm version 10 - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} with: node-version: "22.x" # Use Node.js 22.x - cache: "pnpm" registry-url: "https://registry.npmjs.org/" # The version check is necessary because the web-cli is published as a separate package from the main CLI diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 26e79e769..d9b0181cb 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -15,20 +15,19 @@ jobs: contents: "write" id-token: "write" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: true - name: Set up pnpm - uses: pnpm/action-setup@v6 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 with: version: 10 # Use pnpm version 10 - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} with: node-version: "22.x" # Use Node.js 22.x - cache: "pnpm" registry-url: "https://registry.npmjs.org/" - name: Install dependencies and publish diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 710161e75..79d89c546 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
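Review bot: The removal of `cache: "pnpm"` from the "Set up Node.js" step in release-web-cli.yml, and the identical removal in release.yml, is not explained anywhere in the hunk, and it changes the build (no dependency cache restore on the release runner) in the two jobs that hold `NPM_TOKEN` and `id-token: write`. If the intent is to keep publishing jobs from restoring a cache that other workflows can populate, that is a sound call, but a one-line comment would stop a later maintainer from re-adding the line during cleanup, e.g. `# No cache restore in release jobs: install strictly from the committed lockfile.` The remainder of each job body continues outside the hunk.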
@@ -35,15 +35,15 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up pnpm - uses: pnpm/action-setup@v6 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 with: version: 10 # Use pnpm version 10 - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: "22.x" # Use Node.js 22.x cache: "pnpm"