[pull] main from vitest-dev:main

.github/actions/setup-playwright/action.yml

@@ -18,10 +18,6 @@ runs:
           "
         )" >> $GITHUB_OUTPUT
 
-    - name: Print versions
-      shell: bash
-      run: echo "${{ toJson(steps.resolve-package-versions.outputs) }}"
-
     - name: Check resolved package versions
       shell: bash
       if: |

.github/workflows/ci.yml

@@ -27,6 +27,8 @@ jobs:
     name: 'Lint: node-latest, ubuntu-latest'
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - uses: ./.github/actions/setup-and-cache
 
@@ -66,6 +68,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Get changed files
         id: changed-files
@@ -98,6 +102,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - uses: ./.github/actions/setup-and-cache
         with:
@@ -160,6 +166,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - uses: ./.github/actions/setup-and-cache
         with:
@@ -196,6 +204,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - uses: ./.github/actions/setup-and-cache
         with:
@@ -229,6 +239,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - uses: ./.github/actions/setup-and-cache
         with:
@@ -278,6 +290,8 @@ jobs:
     timeout-minutes: 10
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - uses: ./.github/actions/setup-and-cache
 
@@ -313,5 +327,7 @@ jobs:
 
       - name: Link report viewer
         run: |
-          echo "::notice title=Vitest HTML report::View HTML report: https://viewer.vitest.dev/?url=${{ steps.upload-report.outputs.artifact-url }}"
-          echo "[View HTML report](https://viewer.vitest.dev/?url=${{ steps.upload-report.outputs.artifact-url }})" >> $GITHUB_STEP_SUMMARY
+          echo "::notice title=Vitest HTML report::View HTML report: https://viewer.vitest.dev/?url=${STEPS_UPLOAD_REPORT_OUTPUTS_ARTIFACT_URL}"
+          echo "[View HTML report](https://viewer.vitest.dev/?url=${STEPS_UPLOAD_REPORT_OUTPUTS_ARTIFACT_URL})" >> $GITHUB_STEP_SUMMARY
+        env:
+          STEPS_UPLOAD_REPORT_OUTPUTS_ARTIFACT_URL: ${{ steps.upload-report.outputs.artifact-url }}

.github/workflows/cr.yml

@@ -22,6 +22,7 @@ jobs:
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Install pnpm
         uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0

.github/workflows/ecosystem-ci-trigger.yml

@@ -4,9 +4,16 @@ on:
   issue_comment:
     types: [created]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.issue.number }}
+  cancel-in-progress: true
+
+permissions: {}
+
 jobs:
   trigger:
     runs-on: ubuntu-latest
+    name: Run Ecosystem CI Tests
     if: github.repository == 'vitest-dev/vitest' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/ecosystem-ci run')
     permissions:
       issues: write # to add / delete reactions, post comments
@@ -66,11 +73,14 @@ jobs:
               repo: pr.head.repo.full_name
             }
       - id: generate-token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+        uses: actions/create-github-app-token@v3
         with:
-          app_id: ${{ secrets.ECOSYSTEM_CI_GITHUB_APP_ID }}
-          installation_retrieval_payload: '${{ github.repository_owner }}/vitest-ecosystem-ci'
-          private_key: ${{ secrets.ECOSYSTEM_CI_GITHUB_APP_PRIVATE_KEY }}
+          app-id: ${{ secrets.ECOSYSTEM_CI_GITHUB_APP_ID }}
+          private-key: ${{ secrets.ECOSYSTEM_CI_GITHUB_APP_PRIVATE_KEY }}
+          repositories: |
+            vitest
+            vitest-ecosystem-ci
+          permission-actions: write
       - uses: actions/github-script@v8
         id: trigger
         env:

.github/workflows/issue-close-require.yml

@@ -5,9 +5,12 @@ on:
     - cron: '0 0 * * *'
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   close-issues:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
+    name: Close Marked Issues
     permissions:
       issues: write # for actions-cool/issues-helper to update issues
     steps:
@@ -27,7 +30,8 @@ jobs:
           inactive-day: 3
 
   close-prs:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
+    name: Close Marked PRs
     permissions:
       issues: read # to query PRs by label via the issues API
       pull-requests: write # to close pull requests

