diff --git a/.github/workflows/build-lint-test.yml b/.github/workflows/build-lint-test.yml
index 6931952..5d47851 100644
--- a/.github/workflows/build-lint-test.yml
+++ b/.github/workflows/build-lint-test.yml
@@ -3,9 +3,13 @@ name: Build, Lint, and Test on: workflow_call: +permissions: {} + jobs: prepare: name: Prepare + permissions: + contents: read runs-on: ubuntu-latest steps: - name: Checkout and setup environment
@@ -17,13 +21,15 @@ jobs: lint: name: Lint needs: prepare + permissions: + contents: read runs-on: ubuntu-latest steps: + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Checkout and setup environment uses: MetaMask/action-checkout-and-setup@89c66bb715514a0abd2e6bbfb3cae312b0100913 # v3.2.0 with: is-high-risk-environment: false - cache-node-modules: true - run: yarn lint - name: Validate RC changelog if: ${{ startsWith(github.head_ref, 'release/') }}
diff --git a/.github/workflows/create-release-pr.yml b/.github/workflows/create-release-pr.yml
index 9b6050c..7b3a4fa 100644
--- a/.github/workflows/create-release-pr.yml
+++ b/.github/workflows/create-release-pr.yml
@@ -14,6 +14,8 @@ on: description: 'A specific version to bump to. Mutually exclusive with "release-type".' required: false +permissions: {} + jobs: create-release-pr: runs-on: ubuntu-latest
@@ -21,7 +23,7 @@ jobs: contents: write pull-requests: write steps: - - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: # This is to guarantee that the most recent tag is fetched. # This can be configured to a more reasonable value by consumers. 
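Review bot: The new `- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10` step in the lint job keeps the action's default of persisting the job token in `.git/config`, so `yarn lint` and every later step of the job can read it from disk; this same commit adds `persist-credentials: false` to the checkouts in publish-release.yml but not here. Add `with:` / `persist-credentials: false` to this step. The same default applies to the checkouts that are only re-pinned in main.yml (check-workflows), onboard-new-repo.yml (scanner action repository) and test-semgrep.yml (validate-and-test). A one-line comment on why a bare checkout is now needed in front of `MetaMask/action-checkout-and-setup`, and why `cache-node-modules: true` goes away with it, would help the next reader; the lint job's steps continue past the hunk.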
@@ -33,6 +35,8 @@ jobs: uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version-file: '.nvmrc' + - name: Enable Corepack + run: corepack enable - uses: MetaMask/action-create-release-pr@4b3b9f5e764afa2e028c1759fcc9891e591d6782 # v5.0.0 with: release-type: ${{ github.event.inputs.release-type }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 6a36a97..2e3860c 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -5,12 +5,16 @@ on: branches: [main] pull_request: +permissions: {} + jobs: check-workflows: name: Check workflows + permissions: + contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Download actionlint id: download-actionlint run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/7fdc9630cc360ea1a469eed64ac6d78caeda1234/scripts/download-actionlint.bash) 1.7.7
@@ -31,11 +35,14 @@ jobs: build-lint-test: name: Build, lint, and test + permissions: + contents: read uses: ./.github/workflows/build-lint-test.yml needs: check-workflows all-jobs-completed: name: All jobs completed + permissions: {} runs-on: ubuntu-latest needs: - check-workflows
@@ -51,6 +58,7 @@ jobs: all-jobs-pass: name: All jobs pass if: ${{ always() }} + permissions: {} runs-on: ubuntu-latest needs: all-jobs-completed steps:
@@ -65,6 +73,8 @@ jobs: name: Determine whether this is a release merge commit needs: all-jobs-pass if: github.event_name == 'push' + permissions: + contents: read runs-on: ubuntu-latest outputs: IS_RELEASE: ${{ steps.is-release.outputs.IS_RELEASE }}
diff --git a/.github/workflows/onboard-new-repo.yml b/.github/workflows/onboard-new-repo.yml
index 0d679a7..4ca3aac 100644
--- a/.github/workflows/onboard-new-repo.yml
+++ b/.github/workflows/onboard-new-repo.yml
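Review bot: The new `Enable Corepack` step (`run: corepack enable`) lets Corepack download whichever package manager the repository's `packageManager` field names the first time it is invoked, and Corepack only checks the integrity of that download when the field carries a hash suffix; `package.json` is not part of this diff, so that cannot be confirmed here. Before the release job relies on it, check that the field is pinned with its hash, of the form `"packageManager": "yarn@<version>+sha224.<hash>"` (a constructed example, not the project's value). The same applies to the `Enable Corepack` step added to packages/language-detector/action.yml. A short comment above the step stating which package manager and version it is expected to activate would make the intent reviewable.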
@@ -14,6 +14,8 @@ on: repository_dispatch: types: [new_repository_created] +permissions: {} + jobs: create-sast-pr: runs-on: ubuntu-latest
@@ -22,7 +24,7 @@ jobs: contents: read steps: - name: Checkout scanner action repository - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: path: scanner-repo
@@ -79,12 +81,18 @@ jobs: private-key: ${{ secrets.ONBOARDING_APP_PRIVATE_KEY }} owner: ${{ steps.target.outputs.organization }} repositories: ${{ steps.target.outputs.repo_name }} + permission-metadata: read + permission-contents: write + permission-pull-requests: write - name: Detect default branch id: detect_branch run: | echo "Detecting default branch for $REPO..." - BASE_BRANCH=$(gh api "repos/$REPO" --jq '.default_branch' 2>/dev/null) || BASE_BRANCH="" + if ! BASE_BRANCH=$(gh api "repos/$REPO" --jq '.default_branch' 2>&1); then + echo "::error::GitHub API call failed while detecting default branch for $REPO: $BASE_BRANCH" + exit 1 + fi if [ -z "$BASE_BRANCH" ] || [ "$BASE_BRANCH" = "null" ]; then echo "Repository is empty or default branch not found. Defaulting to 'main'"
@@ -154,7 +162,7 @@ jobs: - name: Checkout target repository if: steps.check_opt_out.outputs.opted_out != 'true' && steps.check_empty.outputs.is_empty == 'false' - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: ${{ steps.target.outputs.repository }} token: ${{ steps.app_token.outputs.token }}
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index 9dd6d5f..42281ea 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
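Review bot: The `2>&1` in `if ! BASE_BRANCH=$(gh api "repos/$REPO" --jq '.default_branch' 2>&1); then` also captures stderr when the call succeeds, so any warning or notice `gh` prints to stderr lands inside `BASE_BRANCH` alongside the branch name and is then presumably used as the base branch; the replaced line discarded stderr entirely. Keep stderr out of the variable by redirecting it to a file instead, `2>"$RUNNER_TEMP/gh-api.err"` on the command and `$(cat "$RUNNER_TEMP/gh-api.err")` in the `::error::` message, so only stdout reaches `BASE_BRANCH`. Failing the job on an API error rather than silently falling back to `main` is the right change, and the `permission-metadata`/`permission-contents`/`permission-pull-requests` inputs scoping the app token are welcome. The `run` block continues past the hunk.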
@@ -19,12 +19,18 @@ on: SLACK_WEBHOOK_URL: required: true +permissions: {} + jobs: announce-release: name: Announce release + permissions: + contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - id: name-hash name: Get Slack name and hash shell: bash
@@ -38,13 +44,16 @@ jobs: shell: bash if: inputs.slack-subteam != '' run: | - DEFAULT_TEXT="\`${{ steps.name-hash.outputs.NAME_VERSION }}\` is awaiting deployment :rocket: \n " - SUBTEAM_TEXT="${{ inputs.slack-subteam }}" + DEFAULT_TEXT="\`${STEPS_NAME_HASH_OUTPUTS_NAME_VERSION}\` is awaiting deployment :rocket: \n " + SUBTEAM_TEXT="${INPUTS_SLACK_SUBTEAM}" FINAL_TEXT="$DEFAULT_TEXT" if [[ ! "$SUBTEAM_TEXT" == "" ]]; then FINAL_TEXT=" $DEFAULT_TEXT" fi echo "FINAL_TEXT=$FINAL_TEXT" >> "$GITHUB_OUTPUT" + env: + STEPS_NAME_HASH_OUTPUTS_NAME_VERSION: ${{ steps.name-hash.outputs.NAME_VERSION }} + INPUTS_SLACK_SUBTEAM: ${{ inputs.slack-subteam }} - name: Post to a Slack channel if: inputs.slack-subteam != '' uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c # v3.0.3
@@ -69,12 +78,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: # This is to guarantee that the most recent tag is fetched, which we # need for updating the shorthand major version tag. fetch-depth: 0 ref: ${{ github.sha }} + persist-credentials: false - name: Publish release uses: MetaMask/action-publish-release@b842808ef45c9e3b085060b94b1d4a1fac00aa81 # v3.2.2 id: publish-release 
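Review bot: `echo "FINAL_TEXT=$FINAL_TEXT" >> "$GITHUB_OUTPUT"` still writes the value in the single-line `KEY=value` form, so a newline inside `NAME_VERSION` or `slack-subteam` would end the output early and leave the remainder to be parsed as a further output line; moving the `${{ }}` expressions into `env` removes the shell injection but not this. Both values come from the calling workflow, so the exposure is low, but the delimiter form is cheap: `{ echo "FINAL_TEXT<<${DELIM}"; echo "$FINAL_TEXT"; echo "${DELIM}"; } >> "$GITHUB_OUTPUT"` with `DELIM` set to a value that cannot occur in the text, e.g. `DELIM="$(openssl rand -hex 8)"`. The `env` indirection introduced here is the right pattern for the rest of the file.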
@@ -82,5 +92,9 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Update shorthand major version tag run: | + git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" ./.github/workflows/scripts/update-major-version-tag.sh \ - ${{ steps.publish-release.outputs.release-version }} + "${STEPS_PUBLISH_RELEASE_OUTPUTS_RELEASE_VERSION}" + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + STEPS_PUBLISH_RELEASE_OUTPUTS_RELEASE_VERSION: ${{ steps.publish-release.outputs.release-version }}
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 37c83f4..8f55a85 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -68,14 +68,14 @@ jobs: matrix: ${{ steps.detect-languages.outputs.matrix }} steps: - name: Checkout monorepo (for local actions) - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: MetaMask/action-security-code-scanner ref: ${{ inputs.scanner-ref }} path: ${{ env.MONOREPO_PATH }} - name: Checkout target repository - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: ${{ inputs.repo }} path: ${{ inputs.repo }} 
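Review bot: `git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"` writes the token into `.git/config` on disk, which is exactly what the `persist-credentials: false` added to this job's checkout in the preceding hunk removes; the secret is masked in logs, but any later step in the job and a plain `git remote -v` can read it back. Prefer `gh auth setup-git` as the first line of the `run` block, with `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` in the step's `env` in place of `GITHUB_TOKEN`, which registers `gh` as git's credential helper and leaves the token in this step's environment only. `update-major-version-tag.sh` is not in the diff, so confirm it pushes over HTTPS to `origin` before switching; quoting the release version and passing it through `env` is a good fix.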
@@ -102,14 +102,14 @@ jobs: security-events: write steps: - name: Checkout monorepo (for local actions) - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: MetaMask/action-security-code-scanner ref: ${{ inputs.scanner-ref }} path: ${{ env.MONOREPO_PATH }} - name: Checkout target repository - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: ${{ inputs.repo }} path: ${{ inputs.repo }}
@@ -137,14 +137,14 @@ jobs: security-events: write steps: - name: Checkout monorepo (for local actions) - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: MetaMask/action-security-code-scanner ref: ${{ inputs.scanner-ref }} path: ${{ env.MONOREPO_PATH }} - name: Checkout target repository - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: ${{ inputs.repo }} path: ${{ inputs.repo }}
@@ -168,7 +168,7 @@ jobs: contents: read steps: - name: Checkout target repository - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: ${{ inputs.repo }} path: ${{ inputs.repo }}
diff --git a/.github/workflows/test-semgrep.yml b/.github/workflows/test-semgrep.yml
index 1b15484..6abdaf4 100644
--- a/.github/workflows/test-semgrep.yml
+++ b/.github/workflows/test-semgrep.yml
@@ -2,12 +2,16 @@ name: Test Semgrep Rules on: [push] +permissions: {} + jobs: validate-and-test: + permissions: + contents: read runs-on: ubuntu-latest steps: - name: Checkout Code - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Semgrep run: |
diff --git a/.github/workflows/validate-conventional-commits.yml b/.github/workflows/validate-conventional-commits.yml
index f01df3e..c65dcf4 100644
--- a/.github/workflows/validate-conventional-commits.yml
+++ b/.github/workflows/validate-conventional-commits.yml
@@ -5,8 +5,12 @@ on: - main types: [opened, edited, reopened, synchronize] +permissions: {} + jobs: pr-title-linter: + permissions: + pull-requests: read runs-on: ubuntu-latest if: ${{ !startsWith(github.head_ref , 'release/') }} steps:
diff --git a/.github/workflows/webhook.yml b/.github/workflows/webhook.yml
index efcc28b..a150233 100644
--- a/.github/workflows/webhook.yml
+++ b/.github/workflows/webhook.yml
@@ -5,6 +5,8 @@ on: repository_dispatch: types: [code_scanning_alert] +permissions: {} + jobs: run-security-scan: permissions:
diff --git a/.nvmrc b/.nvmrc
index 2edeafb..cabf43b 100644
--- a/.nvmrc
+++ b/.nvmrc
@@ -1 +1 @@
-20
\ No newline at end of file
+24
\ No newline at end of file
diff --git a/packages/codeql-action/action.yaml b/packages/codeql-action/action.yaml
index ecc7f62..d185a59 100644
--- a/packages/codeql-action/action.yaml
+++ b/packages/codeql-action/action.yaml
@@ -107,14 +107,14 @@ runs: - name: Checkout Custom Query Repository id: checkout-custom-query - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: metamask/CodeQL-Queries ref: main path: ${{ github.workspace }}/custom-queries - name: Initialize CodeQL - uses: github/codeql-action/init@411bbbe57033eedfc1a82d68c01345aa96c737d7 # v4 + uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 with: config-file: ${{ github.workspace }}/codeql-config-generated.yml languages: ${{ inputs.language }}
@@ -142,13 +142,13 @@ runs: - name: Run CodeQL Analysis id: codeql-analysis - uses: github/codeql-action/analyze@411bbbe57033eedfc1a82d68c01345aa96c737d7 # v4 + uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 with: upload: false checkout_path: ${{ github.workspace }}/${{ inputs.repo }} - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@411bbbe57033eedfc1a82d68c01345aa96c737d7 # v4 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 with: sarif_file: ${{ steps.codeql-analysis.outputs.sarif-output }} category: codeql-${{ inputs.language }}
diff --git a/packages/language-detector/action.yml b/packages/language-detector/action.yml
index 019234c..18006fb 100644
--- a/packages/language-detector/action.yml
+++ b/packages/language-detector/action.yml
@@ -39,7 +39,11 @@ runs: - name: Setup Node.js uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: - node-version: '20' + node-version: '24' + + - name: Enable Corepack + run: corepack enable + shell: bash - name: Install dependencies shell: bash
diff --git a/packages/semgrep-action/action.yml b/packages/semgrep-action/action.yml
index 0d6f51f..3187887 100644
--- a/packages/semgrep-action/action.yml
+++ b/packages/semgrep-action/action.yml
@@ -31,7 +31,7 @@ runs: continue-on-error: true - name: Upload Semgrep Results to GitHub - uses: github/codeql-action/upload-sarif@411bbbe57033eedfc1a82d68c01345aa96c737d7 # v4 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 with: sarif_file: semgrep-results.sarif checkout_path: ${{ github.workspace }}
diff --git a/packages/semgrep-action/rules/test/generic/npx-usage/npx-usage-yml.test.yml b/packages/semgrep-action/rules/test/generic/npx-usage/npx-usage-yml.test.yml
index 5eeeefc..1673a77 100644
--- a/packages/semgrep-action/rules/test/generic/npx-usage/npx-usage-yml.test.yml
+++ b/packages/semgrep-action/rules/test/generic/npx-usage/npx-usage-yml.test.yml
@@ -8,7 +8,7 @@ jobs: test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # Test basic npx usage in GitHub Actions - should be flagged - name: Run tests
diff --git a/packages/semgrep-action/rules/test/github-actions/publish-actions-cache-used.test.yaml b/packages/semgrep-action/rules/test/github-actions/publish-actions-cache-used.test.yaml
index bad55fe..0504758 100644
--- a/packages/semgrep-action/rules/test/github-actions/publish-actions-cache-used.test.yaml
+++ b/packages/semgrep-action/rules/test/github-actions/publish-actions-cache-used.test.yaml
@@ -14,7 +14,7 @@ jobs: contents: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: ref: ${{ github.sha }} - name: Install Node
@@ -46,7 +46,7 @@ jobs: runs-on: ubuntu-latest needs: publish-release steps: - - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: ref: ${{ github.sha }} - name: Install Node 
@@ -77,7 +77,7 @@ jobs: runs-on: ubuntu-latest needs: publish-npm-dry-run steps: - - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: ref: ${{ github.sha }} - name: Install Node