From 42791bd58a0b53f7107215537b02c82fe7cd74c2 Mon Sep 17 00:00:00 2001 From: Adam Date: Sat, 22 Nov 2025 01:15:27 +0100 Subject: [PATCH 1/3] update which to v6 in benchmark --- bench/package.json | 4 ++-- bench/pnpm-lock.yaml | 12 ++++++------ 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/bench/package.json b/bench/package.json index ab82971..d743fe8 100644 --- a/bench/package.json +++ b/bench/package.json @@ -3,13 +3,13 @@ "type": "module", "private": true, "version": "0.0.0", - "packageManager": "pnpm@10.10.0", + "packageManager": "pnpm@10.23.0", "scripts": { "bench": "node --experimental-strip-types bench.ts" }, "devDependencies": { "mitata": "1.0.34", "tinywhich": "link:../", - "which": "5.0.0" + "which": "6.0.0" } } diff --git a/bench/pnpm-lock.yaml b/bench/pnpm-lock.yaml index 4fd8cfc..8ebd3ac 100644 --- a/bench/pnpm-lock.yaml +++ b/bench/pnpm-lock.yaml @@ -15,8 +15,8 @@ importers: specifier: link:../ version: link:.. which: - specifier: 5.0.0 - version: 5.0.0 + specifier: 6.0.0 + version: 6.0.0 packages: @@ -27,9 +27,9 @@ packages: mitata@1.0.34: resolution: {integrity: sha512-Mc3zrtNBKIMeHSCQ0XqRLo1vbdIx1wvFV9c8NJAiyho6AjNfMY8bVhbS12bwciUdd1t4rj8099CH3N3NFahaUA==} - which@5.0.0: - resolution: {integrity: sha512-JEdGzHwwkrbWoGOlIHqQ5gtprKGOenpDHpxE9zVR1bWbOtYRyPPHMe9FaP6x61CmNaTThSkb0DAJte5jD+DmzQ==} - engines: {node: ^18.17.0 || >=20.5.0} + which@6.0.0: + resolution: {integrity: sha512-f+gEpIKMR9faW/JgAgPK1D7mekkFoqbmiwvNzuhsHetni20QSgzg9Vhn0g2JSJkkfehQnqdUAx7/e15qS1lPxg==} + engines: {node: ^20.17.0 || >=22.9.0} hasBin: true snapshots: @@ -38,6 +38,6 @@ snapshots: mitata@1.0.34: {} - which@5.0.0: + which@6.0.0: dependencies: isexe: 3.1.1 From 749c572c64cd71b4702d1583a21adfbf39d3b8ee Mon Sep 17 00:00:00 2001 
From: Adam
Date: Sat, 22 Nov 2025 01:29:01 +0100
Subject: [PATCH 2/3] update workflows
---
.github/matchers/actionlint.json | 17 -------------
.github/workflows/actionlint.yml | 43 --------------------------------
.github/workflows/changesets.yml | 8 +++---
.github/workflows/ci.yml | 36 +++++++++++++-------------
.github/workflows/zizmor.yml | 37 +++++++++++++++++++++++++++
5 files changed, 59 insertions(+), 82 deletions(-)
delete mode 100644 .github/matchers/actionlint.json
delete mode 100644 .github/workflows/actionlint.yml
create mode 100644 .github/workflows/zizmor.yml
diff --git a/.github/matchers/actionlint.json b/.github/matchers/actionlint.json
deleted file mode 100644
index 4613e16..0000000
--- a/.github/matchers/actionlint.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "problemMatcher": [
- {
- "owner": "actionlint",
- "pattern": [
- {
- "regexp": "^(?:\\x1b\\[\\d+m)?(.+?)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*: (?:\\x1b\\[\\d+m)*(.+?)(?:\\x1b\\[\\d+m)* \\[(.+?)\\]$",
- "file": 1,
- "line": 2,
- "column": 3,
- "message": 4,
- "code": 5
- }
- ]
- }
- ]
-}
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
deleted file mode 100644
index dd19d10..0000000
--- a/.github/workflows/actionlint.yml
+++ /dev/null
@@ -1,43 +0,0 @@ -name: actionlint - -on: - push: - branches: [main] - pull_request: - -jobs: - actionlint: - runs-on: ubuntu-latest - - env: - GO_VERSION: ~1.23 - ACTIONLINT_VERSION: v1.7.7 - - steps: - # Set up Go so we can build actionlint from the source - - uses: actions/setup-go@v5 - with: - go-version: ${{ env.GO_VERSION }} - - # Cache it so we don't have to download it every time - - name: cache actionlint - uses: actions/cache@v4 - id: cache - with: - path: /root/go/bin/actionlint - key: actionlint-${{ runner.os }}-${{ env.GO_VERSION }}-${{ env.ACTIONLINT_VERSION }} - - # Install it from a GitHub link with commit hash, meaning we're building it from source from a known version - - name: install from source - if: ${{ !steps.cache.outputs.cache-hit }} - run: go install github.com/rhysd/actionlint/cmd/actionlint@${{ env.ACTIONLINT_VERSION }} - - - uses: actions/checkout@v4 - - # Add matcher so we get annotations in PRs - - name: add matcher - run: echo "::add-matcher::.github/matchers/actionlint.json" - - # Run it! - - name: lint workflow files - run: actionlint diff --git a/.github/workflows/changesets.yml b/.github/workflows/changesets.yml index 1152e77..44b6145 100644 --- a/.github/workflows/changesets.yml +++ b/.github/workflows/changesets.yml @@ -24,11 +24,11 @@ jobs: pull-requests: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 with: fetch-depth: 0 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6 with: node-version: 22 @@ -38,7 +38,7 @@ jobs: id: cache run: echo "path=$(pnpm store path)" >> "$GITHUB_OUTPUT" - - uses: actions/cache@v4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ${{ steps.cache.outputs.path }} key: v1-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }} 
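Review bot: In the changesets.yml hunk at `@@ -24,11 +24,11 @@`, the version comments on the pinned checkout and setup-node steps name only a moving major tag (`# v6`), while the cache and changesets/action pins in the same file record the exact release (`# v4.3.0`, `# v1.5.3`). A major tag can be re-pointed, so the comment stops describing the SHA beside it and a reviewer cannot tell which release was audited; write the exact tag the commit belongs to, in the form `uses: actions/checkout@<sha> # vX.Y.Z`. The same applies to the `# v5` and `# v6` comments on upload-artifact, download-artifact, checkout and setup-node in the ci.yml hunks of this patch. The commit also moves several actions across major versions while pinning them, which would be easier to review as a separate change.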
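Review bot: The `actions/cache` step pinned in the changesets.yml hunk at `@@ -38,7 +38,7 @@` restores the pnpm store in the job that later publishes to npm, under the same key (`v1-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}`) that the cache steps in ci.yml use. Pinning the action does not cover what the cache contains: the release job installs from whatever another run on the default branch saved under that key, and the context lines of this file show the job holds write permissions. Consider dropping the cache from the release job, or giving it a key of its own such as `key: release-v1-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}`. The step continues outside the hunk, so whether a `restore-keys` fallback widens the match is not visible here.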
@@ -53,7 +53,7 @@ jobs: - name: Update release PR / Publish packages to `npm` id: changesets - uses: changesets/action@v1 + uses: changesets/action@e0145edc7d9d8679003495b11f87bd8ef63c0cba # v1.5.3 with: title: Release commit: Release new version diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6948501..de4b994 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,9 +11,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6 with: node-version: 22 @@ -23,7 +23,7 @@ jobs: id: cache run: echo "path=$(pnpm store path)" >> "$GITHUB_OUTPUT" - - uses: actions/cache@v4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ${{ steps.cache.outputs.path }} key: v1-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }} @@ -37,7 +37,7 @@ jobs: - run: pnpm publint - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5 with: name: dist path: dist/ @@ -47,14 +47,14 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 with: name: dist path: dist/ - - uses: actions/setup-node@v4 + - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6 with: node-version: 22 @@ -64,7 +64,7 @@ jobs: id: cache run: echo "path=$(pnpm store path)" >> "$GITHUB_OUTPUT" - - uses: actions/cache@v4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ${{ steps.cache.outputs.path }} key: v1-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }} 
@@ -82,9 +82,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6 with: node-version: 22 @@ -94,7 +94,7 @@ jobs: id: cache run: echo "path=$(pnpm store path)" >> "$GITHUB_OUTPUT" - - uses: actions/cache@v4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ${{ steps.cache.outputs.path }} key: v1-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }} @@ -110,9 +110,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6 with: node-version: 22 @@ -122,7 +122,7 @@ jobs: id: cache run: echo "path=$(pnpm store path)" >> "$GITHUB_OUTPUT" - - uses: actions/cache@v4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ${{ steps.cache.outputs.path }} key: v1-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }} @@ -146,14 +146,14 @@ jobs: runs-on: ${{ matrix.runner }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 with: name: dist path: dist/ - - uses: actions/setup-node@v4 + - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6 with: node-version: ${{ matrix.node }} @@ -164,7 +164,7 @@ jobs: run: echo "path=$(pnpm store path)" >> "$GITHUB_OUTPUT" shell: bash - - uses: actions/cache@v4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ${{ steps.cache.outputs.path }} key: v1-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }} 
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..6300ad3
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,37 @@
+name: zizmor
+
+on:
+ push:
+ branches: [main]
+ paths: [.github/workflows/*]
+ pull_request:
+ paths: [.github/workflows/*]
+
+permissions:
+ contents: read
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ lint-workflows:
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read # only required in private repos
+ actions: read # only required in private repos
+ security-events: write # allow writing security events
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
+ with:
+ persona: pedantic
+ annotations: true
+ advanced-security: false
From b5e0d0eda0fc6b02856bc7e84dd2dca616c227f1 Mon Sep 17 00:00:00 2001
From: Adam
Date: Sat, 22 Nov 2025 01:38:40 +0100
Subject: [PATCH 3/3] fix zizmor issues
---
.github/workflows/changesets.yml | 17 ++++++++++-------
.github/workflows/ci.yml | 13 +++++++++++++
.github/workflows/zizmor.yml | 1 -
.github/zizmor.yml | 3 +++
4 files changed, 26 insertions(+), 8 deletions(-)
create mode 100644 .github/zizmor.yml
diff --git a/.github/workflows/changesets.yml b/.github/workflows/changesets.yml
index 44b6145..ee6c40a 100644
--- a/.github/workflows/changesets.yml
+++ b/.github/workflows/changesets.yml
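Review bot: In the new .github/workflows/zizmor.yml, the `lint-workflows` job requests `security-events: write` while the zizmor step sets `advanced-security: false`. With that setting the findings appear to be reported as annotations only, so the scope that exists for uploading code-scanning results looks unused. Drop the `security-events: write # allow writing security events` line so the job keeps just `contents: read` and `actions: read`, and add the scope back only if `advanced-security` is later switched on.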
@@ -9,23 +9,26 @@ on: workflow_dispatch: permissions: - contents: write - pull-requests: write - id-token: write + contents: read jobs: changesets: runs-on: ubuntu-latest + concurrency: + group: changesets + cancel-in-progress: true + permissions: - contents: write - id-token: write - issues: read - pull-requests: write + contents: write # pushing tags + id-token: write # oidc token & provenance for npm + issues: read # finding issues and prs for changelog + pull-requests: write # to create release pr steps: - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 with: + persist-credentials: false fetch-depth: 0 - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index de4b994..649ccfe 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,12 +6,17 @@ on: - main pull_request: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest steps: - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 + with: + persist-credentials: false - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6 with: @@ -48,6 +53,8 @@ jobs: steps: - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 + with: + persist-credentials: false - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 with: @@ -83,6 +90,8 @@ jobs: steps: - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 + with: + persist-credentials: false - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6 with: @@ -111,6 +120,8 @@ jobs: steps: - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 + with: + persist-credentials: false - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6 with: 
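Review bot: In the changesets.yml hunk at `@@ -9,23 +9,26 @@`, `cancel-in-progress: true` on the new `changesets` concurrency group lets a later push cancel a run that is in the middle of publishing, which can leave packages on npm without their tags or the release PR update. For a job that publishes, queueing is safer than cancelling: keep `group: changesets` and set `cancel-in-progress: false`. Since checkout now sets `persist-credentials: false`, it is also worth confirming on a test run that the changesets step still pushes with the token it is given; that step lies outside this hunk.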
@@ -147,6 +158,8 @@ jobs: steps: - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 + with: + persist-credentials: false - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 with: diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 6300ad3..0e5989e 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -32,6 +32,5 @@ jobs: - name: Run zizmor 🌈 uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0 with: - persona: pedantic annotations: true advanced-security: false diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000..74cea03 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,3 @@ +rules: + anonymous-definition: + disable: true
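Review bot: The new .github/zizmor.yml disables `anonymous-definition` with no comment saying why, and the `paths: [.github/workflows/*]` filters in the zizmor workflow do not cover this file, so a later edit that switches off further audits would not trigger a lint run. Add a one-line comment above the rule stating the reason, and extend both filters to `paths: ['.github/workflows/*', '.github/zizmor.yml']`. If `anonymous-definition` is only reported under the pedantic persona, which the preceding hunk removes, the override may no longer be needed at all.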