.github/workflows/issue-labeled.yml

@@ -3,29 +3,43 @@ name: Issue Labeled
 on:
   issues:
     types: [labeled]
+  # zizmor: ignore[dangerous-triggers]
+  # We don't use any information from the PR content itself except the login of the user.
+  # The login is used only in the GitHub comment, not passed down as untrusted code.
   pull_request_target:
     types: [labeled]
 
-# for actions-cool/issues-helper to update issues
-permissions:
-  issues: write
-  pull-requests: write
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.issue.number || github.event.pull_request.number }}
+  cancel-in-progress: true
 
 jobs:
-  reply-labeled:
-    runs-on: ubuntu-latest
+  reproduction-reply-labeled:
+    runs-on: ubuntu-slim
+    if: github.repository == 'vitest-dev/vitest' && github.event.label.name == 'needs reproduction'
+    name: Minimal Reproduction Label
+    permissions:
+      issues: write # adding a label
     steps:
       - name: needs reproduction
-        if: github.repository == 'vitest-dev/vitest' && github.event.label.name == 'needs reproduction'
         uses: actions-cool/issues-helper@71b62d7da76e59ff7b193904feb6e77d4dbb2777 # v3.7.6
         with:
           actions: create-comment
           token: ${{ secrets.GITHUB_TOKEN }}
           issue-number: ${{ github.event.issue.number }}
           body: |
             Hello @${{ github.event.issue.user.login }}. Please provide a [minimal reproduction](https://stackoverflow.com/help/minimal-reproducible-example) using a GitHub repository or [StackBlitz](https://vitest.new) (you can also use [examples](https://github.com/vitest-dev/vitest/tree/main/examples)). Issues marked with `needs reproduction` will be closed if they have no activity within 3 days.
-      - name: maybe automated (issues)
-        if: github.repository == 'vitest-dev/vitest' && github.event.label.name == 'maybe automated' && github.event_name == 'issues'
+
+  issue-clanker-comment:
+    runs-on: ubuntu-slim
+    if: github.repository == 'vitest-dev/vitest' && github.event.label.name == 'maybe automated' && github.event_name == 'issues'
+    name: Comment on Bot Issue
+    permissions:
+      issues: write # sending a comment
+    steps:
+      - name: maybe automated
         uses: actions-cool/issues-helper@71b62d7da76e59ff7b193904feb6e77d4dbb2777 # v3.7.6
         with:
           actions: create-comment
@@ -42,8 +56,15 @@ jobs:
             If you believe this was flagged by mistake, leave a comment.
 
             *These measures help us reduce maintenance burden and keep the team's work efficient. See our [AI contributions policy](https://github.com/vitest-dev/vitest/blob/main/CONTRIBUTING.md#ai-contributions) for more context.*
-      - name: maybe automated (pr)
-        if: github.repository == 'vitest-dev/vitest' && github.event.label.name == 'maybe automated' && github.event_name == 'pull_request_target'
+
+  issue-pr-comment:
+    runs-on: ubuntu-slim
+    if: github.repository == 'vitest-dev/vitest' && github.event.label.name == 'maybe automated' && github.event_name == 'pull_request_target'
+    name: Comment on Bot PR
+    permissions:
+      pull-requests: write # sending a comment
+    steps:
+      - name: maybe automated
         uses: actions-cool/issues-helper@71b62d7da76e59ff7b193904feb6e77d4dbb2777 # v3.7.6
         with:
           actions: create-comment

.github/workflows/lock-closed-issues.yml

@@ -4,13 +4,15 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
-permissions:
-  issues: write
+permissions: {}
 
 jobs:
   action:
     if: github.repository == 'vitest-dev/vitest'
     runs-on: ubuntu-latest
+    name: Lock Closed Issues
+    permissions:
+      issues: write # to lock issue
     steps:
       - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # v6.0.0
         with:

.github/workflows/pr-labeled-automated.yml

@@ -1,22 +1,46 @@
 name: Label Automated PR
 
 on:
+  # zizmor: ignore[dangerous-triggers]
+  # Information from the PR is used only inside builtin `contains` function, it's not passed down as untrusted code.
   pull_request_target:
     types: [opened, edited]
 
