Commit 5c3b179
Changed files (7)
.github/workflows/codeql.yml
@@ -8,6 +8,8 @@ on:
schedule:
- cron: '28 6 * * 3'
+permissions: {}
+
jobs:
analyze:
name: Analyze (${{ matrix.language }})
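Review bot: With the workflow-level default now `permissions: {}`, the `analyze` job has to grant what CodeQL needs itself, and its `permissions:` block is outside the hunk so I could not confirm it; without `security-events: write` (plus `contents: read` and, for the default analysis setup, `actions: read`) the results upload step is expected to be rejected. The same check applies to the `build` jobs in dev-publish.yml and npm-publish.yml, whose job-level grants are also not shown in their hunks; a publish job that signs with npm provenance additionally needs `id-token: write`. A short comment above the new line would help future readers, e.g. `# No token scopes by default; each job declares exactly what it needs.`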
.github/workflows/dev-publish.yml
@@ -3,6 +3,8 @@ name: Dev Publish
on:
workflow_dispatch:
+permissions: {}
+
jobs:
build:
runs-on: ubuntu-latest
.github/workflows/docs.yml
@@ -8,6 +8,8 @@ concurrency:
group: 'pages'
cancel-in-progress: false
+permissions: {}
+
jobs:
deploy:
permissions:
.github/workflows/npm-publish.yml
@@ -5,6 +5,8 @@ on:
release:
types: [created]
+permissions: {}
+
jobs:
build:
runs-on: ubuntu-latest
.github/workflows/osv.yml
@@ -11,6 +11,8 @@
name: OSV-Scanner
+permissions: {}
+
on:
pull_request:
branches: ['main']
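Review bot: `permissions: {}` is placed between `name:` and `on:` here, whereas every other workflow in this commit puts it after the trigger block; for a consistent read across the set, move it below `on:` as in codeql.yml and npm-publish.yml. Behaviour is unaffected since mapping key order is not significant. The job that invokes the OSV scanner is outside the hunk, so its own `permissions:` grants could not be checked against the new empty default.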
.github/workflows/zizmor.yml
@@ -0,0 +1,30 @@
+name: Zizmor
+
+on:
+ push:
+ branches: ['main']
+ pull_request:
+ branches: ['**']
+
+permissions: {}
+
+jobs:
+ zizmor:
+ name: zizmor
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ actions: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
+ - name: Install the latest version of uv
+ uses: astral-sh/setup-uv@v5
+ with:
+ enable-cache: false
+
+ - name: Run zizmor
+ run: uvx zizmor@1.5.0 .github/workflows -v -p --min-severity=medium
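Review bot: The two `uses:` lines (`uses: actions/checkout@v4` and `uses: astral-sh/setup-uv@v5`) are pinned to mutable tags; for a workflow whose purpose is auditing other workflows, pin both to a full commit SHA with the tag in a trailing comment, e.g. `uses: astral-sh/setup-uv@<commit-sha>  # v5`, so a moved tag cannot change what runs. The CLI itself is already pinned (`uvx zizmor@1.5.0`), which is the right pattern. `actions: read` is granted on the job, but no `GH_TOKEN` is passed to zizmor, so it appears to run in offline mode and that scope may be unnecessary — worth confirming and dropping if so. `--min-severity=medium` suppresses low-severity findings; a comment on the `run:` line saying so would stop readers assuming a green run means zero findings.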
package.json
@@ -90,7 +90,7 @@
"test:smoke:cjs": "node ./test/smoke/node.test.cjs",
"test:smoke:mjs": "node ./test/smoke/node.test.mjs",
"test:smoke:deno": "deno test ./test/smoke/deno.test.js --allow-read --allow-sys --allow-env --allow-run",
- "test:workflow": "zizmor .github/workflows -v -p"
+ "test:workflow": "zizmor .github/workflows -v -p --min-severity=medium"
},
"devDependencies": {
"@size-limit/file": "11.2.0",