diff --git a/.github/actions/cache/action.yml b/.github/actions/cache/action.yml index 8a5c53a139..f48269e0d9 100644 --- a/.github/actions/cache/action.yml +++ b/.github/actions/cache/action.yml @@ -3,18 +3,22 @@ description: "This action caches neovim dependencies" runs: using: "composite" steps: - - run: echo "CACHE_KEY=${{ github.workflow }}" >> $GITHUB_ENV + - run: echo "CACHE_KEY=${GITHUB_WORKFLOW}" >> $GITHUB_ENV # zizmor: ignore[github-env] shell: bash - - run: echo "CACHE_KEY=${{ github.job }}" >> $GITHUB_ENV + - run: echo "CACHE_KEY=${GITHUB_JOB}" >> $GITHUB_ENV # zizmor: ignore[github-env] shell: bash - if: ${{ matrix }} - run: echo "CACHE_KEY=$CACHE_KEY-${{ join(matrix.*, '-') }}" >> $GITHUB_ENV + env: + MATRIX_JOIN: ${{ join(matrix.*, '-') }} + run: echo "CACHE_KEY=${CACHE_KEY}-${MATRIX_JOIN}" >> $GITHUB_ENV # zizmor: ignore[github-env] shell: bash - if: ${{ matrix.build }} - run: echo "CACHE_KEY=$CACHE_KEY-${{ join(matrix.build.*, '-') }}" >> $GITHUB_ENV + env: + MATRIX_JOIN: ${{ join(matrix.build.*, '-') }} + run: echo "CACHE_KEY=${CACHE_KEY}-${MATRIX_JOIN}" >> $GITHUB_ENV # zizmor: ignore[github-env] shell: bash - id: image diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml index dfa3101abc..a3ad2e98c5 100644 --- a/.github/actions/setup/action.yml +++ b/.github/actions/setup/action.yml @@ -10,7 +10,7 @@ runs: steps: - name: Set $BIN_DIR shell: bash - run: echo "$BIN_DIR" >> $GITHUB_PATH + run: echo "$BIN_DIR" >> $GITHUB_PATH # zizmor: ignore[github-env] - if: ${{ runner.os != 'Windows' }} name: Set ulimit @@ -22,7 +22,9 @@ runs: shell: pwsh - name: Install dependencies - run: ./.github/scripts/install_deps.sh ${{ inputs.install_flags }} + env: + INSTALL_FLAGS: ${{ inputs.install_flags }} + run: ./.github/scripts/install_deps.sh ${INSTALL_FLAGS} shell: bash - name: Cache diff --git a/.github/dependabot.yml b/.github/dependabot.yml index e96fd5286f..70f4a2749a 100644 --- a/.github/dependabot.yml 
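Review bot: The four `# zizmor: ignore[github-env]` suppressions in the cache action are justified only because `GITHUB_WORKFLOW`, `GITHUB_JOB` and the `join(matrix.*, '-')` values come from the workflow definition rather than from event data, and that reasoning is recorded nowhere, so a later edit that appends something PR-controlled to `CACHE_KEY` would inherit the ignore silently. I would put one comment above the first step: `# Everything written to GITHUB_ENV here comes from the workflow/matrix definition, never from event data; keep it that way or remove the zizmor ignores.` Separately, the first step's `CACHE_KEY=${GITHUB_WORKFLOW}` is overwritten by the second step's `CACHE_KEY=${GITHUB_JOB}` before anything reads it; that predates this commit, but if the workflow name is meant to be part of the key the second line should be `echo "CACHE_KEY=${CACHE_KEY}-${GITHUB_JOB}" >> $GITHUB_ENV`, and if not the first step can be dropped.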
+++ b/.github/dependabot.yml @@ -6,3 +6,5 @@ updates: interval: "daily" commit-message: prefix: "ci" + cooldown: + default-days: 7 diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index f29f0bad8d..31708b84fe 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -2,6 +2,9 @@ name: backport on: pull_request_target: types: [closed, labeled] + +permissions: {} + jobs: backport: permissions: @@ -12,6 +15,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - uses: actions/create-github-app-token@v2 id: app-token @@ -21,7 +26,7 @@ jobs: - name: Create backport PR id: backport - uses: korthout/backport-action@v4 + uses: korthout/backport-action@4aaf0e03a94ff0a619c9a511b61aeb42adea5b02 # v4.2.0 with: pull_title: "${pull_title}" label_pattern: "^ci:backport ([^ ]+)$" @@ -43,4 +48,6 @@ jobs: if: ${{ steps.backport.outputs.was_successful == 'true' }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: gh pr merge --rebase --auto ${{ steps.backport.outputs.created_pull_numbers }} + CREATED_PULL_NUMBERS: ${{ steps.backport.outputs.created_pull_numbers }} + run: | + gh pr merge --rebase --auto "${CREATED_PULL_NUMBERS}" diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 52a45f1ae7..978517dba0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -12,6 +12,9 @@ on: - '.github/**' workflow_dispatch: +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ github.event_name == 'pull_request' }} @@ -30,6 +33,9 @@ jobs: CMAKE_VERSION: '3.16.0' steps: - uses: actions/checkout@v6 + with: + persist-credentials: false + - uses: ./.github/actions/setup - name: Install minimum required version of cmake 
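Review bot: Quoting `"${CREATED_PULL_NUMBERS}"` in the final `gh pr merge` step of backport.yml turns a value that used to be word-split into a single argument; the output's plural name suggests it can hold several space-separated PR numbers when a PR carries more than one `ci:backport` label, and `gh pr merge "12 34"` would then fail instead of merging both. The original unquoted expression relied on word splitting for exactly that, so this is a behavior change hidden inside a hardening commit. Either make the split explicit, `read -ra nums <<< "${CREATED_PULL_NUMBERS}"` followed by `for n in "${nums[@]}"; do gh pr merge --rebase --auto "$n"; done`, or, if the action documents the output as a single number, say so in a comment on the step.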
@@ -59,6 +65,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 + with: + persist-credentials: false + - uses: ./.github/actions/setup - name: Build bundled dependencies diff --git a/.github/workflows/build_dummy.yml b/.github/workflows/build_dummy.yml index 141bdfaeda..c29a3a7800 100644 --- a/.github/workflows/build_dummy.yml +++ b/.github/workflows/build_dummy.yml @@ -14,6 +14,8 @@ on: - 'cmake.*/**' - '.github/**' +permissions: {} + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ github.event_name == 'pull_request' }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index fcd8ef7736..edd0d1ba63 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -12,6 +12,8 @@ on: branches: [ "master" ] workflow_dispatch: +permissions: {} + jobs: analyze: name: Analyze @@ -23,6 +25,9 @@ jobs: steps: - uses: actions/checkout@v6 + with: + persist-credentials: false + - uses: ./.github/actions/setup - name: Initialize CodeQL diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index 10a934a5d6..67c6dbc822 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml @@ -4,11 +4,17 @@ on: - cron: '10 0 * * *' # Run every day at 00:10 workflow_dispatch: +permissions: + contents: read + jobs: scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 + with: + persist-credentials: false + - uses: ./.github/actions/setup - name: Download Coverity diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 46bc0293e9..40787a1b8f 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -2,6 +2,9 @@ name: docs on: pull_request: types: [opened, synchronize, reopened, ready_for_review] + +permissions: {} + jobs: docs: runs-on: ubuntu-latest 
@@ -11,6 +14,8 @@ jobs: pull-requests: write steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - uses: ./.github/actions/setup - name: Generate docs diff --git a/.github/workflows/labeler_issue.yml b/.github/workflows/labeler_issue.yml index 1c4d3b9402..75c7c1f2e9 100644 --- a/.github/workflows/labeler_issue.yml +++ b/.github/workflows/labeler_issue.yml @@ -2,6 +2,9 @@ name: "labeler: issue" on: issues: types: [opened] + +permissions: {} + jobs: labeler: permissions: diff --git a/.github/workflows/labeler_pr.yml b/.github/workflows/labeler_pr.yml index f476b2fda8..ed9321a897 100644 --- a/.github/workflows/labeler_pr.yml +++ b/.github/workflows/labeler_pr.yml @@ -2,6 +2,9 @@ name: "labeler: PR" on: pull_request_target: types: [opened] + +permissions: {} + jobs: changed-files: runs-on: ubuntu-latest @@ -10,6 +13,9 @@ jobs: pull-requests: write steps: - uses: actions/checkout@v6 + with: + persist-credentials: false + - uses: actions/labeler@v6 with: configuration-path: .github/scripts/labeler_configuration.yml diff --git a/.github/workflows/lintcommit.yml b/.github/workflows/lintcommit.yml index 560c980dd6..1bcb2becb9 100644 --- a/.github/workflows/lintcommit.yml +++ b/.github/workflows/lintcommit.yml @@ -4,6 +4,10 @@ on: types: [opened, synchronize, reopened, ready_for_review] branches: - 'master' + +permissions: + contents: read + jobs: lint-commits: runs-on: ubuntu-latest @@ -13,6 +17,7 @@ jobs: with: fetch-depth: 0 ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - uses: ./.github/actions/setup diff --git a/.github/workflows/lintcommit_dummy.yml b/.github/workflows/lintcommit_dummy.yml index e4a0c4af2d..fde80474b7 100644 --- a/.github/workflows/lintcommit_dummy.yml +++ b/.github/workflows/lintcommit_dummy.yml @@ -8,6 +8,9 @@ on: types: [opened, synchronize, reopened, ready_for_review] branches: - 'release-[0-9]+.[0-9]+' + +permissions: {} + jobs: lint-commits: runs-on: ubuntu-latest 
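Review bot: The `actions/checkout@v6` step in labeler_pr.yml's `pull_request_target` job is safe only because it checks out the default `GITHUB_SHA`, which for that trigger is the base branch, so the `configuration-path` the labeler reads comes from the trusted tree and not from the fork; nothing in the file states this, and it is precisely the workflow the new zizmor config exempts from `dangerous-triggers`. I would pin the invariant in a comment on the checkout step: `# pull_request_target: the default ref is the base branch, so the labeler config read below is trusted. Do not add ref: <pull_request.head.sha> here.` With `persist-credentials: false` the labeler presumably still authenticates through its own token input default, so the change looks compatible as far as this hunk shows.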
diff --git a/.github/workflows/lintdocurls.yml b/.github/workflows/lintdocurls.yml index 0fbe4d36f2..424429933e 100644 --- a/.github/workflows/lintdocurls.yml +++ b/.github/workflows/lintdocurls.yml @@ -4,6 +4,8 @@ on: - cron: '22 22 * * 5' workflow_dispatch: +permissions: {} + jobs: check-unreachable-urls: runs-on: ubuntu-latest @@ -15,6 +17,7 @@ jobs: - uses: actions/checkout@v6 with: fetch-depth: 0 + persist-credentials: false - name: Set up git config run: | diff --git a/.github/workflows/news.yml b/.github/workflows/news.yml index 84e6c36b02..f14be08651 100644 --- a/.github/workflows/news.yml +++ b/.github/workflows/news.yml @@ -4,6 +4,10 @@ on: types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled] branches: - 'master' + +permissions: + contents: read + jobs: check: runs-on: ubuntu-latest @@ -13,14 +17,17 @@ jobs: with: fetch-depth: 0 ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: news.txt needs to be updated + env: + PULL_REQUEST_COMMITS: ${{ github.event.pull_request.commits }} run: | - for commit in $(git rev-list HEAD~${{ github.event.pull_request.commits }}..HEAD); do + for commit in $(git rev-list "HEAD~${PULL_REQUEST_COMMITS}..HEAD"); do message=$(git log -n1 --pretty=format:%s $commit) type="$(echo "$message" | sed -E 's|([[:alpha:]]+)(\(.*\))?!?:.*|\1|')" breaking="$(echo "$message" | sed -E 's|[[:alpha:]]+(\(.*\))?!:.*|breaking-change|')" if [[ "$type" == "feat" ]] || [[ "$type" == "perf" ]] || [[ "$breaking" == "breaking-change" ]]; then - ! git diff HEAD~${{ github.event.pull_request.commits }}..HEAD --quiet runtime/doc/news.txt runtime/doc/deprecated.txt || + ! git diff "HEAD~${PULL_REQUEST_COMMITS}..HEAD" --quiet runtime/doc/news.txt runtime/doc/deprecated.txt || { echo " Pull request includes a new feature, performance improvement diff --git a/.github/workflows/optional.yml b/.github/workflows/optional.yml index 540daccc56..acaf3644c7 100644 --- a/.github/workflows/optional.yml 
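Review bot: `persist-credentials: false` on the lintdocurls.yml checkout removes the token that a later `git push` would otherwise pick up from the checkout's credential configuration, and the step that follows, `Set up git config`, suggests this job commits and pushes (the remainder of the job is outside the hunk). If it does, the push now needs an explicit credential, for example `GH_TOKEN` on the step plus `gh auth setup-git`, or a push URL built from the token; otherwise this will fail at runtime rather than in review. Worth confirming against the rest of the job, and the same check applies to `vim_patches.yml`, which receives the same change to both of its checkouts.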
+++ b/.github/workflows/optional.yml @@ -4,6 +4,9 @@ on: types: [labeled, opened, synchronize, reopened] workflow_dispatch: +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ github.event_name == 'pull_request' }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fca0eb87a7..4e8af28707 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -12,6 +12,9 @@ on: tags: - v[0-9]+.[0-9]+.[0-9]+ +permissions: + contents: read + # Build on the oldest supported images, so we have broader compatibility jobs: setup: @@ -59,12 +62,20 @@ jobs: with: # Perform a full checkout #13471 fetch-depth: 0 + persist-credentials: false - run: ./.github/scripts/install_deps.sh - run: sudo apt-get install -y libfuse2 - - run: echo "CMAKE_BUILD_TYPE=${{ needs.setup.outputs.build_type }}" >> $GITHUB_ENV + + - run: echo "CMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}" >> $GITHUB_ENV + env: + CMAKE_BUILD_TYPE: ${{ needs.setup.outputs.build_type }} + - name: appimage + env: + APPIMAGE_TAG: ${{ needs.setup.outputs.appimage_tag }} run: | - ./scripts/genappimage.sh ${{ needs.setup.outputs.appimage_tag }} + ./scripts/genappimage.sh "${APPIMAGE_TAG}" + - name: tar.gz run: cpack --config build/CPackConfig.cmake -G TGZ - uses: actions/upload-artifact@v7 
@@ -99,25 +110,27 @@ jobs: arch: arm64 runs-on: ${{ matrix.runner }} env: + CMAKE_BUILD_TYPE: ${{ needs.setup.outputs.build_type }} MACOSX_DEPLOYMENT_TARGET: 11.0 steps: - uses: actions/checkout@v6 with: # Perform a full checkout #13471 fetch-depth: 0 + persist-credentials: false - name: Install dependencies run: ./.github/scripts/install_deps.sh - name: Build deps run: | cmake -S cmake.deps -B .deps -G Ninja \ - -D CMAKE_BUILD_TYPE=${{ needs.setup.outputs.build_type }} \ + -D CMAKE_BUILD_TYPE="${CMAKE_BUILD_TYPE}" \ -D CMAKE_FIND_FRAMEWORK=NEVER cmake --build .deps - name: Build neovim run: | cmake -B build -G Ninja \ - -D CMAKE_BUILD_TYPE=${{ needs.setup.outputs.build_type }} \ + -D CMAKE_BUILD_TYPE="${CMAKE_BUILD_TYPE}" \ -D ENABLE_LIBINTL=OFF \ -D CMAKE_FIND_FRAMEWORK=NEVER cmake --build build @@ -142,11 +155,14 @@ jobs: arch: arm64 archive_name: nvim-win-arm64 runs-on: ${{ matrix.runner }} + env: + CMAKE_BUILD_TYPE: ${{ needs.setup.outputs.build_type }} steps: - uses: actions/checkout@v6 with: # Perform a full checkout #13471 fetch-depth: 0 + persist-credentials: false - run: .github/scripts/env.ps1 env: BUILD_ARCH: ${{ matrix.arch }} @@ -156,12 +172,14 @@ jobs: Expand-Archive -Path "wix314-binaries.zip" -DestinationPath "C:/wix" echo "C:\wix" >> $env:GITHUB_PATH - name: Build deps + shell: pwsh run: | - cmake -S cmake.deps -B .deps -G Ninja -DCMAKE_BUILD_TYPE=${{ needs.setup.outputs.build_type }} + cmake -S cmake.deps -B .deps -G Ninja -DCMAKE_BUILD_TYPE="${env:CMAKE_BUILD_TYPE}" cmake --build .deps - name: Build package + shell: pwsh run: | - cmake -B build -G Ninja -DCMAKE_BUILD_TYPE=${{ needs.setup.outputs.build_type }} + cmake -B build -G Ninja -DCMAKE_BUILD_TYPE="${env:CMAKE_BUILD_TYPE}" cmake --build build --target package - name: Upload artifact uses: actions/upload-artifact@v7 
@@ -184,6 +202,8 @@ jobs: # Must perform checkout first, since it deletes the target directory # before running, and would therefore delete the downloaded artifacts - uses: actions/checkout@v6 + with: + persist-credentials: false - uses: actions/download-artifact@v8 @@ -191,25 +211,31 @@ jobs: run: sudo apt-get update && sudo apt-get install -y gettext-base - if: github.event_name == 'workflow_dispatch' - run: echo "TAG_NAME=${{ github.event.inputs.tag_name }}" >> $GITHUB_ENV + env: + TAG_NAME: ${{ github.event.inputs.tag_name }} + run: echo "TAG_NAME=${TAG_NAME}" >> $GITHUB_ENV + - if: github.event_name == 'schedule' run: echo 'TAG_NAME=nightly' >> $GITHUB_ENV + - if: github.event_name == 'push' run: | - TAG_NAME=${{ github.ref }} - echo "TAG_NAME=${TAG_NAME#refs/tags/}" >> $GITHUB_ENV + echo "TAG_NAME=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV + - if: env.TAG_NAME == 'nightly' run: | (echo 'SUBJECT=Nvim development (prerelease) build'; echo 'PRERELEASE=--prerelease') >> $GITHUB_ENV gh release delete nightly --yes || true git push origin :nightly || true + - if: env.TAG_NAME != 'nightly' run: | (echo 'SUBJECT=Nvim release build'; echo 'PRERELEASE=') >> $GITHUB_ENV gh release delete stable --yes || true git push origin :stable || true + - name: Publish release env: NVIM_VERSION: ${{ needs.linux.outputs.version }} diff --git a/.github/workflows/response.yml b/.github/workflows/response.yml index ad17381fd6..b104334bb4 100644 --- a/.github/workflows/response.yml +++ b/.github/workflows/response.yml @@ -5,6 +5,8 @@ on: workflow_dispatch: issue_comment: +permissions: {} + jobs: close: if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' @@ -14,6 +16,9 @@ jobs: pull-requests: write steps: - uses: actions/checkout@v6 + with: + persist-credentials: false + - uses: actions/github-script@v8 with: script: | 
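Review bot: With `persist-credentials: false` now set on the publish job's checkout in the preceding hunk, the unchanged `git push origin :nightly || true` and `git push origin :stable || true` lines in this hunk no longer have a credential to authenticate with unless a step outside the hunk configures one; `gh release delete` keeps working because it authenticates from the token in the environment, but plain `git push` does not. Because both pushes end in `|| true`, the failure will be swallowed and the stale `nightly`/`stable` tags will silently stop being deleted, which is exactly the kind of regression a hardening commit should not introduce. The simplest fix is to let gh remove the tag, `gh release delete nightly --yes --cleanup-tag || true`, or to run `gh auth setup-git` before the pushes so git reuses the same token; in either case I would drop `|| true` from the tag deletion so a permissions problem is visible in the run.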
@@ -28,6 +33,9 @@ jobs: pull-requests: write steps: - uses: actions/checkout@v6 + with: + persist-credentials: false + - uses: actions/github-script@v8 with: script: | diff --git a/.github/workflows/reviewers_add.yml b/.github/workflows/reviewers_add.yml index 06292fb759..5f07f4994e 100644 --- a/.github/workflows/reviewers_add.yml +++ b/.github/workflows/reviewers_add.yml @@ -3,6 +3,9 @@ on: pull_request_target: types: [labeled, ready_for_review, reopened] workflow_call: + +permissions: {} + jobs: request-reviewer: if: github.event.pull_request.state == 'open' && github.event.pull_request.draft == false && !endsWith(github.actor, '[bot]') @@ -11,6 +14,9 @@ jobs: pull-requests: write steps: - uses: actions/checkout@v6 + with: + persist-credentials: false + - name: 'Request reviewers' uses: actions/github-script@v8 with: diff --git a/.github/workflows/reviewers_remove.yml b/.github/workflows/reviewers_remove.yml index b4b523bd4d..98a207264e 100644 --- a/.github/workflows/reviewers_remove.yml +++ b/.github/workflows/reviewers_remove.yml @@ -2,6 +2,9 @@ name: "reviewers: remove" on: pull_request_target: types: [converted_to_draft, closed] + +permissions: {} + jobs: remove-reviewers: runs-on: ubuntu-latest @@ -9,6 +12,9 @@ jobs: pull-requests: write steps: - uses: actions/checkout@v6 + with: + persist-credentials: false + - name: 'Remove reviewers' uses: actions/github-script@v8 with: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 68a2344bc7..9402bfa252 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -10,6 +10,9 @@ on: - 'release-[0-9]+.[0-9]+' workflow_dispatch: +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ github.event_name == 'pull_request' }} @@ -34,6 +37,9 @@ jobs: CC: clang steps: - uses: actions/checkout@v6 + with: + persist-credentials: false + - uses: ./.github/actions/setup - name: Install stylua 
@@ -56,7 +62,9 @@ jobs: - if: "!cancelled()" name: Determine if run should be aborted id: abort_job - run: echo "status=${{ job.status }}" >> $GITHUB_OUTPUT + env: + JOB_STATUS: ${{ job.status }} + run: echo "status=${JOB_STATUS}" >> $GITHUB_OUTPUT - if: success() || failure() && steps.abort_job.outputs.status == 'success' name: stylua @@ -97,6 +105,9 @@ jobs: CC: clang steps: - uses: actions/checkout@v6 + with: + persist-credentials: false + - uses: ./.github/actions/setup - name: Build third-party deps run: | @@ -142,6 +153,9 @@ jobs: NVIM_TEST_INTEG: ${{ matrix.build.flavor == 'release' && '1' || '0' }} steps: - uses: actions/checkout@v6 + with: + persist-credentials: false + - uses: ./.github/actions/setup with: install_flags: "--test" @@ -163,13 +177,17 @@ jobs: run: cmake -E rm -rf -- .git - name: Build third-party deps + env: + BUILD_DEPS_FLAGS: ${{ matrix.build.deps_flags }} run: | - cmake -S cmake.deps --preset ci -D CMAKE_BUILD_TYPE=Debug ${{ matrix.build.deps_flags }} + cmake -S cmake.deps --preset ci -D CMAKE_BUILD_TYPE=Debug $BUILD_DEPS_FLAGS cmake --build .deps - name: Build + env: + BUILD_FLAGS: ${{ matrix.build.flags }} run: | - cmake --preset ci -D CMAKE_BUILD_TYPE=Debug -D CMAKE_INSTALL_PREFIX:PATH=$INSTALL_PREFIX ${{ matrix.build.flags }} + cmake --preset ci -D CMAKE_BUILD_TYPE=Debug -D CMAKE_INSTALL_PREFIX:PATH=$INSTALL_PREFIX $BUILD_FLAGS cmake --build build - if: ${{ matrix.test == 'unittest' }} @@ -236,7 +254,10 @@ jobs: OPTS: -Doptimize=ReleaseSafe steps: - uses: actions/checkout@v6 - - uses: mlugg/setup-zig@v2 + with: + persist-credentials: false + + - uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2.2.1 with: version: 0.15.2 - run: sudo apt-get install -y inotify-tools 
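Review bot: In the `Build third-party deps` and `Build` steps of test.yml, `$BUILD_DEPS_FLAGS` and `$BUILD_FLAGS` are the only expansions in this commit left unquoted, and that is deliberate, since a multi-flag matrix value such as `-D A=ON -D B=OFF` must word-split into separate cmake arguments; nothing says so, and the next reader will reasonably quote them to match the rest of the file and break the build. I would mark the intent on the `env:` block of each step: `# BUILD_FLAGS is expanded unquoted on purpose: it may carry several cmake arguments.` A side effect worth knowing is that a flag value containing spaces cannot be passed this way, which is the same limitation the original `${{ matrix.build.flags }}` substitution had.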
@@ -256,7 +277,10 @@ jobs: name: build using zig build (macos 15) steps: - uses: actions/checkout@v6 - - uses: mlugg/setup-zig@v2 + with: + persist-credentials: false + + - uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2.2.1 with: version: 0.15.2 @@ -270,7 +294,10 @@ jobs: name: build using zig build (windows) steps: - uses: actions/checkout@v6 - - uses: mlugg/setup-zig@v2 + with: + persist-credentials: false + + - uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2.2.1 with: version: 0.15.2 @@ -290,6 +317,9 @@ jobs: CC: gcc steps: - uses: actions/checkout@v6 + with: + persist-credentials: false + - uses: ./.github/actions/setup - name: Install dependencies diff --git a/.github/workflows/test_windows.yml b/.github/workflows/test_windows.yml index b23d9bed07..aac8480e78 100644 --- a/.github/workflows/test_windows.yml +++ b/.github/workflows/test_windows.yml @@ -9,6 +9,9 @@ on: type: number workflow_dispatch: +permissions: + contents: read + jobs: windows: runs-on: windows-2025 @@ -19,6 +22,9 @@ jobs: test: [functional, old] steps: - uses: actions/checkout@v6 + with: + persist-credentials: false + - uses: ./.github/actions/setup - name: Build deps @@ -27,8 +33,10 @@ jobs: cmake --build .deps - name: Build + env: + BUILD_FLAGS: ${{ inputs.build_flags }} run: | - cmake --preset ci -D CMAKE_BUILD_TYPE='RelWithDebInfo' ${{ inputs.build_flags }} + cmake --preset ci -D CMAKE_BUILD_TYPE='RelWithDebInfo' $env:BUILD_FLAGS cmake --build build - name: Install test deps @@ -66,7 +74,7 @@ jobs: exit $exitCode - if: ${{ matrix.test == 'old' }} - uses: msys2/setup-msys2@v2 + uses: msys2/setup-msys2@4f806de0a5a7294ffabaff804b38a9b435a73bda # v2.30.0 with: update: true install: unzip diff --git a/.github/workflows/vim_patches.yml b/.github/workflows/vim_patches.yml index c2e2cac188..73c2c97fac 100644 --- a/.github/workflows/vim_patches.yml +++ b/.github/workflows/vim_patches.yml 
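Review bot: In test_windows.yml's `Build` step, `$env:BUILD_FLAGS` reaches cmake as a single PowerShell argument, because PowerShell does not word-split variables when invoking native commands; the old `${{ inputs.build_flags }}` was substituted into the script text and was therefore split by the parser. If `build_flags` ever holds more than one token, for example `-D A=ON -D B=OFF`, cmake now receives one malformed argument, so this hardening change alters behavior on Windows while the bash equivalents in test.yml keep splitting. If multiple tokens are possible, split explicitly, `$flags = $env:BUILD_FLAGS -split '\s+' | Where-Object { $_ }` and then `cmake --preset ci -D CMAKE_BUILD_TYPE='RelWithDebInfo' @flags`; if the input is always a single token or empty, a comment stating that would stop the next reader from reintroducing the expression.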
@@ -4,6 +4,8 @@ on: - cron: '3 3 * * *' workflow_dispatch: +permissions: {} + jobs: update-vim-patches: runs-on: ubuntu-latest @@ -18,12 +20,14 @@ jobs: - uses: actions/checkout@v6 with: fetch-depth: 0 + persist-credentials: false - uses: actions/checkout@v6 with: repository: vim/vim path: ${{ env.VIM_SOURCE_DIR }} fetch-depth: 0 + persist-credentials: false - run: sudo apt-get install libfuse2 diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000000..2976bbe3fa --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,15 @@ +rules: + cache-poisoning: + ignore: + - test.yml + dangerous-triggers: + ignore: + - backport.yml + - labeler_pr.yml + - reviewers_add.yml + - reviewers_remove.yml + unpinned-uses: + config: + policies: + actions/*: ref-pin + github/*: ref-pin
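Review bot: The `dangerous-triggers` and `cache-poisoning` ignores in the new zizmor.yml are file-wide and carry no rationale, so every step later added to `backport.yml`, `labeler_pr.yml`, `reviewers_add.yml` or `reviewers_remove.yml` is exempt from the `pull_request_target` check automatically, which is the most consequential suppression in the file. I would record why each entry is acceptable next to it, e.g. `- labeler_pr.yml  # pull_request_target: checks out the base ref, only runs actions/labeler`, and add a note on `unpinned-uses` that `actions/*` and `github/*` are allowed at a tag rather than a SHA because they are GitHub-owned. The commit already uses inline `# zizmor: ignore[github-env]` annotations in the composite actions; if zizmor accepts the same annotation on the `pull_request_target:` trigger line, that scopes the exemption to the trigger instead of the whole workflow and should be preferred over the file-wide ignore list.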