diff --git a/.github/workflows/check-pr.yml b/.github/workflows/check-pr.yml index bc2aacc8..1382ccb9 100644 --- a/.github/workflows/check-pr.yml +++ b/.github/workflows/check-pr.yml @@ -1,6 +1,13 @@ name: Check Pull Requests +# Set the permissions of the github token to the minimum and only enable what is needed +# See https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions +permissions: {} + on: + # this workflow is required to be run on pull_request_target as it modifies the PR comments + # care should be taken that the jobs do not run any untrusted input + # zizmor: ignore[dangerous-triggers] pull_request_target: types: - opened @@ -8,23 +15,21 @@ on: - synchronize - labeled - unlabeled - merge_group: - -permissions: - pull-requests: write jobs: check-title: + permissions: + pull-requests: write runs-on: ubuntu-latest steps: - name: Check PR title if: github.event_name == 'pull_request_target' - uses: amannn/action-semantic-pull-request@v5 + uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5 id: check_pr_title env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Add comment indicating we require pull request titles to follow conventional commits specification - - uses: marocchino/sticky-pull-request-comment@v2 + - uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2 if: always() && (steps.check_pr_title.outputs.error_message != null) with: header: pr-title-lint-error 
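Review bot: The step condition `if: github.event_name == 'pull_request_target'` on the Check PR title step is now dead code, because this hunk removes the `merge_group:` trigger and `pull_request_target` is the only event left on this workflow; either drop the line or keep it with a comment such as `# kept so the step stays guarded if another trigger is added later`. The new `# zizmor: ignore[dangerous-triggers]` is justified by the comment above it only as long as every job keeps the PR's untrusted fields out of `run:` bodies and expressions; it would help the next editor to extend that comment with where the title is actually consumed (the `PR_TITLE` env var in check-breaking-change-label is the one place visible in this diff). The check-title job continues past the end of this hunk.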
@@ -39,40 +44,42 @@ jobs: # Delete a previous comment when the issue has been resolved - if: ${{ steps.check_pr_title.outputs.error_message == null }} - uses: marocchino/sticky-pull-request-comment@v2 + uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2 with: header: pr-title-lint-error delete: true check-breaking-change-label: + permissions: + pull-requests: write runs-on: ubuntu-latest env: # use an environment variable to pass untrusted input to the script # see https://securitylab.github.com/research/github-actions-untrusted-input/ PR_TITLE: ${{ github.event.pull_request.title }} steps: - - name: Check breaking change label - id: check_breaking_change - run: | - pattern='^(build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test)(\(\w+\))?!:' - # Check if pattern matches - if echo "${PR_TITLE}" | grep -qE "$pattern"; then - echo "breaking_change=true" >> $GITHUB_OUTPUT - else - echo "breaking_change=false" >> $GITHUB_OUTPUT - fi - - name: Add label - if: steps.check_breaking_change.outputs.breaking_change == 'true' - uses: actions/github-script@v7 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - github.rest.issues.addLabels({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - labels: ['Type: Breaking Change'] - }) + - name: Check breaking change label + id: check_breaking_change + run: | + pattern='^(build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test)(\(\w+\))?!:' + # Check if pattern matches + if echo "${PR_TITLE}" | grep -qE "$pattern"; then + echo "breaking_change=true" >> $GITHUB_OUTPUT + else + echo "breaking_change=false" >> $GITHUB_OUTPUT + fi + - name: Add label + if: steps.check_breaking_change.outputs.breaking_change == 'true' + uses: actions/github-script@v7 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + github.rest.issues.addLabels({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: 
context.repo.repo, + labels: ['Type: Breaking Change'] + }) do-not-merge: if: ${{ contains(github.event.*.labels.*.name, 'do not merge') }} diff --git a/.github/workflows/check-semver.yml b/.github/workflows/check-semver.yml index b443354d..27de05c3 100644 --- a/.github/workflows/check-semver.yml +++ b/.github/workflows/check-semver.yml @@ -1,5 +1,9 @@ name: Check Semver +# Set the permissions of the github token to the minimum and only enable what is needed +# See https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions +permissions: {} + on: pull_request: branches: @@ -11,6 +15,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false - name: Check semver - uses: obi1kenobi/cargo-semver-checks-action@v2 + uses: obi1kenobi/cargo-semver-checks-action@5b298c9520f7096a4683c0bd981a7ac5a7e249ae # v2 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e086a7e0..de9dcc4c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,5 +1,9 @@ name: Continuous Integration +# Set the permissions of the github token to the minimum and only enable what is needed +# See https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions +permissions: {} + on: # Allows you to run this workflow manually from the Actions tab workflow_dispatch: 
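Review bot: `uses: actions/github-script@v7` in the re-indented Add label step is still a mutable tag while every other action in this commit is pinned to a full commit SHA, and with zizmor now enabled in this repository it will presumably surface as an unpinned-uses finding. Pin it the same way as the others, e.g. `uses: actions/github-script@<full commit SHA> # v7`. For consistency with the quoted `"${PR_TITLE}"` in the same script, the two redirects would also read better as `>> "$GITHUB_OUTPUT"`. The do-not-merge job at the end of the hunk continues outside it.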
@@ -25,11 +29,15 @@ jobs: name: Check Formatting runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: dtolnay/rust-toolchain@nightly - with: { components: rustfmt } - - uses: Swatinem/rust-cache@v2 - - uses: taiki-e/install-action@v2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master + with: + toolchain: nightly + components: rustfmt + - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2 + - uses: taiki-e/install-action@491d37bbaa844af8400b3595395e1bca723e6141 # v2 with: tool: taplo-cli - run: cargo xtask format --check @@ -40,8 +48,10 @@ jobs: name: Check Typos runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: crate-ci/typos@master + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false + - uses: crate-ci/typos@392b78fe18a52790c53f42456e46124f77346842 # master # Check for any disallowed dependencies in the codebase due to license / security issues. # See @@ -49,9 +59,15 @@ jobs: name: Check Dependencies runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: dtolnay/rust-toolchain@stable - - uses: taiki-e/install-action@cargo-deny + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master + with: + toolchain: stable + - uses: taiki-e/install-action@491d37bbaa844af8400b3595395e1bca723e6141 # v2 + with: + tool: cargo-deny - run: cargo deny --log-level info --all-features check # Check for any unused dependencies in the codebase. 
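Review bot: `tool: cargo-deny` in the Check Dependencies job installs whatever the newest cargo-deny release is at run time, so the job's behaviour can drift without any change in this repository even though the install action itself is now SHA-pinned; the same applies to the taiki-e/install-action steps for cargo-llvm-cov and cargo-rdme in the later ci.yml hunks. If reproducible CI is the goal of this commit, pin the tool versions as well, e.g. `tool: cargo-deny@<version>`, and bump them through the same dependency-update process as the action SHAs.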
@@ -60,8 +76,10 @@ jobs: name: Check Unused Dependencies runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: bnjbvr/cargo-machete@v0.8.0 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false + - uses: bnjbvr/cargo-machete@b54422fa3319b3cac180f6030b663fe57af51635 # v0.8.0 # Run cargo clippy. # @@ -77,12 +95,14 @@ jobs: toolchain: ["stable", "beta"] continue-on-error: ${{ matrix.toolchain == 'beta' }} steps: - - uses: actions/checkout@v4 - - uses: dtolnay/rust-toolchain@master + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master with: toolchain: ${{ matrix.toolchain }} components: clippy - - uses: Swatinem/rust-cache@v2 + - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2 - run: cargo xtask clippy # Run markdownlint on all markdown files in the repository. @@ -90,8 +110,10 @@ jobs: name: Check Markdown runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: DavidAnson/markdownlint-cli2-action@v20 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false + - uses: DavidAnson/markdownlint-cli2-action@992badcdf24e3b8eb7e87ff9287fe931bcb00c6e # v20 with: globs: | '**/*.md' 
@@ -103,14 +125,19 @@ jobs: name: Coverage Report runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: dtolnay/rust-toolchain@stable + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master + with: + toolchain: stable components: llvm-tools - - uses: taiki-e/install-action@cargo-llvm-cov - - uses: Swatinem/rust-cache@v2 + - uses: taiki-e/install-action@491d37bbaa844af8400b3595395e1bca723e6141 # v2 + with: + tool: cargo-llvm-cov + - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2 - run: cargo xtask coverage - - uses: codecov/codecov-action@v5 + - uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5 with: token: ${{ secrets.CODECOV_TOKEN }} fail_ci_if_error: true 
@@ -125,22 +152,27 @@ jobs: toolchain: ["1.85.0", "stable"] runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 - - uses: dtolnay/rust-toolchain@master + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master with: toolchain: ${{ matrix.toolchain }} - - uses: Swatinem/rust-cache@v2 + - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2 - run: cargo xtask check --all-features build-no-std: name: Build No-Std runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: dtolnay/rust-toolchain@stable + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master + with: + toolchain: stable targets: x86_64-unknown-none - - uses: Swatinem/rust-cache@v2 + - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2 # This makes it easier to debug the exact versions of the dependencies - run: cargo tree --target x86_64-unknown-none -p ratatui-core - run: cargo tree --target x86_64-unknown-none -p ratatui-widgets @@ -156,9 +188,13 @@ jobs: name: Check README runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: Swatinem/rust-cache@v2 - - uses: taiki-e/install-action@cargo-rdme + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false + - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2 + - uses: taiki-e/install-action@491d37bbaa844af8400b3595395e1bca723e6141 # v2 + with: + tool: cargo-rdme - run: cargo xtask readme --check # Run cargo rustdoc with the same options that would be used by docs.rs, taking into account the 
@@ -169,10 +205,16 @@ jobs: env: RUSTDOCFLAGS: -Dwarnings steps: - - uses: actions/checkout@v4 - - uses: dtolnay/rust-toolchain@nightly - - uses: dtolnay/install@cargo-docs-rs - - uses: Swatinem/rust-cache@v2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master + with: + toolchain: nightly + - uses: dtolnay/install@74f735cdf643820234e37ae1c4089a08fd266d8a # master + with: + crate: cargo-docs-rs + - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2 - run: cargo xtask docs # Run cargo test on the documentation of the crate. This will catch any code examples that don't @@ -181,9 +223,13 @@ jobs: name: Test Docs runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: dtolnay/rust-toolchain@stable - - uses: Swatinem/rust-cache@v2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master + with: + toolchain: stable + - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2 - run: cargo xtask test-docs # Run cargo test on the libraries of the crate. @@ -195,9 +241,13 @@ jobs: matrix: toolchain: ["1.85.0", "stable"] steps: - - uses: actions/checkout@v4 - - uses: dtolnay/rust-toolchain@stable - - uses: Swatinem/rust-cache@v2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master + with: + toolchain: stable + - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2 - run: cargo xtask test-libs # Run cargo test on all the backends. 
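Review bot: In the Test Libs job the matrix declares `toolchain: ["1.85.0", "stable"]` but the new toolchain step hard-codes `toolchain: stable`, so both matrix entries build with stable and the MSRV entry is never actually exercised. The Check job earlier in this file passes `toolchain: ${{ matrix.toolchain }}`; do the same here. This predates the commit (the old line was `dtolnay/rust-toolchain@stable`), but rewriting the step is the natural moment to fix it.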
@@ -214,7 +264,11 @@ jobs: - os: windows-latest backend: termion steps: - - uses: actions/checkout@v4 - - uses: dtolnay/rust-toolchain@stable - - uses: Swatinem/rust-cache@v2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master + with: + toolchain: stable + - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2 - run: cargo xtask test-backend ${{ matrix.backend }} diff --git a/.github/workflows/release-alpha.yml b/.github/workflows/release-alpha.yml index bcd747a0..5fb6f319 100644 --- a/.github/workflows/release-alpha.yml +++ b/.github/workflows/release-alpha.yml @@ -1,5 +1,9 @@ name: Release alpha version +# Set the permissions of the github token to the minimum and only enable what is needed +# See https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions +permissions: {} + on: workflow_dispatch: schedule: @@ -20,21 +24,25 @@ jobs: contents: write steps: - name: Checkout the repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 + # probably needs to be set to true for git-cliff to work - check build + persist-credentials: false - name: Calculate the next release run: .github/workflows/calculate-alpha-release.bash - name: Install Rust stable - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master + with: + toolchain: stable - name: Publish run: cargo publish --allow-dirty --token ${{ secrets.CARGO_TOKEN }} - name: Generate a changelog - uses: orhun/git-cliff-action@v4 + uses: orhun/git-cliff-action@4a4a951bc43fafe41cd2348d181853f52356bee7 # v4 with: config: cliff.toml args: --unreleased --tag ${{ env.NEXT_TAG }} --strip header 
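Review bot: The comment `# probably needs to be set to true for git-cliff to work - check build` commits an unresolved question into the release workflow, and release-stable.yml carries the same note (`# this possibly needs to be set to true for git-cliff to work - check build results`). `persist-credentials: false` only stops the checkout token from being written into the local git config; git-cliff reads the history already fetched with `fetch-depth: 0` and the release is created by ncipollo/release-action through the API, so I would expect this to keep working, but it should be confirmed on the next run and both comments replaced with a definitive one, e.g. `# git-cliff only reads the local history fetched above; no stored git credentials are needed`.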
@@ -42,7 +50,7 @@ jobs: OUTPUT: BODY.md - name: Publish on GitHub - uses: ncipollo/release-action@v1 + uses: ncipollo/release-action@bcfe5470707e8832e12347755757cec0eb3c22af # v1 with: tag: ${{ env.NEXT_TAG }} prerelease: true diff --git a/.github/workflows/release-plz.yml b/.github/workflows/release-plz.yml index 9e75b074..7d6f8210 100644 --- a/.github/workflows/release-plz.yml +++ b/.github/workflows/release-plz.yml @@ -1,8 +1,8 @@ name: Release-plz -permissions: - pull-requests: write - contents: write +# Set the permissions of the github token to the minimum and only enable what is needed +# See https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions +permissions: {} on: push: @@ -14,17 +14,23 @@ jobs: # Release unpublished packages. release-plz-release: name: Release-plz release + permissions: + pull-requests: write + contents: write runs-on: ubuntu-latest if: ${{ github.repository_owner == 'ratatui' }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 + persist-credentials: false - name: Install Rust toolchain - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master + with: + toolchain: stable - name: Run release-plz - uses: release-plz/action@v0.5 + uses: release-plz/action@8724d33cd97b8295051102e2e19ca592962238f5 # v0.5 with: command: release env: @@ -34,6 +40,8 @@ jobs: # Create a PR with the new versions and changelog, preparing the next release. release-plz-pr: name: Release-plz PR + permissions: + pull-requests: write runs-on: ubuntu-latest if: ${{ github.repository_owner == 'ratatui' }} concurrency: 
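Review bot: The per-job permissions in release-plz.yml look swapped relative to what each command does: `release-plz-release` gets `pull-requests: write` although its step runs `command: release`, which publishes crates and creates tags/releases, while `release-plz-pr` gets only `pull-requests: write` although `command: release-pr` has to push the release branch, which as far as I recall release-plz documents as needing `contents: write` as well. Suggested split: `contents: write` alone on the release job, and `contents: write` plus `pull-requests: write` on the PR job. Both jobs also now check out with `persist-credentials: false` while release-plz is the step doing the git pushes; its `env:` block continues outside the hunk, so verify the token passed there is what the action uses for pushes before merging.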
@@ -41,13 +49,16 @@ jobs: cancel-in-progress: false steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 + persist-credentials: false - name: Install Rust toolchain - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master + with: + toolchain: stable - name: Run release-plz - uses: release-plz/action@v0.5 + uses: release-plz/action@8724d33cd97b8295051102e2e19ca592962238f5 # v0.5 with: command: release-pr env: diff --git a/.github/workflows/release-stable.yml b/.github/workflows/release-stable.yml index b9b6bcec..8bd00291 100644 --- a/.github/workflows/release-stable.yml +++ b/.github/workflows/release-stable.yml @@ -1,5 +1,9 @@ name: Release stable version +# Set the permissions of the github token to the minimum and only enable what is needed +# See https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions +permissions: {} + on: push: tags: @@ -13,12 +17,14 @@ jobs: contents: write steps: - name: Checkout the repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 + # this possibly needs to be set to true for git-cliff to work - check build results + persist-credentials: false - name: Generate a changelog - uses: orhun/git-cliff-action@v4 + uses: orhun/git-cliff-action@4a4a951bc43fafe41cd2348d181853f52356bee7 # v4 with: config: cliff.toml args: --latest --strip header @@ -26,7 +32,7 @@ jobs: OUTPUT: BODY.md - name: Publish on GitHub - uses: ncipollo/release-action@v1 + uses: ncipollo/release-action@bcfe5470707e8832e12347755757cec0eb3c22af # v1 with: prerelease: false bodyFile: BODY.md 
@@ -36,10 +42,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false - name: Install Rust stable - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master + with: + toolchain: stable - name: Publish run: cargo publish --token ${{ secrets.CARGO_TOKEN }} diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000..797a861c --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,26 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +# docs https://docs.zizmor.sh/integrations/#github-actions + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + +permissions: {} + +jobs: + zizmor: + name: Run zizmor 🌈 + runs-on: ubuntu-latest + permissions: + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1 diff --git a/bacon.toml b/bacon.toml index 4706e6ec..5187e315 100644 --- a/bacon.toml +++ b/bacon.toml 
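Review bot: The pin comment on the checkout step in the new zizmor.yml reads `# v4.2.2` while the identical SHA is labelled `# v4` in every other workflow touched by this commit; pick one form, since tools that refresh pins from the comment and people grepping for the version treat them as different pins. A short comment on `security-events: write` would also help, e.g. `# needed for the SARIF upload to code scanning`, since it is the only elevated permission in the file.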
@@ -60,6 +60,22 @@ command = ["cargo", "xtask", "hack"] [jobs.format] command = ["cargo", "xtask", "format"] +[jobs.zizmor-offline] +# zizmor checks the workflow files for security issues. The offline version is generally faster, but +# checks for fewer issues. +command = ["zizmor", "--color", "always", ".github/workflows", "--offline"] +need_stdout = true +default_watch = false +watch = [".github/workflows/"] + +[jobs.zizmor-online] +# zizmor checks the workflow files for security issues. The online version is a bit slower, but it +# checks for more issues +command = ["zizmor", "--color", "always", ".github/workflows"] +need_stdout = true +default_watch = false +watch = [".github/workflows/"] + # You may define here keybindings that would be specific to # a project, for example a shortcut to launch a specific job. # Shortcuts to internal functions (scrolling, toggling, etc.) @@ -74,3 +90,5 @@ ctrl-v = "job:coverage-unit-tests-only" u = "job:test-unit" n = "job:nextest" f = "job:format" +z = "job:zizmor-offline" +shift-z = "job:zizmor-online"
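Review bot: The `zizmor-online` job relies on GitHub API access for the audits that are skipped offline, and zizmor takes that token from the `GH_TOKEN` environment variable (or `--gh-token`); without it the online audits are skipped or fail depending on the zizmor version, which is easy to misread as a clean result. Say so in the job comment, e.g. `# needs GH_TOKEN in the environment; without it the online audits are not run`. The keybinding hunk below is trivial.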