From f9336f0fc8c0cc51514d1a6e064b3fe21458d436 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82?= Date: Tue, 9 Jun 2026 11:31:23 +0100 Subject: [PATCH 1/7] Update Node.js version in .nvmrc and enable Corepack in actions using node --- .github/workflows/create-release-pr.yml | 2 ++ .nvmrc | 2 +- packages/language-detector/action.yml | 4 ++++ 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/create-release-pr.yml b/.github/workflows/create-release-pr.yml index 9b6050c..4afe321 100644 --- a/.github/workflows/create-release-pr.yml +++ b/.github/workflows/create-release-pr.yml @@ -33,6 +33,8 @@ jobs: uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version-file: '.nvmrc' + - name: Enable Corepack + run: corepack enable - uses: MetaMask/action-create-release-pr@4b3b9f5e764afa2e028c1759fcc9891e591d6782 # v5.0.0 with: release-type: ${{ github.event.inputs.release-type }} diff --git a/.nvmrc b/.nvmrc index 2edeafb..cabf43b 100644 --- a/.nvmrc +++ b/.nvmrc @@ -1 +1 @@ -20 \ No newline at end of file +24 \ No newline at end of file diff --git a/packages/language-detector/action.yml b/packages/language-detector/action.yml index 019234c..019e987 100644 --- a/packages/language-detector/action.yml +++ b/packages/language-detector/action.yml @@ -41,6 +41,10 @@ runs: with: node-version: '20' + - name: Enable Corepack + run: corepack enable + shell: bash + - name: Install dependencies shell: bash run: | From 0cf4f023ac6c5d8832505ded0c17cd355aff00a9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Micha=C5=82?= Date: Tue, 9 Jun 2026 12:00:36 +0100 Subject: [PATCH 2/7] Enhance GitHub Actions workflows with permissions updates - Added permissions configuration to multiple workflows to ensure proper access control. - Updated jobs in build-lint-test, create-release-pr, main, onboard-new-repo, publish-release, test-semgrep, validate-conventional-commits, and webhook workflows to specify 'contents: read' where necessary. - Improved clarity and security by explicitly defining permissions for various jobs. --- .github/workflows/build-lint-test.yml | 6 ++++++ .github/workflows/create-release-pr.yml | 2 ++ .github/workflows/main.yml | 10 ++++++++++ .github/workflows/onboard-new-repo.yml | 4 ++++ .github/workflows/publish-release.yml | 18 +++++++++++++++--- .github/workflows/test-semgrep.yml | 4 ++++ .../validate-conventional-commits.yml | 4 ++++ .github/workflows/webhook.yml | 2 ++ 8 files changed, 47 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-lint-test.yml b/.github/workflows/build-lint-test.yml index 6931952..8ab7077 100644 --- a/.github/workflows/build-lint-test.yml +++ b/.github/workflows/build-lint-test.yml @@ -3,9 +3,13 @@ name: Build, Lint, and Test on: workflow_call: +permissions: {} + jobs: prepare: name: Prepare + permissions: + contents: read runs-on: ubuntu-latest steps: - name: Checkout and setup environment @@ -17,6 +21,8 @@ jobs: lint: name: Lint needs: prepare + permissions: + contents: read runs-on: ubuntu-latest steps: - name: Checkout and setup environment diff --git a/.github/workflows/create-release-pr.yml b/.github/workflows/create-release-pr.yml index 4afe321..c1b3e65 100644 --- a/.github/workflows/create-release-pr.yml +++ b/.github/workflows/create-release-pr.yml @@ -14,6 +14,8 @@ on: description: 'A specific version to bump to. Mutually exclusive with "release-type".' required: false +permissions: {} + jobs: create-release-pr: runs-on: ubuntu-latest 
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 6a36a97..3582485 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -5,9 +5,13 @@ on: branches: [main] pull_request: +permissions: {} + jobs: check-workflows: name: Check workflows + permissions: + contents: read runs-on: ubuntu-latest steps: - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 @@ -31,11 +35,14 @@ jobs: build-lint-test: name: Build, lint, and test + permissions: + contents: read uses: ./.github/workflows/build-lint-test.yml needs: check-workflows all-jobs-completed: name: All jobs completed + permissions: {} runs-on: ubuntu-latest needs: - check-workflows @@ -51,6 +58,7 @@ jobs: all-jobs-pass: name: All jobs pass if: ${{ always() }} + permissions: {} runs-on: ubuntu-latest needs: all-jobs-completed steps: @@ -65,6 +73,8 @@ jobs: name: Determine whether this is a release merge commit needs: all-jobs-pass if: github.event_name == 'push' + permissions: + contents: read runs-on: ubuntu-latest outputs: IS_RELEASE: ${{ steps.is-release.outputs.IS_RELEASE }} diff --git a/.github/workflows/onboard-new-repo.yml b/.github/workflows/onboard-new-repo.yml index 0d679a7..da76290 100644 --- a/.github/workflows/onboard-new-repo.yml +++ b/.github/workflows/onboard-new-repo.yml @@ -14,6 +14,8 @@ on: repository_dispatch: types: [new_repository_created] +permissions: {} + jobs: create-sast-pr: runs-on: ubuntu-latest @@ -79,6 +81,8 @@ jobs: private-key: ${{ secrets.ONBOARDING_APP_PRIVATE_KEY }} owner: ${{ steps.target.outputs.organization }} repositories: ${{ steps.target.outputs.repo_name }} + permission-contents: write + permission-pull-requests: write - name: Detect default branch id: detect_branch diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 9dd6d5f..4ae969d 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml 
@@ -19,12 +19,18 @@ on: SLACK_WEBHOOK_URL: required: true +permissions: {} + jobs: announce-release: name: Announce release + permissions: + contents: read runs-on: ubuntu-latest steps: - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + with: + persist-credentials: false - id: name-hash name: Get Slack name and hash shell: bash @@ -38,13 +44,16 @@ jobs: shell: bash if: inputs.slack-subteam != '' run: | - DEFAULT_TEXT="\`${{ steps.name-hash.outputs.NAME_VERSION }}\` is awaiting deployment :rocket: \n " - SUBTEAM_TEXT="${{ inputs.slack-subteam }}" + DEFAULT_TEXT="\`${STEPS_NAME_HASH_OUTPUTS_NAME_VERSION}\` is awaiting deployment :rocket: \n " + SUBTEAM_TEXT="${INPUTS_SLACK_SUBTEAM}" FINAL_TEXT="$DEFAULT_TEXT" if [[ ! "$SUBTEAM_TEXT" == "" ]]; then FINAL_TEXT=" $DEFAULT_TEXT" fi echo "FINAL_TEXT=$FINAL_TEXT" >> "$GITHUB_OUTPUT" + env: + STEPS_NAME_HASH_OUTPUTS_NAME_VERSION: ${{ steps.name-hash.outputs.NAME_VERSION }} + INPUTS_SLACK_SUBTEAM: ${{ inputs.slack-subteam }} - name: Post to a Slack channel if: inputs.slack-subteam != '' uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c # v3.0.3 @@ -75,6 +84,7 @@ jobs: # need for updating the shorthand major version tag. fetch-depth: 0 ref: ${{ github.sha }} + persist-credentials: false - name: Publish release uses: MetaMask/action-publish-release@b842808ef45c9e3b085060b94b1d4a1fac00aa81 # v3.2.2 id: publish-release @@ -83,4 +93,6 @@ jobs: - name: Update shorthand major version tag run: | ./.github/workflows/scripts/update-major-version-tag.sh \ - ${{ steps.publish-release.outputs.release-version }} + ${STEPS_PUBLISH_RELEASE_OUTPUTS_RELEASE_VERSION} + env: + STEPS_PUBLISH_RELEASE_OUTPUTS_RELEASE_VERSION: ${{ steps.publish-release.outputs.release-version }} diff --git a/.github/workflows/test-semgrep.yml b/.github/workflows/test-semgrep.yml index 1b15484..d280fc8 100644 --- a/.github/workflows/test-semgrep.yml +++ b/.github/workflows/test-semgrep.yml 
@@ -2,8 +2,12 @@ name: Test Semgrep Rules on: [push] +permissions: {} + jobs: validate-and-test: + permissions: + contents: read runs-on: ubuntu-latest steps: - name: Checkout Code diff --git a/.github/workflows/validate-conventional-commits.yml b/.github/workflows/validate-conventional-commits.yml index f01df3e..c65dcf4 100644 --- a/.github/workflows/validate-conventional-commits.yml +++ b/.github/workflows/validate-conventional-commits.yml @@ -5,8 +5,12 @@ on: - main types: [opened, edited, reopened, synchronize] +permissions: {} + jobs: pr-title-linter: + permissions: + pull-requests: read runs-on: ubuntu-latest if: ${{ !startsWith(github.head_ref , 'release/') }} steps: diff --git a/.github/workflows/webhook.yml b/.github/workflows/webhook.yml index efcc28b..a150233 100644 --- a/.github/workflows/webhook.yml +++ b/.github/workflows/webhook.yml @@ -5,6 +5,8 @@ on: repository_dispatch: types: [code_scanning_alert] +permissions: {} + jobs: run-security-scan: permissions: From 13ae9b623c2d088b93461f33019f439207ce3152 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82?= Date: Tue, 9 Jun 2026 12:08:00 +0100 Subject: [PATCH 3/7] Update actions/checkout to latest commit for consistency across workflows - Replaced the checkout action version in multiple workflows with the latest commit hash to ensure uniformity and leverage any recent improvements. - This change affects the create-release-pr, main, onboard-new-repo, publish-release, security-scan, test-semgrep, and codeql-action workflows. --- .github/workflows/create-release-pr.yml | 2 +- .github/workflows/main.yml | 2 +- .github/workflows/onboard-new-repo.yml | 4 ++-- .github/workflows/publish-release.yml | 4 ++-- .github/workflows/security-scan.yml | 14 +++++++------- .github/workflows/test-semgrep.yml | 2 +- packages/codeql-action/action.yaml | 2 +- .../test/generic/npx-usage/npx-usage-yml.test.yml | 2 +- .../publish-actions-cache-used.test.yaml | 6 +++--- 9 files changed, 19 insertions(+), 19 deletions(-) 
diff --git a/.github/workflows/create-release-pr.yml b/.github/workflows/create-release-pr.yml index c1b3e65..7b3a4fa 100644 --- a/.github/workflows/create-release-pr.yml +++ b/.github/workflows/create-release-pr.yml @@ -23,7 +23,7 @@ jobs: contents: write pull-requests: write steps: - - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: # This is to guarantee that the most recent tag is fetched. # This can be configured to a more reasonable value by consumers. diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 3582485..2e3860c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -14,7 +14,7 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Download actionlint id: download-actionlint run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/7fdc9630cc360ea1a469eed64ac6d78caeda1234/scripts/download-actionlint.bash) 1.7.7 diff --git a/.github/workflows/onboard-new-repo.yml b/.github/workflows/onboard-new-repo.yml index da76290..f73bb78 100644 --- a/.github/workflows/onboard-new-repo.yml +++ b/.github/workflows/onboard-new-repo.yml @@ -24,7 +24,7 @@ jobs: contents: read steps: - name: Checkout scanner action repository - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: path: scanner-repo 
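Review bot: The new pin `- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3` keeps the `# v6.0.3` label that the replaced `9f698171ed81b15d1823a05fc7211befd50c8ae0` carried, but two different commits cannot both be the v6.0.3 tag, so one of the two labels is wrong. That trailing comment is what Dependabot/Renovate and anyone auditing a SHA pin rely on to know which release is actually running, so a stale label hides the real version. The same old/new pair is repeated in every hunk of this patch (main.yml, onboard-new-repo.yml, publish-release.yml, security-scan.yml, test-semgrep.yml, packages/codeql-action/action.yaml and the two semgrep rule test fixtures), so the fix should be applied to all of them. Please confirm which upstream actions/checkout tag df4cb1c… resolves to and put that tag in the comment instead of v6.0.3.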
@@ -158,7 +158,7 @@ jobs: - name: Checkout target repository if: steps.check_opt_out.outputs.opted_out != 'true' && steps.check_empty.outputs.is_empty == 'false' - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: ${{ steps.target.outputs.repository }} token: ${{ steps.app_token.outputs.token }} diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 4ae969d..7f579a1 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -28,7 +28,7 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false - id: name-hash @@ -78,7 +78,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: # This is to guarantee that the most recent tag is fetched, which we # need for updating the shorthand major version tag. diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index 37c83f4..8f55a85 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml 
@@ -68,14 +68,14 @@ jobs: matrix: ${{ steps.detect-languages.outputs.matrix }} steps: - name: Checkout monorepo (for local actions) - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: MetaMask/action-security-code-scanner ref: ${{ inputs.scanner-ref }} path: ${{ env.MONOREPO_PATH }} - name: Checkout target repository - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: ${{ inputs.repo }} path: ${{ inputs.repo }} @@ -102,14 +102,14 @@ jobs: security-events: write steps: - name: Checkout monorepo (for local actions) - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: MetaMask/action-security-code-scanner ref: ${{ inputs.scanner-ref }} path: ${{ env.MONOREPO_PATH }} - name: Checkout target repository - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: ${{ inputs.repo }} path: ${{ inputs.repo }} @@ -137,14 +137,14 @@ jobs: security-events: write steps: - name: Checkout monorepo (for local actions) - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: MetaMask/action-security-code-scanner ref: ${{ inputs.scanner-ref }} path: ${{ env.MONOREPO_PATH }} - name: Checkout target repository - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: ${{ inputs.repo }} path: ${{ inputs.repo }} 
@@ -168,7 +168,7 @@ jobs: contents: read steps: - name: Checkout target repository - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: ${{ inputs.repo }} path: ${{ inputs.repo }} diff --git a/.github/workflows/test-semgrep.yml b/.github/workflows/test-semgrep.yml index d280fc8..6abdaf4 100644 --- a/.github/workflows/test-semgrep.yml +++ b/.github/workflows/test-semgrep.yml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Code - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Semgrep run: | diff --git a/packages/codeql-action/action.yaml b/packages/codeql-action/action.yaml index ecc7f62..519a6bb 100644 --- a/packages/codeql-action/action.yaml +++ b/packages/codeql-action/action.yaml @@ -107,7 +107,7 @@ runs: - name: Checkout Custom Query Repository id: checkout-custom-query - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: metamask/CodeQL-Queries ref: main diff --git a/packages/semgrep-action/rules/test/generic/npx-usage/npx-usage-yml.test.yml b/packages/semgrep-action/rules/test/generic/npx-usage/npx-usage-yml.test.yml index 5eeeefc..1673a77 100644 --- a/packages/semgrep-action/rules/test/generic/npx-usage/npx-usage-yml.test.yml +++ b/packages/semgrep-action/rules/test/generic/npx-usage/npx-usage-yml.test.yml @@ -8,7 +8,7 @@ jobs: test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # Test basic npx usage in GitHub Actions - should be flagged - name: Run tests 
diff --git a/packages/semgrep-action/rules/test/github-actions/publish-actions-cache-used.test.yaml b/packages/semgrep-action/rules/test/github-actions/publish-actions-cache-used.test.yaml index bad55fe..0504758 100644 --- a/packages/semgrep-action/rules/test/github-actions/publish-actions-cache-used.test.yaml +++ b/packages/semgrep-action/rules/test/github-actions/publish-actions-cache-used.test.yaml @@ -14,7 +14,7 @@ jobs: contents: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: ref: ${{ github.sha }} - name: Install Node @@ -46,7 +46,7 @@ jobs: runs-on: ubuntu-latest needs: publish-release steps: - - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: ref: ${{ github.sha }} - name: Install Node @@ -77,7 +77,7 @@ jobs: runs-on: ubuntu-latest needs: publish-npm-dry-run steps: - - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: ref: ${{ github.sha }} - name: Install Node From 468bd571f67ef056e2b315c1d706a87ecd6fc258 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82?= Date: Tue, 9 Jun 2026 12:14:03 +0100 Subject: [PATCH 4/7] Update publish-release workflow and CodeQL action versions - Modified the publish-release workflow to set the Git remote URL with the GitHub token for improved authentication. - Updated CodeQL action versions to the latest commit hashes for consistency and to leverage recent improvements in the analysis and upload steps. --- .github/workflows/publish-release.yml | 4 +++- packages/codeql-action/action.yaml | 6 +++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 7f579a1..42281ea 100644 
--- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -92,7 +92,9 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Update shorthand major version tag run: | + git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" ./.github/workflows/scripts/update-major-version-tag.sh \ - ${STEPS_PUBLISH_RELEASE_OUTPUTS_RELEASE_VERSION} + "${STEPS_PUBLISH_RELEASE_OUTPUTS_RELEASE_VERSION}" env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} STEPS_PUBLISH_RELEASE_OUTPUTS_RELEASE_VERSION: ${{ steps.publish-release.outputs.release-version }} diff --git a/packages/codeql-action/action.yaml b/packages/codeql-action/action.yaml index 519a6bb..d185a59 100644 --- a/packages/codeql-action/action.yaml +++ b/packages/codeql-action/action.yaml @@ -114,7 +114,7 @@ runs: path: ${{ github.workspace }}/custom-queries - name: Initialize CodeQL - uses: github/codeql-action/init@411bbbe57033eedfc1a82d68c01345aa96c737d7 # v4 + uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 with: config-file: ${{ github.workspace }}/codeql-config-generated.yml languages: ${{ inputs.language }} @@ -142,13 +142,13 @@ runs: - name: Run CodeQL Analysis id: codeql-analysis - uses: github/codeql-action/analyze@411bbbe57033eedfc1a82d68c01345aa96c737d7 # v4 + uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 with: upload: false checkout_path: ${{ github.workspace }}/${{ inputs.repo }} - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@411bbbe57033eedfc1a82d68c01345aa96c737d7 # v4 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 with: sarif_file: ${{ steps.codeql-analysis.outputs.sarif-output }} category: codeql-${{ inputs.language }} From 5fcf16555af147836c4e34aebf1a4f6978c3978e Mon Sep 17 00:00:00 2001 
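Review bot: `git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"` writes the token into `.git/config` for the remainder of the job, which undoes the `persist-credentials: false` that the earlier patch set on this job's checkout step; any later step, script or workspace artifact can then read the credential from that file. Prefer supplying the credential only to the push itself, e.g. have `update-major-version-tag.sh` push to the tokenised URL directly, or restore the remote afterwards with `git remote set-url origin "https://github.com/${GITHUB_REPOSITORY}.git"` in a step that runs with `if: always()`. Quoting `"${STEPS_PUBLISH_RELEASE_OUTPUTS_RELEASE_VERSION}"` is the right fix for the unquoted expansion. The script and the job's `permissions:` block are outside this hunk, so I cannot tell whether the script already pushes with an explicit URL or whether the job grants `contents: write`.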
From: =?UTF-8?q?Micha=C5=82?= Date: Tue, 9 Jun 2026 12:16:23 +0100 Subject: [PATCH 5/7] Update CodeQL action version in Semgrep workflow for consistency --- packages/semgrep-action/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/semgrep-action/action.yml b/packages/semgrep-action/action.yml index 0d6f51f..3187887 100644 --- a/packages/semgrep-action/action.yml +++ b/packages/semgrep-action/action.yml @@ -31,7 +31,7 @@ runs: continue-on-error: true - name: Upload Semgrep Results to GitHub - uses: github/codeql-action/upload-sarif@411bbbe57033eedfc1a82d68c01345aa96c737d7 # v4 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 with: sarif_file: semgrep-results.sarif checkout_path: ${{ github.workspace }} From 0998f6edf7e35a9c0c8e57e45c7c35d3055e051a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82?= Date: Tue, 9 Jun 2026 12:35:23 +0100 Subject: [PATCH 6/7] Update Node.js version to 24 in language-detector action and checkout action version in build-lint-test workflow for consistency --- .github/workflows/build-lint-test.yml | 2 +- packages/language-detector/action.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-lint-test.yml b/.github/workflows/build-lint-test.yml index 8ab7077..5d47851 100644 --- a/.github/workflows/build-lint-test.yml +++ b/.github/workflows/build-lint-test.yml @@ -25,11 +25,11 @@ jobs: contents: read runs-on: ubuntu-latest steps: + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Checkout and setup environment uses: MetaMask/action-checkout-and-setup@89c66bb715514a0abd2e6bbfb3cae312b0100913 # v3.2.0 with: is-high-risk-environment: false - cache-node-modules: true - run: yarn lint - name: Validate RC changelog if: ${{ startsWith(github.head_ref, 'release/') }} diff --git a/packages/language-detector/action.yml b/packages/language-detector/action.yml index 019e987..18006fb 100644 
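Review bot: The new `- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3` step in the lint job of build-lint-test.yml sets no `persist-credentials: false`, unlike the checkouts hardened in the earlier permissions patch, so the default token remains in `.git/config` while `yarn lint` and the following steps run. It is also placed immediately before `MetaMask/action-checkout-and-setup`, which judging by its name performs its own checkout, so the extra step looks redundant unless that composite action requires a pre-existing checkout (its definition is not visible here). The hunk additionally drops `cache-node-modules: true`, which the commit message does not mention; please confirm that is intentional. If the step is kept, add `with:` and `persist-credentials: false` under it.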
--- a/packages/language-detector/action.yml +++ b/packages/language-detector/action.yml @@ -39,7 +39,7 @@ runs: - name: Setup Node.js uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: - node-version: '20' + node-version: '24' - name: Enable Corepack run: corepack enable From a41e04c5d1898ebe7451cbc07e9101938e8c29a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82?= Date: Tue, 9 Jun 2026 12:55:32 +0100 Subject: [PATCH 7/7] Enhance onboarding workflow with error handling and permission updates - Added 'permission-metadata: read' to the onboarding workflow for improved access control. - Implemented error handling for the GitHub API call when detecting the default branch, providing clearer feedback in case of failure. --- .github/workflows/onboard-new-repo.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/onboard-new-repo.yml b/.github/workflows/onboard-new-repo.yml index f73bb78..4ca3aac 100644 --- a/.github/workflows/onboard-new-repo.yml +++ b/.github/workflows/onboard-new-repo.yml @@ -81,6 +81,7 @@ jobs: private-key: ${{ secrets.ONBOARDING_APP_PRIVATE_KEY }} owner: ${{ steps.target.outputs.organization }} repositories: ${{ steps.target.outputs.repo_name }} + permission-metadata: read permission-contents: write permission-pull-requests: write @@ -88,7 +89,10 @@ jobs: id: detect_branch run: | echo "Detecting default branch for $REPO..." - BASE_BRANCH=$(gh api "repos/$REPO" --jq '.default_branch' 2>/dev/null) || BASE_BRANCH="" + if ! BASE_BRANCH=$(gh api "repos/$REPO" --jq '.default_branch' 2>&1); then + echo "::error::GitHub API call failed while detecting default branch for $REPO: $BASE_BRANCH" + exit 1 + fi if [ -z "$BASE_BRANCH" ] || [ "$BASE_BRANCH" = "null" ]; then echo "Repository is empty or default branch not found. Defaulting to 'main'"