diff --git a/.github/workflows/build-blog-only.yml b/.github/workflows/build-blog-only.yml index c5e83a3df520..3e28728c85aa 100644 --- a/.github/workflows/build-blog-only.yml +++ b/.github/workflows/build-blog-only.yml @@ -7,14 +7,17 @@ on: paths: - packages/docusaurus/** +permissions: + contents: read + jobs: build: name: Build Blog-only timeout-minutes: 30 runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: actions/setup-node@v3 + - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3 + - uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3 with: node-version: '16' cache: yarn diff --git a/.github/workflows/build-perf.yml b/.github/workflows/build-perf.yml index ad7b3c5c247b..077ca06a936c 100644 --- a/.github/workflows/build-perf.yml +++ b/.github/workflows/build-perf.yml @@ -12,18 +12,26 @@ on: paths-ignore: - website/docs/** +permissions: + contents: read + jobs: build-size: + permissions: + checks: write # for preactjs/compressed-size-action to create and update the checks + contents: read # for actions/checkout to fetch code + issues: write # for preactjs/compressed-size-action to create comments + pull-requests: write # for preactjs/compressed-size-action to write a PR review name: Build Size Report timeout-minutes: 30 runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: actions/setup-node@v3 + - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3 + - uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3 with: node-version: '16' cache: yarn - - uses: preactjs/compressed-size-action@v2 + - uses: preactjs/compressed-size-action@8119d3d31b6e57b167e09c81dfa877eada3bcb35 # v2 with: repo-token: ${{ secrets.GITHUB_TOKEN }} build-script: build:website:en @@ -37,8 +45,8 @@ jobs: timeout-minutes: 30 runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: actions/setup-node@v3 + - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3 + - uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3 with: cache: yarn - name: Installation diff --git a/.github/workflows/canary-release.yml b/.github/workflows/canary-release.yml index e7557b4d79f6..7b9f217dad3d 100644 --- a/.github/workflows/canary-release.yml +++ b/.github/workflows/canary-release.yml @@ -7,16 +7,19 @@ on: paths: - packages/** +permissions: + contents: read + jobs: publish-canary: name: Publish Canary runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 #v3 with: fetch-depth: 0 # Needed to get the commit number with "git rev-list --count HEAD" - name: Set up Node - uses: actions/setup-node@v3 + uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3 with: node-version: '16' cache: yarn diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 69cb617ef87f..0958cf4ebca1 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -27,12 +27,12 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3 - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + uses: github/codeql-action/init@883476649888a9e8e219d5b2e6b789dc024f690c # v1 with: languages: ${{ matrix.language }} - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + uses: github/codeql-action/analyze@883476649888a9e8e219d5b2e6b789dc024f690c # v1 diff --git a/.github/workflows/lighthouse-report.yml b/.github/workflows/lighthouse-report.yml index 5e7fc7d70fe0..c4c0eb830380 100644 --- a/.github/workflows/lighthouse-report.yml +++ b/.github/workflows/lighthouse-report.yml @@ -10,16 +10,16 @@ jobs: name: Lighthouse Report runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3 - name: Wait for the Netlify Preview - uses: jakepartusch/wait-for-netlify-action@v1 + uses: jakepartusch/wait-for-netlify-action@7dcdeb40c6bc3710a8099702a1fa1ce2c5e322a6 # v1 id: netlify with: site_name: docusaurus-2 max_timeout: 600 - name: Audit URLs using Lighthouse id: lighthouse_audit - uses: treosh/lighthouse-ci-action@9.3.0 + uses: treosh/lighthouse-ci-action@b4dfae3eb959c5226e2c5c6afd563d493188bfaf # 9.3.0 with: urls: | https://deploy-preview-$PR_NUMBER--docusaurus-2.netlify.app/ @@ -30,7 +30,7 @@ jobs: PR_NUMBER: ${{ github.event.pull_request.number}} - name: Format lighthouse score id: format_lighthouse_score - uses: actions/github-script@v6 + uses: actions/github-script@9ac08808f993958e9de277fe43a64532a609130e # v6 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | @@ -55,7 +55,7 @@ jobs: - name: Add Lighthouse stats as comment id: comment_to_pr - uses: marocchino/sticky-pull-request-comment@v2.2.0 + uses: