diff --git a/.github/matchers/actionlint.json b/.github/matchers/actionlint.json deleted file mode 100644 index 4613e16..0000000 --- a/.github/matchers/actionlint.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "problemMatcher": [ - { - "owner": "actionlint", - "pattern": [ - { - "regexp": "^(?:\\x1b\\[\\d+m)?(.+?)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*: (?:\\x1b\\[\\d+m)*(.+?)(?:\\x1b\\[\\d+m)* \\[(.+?)\\]$", - "file": 1, - "line": 2, - "column": 3, - "message": 4, - "code": 5 - } - ] - } - ] -} diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml deleted file mode 100644 index dd19d10..0000000 --- a/.github/workflows/actionlint.yml +++ /dev/null @@ -1,43 +0,0 @@ -name: actionlint - -on: - push: - branches: [main] - pull_request: - -jobs: - actionlint: - runs-on: ubuntu-latest - - env: - GO_VERSION: ~1.23 - ACTIONLINT_VERSION: v1.7.7 - - steps: - # Set up Go so we can build actionlint from the source - - uses: actions/setup-go@v5 - with: - go-version: ${{ env.GO_VERSION }} - - # Cache it so we don't have to download it every time - - name: cache actionlint - uses: actions/cache@v4 - id: cache - with: - path: /root/go/bin/actionlint - key: actionlint-${{ runner.os }}-${{ env.GO_VERSION }}-${{ env.ACTIONLINT_VERSION }} - - # Install it from a GitHub link with commit hash, meaning we're building it from source from a known version - - name: install from source - if: ${{ !steps.cache.outputs.cache-hit }} - run: go install github.com/rhysd/actionlint/cmd/actionlint@${{ env.ACTIONLINT_VERSION }} - - - uses: actions/checkout@v4 - - # Add matcher so we get annotations in PRs - - name: add matcher - run: echo "::add-matcher::.github/matchers/actionlint.json" - - # Run it! - - name: lint workflow files - run: actionlint diff --git a/.github/workflows/changesets.yml b/.github/workflows/changesets.yml index 1152e77..ee6c40a 100644 --- a/.github/workflows/changesets.yml 
+++ b/.github/workflows/changesets.yml @@ -9,26 +9,29 @@ on: workflow_dispatch: permissions: - contents: write - pull-requests: write - id-token: write + contents: read jobs: changesets: runs-on: ubuntu-latest + concurrency: + group: changesets + cancel-in-progress: true + permissions: - contents: write - id-token: write - issues: read - pull-requests: write + contents: write # pushing tags + id-token: write # oidc token & provenance for npm + issues: read # finding issues and prs for changelog + pull-requests: write # to create release pr steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 with: + persist-credentials: false fetch-depth: 0 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6 with: node-version: 22 @@ -38,7 +41,7 @@ jobs: id: cache run: echo "path=$(pnpm store path)" >> "$GITHUB_OUTPUT" - - uses: actions/cache@v4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ${{ steps.cache.outputs.path }} key: v1-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }} @@ -53,7 +56,7 @@ jobs: - name: Update release PR / Publish packages to `npm` id: changesets - uses: changesets/action@v1 + uses: changesets/action@e0145edc7d9d8679003495b11f87bd8ef63c0cba # v1.5.3 with: title: Release commit: Release new version diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6948501..649ccfe 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,14 +6,19 @@ on: - main pull_request: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 + with: + persist-credentials: false - - uses: actions/setup-node@v4 + - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6 with: node-version: 22 
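Review bot: `cancel-in-progress: true` in the new `concurrency` block of the `changesets` job can abort a run that is already releasing. This is the job whose later step is "Update release PR / Publish packages to `npm`" and whose permissions are annotated as "pushing tags". A run cancelled partway through could leave packages on the registry without their tags or the release PR update. For a release job I would serialise without cancelling: `cancel-in-progress: false`. The job body continues outside this hunk.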
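Review bot: The release job still restores the pnpm store through `actions/cache` with the key `v1-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}`, which is the same key every job in ci.yml uses. The job holding `id-token: write` and `contents: write` may therefore install from a store saved by a lower-privilege workflow run, and pinning the action to a SHA does not change that. Consider dropping the cache step from this workflow or isolating it with its own prefix, e.g. `key: v1-release-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}`. Any `restore-keys` below the hunk would need the same prefix; the step continues outside the hunk.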
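Review bot: The version comments on the new SHA pins are inconsistent. The `actions/checkout` and `actions/setup-node` pins are annotated `# v6`, a moving major tag, while `actions/cache` and `changesets/action` carry exact releases (`# v4.3.0`, `# v1.5.3`). A major-only comment cannot be checked against the SHA later and gives update tooling less to work with. I would record the exact tag the SHA was taken from, e.g. `# v6.x.y` with the real release filled in. The same applies to `upload-artifact # v5` and `download-artifact # v6` in the later ci.yml hunks, and to the checkout and setup-node pins in changesets.yml and zizmor.yml.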
@@ -23,7 +28,7 @@ jobs: id: cache run: echo "path=$(pnpm store path)" >> "$GITHUB_OUTPUT" - - uses: actions/cache@v4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ${{ steps.cache.outputs.path }} key: v1-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }} @@ -37,7 +42,7 @@ jobs: - run: pnpm publint - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5 with: name: dist path: dist/ @@ -47,14 +52,16 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 + with: + persist-credentials: false - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 with: name: dist path: dist/ - - uses: actions/setup-node@v4 + - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6 with: node-version: 22 @@ -64,7 +71,7 @@ jobs: id: cache run: echo "path=$(pnpm store path)" >> "$GITHUB_OUTPUT" - - uses: actions/cache@v4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ${{ steps.cache.outputs.path }} key: v1-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }} @@ -82,9 +89,11 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 + with: + persist-credentials: false - - uses: actions/setup-node@v4 + - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6 with: node-version: 22 @@ -94,7 +103,7 @@ jobs: id: cache run: echo "path=$(pnpm store path)" >> "$GITHUB_OUTPUT" - - uses: actions/cache@v4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ${{ steps.cache.outputs.path }} key: v1-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }} 
@@ -110,9 +119,11 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 + with: + persist-credentials: false - - uses: actions/setup-node@v4 + - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6 with: node-version: 22 @@ -122,7 +133,7 @@ jobs: id: cache run: echo "path=$(pnpm store path)" >> "$GITHUB_OUTPUT" - - uses: actions/cache@v4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ${{ steps.cache.outputs.path }} key: v1-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }} @@ -146,14 +157,16 @@ jobs: runs-on: ${{ matrix.runner }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 + with: + persist-credentials: false - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 with: name: dist path: dist/ - - uses: actions/setup-node@v4 + - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6 with: node-version: ${{ matrix.node }} @@ -164,7 +177,7 @@ jobs: run: echo "path=$(pnpm store path)" >> "$GITHUB_OUTPUT" shell: bash - - uses: actions/cache@v4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ${{ steps.cache.outputs.path }} key: v1-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }} diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..0e5989e --- /dev/null +++ b/.github/workflows/zizmor.yml 
@@ -0,0 +1,36 @@ +name: zizmor + +on: + push: + branches: [main] + paths: [.github/workflows/*] + pull_request: + paths: [.github/workflows/*] + +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +jobs: + lint-workflows: + runs-on: ubuntu-latest + + permissions: + contents: read # only required in private repos + actions: read # only required in private repos + security-events: write # allow writing security events + + steps: + - name: Checkout repository + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0 + with: + annotations: true + advanced-security: false diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000..74cea03 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,3 @@ +rules: + anonymous-definition: + disable: true diff --git a/bench/package.json b/bench/package.json index ab82971..d743fe8 100644 --- a/bench/package.json +++ b/bench/package.json @@ -3,13 +3,13 @@ "type": "module", "private": true, "version": "0.0.0", - "packageManager": "pnpm@10.10.0", + "packageManager": "pnpm@10.23.0", "scripts": { "bench": "node --experimental-strip-types bench.ts" }, "devDependencies": { "mitata": "1.0.34", "tinywhich": "link:../", - "which": "5.0.0" + "which": "6.0.0" } } diff --git a/bench/pnpm-lock.yaml b/bench/pnpm-lock.yaml index 4fd8cfc..8ebd3ac 100644 --- a/bench/pnpm-lock.yaml +++ b/bench/pnpm-lock.yaml @@ -15,8 +15,8 @@ importers: specifier: link:../ version: link:.. which: - specifier: 5.0.0 - version: 5.0.0 + specifier: 6.0.0 + version: 6.0.0 packages: 
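Review bot: `security-events: write` on `lint-workflows` looks unused. The step sets `advanced-security: false` and reports through `annotations: true`, so no upload to code scanning should take place. Dropping that line leaves the job with read-only scopes, in keeping with the rest of this commit. Separately, both `paths: [.github/workflows/*]` filters mean a change to `.github/zizmor.yml` alone, such as disabling another rule, never re-runs the audit. I would extend both filters to `paths: [.github/workflows/*, .github/zizmor.yml]`.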
@@ -27,9 +27,9 @@ packages: mitata@1.0.34: resolution: {integrity: sha512-Mc3zrtNBKIMeHSCQ0XqRLo1vbdIx1wvFV9c8NJAiyho6AjNfMY8bVhbS12bwciUdd1t4rj8099CH3N3NFahaUA==} - which@5.0.0: - resolution: {integrity: sha512-JEdGzHwwkrbWoGOlIHqQ5gtprKGOenpDHpxE9zVR1bWbOtYRyPPHMe9FaP6x61CmNaTThSkb0DAJte5jD+DmzQ==} - engines: {node: ^18.17.0 || >=20.5.0} + which@6.0.0: + resolution: {integrity: sha512-f+gEpIKMR9faW/JgAgPK1D7mekkFoqbmiwvNzuhsHetni20QSgzg9Vhn0g2JSJkkfehQnqdUAx7/e15qS1lPxg==} + engines: {node: ^20.17.0 || >=22.9.0} hasBin: true snapshots: @@ -38,6 +38,6 @@ snapshots: mitata@1.0.34: {} - which@5.0.0: + which@6.0.0: dependencies: isexe: 3.1.1