From b09e2c5e1af98eadd4452632be9ec9c39e06bec3 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 3 Jun 2026 14:32:08 +0200 Subject: [PATCH 1/7] ci: pinned action comments exact versions Signed-off-by: Jan Kowalleck --- .github/workflows/build_docs.yml | 16 ++++++++-------- .github/workflows/bundle_2.0_schemas.yml | 6 ++++-- .../workflows/generate_algorithm_families.yml | 6 ++++-- .github/workflows/test_java.yml | 4 ++-- .github/workflows/test_js.yml | 4 ++-- .github/workflows/test_php.yml | 4 ++-- .github/workflows/test_proto.yml | 2 +- .github/workflows/update_spdx_licenses.yml | 10 +++++----- .github/workflows/zizmor.yml | 2 +- 9 files changed, 29 insertions(+), 25 deletions(-) diff --git a/.github/workflows/build_docs.yml b/.github/workflows/build_docs.yml index e1072e81..b919ba5b 100644 --- a/.github/workflows/build_docs.yml +++ b/.github/workflows/build_docs.yml @@ -21,12 +21,12 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Set up JDK # see https://github.com/actions/setup-java - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: java-version: '21' distribution: 'zulu' @@ -35,7 +35,7 @@ jobs: run: ./gen.sh - name: Archive Schema documentation # https://github.com/actions/upload-artifact - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: XML-Schema-documentation path: docgen/xml/docs 
@@ -48,12 +48,12 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' @@ -61,7 +61,7 @@ jobs: run: ./gen.sh - name: Archive Schema documentation # https://github.com/actions/upload-artifact - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: JSON-Schema-documentation path: docgen/json/docs @@ -74,14 +74,14 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Generate Schema documentation run: ./gen.sh - name: Archive Schema documentation # https://github.com/actions/upload-artifact - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: PROTO-Schema-documentation path: docgen/proto/docs diff --git a/.github/workflows/bundle_2.0_schemas.yml b/.github/workflows/bundle_2.0_schemas.yml index 1fa6790f..5808d63d 100644 --- a/.github/workflows/bundle_2.0_schemas.yml +++ b/.github/workflows/bundle_2.0_schemas.yml 
@@ -19,12 +19,14 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + # see https://github.com/actions/checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Node.js - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + # see https://github.com/actions/setup-node + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: '20' diff --git a/.github/workflows/generate_algorithm_families.yml b/.github/workflows/generate_algorithm_families.yml index ec03cb24..ae5ee2c5 100644 --- a/.github/workflows/generate_algorithm_families.yml +++ b/.github/workflows/generate_algorithm_families.yml @@ -17,13 +17,15 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + # see https://github.com/actions/checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: token: ${{ secrets.GITHUB_TOKEN }} persist-credentials: false - name: Set up Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 + # see https://github.com/actions/setup-python + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.x' diff --git a/.github/workflows/test_java.yml b/.github/workflows/test_java.yml index 5935a22c..061300a8 100644 --- a/.github/workflows/test_java.yml +++ b/.github/workflows/test_java.yml 
@@ -23,12 +23,12 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Set up JDK # see https://github.com/actions/setup-java - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: java-version: '8' distribution: 'zulu' diff --git a/.github/workflows/test_js.yml b/.github/workflows/test_js.yml index ee3db0f0..02e5dcdf 100644 --- a/.github/workflows/test_js.yml +++ b/.github/workflows/test_js.yml @@ -26,12 +26,12 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Node.js # see https://github.com/actions/setup-node - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: '24.x' package-manager-cache: false diff --git a/.github/workflows/test_php.yml b/.github/workflows/test_php.yml index 21dfa042..b761bc7b 100644 --- a/.github/workflows/test_php.yml +++ b/.github/workflows/test_php.yml @@ -26,12 +26,12 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup PHP # see https://github.com/shivammathur/setup-php - uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2 + uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1 with: php-version: "8.4" tools: composer:v2 
diff --git a/.github/workflows/test_proto.yml b/.github/workflows/test_proto.yml index 65847aff..30b9acda 100644 --- a/.github/workflows/test_proto.yml +++ b/.github/workflows/test_proto.yml @@ -26,7 +26,7 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Run test diff --git a/.github/workflows/update_spdx_licenses.yml b/.github/workflows/update_spdx_licenses.yml index 7d4512a6..fe95faa7 100644 --- a/.github/workflows/update_spdx_licenses.yml +++ b/.github/workflows/update_spdx_licenses.yml @@ -23,13 +23,13 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: ref: ${{ github.ref_name }} persist-credentials: false - name: Set up JDK # see https://github.com/actions/setup-java - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: java-version: '21' distribution: 'zulu' @@ -55,7 +55,7 @@ jobs: - name: Artifact changes if: ${{ steps.diff.outputs.changed == 'true' }} # https://github.com/actions/upload-artifact - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: retention-days: 1 name: schema-spdx @@ -75,7 +75,7 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: ref: ${{ github.ref_name }} persist-credentials: false 
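Review bot: The exact version comments added here expose pin drift between workflows rather than resolving it: update_spdx_licenses.yml stays on `actions/checkout@93cb6efe… # v5.0.1`, `actions/upload-artifact@ea165f8d… # v4.6.2` and `actions/download-artifact@634f93cb… # v5.0.0`, while the other workflows in this same patch pin checkout at v6.0.2 and upload-artifact at v6.0.0 (and generate_algorithm_families.yml pins setup-python at v5.6.0 against v6.2.0 in build_docs.yml). Two different SHAs for one action means one of them is not the version anyone is tracking, and Dependabot/Renovate derive their SHA-pin updates from that trailing `# vX.Y.Z` comment, so a comment that does not match the tag the SHA resolves to will quietly steer future bumps wrong. Each new comment should be checked against the remote before it lands, e.g. `git ls-remote --tags https://github.com/actions/checkout | grep 93cb6efe`, and the workflows should converge on a single pinned SHA per action so the next bump is one line per file.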
@@ -95,7 +95,7 @@ jobs: fi - name: Fetch changes # https://github.com/actions/download-artifact - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: schema-spdx path: schema diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 57ae263b..514bb6bc 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -22,7 +22,7 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Run zizmor From 45ea3f85effb09152bbd791327270fab5489ef07 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 3 Jun 2026 14:46:15 +0200 Subject: [PATCH 2/7] chore: adjust zizmor Signed-off-by: Jan Kowalleck --- .github/workflows/zizmor.yml | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 514bb6bc..5abf34f8 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -1,19 +1,14 @@ name: Zizmor on: - pull_request: - paths: - - '.github/workflows/**' - - '.github/dependabot.yml' push: - paths: - - '.github/workflows/**' - - '.github/dependabot.yml' + branches: ['master', 'main'] + pull_request: + branches: ['**'] schedule: - cron: '0 0 * * 6' -permissions: - contents: read +permissions: {} jobs: zizmor: From 731f7adb0a6a8cc54c8a16918de1d1fcce32e120 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 3 Jun 2026 14:47:49 +0200 Subject: [PATCH 3/7] chore: adjust zizmor Signed-off-by: Jan Kowalleck --- .github/workflows/zizmor.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 5abf34f8..a6fdd568 100644 --- a/.github/workflows/zizmor.yml 
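Review bot: Dropping the `paths` filters on `push` and `pull_request` is a deliberate behaviour change that the file should explain, or a later cleanup will put them back: a path-filtered workflow reports no status at all on PRs that do not touch the filtered paths, which makes it unusable as a required check, so running the audit on every push and PR is presumably the intent here. Suggest a comment directly under `on:`, e.g. `# no paths filter on purpose: the job must report a status on every PR to serve as a required check`. Everything below `jobs:` is outside this hunk.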
+++ b/.github/workflows/zizmor.yml @@ -10,6 +10,10 @@ on: permissions: {} +concurrency: + group: '${{ github.workflow }}-${{ github.ref }}' + cancel-in-progress: true + jobs: zizmor: runs-on: ubuntu-latest From 18d6e15bf078d8d152a84afac86e0a29f0bf1a53 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 3 Jun 2026 14:59:56 +0200 Subject: [PATCH 4/7] wip Signed-off-by: Jan Kowalleck --- .github/workflows/zizmor.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index a6fdd568..087c28dd 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -5,6 +5,7 @@ on: branches: ['master', 'main'] pull_request: branches: ['**'] + workflow_dispatch: schedule: - cron: '0 0 * * 6' From 9d83527492f76bf71c65f48a254dfd29987c323a Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 3 Jun 2026 15:02:28 +0200 Subject: [PATCH 5/7] wip Signed-off-by: Jan Kowalleck --- .github/workflows/zizmor.yml | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 087c28dd..f446ae3a 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml 
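Review bot: `cancel-in-progress: true` with a group keyed on `github.ref` does not only affect PR branches: pushes to master/main, `workflow_dispatch` on the default branch and the weekly `schedule` all resolve to the same `refs/heads/<default>` group, so a scheduled audit can cancel (or be cancelled by) a concurrent push run and the superseded default-branch commit ends with a cancelled status instead of a zizmor result. Cancelling stale runs is only wanted for PR updates; suggest `cancel-in-progress: ${{ github.event_name == 'pull_request' }}` so default-branch and scheduled runs always complete. The job body under `jobs:` continues outside this hunk.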
@@ -17,17 +17,26 @@ concurrency: jobs: zizmor: + name: Zizmor runs-on: ubuntu-latest timeout-minutes: 10 + permissions: + contents: read steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - - name: Run zizmor + - name: Run zizmor 🌈 # see https://github.com/zizmorcore/zizmor-action - uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 with: + # advanced-security: false => emit findings as workflow-command annotations (::error file=…) rather than + # uploading a SARIF report to GitHub's Security tab. + # Uploading SARIF requires `security-events: write` and GitHub Advanced Security (GHAS), + # both of which are unnecessary here and would violate the least-privilege policy. + # The two modes are mutually exclusive: advanced-security must be false for + # annotations to take effect. advanced-security: false annotations: true From 88dbd0e54a7185931db5d14f2cf0ce7df53ec1d0 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 3 Jun 2026 15:03:41 +0200 Subject: [PATCH 6/7] wip Signed-off-by: Jan Kowalleck --- .github/workflows/zizmor.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index f446ae3a..6baa00d7 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -25,7 +25,7 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Run zizmor 🌈 From e5069604da335924d60ab361b64e5881c66aa333 Mon Sep 17 00:00:00 2001 
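Review bot: The new comment block explains why SARIF upload is disabled but not what annotation mode does with findings, which is the actual gate this job provides: as far as I recall, zizmor-action only fails the job on findings when `advanced-security` is false, and annotations by themselves carry no status, so please confirm on the pinned action version that a new finding in a PR turns this job red and record that in the comment, e.g. `# with advanced-security disabled the action fails the job on any finding, so this job can be a required check`. Separately, this hunk moves the checkout comment back to `# v6` and the zizmor-action pin down to `5f14fd08… → b1d7e1fb… # v0.5.3`; both are undone again by the last two `wip` commits of this series, so squash them so the downgrade never lands as a standalone commit.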
From: Jan Kowalleck Date: Wed, 3 Jun 2026 15:07:41 +0200 Subject: [PATCH 7/7] wip Signed-off-by: Jan Kowalleck --- .github/workflows/zizmor.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 6baa00d7..03725caf 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -30,7 +30,7 @@ jobs: persist-credentials: false - name: Run zizmor 🌈 # see https://github.com/zizmorcore/zizmor-action - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 with: # advanced-security: false => emit findings as workflow-command annotations (::error file=…) rather than # uploading a SARIF report to GitHub's Security tab.