diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..d89d38d
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,16 @@
+version: 2
+
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+ cooldown:
+ default-days: 7
+ groups:
+ actions:
+ patterns: ["*"]
+ ignore:
+ - dependency-name: DeterminateSystems/*
+ commit-message:
+ prefix: ci
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index b7e02ef..b3b7837 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -12,11 +12,17 @@ jobs: contents: read steps: - name: git checkout - uses: actions/checkout@v4 - - uses: DeterminateSystems/determinate-nix-action@v3 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false + - uses: DeterminateSystems/determinate-nix-action@9adf02b41cfdac2632e1c16f0480ff5bf3b05dd6 # v3.21.1 - uses: DeterminateSystems/flakehub-cache-action@main - - run: nix develop -c action-validator -v ./.github/workflows/workflow.yml - - run: nix develop -c prettier --check . + - name: Validate Action + run: nix develop -c action-validator -v ./.github/workflows/workflow.yml + - name: Check syntax + run: nix develop -c prettier --check . + - name: Check GitHub Actions security compliance + run: nix develop -c zizmor .github DeterminateCI: uses: ./.github/workflows/workflow.yml
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
index e448815..019ab56 100644
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
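Review bot: The `ignore` entry for `DeterminateSystems/*` means the commit hashes this same change introduces for `determinate-nix-action@9adf02b4…` in validate.yml and workflow.yml will never be bumped by Dependabot, so those pins will drift behind the tagged release unless someone updates them by hand. If that is intended (first-party actions maintained separately), record it next to the entry, e.g. `# first-party actions are pinned and bumped manually, not by Dependabot`; otherwise drop the ignore and let the `actions` group carry them. The `groups.actions.patterns: ["*"]` entry collapses every remaining bump into one PR, which is fine but means a single failing pin holds up the rest.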
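Review bot: `DeterminateSystems/flakehub-cache-action@main` is left on a mutable branch ref while the adjacent checkout and determinate-nix-action steps move to commit hashes, and the new zizmor step will not report it because `.github/zizmor.yml` relaxes `unpinned-uses` to `ref-pin` for that org. If tracking `main` is deliberate, a line comment such as `# first-party; tracks main on purpose, see .github/zizmor.yml` keeps the next reader from "fixing" it; if not, pin it like its siblings. The `Check GitHub Actions security compliance` step presumably relies on zizmor locating `.github/zizmor.yml` by itself when pointed at `.github` rather than the repository root; passing `--config .github/zizmor.yml` would make that dependency explicit. The job's `permissions` block begins above the hunk.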
@@ -97,12 +97,14 @@ jobs: contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false # disabled pending strategy discussion on exposing tunables # - uses: Determinatesystems/flake-checker-action@main - - uses: DeterminateSystems/determinate-nix-action@v3 + - uses: DeterminateSystems/determinate-nix-action@9adf02b41cfdac2632e1c16f0480ff5bf3b05dd6 # v3.21.1 - uses: DeterminateSystems/flakehub-cache-action@main - - uses: webfactory/ssh-agent@v0.9.0 + - uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0 if: ${{ inputs.enable-ssh-agent }} with: ssh-private-key: ${{ secrets.ssh-private-key }}
@@ -127,14 +129,16 @@ jobs: contents: read steps: - - uses: actions/checkout@v4 - - uses: DeterminateSystems/determinate-nix-action@v3 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false + - uses: DeterminateSystems/determinate-nix-action@9adf02b41cfdac2632e1c16f0480ff5bf3b05dd6 # v3.21.1 with: extra-conf: | extra-experimental-features = provenance ${{ inputs.extra-nix-conf }} - uses: DeterminateSystems/flakehub-cache-action@main - - uses: webfactory/ssh-agent@v0.9.0 + - uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0 if: ${{ inputs.enable-ssh-agent }} with: ssh-private-key: ${{ secrets.ssh-private-key }}
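Review bot: Adding `persist-credentials: false` to the checkout step changes what later steps in this job can do: the checkout token is no longer stored in the repository's git config, so any step that pushes or fetches over HTTPS with it will need its own credentials, and the same applies to the second hunk (`@@ -127,14 +129,16 @@`). The only alternative credential source visible is the `webfactory/ssh-agent` step, which is guarded by `inputs.enable-ssh-agent`; the remaining steps of both jobs are outside the hunks, so this needs confirming against what follows. The `ssh-agent` move from v0.9.0 to v0.10.0 is a functional version bump folded into a hash-pinning change; naming it in the commit message would make it easier to bisect if behaviour around `ssh-private-key` changes.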
@@ -166,9 +170,11 @@ jobs:
 if: |
 contains(needs.*.result, 'failure') ||
 contains(needs.*.result, 'cancelled')
- - uses: actions/checkout@main
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 if: ${{ !github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/')) }}
- - uses: DeterminateSystems/determinate-nix-action@v3
+ with:
+ persist-credentials: false
+ - uses: DeterminateSystems/determinate-nix-action@9adf02b41cfdac2632e1c16f0480ff5bf3b05dd6 # v3.21.1
 if: ${{ !github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/')) }}
 - uses: DeterminateSystems/flakehub-cache-action@main
 if: ${{ !github.repository.fork && inputs.visibility != '' && (github.ref == format('refs/heads/{0}', inputs.default-branch) || startsWith(github.ref, 'refs/tags/')) }}
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..abdc40b
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ DeterminateSystems/*: ref-pin
diff --git a/flake.lock b/flake.lock
index 6418f3c..d7250e9 100644
--- a/flake.lock
+++ b/flake.lock
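Review bot: The new `with: persist-credentials: false` for the checkout step is inserted after the step's `if:` line here, whereas the other two hunks in this file put `with:` directly under `uses:`; YAML accepts either order, but the step reads more easily with the same `uses:` / `with:` / `if:` layout everywhere. The change is otherwise in line with the rest of the commit, and the `@main` → commit-hash move for checkout closes the one floating ref this job had on a third-party action. The job header and any steps after `flakehub-cache-action` are outside the hunk.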
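Review bot: The `unpinned-uses` policy relaxes every `DeterminateSystems/*` action to `ref-pin`, which accepts a branch ref such as `@main` as well as a tag, so zizmor will not report `flakehub-cache-action@main` in either workflow, and the file records no reason for the org-wide exemption. A comment above the policy, e.g. `# first-party actions may use tag or branch refs; all other actions keep zizmor's default (hash-pin)`, documents the trade-off for whoever tightens it later. If only tag refs were meant to be allowed, `ref-pin` is looser than that and the remaining `@main` uses would need to be pinned explicitly.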
@@ -2,36 +2,21 @@
 "nodes": {
 "nixpkgs": {
 "locked": {
- "lastModified": 1744868846,
- "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=",
- "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c",
- "revCount": 785333,
+ "lastModified": 1780930886,
+ "narHash": "sha256-rppURzHviaQN131F+nLiLdGfcb0uCd9gGP0E5+iw9MI=",
+ "rev": "8c3cede7ddc26bd659d2d383b5610efbd2c7a16e",
+ "revCount": 1012902,
 "type": "tarball",
- "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.785333%2Brev-ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c/01965c00-a987-7897-9240-abc0268d7590/source.tar.gz"
+ "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.1012902%2Brev-8c3cede7ddc26bd659d2d383b5610efbd2c7a16e/019eab22-bd1e-7e40-b919-277db893c789/source.tar.gz"
 },
 "original": {
 "type": "tarball",
 "url": "https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/%2A"
 }
 },
- "nixpkgs-old": {
- "locked": {
- "lastModified": 1745279238,
- "narHash": "sha256-AQ7M9wTa/Pa/kK5pcGTgX/DGqMHyzsyINfN7ktsI7Fo=",
- "rev": "9684b53175fc6c09581e94cc85f05ab77464c7e3",
- "revCount": 717196,
- "type": "tarball",
- "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2411.717196%2Brev-9684b53175fc6c09581e94cc85f05ab77464c7e3/019660c5-eae1-7a61-9902-4417eac98039/source.tar.gz"
- },
- "original": {
- "type": "tarball",
- "url": "https://flakehub.com/f/NixOS/nixpkgs/0.2411.717196"
- }
- },
 "root": {
 "inputs": {
- "nixpkgs": "nixpkgs",
- "nixpkgs-old": "nixpkgs-old"
+ "nixpkgs": "nixpkgs"
 }
 }
 },
diff --git a/flake.nix b/flake.nix
index 9499a5d..af131ae 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,15 +1,10 @@ { - inputs = { - nixpkgs.url = "https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/*"; - - # For action-validator, which is broken with new rust versions - nixpkgs-old.url = "https://flakehub.com/f/NixOS/nixpkgs/0.2411.717196"; - }; + inputs.nixpkgs.url = "https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/*"; outputs = - { nixpkgs, nixpkgs-old, ... }: + { self, ... }@inputs: let - inherit (nixpkgs) lib; + inherit (inputs.nixpkgs) lib; systems = [ "aarch64-linux"
@@ -20,27 +15,23 @@ forEachSystem = f: lib.genAttrs systems ( - system: - let - pkgs = nixpkgs.legacyPackages.${system}; - pkgs-old = nixpkgs-old.legacyPackages.${system}; - in - f { inherit pkgs pkgs-old; } + system: f { pkgs = import inputs.nixpkgs { inherit system; }; } ); in { - devShells = forEachSystem ( - { pkgs, pkgs-old }: + { pkgs }: { default = pkgs.mkShellNoCC { - buildInputs = [ - pkgs.nodePackages.prettier - - pkgs-old.action-validator + packages = with pkgs; [ + action-validator + prettier + zizmor ]; }; } ); + + formatter = forEachSystem ({ pkgs }: pkgs.nixfmt); }; }
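Review bot: The new `outputs` pattern binds `self`, but the code visible in both hunks only reads `inputs.nixpkgs`, so `self` looks unused and `{ ... }@inputs:` would express the same thing; the rest of `outputs` is outside the hunk, so check it is not referenced further down before removing it. Dropping the `nixpkgs-old` input also deletes the comment that explained why `action-validator` came from an older nixpkgs, and nothing replaces it; a one-line note by the devShell such as `# action-validator presumably builds on current nixpkgs-weekly again, so the pinned 24.11 input is gone` keeps that history where the next person touching the shell will see it.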