From 2114e05388290ec38b1e0c0533bda86df622e999 Mon Sep 17 00:00:00 2001 From: Sheraff Date: Tue, 12 May 2026 20:37:28 +0200 Subject: [PATCH 1/4] ci: add zizmor workflow --- .github/workflows/autofix.yml | 2 ++ .github/workflows/check-skills.yml | 31 +++++++++++++++---------- .github/workflows/dependency-review.yml | 6 ++++- .github/workflows/notify-playbooks.yml | 4 ++++ .github/workflows/pr.yml | 13 +++++++++-- .github/workflows/release.yml | 11 +++++---- .github/workflows/triage-agent.yml | 4 +++- .github/workflows/validate-skills.yml | 5 ++++ .github/workflows/zizmor.yml | 24 +++++++++++++++++++ 9 files changed, 80 insertions(+), 20 deletions(-) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/autofix.yml b/.github/workflows/autofix.yml index 43ba0475..8f56919a 100644 --- a/.github/workflows/autofix.yml +++ b/.github/workflows/autofix.yml @@ -19,6 +19,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Tools uses: TanStack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 # main - name: Fix formatting diff --git a/.github/workflows/check-skills.yml b/.github/workflows/check-skills.yml index 6fa86fa1..3752b26c 100644 --- a/.github/workflows/check-skills.yml +++ b/.github/workflows/check-skills.yml @@ -17,18 +17,21 @@ on: workflow_dispatch: {} permissions: - contents: write - pull-requests: write + contents: read jobs: check: name: Check for stale skills runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 + persist-credentials: false - name: Setup Node uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 
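Review bot: The new workflow-level `permissions: contents: read` in check-skills.yml is inert for the only job in the file, because the job-level block that follows replaces it entirely; the stricter and more honest default is `permissions: {}`, which zizmor.yml in this same series already uses, so that any job added later starts with no token scopes at all. The same shape (top-level `contents: read` plus a single job overriding it) appears in dependency-review.yml, pr.yml and release.yml. Separately, this file pins `actions/checkout` at v4.3.1 while autofix.yml, pr.yml and release.yml pin v6.0.2; aligning them leaves one SHA to keep current.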
@@ -108,24 +111,25 @@ jobs: if: steps.stale.outputs.has_stale == 'true' env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + VERSION: ${{ github.event.release.tag_name || 'manual' }} + SUMMARY: ${{ steps.summary.outputs.summary }} + PROMPT: ${{ steps.summary.outputs.prompt }} run: | - VERSION="${{ github.event.release.tag_name || 'manual' }}" BRANCH="skills/review-${VERSION}" git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" git checkout -b "$BRANCH" git commit --allow-empty -m "chore: review stale skills for ${VERSION}" - git push origin "$BRANCH" + git push "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "$BRANCH" - gh pr create \ - --title "Review stale skills (${VERSION})" \ - --body "$(cat <<'PREOF' - ## Stale Skills Detected + node <<'NODE' + const fs = require('fs') + fs.writeFileSync('pr-body.md', `## Stale Skills Detected The following skills may need updates after the latest release: - ${{ steps.summary.outputs.summary }} + ${process.env.SUMMARY} --- @@ -134,10 +138,13 @@ jobs: Paste this into your coding agent (Claude Code, Cursor, etc.): ~~~ - ${{ steps.summary.outputs.prompt }} + ${process.env.PROMPT} ~~~ + `) + NODE - PREOF - )" \ + gh pr create \ + --title "Review stale skills (${VERSION})" \ + --body-file pr-body.md \ --head "$BRANCH" \ --base main diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 9689d73b..ddca56d3 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml 
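Review bot: The rewritten push step embeds `GH_TOKEN` in the remote URL, which git prints in its own error message when the push fails (Actions masks the secret in the log, but it also appears under shell tracing); since `gh` is already used in this step with `GH_TOKEN` in its env, `gh auth setup-git` followed by `git push origin "$BRANCH"` authenticates through a credential helper that reads the token at push time and writes nothing to disk. One caveat worth a comment on the `gh pr create` call: a PR opened with `GITHUB_TOKEN` does not trigger `pull_request` workflows, so the review PR will presumably get no run from pr.yml or validate-skills.yml until a human pushes to it or closes and reopens it — confirm that is acceptable for these PRs. The step's enclosing job starts above the hunk.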
@@ -9,15 +9,19 @@ concurrency: permissions: contents: read - pull-requests: write jobs: review: name: Review dependency changes runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Dependency Review uses: actions/dependency-review-action@e58c696e52cac8e62d61cc21fda89565d71505d7 # v4.3.1 diff --git a/.github/workflows/notify-playbooks.yml b/.github/workflows/notify-playbooks.yml index f1132e11..c6a39cd4 100644 --- a/.github/workflows/notify-playbooks.yml +++ b/.github/workflows/notify-playbooks.yml @@ -22,6 +22,9 @@ on: - 'docs/**' - 'packages/*/src/**' +permissions: + contents: read + jobs: notify: name: Notify TanStack Intent @@ -31,6 +34,7 @@ jobs: uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 2 + persist-credentials: false - name: Collect changed files id: changes diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 70618405..7c657efb 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -12,21 +12,24 @@ env: permissions: contents: read - pull-requests: write jobs: test: name: Test runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Setup Tools uses: TanStack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 # main - name: Get base and head commits for `nx affected` - uses: nrwl/nx-set-shas@15514ee4353489ef5a1644bcdae44f0ae2ea45f3 # v4.4.0 + uses: nrwl/nx-set-shas@3e9ad7370203c1e93d109be57f3b72eb0eb511b1 # v4.4.0 with: main-branch-name: main - name: Run Checks 
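Review bot: The `nrwl/nx-set-shas` pin changes from `15514ee…` to `3e9ad73…` but the trailing comment reads `# v4.4.0` on both sides, so at least one of the two SHAs is not the commit the v4.4.0 tag points at; the comment is the only thing a reviewer or a pin-checking tool has to judge the pin, so resolve `git ls-remote --tags https://github.com/nrwl/nx-set-shas v4.4.0` and make the comment match the SHA actually kept. The same pattern appears in release.yml, where `changesets/action` moves between two SHAs both commented `# v1.7.0`.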
@@ -37,6 +40,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Tools uses: TanStack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 # main - name: Build Packages @@ -49,6 +54,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Check Provenance uses: danielroe/provenance-action@41bcc969e579d9e29af08ba44fcbfdf95cee6e6c # v0.1.1 with: @@ -59,6 +66,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Tools uses: TanStack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 # main - name: Changeset Preview diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 39132f87..73f79c17 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,15 +14,17 @@ env: NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }} permissions: - contents: write - id-token: write - pull-requests: write + contents: read jobs: release: name: Release if: github.repository_owner == 'TanStack' runs-on: ubuntu-latest + permissions: + contents: write + id-token: write + pull-requests: write # Configure required reviewers / wait timer for this environment in # repo settings → Environments → release. Until configured, this only # creates a deployment record (no gating). 
@@ -32,13 +34,14 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Setup Tools uses: TanStack/config/.github/setup@e4b48f16568324f76f467aa4c2aac2f05db632c3 # main - name: Run Tests run: pnpm run test:ci - name: Run Changesets (version or publish) id: changesets - uses: changesets/action@e87c8ed249971350e47fab7515075f44eb134e5b # v1.7.0 + uses: changesets/action@6a0a831ff30acef54f2c6aa1cbbc1096b066edaf # v1.7.0 with: version: pnpm run changeset:version publish: pnpm run changeset:publish diff --git a/.github/workflows/triage-agent.yml b/.github/workflows/triage-agent.yml index 405b71b2..5ac8c448 100644 --- a/.github/workflows/triage-agent.yml +++ b/.github/workflows/triage-agent.yml @@ -11,9 +11,11 @@ jobs: issues: write steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false - name: Triage issue with Warp Agent - uses: warpdotdev/warp-agent-action@039f8de15fe60704b4308850e8cafb5cc0958bf2 # v1 + uses: warpdotdev/warp-agent-action@fee7dc8441f64d14a4ae22596eb68167ced24a1a # v1 env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/validate-skills.yml b/.github/workflows/validate-skills.yml index 5d3d75a6..65f43e23 100644 --- a/.github/workflows/validate-skills.yml +++ b/.github/workflows/validate-skills.yml @@ -12,6 +12,9 @@ on: - 'skills/**' - '**/skills/**' +permissions: + contents: read + jobs: validate: name: Validate skill files @@ -19,6 +22,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false - name: Setup Node uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000..86d4b5b3 --- /dev/null +++ b/.github/workflows/zizmor.yml 
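Review bot: The `changesets/action` pin moves to `6a0a831…` while the comment stays `# v1.7.0`, so one of the two SHAs in this series is not the commit behind that tag; resolve the tag and correct the comment on whichever SHA is kept. Also, with `persist-credentials: false` now set on the checkout above it, the action's version/publish run has to authenticate its own push of the release branch with the token it is given rather than with credentials left by checkout — the action's `env:` block is outside this hunk, so confirm a `GITHUB_TOKEN` is passed to it and that the first release run after this change actually succeeds at the push.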
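Review bot: The triage step hands `GH_TOKEN` to an agent whose input is the issue text, which any GitHub user can author, so a crafted issue can try to steer the agent into using that token; the job's `issues: write` shown at the top of the hunk is the right minimal scope, and it deserves a comment on the `env:` line making the reason explicit, e.g. `# token is visible to a model reading untrusted issue bodies; keep this job's permissions to what triage needs`. It is also worth confirming that the action inputs below the hunk do not give the agent any broader credential. The job definition starts above the hunk.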
@@ -0,0 +1,24 @@ +name: GitHub Actions Security Analysis + +on: + push: + branches: [main] + pull_request: + branches: ['**'] + +permissions: {} + +jobs: + zizmor: + name: Run zizmor + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - name: Run zizmor + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + with: + advanced-security: false + annotations: true From d71e5a1f156e1f5b08089f2e09e4f51e3ca26ca3 Mon Sep 17 00:00:00 2001 From: Sheraff Date: Wed, 13 May 2026 00:19:46 +0200 Subject: [PATCH 2/4] ci: clarify skill review push credentials --- .github/workflows/check-skills.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/check-skills.yml b/.github/workflows/check-skills.yml index 3752b26c..e56f150d 100644 --- a/.github/workflows/check-skills.yml +++ b/.github/workflows/check-skills.yml @@ -31,7 +31,7 @@ jobs: uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 - persist-credentials: false + persist-credentials: true # review job pushes a generated branch - name: Setup Node uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 @@ -121,7 +121,7 @@ jobs: git config user.email "41898282+github-actions[bot]@users.noreply.github.com" git checkout -b "$BRANCH" git commit --allow-empty -m "chore: review stale skills for ${VERSION}" - git push "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "$BRANCH" + git push origin "$BRANCH" node <<'NODE' const fs = require('fs') From 3f1ed4164c2fc266d1fb775a6b1c131697308f75 Mon Sep 17 00:00:00 2001 From: Sheraff Date: Wed, 13 May 2026 00:22:57 +0200 Subject: [PATCH 3/4] ci: simplify stale skills PR body generation --- .github/workflows/check-skills.yml | 30 +++++++++++------------------- 1 file changed, 11 insertions(+), 19 deletions(-) 
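Review bot: The new zizmor job is well locked down (`permissions: {}`, pinned action, `persist-credentials: false`), but nothing in the hunk shows whether findings fail the job or are only surfaced as annotations (`annotations: true`, `advanced-security: false`); check the action's severity/confidence threshold inputs so that a finding blocks the PR, because this same series re-enables `persist-credentials: true` in check-skills.yml, which zizmor's `artipacked` audit will likely report. A comment on the `with:` block stating the intended outcome, e.g. `# findings at or above the configured severity fail this job`, would make that expectation explicit.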
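Review bot: Reverting to `persist-credentials: true` stores the job's `GITHUB_TOKEN` in `.git/config` for the rest of the job, so every later step — `actions/setup-node`, whatever `node` scripts the later steps presumably run from the checked-out tree, and the PR-body generation — can read a token that carries `contents: write` and `pull-requests: write`, which is exactly the exposure `persist-credentials: false` was added to remove in the first patch. The push only needs the token in the one step that already has `GH_TOKEN` in its env, so keep `persist-credentials: false` and run `gh auth setup-git` immediately before `git push origin "$BRANCH"`; the credential helper reads `GH_TOKEN` at push time and writes no secret to disk. The inline comment also refers to a `review` job, but the job in this file is `check`.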
diff --git a/.github/workflows/check-skills.yml b/.github/workflows/check-skills.yml index e56f150d..d12f81c4 100644 --- a/.github/workflows/check-skills.yml +++ b/.github/workflows/check-skills.yml @@ -123,25 +123,17 @@ jobs: git commit --allow-empty -m "chore: review stale skills for ${VERSION}" git push origin "$BRANCH" - node <<'NODE' - const fs = require('fs') - fs.writeFileSync('pr-body.md', `## Stale Skills Detected - - The following skills may need updates after the latest release: - - ${process.env.SUMMARY} - - --- - - ### Update Prompt - - Paste this into your coding agent (Claude Code, Cursor, etc.): - - ~~~ - ${process.env.PROMPT} - ~~~ - `) - NODE + { + printf '%s\n\n' '## Stale Skills Detected' + printf '%s\n\n' 'The following skills may need updates after the latest release:' + printf '%s\n\n' "$SUMMARY" + printf '%s\n\n' '---' + printf '%s\n\n' '### Update Prompt' + printf '%s\n\n' 'Paste this into your coding agent (Claude Code, Cursor, etc.):' + printf '%s\n' '~~~' + printf '%s\n' "$PROMPT" + printf '%s\n' '~~~' + } > pr-body.md gh pr create \ --title "Review stale skills (${VERSION})" \ From ad78be619670ae4da2aa5af947ff129a006cc28e Mon Sep 17 00:00:00 2001 From: Flo Date: Wed, 13 May 2026 00:28:57 +0200 Subject: [PATCH 4/4] Update .github/workflows/triage-agent.yml --- .github/workflows/triage-agent.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/triage-agent.yml b/.github/workflows/triage-agent.yml index 5ac8c448..c0c16206 100644 --- a/.github/workflows/triage-agent.yml +++ b/.github/workflows/triage-agent.yml @@ -15,7 +15,7 @@ jobs: persist-credentials: false - name: Triage issue with Warp Agent - uses: warpdotdev/warp-agent-action@fee7dc8441f64d14a4ae22596eb68167ced24a1a # v1 + uses: warpdotdev/warp-agent-action@fee7dc8441f64d14a4ae22596eb68167ced24a1a # v1.0.18 env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: