From 6573846d21fb06fadb4bd9da0737b058ea4c4f69 Mon Sep 17 00:00:00 2001
From: flakey5 <73616808+flakey5@users.noreply.github.com>
Date: Wed, 20 May 2026 19:56:30 -0700
Subject: [PATCH 1/2] Use Zizmor
Re https://discord.com/channels/814038676195115029/977075504760893470/1504917244981805307
Signed-off-by: flakey5 <73616808+flakey5@users.noreply.github.com>
---
 .github/dependabot.yml | 8 ++++----
 .github/workflows/checks.yml | 24 ++++++++++++++++++++++++
 .github/workflows/update-pnpm.yml | 5 +++++
 3 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 17ed62ce..a32fb958 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -14,9 +14,9 @@ updates: day: wednesday time: "00:00" - # Only accept updates that have been published for at least 3 days + # Only accept updates that have been published for at least 7 days cooldown: - default-days: 3 + default-days: 7 # Create a grouped PR for minor/patch updates with majors getting dedicated PRs groups:
@@ -32,9 +32,9 @@ updates: day: wednesday time: "00:00" - # Only accept updates that have been published for at least 3 days + # Only accept updates that have been published for at least 7 days cooldown: - default-days: 3 + default-days: 7 # Allow usage of any registry including npm-github w/ auth as above registries: "*"
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 25e7f26a..cb67ee88 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -4,6 +4,9 @@ on: push: pull_request: +permissions: + contents: read + jobs: types: runs-on: ubuntu-latest
@@ -11,6 +14,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Install pnpm uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 
@@ -36,6 +41,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Install pnpm uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
@@ -61,6 +68,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Install pnpm uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
@@ -79,3 +88,18 @@ jobs: - name: Build extension run: pnpm build + + zizmor: + runs-on: ubuntu-latest + permissions: + security-events: write + contents: read + actions: read + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
diff --git a/.github/workflows/update-pnpm.yml b/.github/workflows/update-pnpm.yml
index 848ba08c..3e61ca4e 100644
--- a/.github/workflows/update-pnpm.yml
+++ b/.github/workflows/update-pnpm.yml
@@ -6,6 +6,9 @@ on: # Run once per week on Monday at midnight, before Dependabot runs on Wednesday - cron: "0 0 * * 1" +permissions: + contents: read + jobs: update: runs-on: ubuntu-latest
@@ -13,6 +16,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Install pnpm uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
From e30f8248eb4d29a40ce4e6a7990223c92e17419d Mon Sep 17 00:00:00 2001
From: Matt Cowley
Date: Sat, 23 May 2026 20:01:39 +0100
Subject: [PATCH 2/2] Apply suggestions from code review
Co-authored-by: Matt Cowley
---
 .github/dependabot.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index a32fb958..1a994c13 100644
--- a/.github/dependabot.yml 
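Review bot: The new `zizmor` job (hunk `@@ -79,3 +88,18 @@` of checks.yml) requests `security-events: write`, but this workflow also runs on unfiltered `pull_request:` events, and on runs triggered from a forked repository the `GITHUB_TOKEN` is read-only, so that permission is not granted and the SARIF upload zizmor-action performs by default will presumably fail while the audit itself passes. If fork PRs are expected, gate the upload on the head repository, e.g. `advanced-security: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}` under a `with:` on the zizmor step, or skip the job for forks with an `if:` on the same expression. The job-level permissions also deserve a one-line comment saying why they exceed the workflow-level `contents: read`, e.g. `# security-events: write is needed for zizmor-action's SARIF upload to code scanning`.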
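Review bot: The workflow-level `permissions: contents: read` together with `persist-credentials: false` on the checkout (both update-pnpm.yml hunks) removes all write access from the `update` job, but its remaining steps are outside these hunks; if one of them commits the pnpm bump, pushes a branch or opens a PR with `GITHUB_TOKEN`, that step will now fail with a permission error. In that case grant the minimum on the job itself — `permissions:` / `  contents: write` / `  pull-requests: write` — and pass the token to the pushing step explicitly, since git no longer carries credentials from checkout. If the job already uses a separate app token or PAT for that, nothing breaks, and a short comment on the checkout such as `# push uses its own token; checkout credentials intentionally not persisted` would make that intent visible to the next reader.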
+++ b/.github/dependabot.yml
@@ -14,7 +14,7 @@ updates: day: wednesday time: "00:00" - # Only accept updates that have been published for at least 7 days + # Only accept updates that have been published for at least a week cooldown: default-days: 7
@@ -32,7 +32,7 @@ updates: day: wednesday time: "00:00" - # Only accept updates that have been published for at least 7 days + # Only accept updates that have been published for at least a week cooldown: default-days: 7