marocchino/sticky-pull-request-comment@39c5b5dc7717447d0cba270cd115037d32d28443 # v2.2.0 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} number: ${{ github.event.pull_request.number }} diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 7a69a1362274..1622d0f8e0ad 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -5,14 +5,17 @@ on: branches: - main +permissions: + contents: read + jobs: lint: name: Lint timeout-minutes: 30 runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: actions/setup-node@v3 + - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3 + - uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3 with: node-version: '16' cache: yarn diff --git a/.github/workflows/showcase-test.yml b/.github/workflows/showcase-test.yml index 83ad82c4cd5c..b019e67cbd01 100644 --- a/.github/workflows/showcase-test.yml +++ b/.github/workflows/showcase-test.yml @@ -7,15 +7,18 @@ on: paths: - website/src/data/** +permissions: + contents: read + jobs: validate-config: name: Validate Showcase Config timeout-minutes: 30 runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3 - name: Set up Node - uses: actions/setup-node@v3 + uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3 with: node-version: '16' cache: yarn diff --git a/.github/workflows/tests-e2e.yml b/.github/workflows/tests-e2e.yml index 7bb9f842ffc6..00b215a39b43 100644 --- a/.github/workflows/tests-e2e.yml +++ b/.github/workflows/tests-e2e.yml @@ -12,6 +12,9 @@ on: paths-ignore: - website/** +permissions: + contents: read + jobs: yarn-v1: name: E2E — Yarn v1 @@ -21,9 +24,9 @@ jobs: matrix: node: ['14', '16', '17'] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3 - name: Use Node.js ${{ matrix.node }} - uses: actions/setup-node@v3 + uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3 with: node-version: ${{ matrix.node }} cache: yarn @@ -59,9 +62,9 @@ jobs: - variant: -st nodeLinker: pnp steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3 - name: Use Node.js 16 - uses: actions/setup-node@v3 + uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3 with: node-version: '16' cache: yarn @@ -104,9 +107,9 @@ jobs: timeout-minutes: 30 runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 #v3 - name: Use Node.js 16 - uses: actions/setup-node@v3 + uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3 with: node-version: '16' cache: yarn @@ -133,9 +136,9 @@ jobs: timeout-minutes: 30 runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 #v3 - name: Use Node.js 16 - uses: actions/setup-node@v3 + uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3 with: node-version: '16' cache: yarn diff --git a/.github/workflows/tests-swizzle.yml b/.github/workflows/tests-swizzle.yml index 611b92c8834a..058b927b7cae 100644 --- a/.github/workflows/tests-swizzle.yml +++ b/.github/workflows/tests-swizzle.yml @@ -7,6 +7,9 @@ on: paths: - packages/** +permissions: + contents: read + jobs: test: name: Swizzle @@ -17,9 +20,9 @@ jobs: action: ['eject', 'wrap'] variant: ['js', 'ts'] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3 - name: Use Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3 with: node-version: 14 cache: yarn diff --git a/.github/workflows/tests-windows.yml b/.github/workflows/tests-windows.yml index 213ef8a3e0f6..96a3969876e4 100644 --- a/.github/workflows/tests-windows.yml +++ b/.github/workflows/tests-windows.yml @@ -7,6 +7,9 @@ on: paths-ignore: - website/** +permissions: + contents: read + jobs: windows-test: name: Windows Tests @@ -18,9 +21,9 @@ jobs: steps: - name: Support longpaths run: git config --system core.longpaths true - - uses: actions/checkout@v3 + - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3 - name: Use Node.js ${{ matrix.node }} - uses: actions/setup-node@v3 + uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3 with: node-version: ${{ matrix.node }} - name: Installation diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 33992216fe48..a8dbafc13bb5 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -7,6 +7,9 @@ on: paths-ignore: - website/** +permissions: + contents: read + jobs: test: name: Tests @@ -16,9 +19,9 @@ jobs: matrix: node: ['14', '16', '17'] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3 - name: Use Node.js ${{ matrix.node }} - uses: actions/setup-node@v3 + uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3 with: node-version: ${{ matrix.node }} cache: yarn