From 85e3477937db1481786e4052dacb5d9bfa969ba1 Mon Sep 17 00:00:00 2001
From: Chun
Date: Wed, 18 Mar 2026 07:15:47 +0000
Subject: [PATCH] chore(ci): switch to OIDC trusted publishing and harden workflows

---
 .github/workflows/codeql-analysis.yml | 8 ++++----
 .github/workflows/examples.yml | 18 ++++++++++--------
 .github/workflows/playwright.yml | 11 +++++++----
 .github/workflows/pr.yml | 9 ++++++---
 .github/workflows/release.yml | 13 +++++++++----
 5 files changed, 36 insertions(+), 23 deletions(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index fc52169..13ca4cb 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -39,11 +39,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -54,7 +54,7 @@ jobs:
     # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3
 
     # â„šī¸ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -68,4 +68,4 @@ jobs:
     # make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/examples.yml b/.github/workflows/examples.yml
index 0c1bd41..d2a4c59 100644
--- a/.github/workflows/examples.yml
+++ b/.github/workflows/examples.yml
@@ -3,20 +3,23 @@ on:
   push:
     branches:
       - main
+permissions:
+  contents: write
+
 jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        node-version: [22]
+        node-version: [24]
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Install pnpm
         uses: pnpm/action-setup@v4
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: ${{ matrix.node-version }}
           cache: 'pnpm'
@@ -25,9 +28,8 @@ jobs:
       - name: Build examples
         run: pnpm gh-predeploy
       - name: Deploy to GitHub Pages
-        uses: JamesIves/github-pages-deploy-action@3.6.2
+        uses: JamesIves/github-pages-deploy-action@v4
         with:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          BRANCH: gh-pages
-          FOLDER: demo/examples
-          CLEAN: true
+          branch: gh-pages
+          folder: demo/examples
+          clean: true
diff --git a/.github/workflows/playwright.yml b/.github/workflows/playwright.yml
index ec256b7..cdca801 100644
--- a/.github/workflows/playwright.yml
+++ b/.github/workflows/playwright.yml
@@ -4,19 +4,22 @@ on:
     branches: [main]
   pull_request:
     branches: [main]
+permissions:
+  contents: read
+
 jobs:
   test:
     timeout-minutes: 60
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        node-version: [22]
+        node-version: [24]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Install pnpm
         uses: pnpm/action-setup@v4
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: ${{ matrix.node-version }}
           cache: 'pnpm'
@@ -26,7 +29,7 @@ jobs:
         run: pnpm playwright install --with-deps
       - name: Run Playwright tests
         run: pnpm playwright test
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v5
         if: always()
         with:
           name: playwright-report
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index d671960..e0230cb 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
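Review bot: The `uses:` references bumped in this hunk (`actions/checkout@v5`, `actions/setup-node@v6`, next to the unchanged `pnpm/action-setup@v4`) still resolve mutable major tags, so a commit described as hardening leaves the main supply-chain control for actions unaddressed: pinning each action to a full-length commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v5`. The same applies to every `uses:` line in codeql-analysis.yml, playwright.yml, pr.yml and release.yml, and most of all to the third-party `JamesIves/github-pages-deploy-action@v4` in the next hunk, which now runs under the workflow-level `contents: write` token added here. Dependabot's `github-actions` ecosystem keeps SHA pins current, so the maintenance cost is small. Since `release` is the only job, the workflow-level grant is equivalent to a job-level one today, but placing `permissions` under the job keeps the write scope from silently extending to jobs added later.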
@@ -2,19 +2,22 @@ name: PR
 on: [pull_request]
 
 
+permissions:
+  contents: read
+
 jobs:
   install-build-and-test:
     name: Install, build and test PR
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        node-version: [22]
+        node-version: [24]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Install pnpm
         uses: pnpm/action-setup@v4
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: ${{ matrix.node-version }}
           cache: 'pnpm'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 35acdce..5b3ba1b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,20 +7,26 @@ on:
       - alpha
       - experimental
 
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+  id-token: write
+
 jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        node-version: [22]
+        node-version: [24]
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Install pnpm
         uses: pnpm/action-setup@v4
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: ${{ matrix.node-version }}
           cache: 'pnpm'
@@ -37,5 +43,4 @@ jobs:
       - name: Release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: pnpm semantic-release
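Review bot: The new `permissions` block in release.yml grants four write scopes at workflow level with nothing recording which consumer needs each, and `id-token: write` is the scope that turns this job's identity into a publishing credential, so a one-line comment per scope would let the next reviewer verify least privilege: `contents: write  # semantic-release pushes the release tag`, `issues: write` and `pull-requests: write  # presumably for semantic-release's GitHub plugin comments - confirm`, `id-token: write  # npm OIDC trusted publishing, replaces NPM_TOKEN`. Because the block sits at workflow scope it also applies to any job added later; moving it under `jobs.release` keeps the write scopes bound to the only job that runs `pnpm semantic-release`. The OIDC token is only accepted if a trusted publisher matching this repository and the workflow filename is configured on the registry side, which this diff cannot show, so that prerequisite is worth recording in the same comment.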
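Review bot: Removing `NPM_TOKEN: ${{ secrets.NPM_TOKEN }}` from the Release step's `env` stops the workflow using the token but does not invalidate it; the repository secret should be deleted and the underlying npm token revoked on the registry, otherwise a long-lived publish credential stays live with no workflow left to justify it. Trusted publishing also depends on the npm CLI that semantic-release ends up invoking being recent enough (npm 11.5.1 or later); the bundled npm of the Node 24 matrix entry should satisfy that, but it is worth confirming from the first run's log rather than assuming. Keeping `GITHUB_TOKEN` in the step is correct, since the GitHub release and tag push still need it.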