-permissions:
-  issues: write
-  pull-requests: write
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
 
 jobs:
   label:
     runs-on: ubuntu-latest
     if: github.repository == 'vitest-dev/vitest' && contains(github.event.pull_request.body, '<!-- VITEST_AUTOMATED_PR -->')
+    name: Automatic Clanker Alert
+    permissions:
+      pull-requests: write # comment and label on PRs
     steps:
-      - name: maybe automated
+      - name: maybe automated (label)
         uses: actions-cool/issues-helper@71b62d7da76e59ff7b193904feb6e77d4dbb2777 # v3.7.6
         with:
           actions: add-labels
           token: ${{ secrets.GITHUB_TOKEN }}
           issue-number: ${{ github.event.pull_request.number }}
           labels: maybe automated
+      - name: maybe automated (pr)
+        uses: actions-cool/issues-helper@71b62d7da76e59ff7b193904feb6e77d4dbb2777 # v3.7.6
+        with:
+          actions: create-comment
+          token: ${{ secrets.GITHUB_TOKEN }}
+          issue-number: ${{ github.event.pull_request.number }}
+          body: |
+            Hello @${{ github.event.pull_request.user.login }}. Your PR has been labeled `maybe automated` because it appears to have been fully generated by AI with no human involvement. It will be **closed automatically in 3 days** unless a real person responds.
+
+            If you're a real person behind this contribution, please:
+            - Confirm you've personally reviewed and stand behind its content
+            - Make sure it follows our [contribution guidelines](https://github.com/vitest-dev/vitest/blob/main/CONTRIBUTING.md) and uses the correct [GitHub template](https://github.com/vitest-dev/vitest/blob/main/.github/PULL_REQUEST_TEMPLATE.md)
+            - Disclose any AI tools you used (e.g. Claude, Copilot, Codex)
+
+            If you believe this was flagged by mistake, leave a comment.
+
+            *These measures help us reduce maintenance burden and keep the team's work efficient. See our [AI contributions policy](https://github.com/vitest-dev/vitest/blob/main/CONTRIBUTING.md#ai-contributions) for more context.*

.github/workflows/publish.yml

@@ -5,22 +5,26 @@ on:
     tags:
       - 'v*'
 
-permissions:
-  contents: write
-  id-token: write
+permissions: {}
 
 env:
   VITE_TEST_WATCHER_DEBUG: 'false'
 
 jobs:
   publish:
+    # only run on main, don't trigger in forks
     if: github.repository == 'vitest-dev/vitest'
+    name: Publish Vitest
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # trusted publishing and changelog requirement
+      id-token: write # trusted publishing requirement
     environment: Release
     steps:
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Install pnpm
         uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
@@ -30,7 +34,8 @@ jobs:
         with:
           node-version: 20
           registry-url: https://registry.npmjs.org/
-          cache: pnpm
+          # disable cache to avoid cache poisoning
+          package-manager-cache: false
 
       - name: Install
         run: pnpm install --frozen-lockfile --prefer-offline
@@ -41,7 +46,7 @@ jobs:
         run: pnpm build
 
       - name: Publish to npm
-        run: npm i -g npm@^11.5.2 && pnpm run publish-ci "${{ github.ref_name }}"
+        run: npm i -g npm@^11.5.2 && pnpm run publish-ci "${GITHUB_REF_NAME}"
 
       - name: Generate Changelog
         run: npx changelogithub

.github/workflows/zizmor.yml

@@ -0,0 +1,32 @@
+name: Zizmor
+
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - main
+    paths:
+      - '.github/workflows/**'
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: ${{ github.ref_name != 'main' }}
+
+jobs:
+  zizmor:
+    name: Run zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+        with:
+          persona: pedantic

.github/zizmor.yml

@@ -0,0 +1,13 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        actions/*: ref-pin
+        github/*: ref-pin
+  concurrency-limits:
+    ignore:
+      # publish workflow doesn't run concurrently and requires a manual approval
+      - publish.yml
+      # the workflow runs on cron schedule
+      - lock-closed-issues.yml
+      - issue-close-require.yml