diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index 48e2d9b0f..dd44f8e94 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -21,6 +21,7 @@ jobs: (github.event_name == 'issues' && contains(github.event.issue.body, '@claude')) ) runs-on: ubuntu-latest + timeout-minutes: "60" permissions: contents: write pull-requests: write
@@ -31,6 +32,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 1 + persist-credentials: false - name: Setup pnpm uses: ./.github/actions/pnpm-setup
diff --git a/.github/workflows/database-ci.yml b/.github/workflows/database-ci.yml
index f37b598ef..be4ab5f5b 100644
--- a/.github/workflows/database-ci.yml
+++ b/.github/workflows/database-ci.yml
@@ -17,8 +17,12 @@ jobs: name: PGTap Tests timeout-minutes: 10 runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - uses: supabase/setup-cli@d347ba47d3fb7eeeddbbc793bc8d4779caf773ea # v1.5.0 with: version: latest
diff --git a/.github/workflows/discussion-comment-to-slack.yml b/.github/workflows/discussion-comment-to-slack.yml
index 3a93defbc..a1fa62b8e 100644
--- a/.github/workflows/discussion-comment-to-slack.yml
+++ b/.github/workflows/discussion-comment-to-slack.yml
@@ -5,6 +5,8 @@ on: jobs: discussion_commented: if: github.event.discussion && github.event.comment + permissions: + contents: read uses: route06/actions/.github/workflows/gh_discussion_comment_to_slack.yml@155715656c4cd9079f1213d08d058e78dd00cae7 # v2.6.0 secrets: slack-webhook-url: ${{ secrets.SLACK_GHD_WEBHOOK_URL }}
diff --git a/.github/workflows/e2e_tests.yml b/.github/workflows/e2e_tests.yml
index 9a2246eec..7b68704a4 100644
--- a/.github/workflows/e2e_tests.yml
+++ b/.github/workflows/e2e_tests.yml
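Review bot: `timeout-minutes: "60"` is quoted, so it is a YAML string rather than the number the `timeout-minutes` field takes, and it is inconsistent with the unquoted `timeout-minutes: 10` that the other hunks of this commit add; write `timeout-minutes: 60`. Whether GitHub's workflow parser coerces the string or rejects the workflow, the unquoted form is the one the schema documents and the one the rest of the diff uses. The enclosing job definition starts outside this hunk.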
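Review bot: With `persist-credentials: false` now set on this checkout, any later step of this job that pushes or opens a pull request through the token checkout used to leave in `.git/config` would fail, which matters here because the job keeps `contents: write` and `pull-requests: write`; confirm that those steps (outside this hunk) receive a token explicitly, for example via a `token:`/`github_token:` input or a `GITHUB_TOKEN` env entry. If no step in this job performs a git push with the checkout credentials, the change is fine as written. The job body continues past the end of the hunk.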
@@ -26,6 +26,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.deployment.sha }} + persist-credentials: false - name: Check deployment conditions id: check
diff --git a/.github/workflows/figma-to-css-variables.yml b/.github/workflows/figma-to-css-variables.yml
index 6d2cf8914..f038a9531 100644
--- a/.github/workflows/figma-to-css-variables.yml
+++ b/.github/workflows/figma-to-css-variables.yml
@@ -18,6 +18,8 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - uses: ./.github/actions/pnpm-setup - run: pnpm --filter @liam-hq/figma-to-css-variables sync --output '../../apps/service-site/src/styles' --filter-modes "Dark,Mode 1" env:
diff --git a/.github/workflows/frontend-ci.yml b/.github/workflows/frontend-ci.yml
index 03d0251e0..ea5a62e9d 100644
--- a/.github/workflows/frontend-ci.yml
+++ b/.github/workflows/frontend-ci.yml
@@ -19,6 +19,8 @@ jobs: has-changes: ${{ steps.changes.outputs.has-changes }} steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: changes with:
@@ -39,9 +41,13 @@ jobs: if: ${{ needs.setup-job.outputs.has-changes == 'true' }} runs-on: ubuntu-latest timeout-minutes: 15 + permissions: + contents: read steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - uses: ./.github/actions/pnpm-setup - run: pnpm lint
@@ -50,9 +56,13 @@ jobs: if: ${{ needs.setup-job.outputs.has-changes == 'true' }} runs-on: ubuntu-latest timeout-minutes: 15 + permissions: + contents: read steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - uses: ./.github/actions/pnpm-setup - run: pnpm --filter @liam-hq/db supabase:start - run: cp .env.template .env
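Review bot: The first frontend-ci hunk (the setup-job around `has-changes:`) adds `persist-credentials: false` but not the job-level `permissions:` block that the lint and test hunks directly below it add, so unless a workflow-level `permissions:` exists outside this diff the setup-job still runs with the default token scope. Because `dorny/paths-filter` reads the changed-file list through the pull request API on pull_request events, the minimal block under that job would, as far as I recall from the action's documentation, be `permissions:` / `contents: read` / `pull-requests: read`. The setup-job header is outside the hunk, so I cannot see whether it already carries one.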
diff --git a/.github/workflows/ghalint.yml b/.github/workflows/ghalint.yml
index 881ded6cf..22abd2dce 100644
--- a/.github/workflows/ghalint.yml
+++ b/.github/workflows/ghalint.yml
@@ -64,19 +64,4 @@ jobs: fi - name: Run ghalint - run: | - # Run ghalint and filter for only action_ref_should_be_full_length_commit_sha policy - set +e # Don't exit on error immediately - - # Run ghalint and capture output - ghalint run 2>&1 | tee ghalint_output.txt - - # Check for action_ref_should_be_full_length_commit_sha errors - echo "=== Checking for action_ref_should_be_full_length_commit_sha violations ===" - if grep "action_ref_should_be_full_length_commit_sha" ghalint_output.txt; then - echo "❌ Found action_ref_should_be_full_length_commit_sha violations!" - exit 1 - else - echo "✅ No action_ref_should_be_full_length_commit_sha violations found" - exit 0 - fi + run: ghalint run
diff --git a/.github/workflows/license-report-update.yml b/.github/workflows/license-report-update.yml
index d7a53b9a9..919a17816 100644
--- a/.github/workflows/license-report-update.yml
+++ b/.github/workflows/license-report-update.yml
@@ -28,10 +28,13 @@ jobs: with: app-id: ${{ vars.LICENSE_CI_TRIGGER_APP_ID }} private-key: ${{ secrets.LICENSE_CI_TRIGGER_APP_PRIVATE_KEY }} + permission-contents: write + permission-pull-requests: write - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: token: ${{ steps.app-token.outputs.token }} + persist-credentials: false - uses: ./.github/actions/pnpm-setup - name: Install License Finder run: sudo gem install -N license_finder
diff --git a/.github/workflows/license.yml b/.github/workflows/license.yml
index 10995d39d..e3d707b75 100644
--- a/.github/workflows/license.yml
+++ b/.github/workflows/license.yml
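Review bot: In the license-report-update hunk, `persist-credentials: false` on a checkout that passes `token: ${{ steps.app-token.outputs.token }}` means the app token is used for the clone only and is no longer left in `.git/config`, so every later step that commits or pushes the report and opens the PR (outside this hunk) must now receive the token explicitly; confirm they do. The two new `permission-*` inputs also deserve a why-comment above them, e.g. `# Scoped app token: push the report branch and open/update its pull request`, so the next reader knows the scopes are intentional rather than copied. The same two points apply to the release.yml hunk, where `permission-actions: write` in particular needs a one-line justification since neither a checkout nor a changesets publish obviously requires it.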
@@ -14,9 +14,13 @@ jobs: concurrency: group: ${{ github.workflow }}-${{ github.ref }} timeout-minutes: 10 + permissions: + contents: read steps: - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false # To make the success of this job a prerequisite for merging into the main branch, # set a filter here instead of on: to determine whether or not to proceed to the next step. - name: Cache dependency files
diff --git a/.github/workflows/notify_supabase_failure.yml b/.github/workflows/notify_supabase_failure.yml
index e3c3adcbc..659ef8d27 100644
--- a/.github/workflows/notify_supabase_failure.yml
+++ b/.github/workflows/notify_supabase_failure.yml
@@ -7,6 +7,9 @@ on: jobs: notify_slack: runs-on: ubuntu-latest + timeout-minutes: 10 + permissions: + contents: read if: github.event.check_suite.app.name == 'Supabase' && github.event.check_suite.conclusion == 'failure' && github.event.check_suite.head_branch == 'main' steps: - name: Slack Notification for Supabase Failure
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2f64ed370..ad0b4a7b7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,10 +25,14 @@ jobs: with: app-id: ${{ vars.CHANGESET_CI_TRIGGER_APP_ID }} private-key: ${{ secrets.CHANGESET_CI_TRIGGER_APP_PRIVATE_KEY }} + permission-contents: write + permission-pull-requests: write + permission-actions: write - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: token: ${{ steps.app-token.outputs.token }} + persist-credentials: false - uses: ./.github/actions/pnpm-setup - name: Create Release Pull Request or Publish to npm id: changesets-action
diff --git a/.github/workflows/released_package_test.yml b/.github/workflows/released_package_test.yml
index 409321403..d682d0a57 100644
--- a/.github/workflows/released_package_test.yml
+++ b/.github/workflows/released_package_test.yml
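Review bot: In the notify_supabase_failure hunk the notify_slack job never checks out code and, as far as the hunk shows, only posts a Slack message, so `contents: read` grants the job token more than it uses; `permissions: {}` is the least-privilege form and is still an explicit permissions block. Keep `contents: read` only if the Slack step (outside this hunk) reads repository data with `GITHUB_TOKEN`. A short comment such as `# No GITHUB_TOKEN access needed; the step only calls the Slack webhook` would make the choice self-explaining either way.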
@@ -21,6 +21,8 @@ jobs: test: timeout-minutes: 15 runs-on: ubuntu-latest + permissions: + contents: read steps: - name: sleep run: |
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index e180020f4..1c5ebef2f 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -7,8 +7,8 @@ on: jobs: stale: - runs-on: ubuntu-latest + timeout-minutes: 10 permissions: issues: write pull-requests: write
diff --git a/.github/workflows/trigger_dev_preview.yml b/.github/workflows/trigger_dev_preview.yml
index fa714d67e..6e637c942 100644
--- a/.github/workflows/trigger_dev_preview.yml
+++ b/.github/workflows/trigger_dev_preview.yml
@@ -11,8 +11,12 @@ jobs: trigger_dev: runs-on: ubuntu-latest timeout-minutes: 15 + permissions: + contents: read steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - uses: ./.github/actions/pnpm-setup - name: Deploy to trigger.dev preview
diff --git a/.github/workflows/trigger_dev_production.yml b/.github/workflows/trigger_dev_production.yml
index c952baa86..827ac9b36 100644
--- a/.github/workflows/trigger_dev_production.yml
+++ b/.github/workflows/trigger_dev_production.yml
@@ -20,8 +20,12 @@ jobs: trigger_dev: runs-on: ubuntu-latest timeout-minutes: 15 + permissions: + contents: read steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - uses: ./.github/actions/pnpm-setup - name: Deploy to trigger.dev production
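Review bot: The stale.yml hunk deletes the only `runs-on: ubuntu-latest` visible for the stale job while adding `timeout-minutes: 10`, and a job with no `runs-on` is rejected by GitHub Actions when the workflow is loaded. Unless the job declares `runs-on` again further down, outside this hunk (for example a duplicate key that this removal is meant to clean up), the line should stay: `runs-on: ubuntu-latest` / `timeout-minutes: 10`. The rest of the stale job is outside the hunk, so this needs checking against the full file.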