diff --git a/.github/dependabot.yml b/.github/dependabot.yml index fe08f8801de6a..9c58a04469d95 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,7 +9,7 @@ updates: commit-message: prefix: meta cooldown: - default-days: 3 + default-days: 7 open-pull-requests-limit: 10 - package-ecosystem: npm @@ -22,7 +22,7 @@ updates: commit-message: prefix: meta cooldown: - default-days: 3 + default-days: 7 groups: lint: patterns: diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml index cf0a579ea1881..b9694a4a573ce 100644 --- a/.github/workflows/auto-merge.yml +++ b/.github/workflows/auto-merge.yml @@ -5,14 +5,22 @@ on: - cron: '*/15 * * * *' workflow_dispatch: -permissions: - pull-requests: write - contents: write +concurrency: + group: ${{ github.workflow }} + cancel-in-progress: false + +permissions: {} jobs: auto-merge: + name: Auto-merge if: github.repository == 'nodejs/nodejs.org' runs-on: ubuntu-latest + permissions: + # Required to approve and merge pull requests + pull-requests: write + # Required to merge pull requests via merge queue + contents: write steps: - name: Harden Runner diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2b329620067f8..8c28a3f179f00 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -25,9 +25,9 @@ permissions: contents: read actions: read -env: - # See https://turbo.build/repo/docs/reference/command-line-reference/run#--cache-dir - TURBO_ARGS: --cache-dir=.turbo/cache +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} jobs: build: 
@@ -61,7 +61,7 @@ jobs: - name: Build Next.js # We want a ISR build on CI to ensure that regular Next.js builds work as expected. - run: node_modules/.bin/turbo build ${{ env.TURBO_ARGS }} + run: node_modules/.bin/turbo build --cache-dir=.turbo/cache env: # We want to ensure we have enough RAM allocated to the Node.js process # this should be a last resort in case by any chances the build memory gets too high @@ -78,7 +78,7 @@ jobs: - name: Build Next.js (Static Export) # We want to generate a static build, as it is a requirement of our website. - run: node_modules/.bin/turbo deploy ${{ env.TURBO_ARGS }} + run: node_modules/.bin/turbo deploy --cache-dir=.turbo/cache env: # We want to ensure we have enough RAM allocated to the Node.js process # this should be a last resort in case by any chances the build memory gets too high diff --git a/.github/workflows/bundle-compare.yml b/.github/workflows/bundle-compare.yml index 24e73ed288986..ba7604fb431d6 100644 --- a/.github/workflows/bundle-compare.yml +++ b/.github/workflows/bundle-compare.yml @@ -8,13 +8,18 @@ on: permissions: contents: read actions: read - # To create the comment - pull-requests: write + +concurrency: + group: ${{ github.workflow }}-${{ github.event.workflow_run.id }} + cancel-in-progress: true jobs: compare: name: Compare Bundle Stats runs-on: ubuntu-latest + permissions: + # Required to comment on pull requests + pull-requests: write if: github.event.workflow_run.event == 'pull_request' steps: @@ -25,6 +30,8 @@ jobs: - name: Git Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Download Stats (HEAD) uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 diff --git a/.github/workflows/chromatic.yml b/.github/workflows/chromatic.yml index facc4d2635757..aaa7aabc69484 100644 --- a/.github/workflows/chromatic.yml +++ b/.github/workflows/chromatic.yml 
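Review bot: The job-level `permissions:` block added to `compare` in bundle-compare.yml replaces the workflow-level grant rather than extending it, so the job ends up with only `pull-requests: write` and loses the `contents: read` and `actions: read` that the top of the file still declares. The `actions/download-artifact` steps in the next hunk appear to fetch artifacts from the triggering `workflow_run` (their inputs are outside the hunk), which needs `actions: read` on the token, so the job would most likely fail there; declare all three scopes on the job: `contents: read`, `actions: read`, `pull-requests: write`. The same narrowing happens to `lighthouse-ci` in lighthouse.yml, `publish` in publish-packages.yml and `request-reviews` in request-codeowner-review.yml, each of which checks out or downloads through the token — a checkout of a public repository may still succeed, but the dropped read scopes should be restated explicitly rather than relied on implicitly. Separately, the concurrency group keyed on `github.event.workflow_run.id` is unique per run, so `cancel-in-progress: true` never cancels anything; if superseded comparisons for the same PR are meant to be cancelled, key the group on the triggering branch (for example `github.event.workflow_run.head_branch`) instead.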
@@ -29,6 +29,10 @@ defaults: # This ensures that the working directory is the root of the repository working-directory: ./ +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.event_name != 'push' }} + permissions: contents: read actions: read diff --git a/.github/workflows/create-release-post.yml b/.github/workflows/create-release-post.yml index fd3fa877a09cc..a008351424834 100644 --- a/.github/workflows/create-release-post.yml +++ b/.github/workflows/create-release-post.yml @@ -19,13 +19,21 @@ defaults: # This ensures that the working directory is the root of the repository working-directory: ./ -permissions: - contents: write - pull-requests: write +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ inputs.version }} + cancel-in-progress: false jobs: create-post: + name: Create Release Blog Post runs-on: ubuntu-latest + permissions: + # Required to push the release branch + contents: write + # Required to create the pull request + pull-requests: write steps: - uses: nodejs/web-team/actions/setup-environment@9f3c83af227d721768d9dbb63009a47ed4f4282f diff --git a/.github/workflows/lighthouse.yml b/.github/workflows/lighthouse.yml index d8a27b8a0d7ae..1a04923634f4f 100644 --- a/.github/workflows/lighthouse.yml +++ b/.github/workflows/lighthouse.yml 
@@ -23,45 +23,22 @@ defaults: permissions: contents: read actions: read - # This permission is required by `thollander/actions-comment-pull-request` - pull-requests: write + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number }} + cancel-in-progress: true jobs: - get-vercel-preview: + lighthouse-ci: # We want to skip our lighthouse analysis on Dependabot PRs if: | startsWith(github.event.pull_request.head.ref, 'dependabot/') == false && github.event.label.name == 'github_actions:pull-request' - name: Get Vercel Preview - runs-on: ubuntu-latest - outputs: - deployment_found: ${{ steps.set_outputs.outputs.deployment_found }} - url: ${{ steps.set_outputs.outputs.url }} - steps: - - name: Capture Vercel Preview - id: check_deployment - uses: patrickedqvist/wait-for-vercel-preview@d7982701e6fcd3ae073bff929e408e004404d38d # v1.3.3 - with: - token: ${{ secrets.GITHUB_TOKEN }} - max_timeout: 300 # timeout after 5 minutes - check_interval: 10 # check every 10 seconds - continue-on-error: true - - name: Set Outputs - if: always() - id: set_outputs - run: | - if [[ -z "${{ steps.check_deployment.outputs.url }}" ]]; then - echo "deployment_found=false" >> $GITHUB_OUTPUT - else - echo "deployment_found=true" >> $GITHUB_OUTPUT - echo "url=${{ steps.check_deployment.outputs.url }}" >> $GITHUB_OUTPUT - fi - - lighthouse-ci: - needs: get-vercel-preview - if: needs.get-vercel-preview.outputs.deployment_found == 'true' name: Lighthouse Report runs-on: ubuntu-latest + permissions: + # Required by `thollander/actions-comment-pull-request` + pull-requests: write steps: - name: Harden Runner 
@@ -69,11 +46,20 @@ jobs: with: egress-policy: audit + - name: Capture Vercel Preview + id: deployment + uses: patrickedqvist/wait-for-vercel-preview@d7982701e6fcd3ae073bff929e408e004404d38d # v1.3.3 + with: + token: ${{ secrets.GITHUB_TOKEN }} + max_timeout: 300 # timeout after 5 minutes + check_interval: 10 # check every 10 seconds + - name: Git Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: # Provides the Pull Request commit SHA or the GitHub merge group ref ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.ref }} + persist-credentials: false - name: Add Comment to PR # Signal that a lighthouse run is about to start @@ -93,12 +79,12 @@ jobs: configPath: './.lighthouserc.json' # These URLS capture critical pages / site functionality. urls: | - ${{ needs.get-vercel-preview.outputs.url }}/en - ${{ needs.get-vercel-preview.outputs.url }}/en/about - ${{ needs.get-vercel-preview.outputs.url }}/en/about/previous-releases - ${{ needs.get-vercel-preview.outputs.url }}/en/download - ${{ needs.get-vercel-preview.outputs.url }}/en/download/archive/current - ${{ needs.get-vercel-preview.outputs.url }}/en/blog + ${{ steps.deployment.outputs.url }}/en + ${{ steps.deployment.outputs.url }}/en/about + ${{ steps.deployment.outputs.url }}/en/about/previous-releases + ${{ steps.deployment.outputs.url }}/en/download + ${{ steps.deployment.outputs.url }}/en/download/archive/current + ${{ steps.deployment.outputs.url }}/en/blog uploadArtifacts: true # save results as a action artifacts temporaryPublicStorage: true # upload lighthouse report to the temporary storage 
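Review bot: The inlined `Capture Vercel Preview` step drops both the `continue-on-error: true` and the `deployment_found` gate that the removed `get-vercel-preview` job provided, so a PR with no Vercel preview (the action gives up after `max_timeout: 300`) now fails `lighthouse-ci` outright instead of skipping it, and the comment and report steps below never run. If the previous skip behaviour is wanted, keep `continue-on-error: true` on the step and guard the dependent steps with `if: steps.deployment.outputs.url != ''`; if a hard failure is the intent, say so in a comment on the step so the next reader does not reintroduce the gate. The `playwright` job in playwright.yml makes the identical change and has the same question. The step list of `lighthouse-ci` continues past this hunk.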
@@ -111,7 +97,7 @@ jobs: # see https://github.com/actions/github-script#use-env-as-input LIGHTHOUSE_RESULT: ${{ steps.lighthouse_audit.outputs.manifest }} LIGHTHOUSE_LINKS: ${{ steps.lighthouse_audit.outputs.links }} - VERCEL_PREVIEW_URL: ${{ needs.get-vercel-preview.outputs.url }} + VERCEL_PREVIEW_URL: ${{ steps.deployment.outputs.url }} with: # Run as a separate file so we do not have to inline all of our formatting logic. # See https://github.com/actions/github-script#run-a-separate-file for more info. diff --git a/.github/workflows/lint-and-tests.yml b/.github/workflows/lint-and-tests.yml index 7174a00bf82c8..659122038a8fb 100644 --- a/.github/workflows/lint-and-tests.yml +++ b/.github/workflows/lint-and-tests.yml @@ -33,9 +33,9 @@ permissions: contents: read actions: read -env: - # See https://turbo.build/repo/docs/reference/command-line-reference/run#--cache-dir - TURBO_ARGS: --cache-dir=.turbo/cache +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} jobs: lint: @@ -73,7 +73,7 @@ jobs: if: | (github.event_name == 'push' || github.event_name == 'merge_group') || (github.event_name == 'pull_request' && github.event.pull_request.head.ref != 'chore/crowdin') - run: node_modules/.bin/turbo lint lint:types prettier ${{ env.TURBO_ARGS }} + run: node_modules/.bin/turbo lint lint:types prettier --cache-dir=.turbo/cache - name: Save Lint Cache # We only want to save caches on `push` events or `pull_request_target` events @@ -108,7 +108,7 @@ jobs: - name: Run Unit Tests # We want to run Unit Tests in every circumstance, including Crowdin PRs and Dependabot PRs to ensure # that changes to dependencies or translations don't break the Unit Tests - run: node --run test:ci -- ${{ env.TURBO_ARGS }} + run: node --run test:ci -- --cache-dir=.turbo/cache - name: Upload test coverage to Codecov if: ${{ !cancelled() && github.event_name != 'merge_group' }} 
diff --git a/.github/workflows/notify-on-push.yml b/.github/workflows/notify-on-push.yml index bcec8d1cd0751..9ac17633e30bd 100644 --- a/.github/workflows/notify-on-push.yml +++ b/.github/workflows/notify-on-push.yml @@ -7,6 +7,10 @@ name: Notify on Push permissions: contents: read +concurrency: + group: ${{ github.workflow }}-${{ github.sha }} + cancel-in-progress: false + jobs: notify_on_push: name: Notify on any direct push to `main` diff --git a/.github/workflows/playwright.yml b/.github/workflows/playwright.yml index d4fe720108753..c9ef1865e2000 100644 --- a/.github/workflows/playwright.yml +++ b/.github/workflows/playwright.yml @@ -21,35 +21,7 @@ permissions: actions: read jobs: - get-vercel-preview: - name: Get Vercel Preview - runs-on: ubuntu-latest - outputs: - deployment_found: ${{ steps.set_outputs.outputs.deployment_found }} - url: ${{ steps.set_outputs.outputs.url }} - steps: - - name: Capture Vercel Preview - id: check_deployment - uses: patrickedqvist/wait-for-vercel-preview@d7982701e6fcd3ae073bff929e408e004404d38d # v1.3.3 - with: - token: ${{ secrets.GITHUB_TOKEN }} - max_timeout: 300 # timeout after 5 minutes - check_interval: 10 # check every 10 seconds - continue-on-error: true - - name: Set Outputs - if: always() - id: set_outputs - run: | - if [[ -z "${{ steps.check_deployment.outputs.url }}" ]]; then - echo "deployment_found=false" >> $GITHUB_OUTPUT - else - echo "deployment_found=true" >> $GITHUB_OUTPUT - echo "url=${{ steps.check_deployment.outputs.url }}" >> $GITHUB_OUTPUT - fi - playwright: - needs: get-vercel-preview - if: needs.get-vercel-preview.outputs.deployment_found == 'true' name: Playwright Tests runs-on: ubuntu-latest 
@@ -60,6 +32,14 @@ jobs: use-version-file: true fetch-depth: 2 + - name: Capture Vercel Preview + id: deployment + uses: patrickedqvist/wait-for-vercel-preview@d7982701e6fcd3ae073bff929e408e004404d38d # v1.3.3 + with: + token: ${{ secrets.GITHUB_TOKEN }} + max_timeout: 300 # timeout after 5 minutes + check_interval: 10 # check every 10 seconds + - name: Get Playwright version id: playwright-version working-directory: apps/site @@ -80,7 +60,7 @@ jobs: working-directory: apps/site run: node --run playwright env: - PLAYWRIGHT_BASE_URL: ${{ needs.get-vercel-preview.outputs.url }} + PLAYWRIGHT_BASE_URL: ${{ steps.deployment.outputs.url }} - name: Upload Playwright test results if: always() diff --git a/.github/workflows/pnpm-updater.yml b/.github/workflows/pnpm-updater.yml index 3a2497d04afa3..3714e447a6978 100644 --- a/.github/workflows/pnpm-updater.yml +++ b/.github/workflows/pnpm-updater.yml @@ -11,13 +11,21 @@ on: schedule: - cron: '0 0 1 * *' -permissions: - contents: write - pull-requests: write +permissions: {} + +concurrency: + group: ${{ github.workflow }} + cancel-in-progress: false jobs: update-pnpm: + name: Update pnpm runs-on: ubuntu-latest + permissions: + # Required to push changes to the update branch + contents: write + # Required to create the pull request + pull-requests: write steps: - name: Harden Runner @@ -27,6 +35,8 @@ jobs: - name: Git Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup pnpm uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 diff --git a/.github/workflows/publish-packages.yml b/.github/workflows/publish-packages.yml index 3f14c14026281..7a44fe552b7f3 100644 --- a/.github/workflows/publish-packages.yml +++ b/.github/workflows/publish-packages.yml 
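Review bot: `persist-credentials: false` on the `update-pnpm` checkout stops the GITHUB_TOKEN from being written into the repository's git config, while the job-level comment in the previous hunk states `contents: write` is `Required to push changes to the update branch`; any later step that pushes through the checked-out remote with a plain `git push` will now be rejected unless it is handed the token explicitly (the pushing steps are outside this hunk, so this may already be covered by a PR-creating action with its own token input — worth one dry run before merging). A one-line comment on the `with:` block naming where the push credential now comes from would make the intent clear. The `synchronize-with-crowdin` checkout in translations-sync.yml raises the same question, with the added twist that it passes `token: ${{ secrets.CROWDIN_GITHUB_BOT_TOKEN }}` to checkout, which after this change is used only for the fetch and not for any subsequent push.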
@@ -17,14 +17,17 @@ on: permissions: contents: read - # For npm OIDC (https://docs.npmjs.com/trusted-publishers) - id-token: write + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: false env: COMMIT_SHA: ${{ github.sha }} jobs: prepare-packages: + name: Prepare Packages runs-on: ubuntu-latest outputs: # Output the matrix of packages to publish for use in the publish job @@ -63,6 +66,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 2 # Need at least 2 commits to detect changes between commits + persist-credentials: false - name: Generate package matrix id: generate-matrix @@ -95,8 +99,12 @@ jobs: fi publish: + name: Publish needs: prepare-packages runs-on: ubuntu-latest + permissions: + # Required for npm OIDC (https://docs.npmjs.com/trusted-publishers) + id-token: write # Skip if no packages need to be published if: fromJson(needs.prepare-packages.outputs.matrix).package[0] != null # Use the dynamic matrix from prepare-packages job to create parallel jobs for each package diff --git a/.github/workflows/pull-request-label.yml b/.github/workflows/pull-request-label.yml index a4891ebda8078..0dfa4f683f006 100644 --- a/.github/workflows/pull-request-label.yml +++ b/.github/workflows/pull-request-label.yml @@ -18,9 +18,11 @@ defaults: # This ensures that the working directory is the root of the repository working-directory: ./ -permissions: - # This permission is required by `actions-ecosystem/action-remove-label` - pull-requests: write +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number }} + cancel-in-progress: true jobs: # This Job removes the `github_actions:pull-request` label after it got applied 
@@ -29,6 +31,9 @@ jobs: remove_pull_request_label: name: Remove Pull Request Label runs-on: ubuntu-latest + permissions: + # Required by `actions-ecosystem/action-remove-label` to remove labels + pull-requests: write steps: - name: Harden Runner uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 diff --git a/.github/workflows/request-codeowner-review.yml b/.github/workflows/request-codeowner-review.yml index 261a992c1be36..60d59c4e3f195 100644 --- a/.github/workflows/request-codeowner-review.yml +++ b/.github/workflows/request-codeowner-review.yml @@ -6,14 +6,23 @@ on: permissions: contents: read - pull-requests: write + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number }} + cancel-in-progress: true jobs: request-reviews: + name: Request Codeowner Reviews runs-on: ubuntu-latest + permissions: + # Required to request reviews and post comments + pull-requests: write steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Request Codeowner Reviews uses: pkgjs/request-codeowner-review@d39b61c5e1399655dce6287b3b119af93dee235a # v1.1.0 diff --git a/.github/workflows/sync-orama.yml b/.github/workflows/sync-orama.yml index 4e2b22d155dbd..c094f8c25971f 100644 --- a/.github/workflows/sync-orama.yml +++ b/.github/workflows/sync-orama.yml @@ -22,6 +22,10 @@ on: permissions: contents: read +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.event_name != 'push' }} + jobs: sync-orama-cloud: name: Sync Orama Cloud diff --git a/.github/workflows/tmp-cloudflare-open-next-deploy.yml b/.github/workflows/tmp-cloudflare-open-next-deploy.yml index d8ed25a0893b9..31eee9dfc4abc 100644 --- a/.github/workflows/tmp-cloudflare-open-next-deploy.yml +++ b/.github/workflows/tmp-cloudflare-open-next-deploy.yml 
@@ -36,6 +36,8 @@ jobs: - name: Git Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up pnpm uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 diff --git a/.github/workflows/translations-pr-lint.yml b/.github/workflows/translations-pr-lint.yml index 54e7b7cc42368..3b3695b09cf0d 100644 --- a/.github/workflows/translations-pr-lint.yml +++ b/.github/workflows/translations-pr-lint.yml @@ -23,8 +23,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - actions: read +permissions: {} jobs: comment_on_translation_pr: diff --git a/.github/workflows/translations-sync.yml b/.github/workflows/translations-sync.yml index 6ef3302db12f6..ddb569e2b2873 100644 --- a/.github/workflows/translations-sync.yml +++ b/.github/workflows/translations-sync.yml @@ -23,6 +23,7 @@ env: jobs: synchronize-with-crowdin: + name: Synchronize with Crowdin runs-on: ubuntu-latest steps: - name: Harden Runner @@ -34,6 +35,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: token: ${{ secrets.CROWDIN_GITHUB_BOT_TOKEN }} + persist-credentials: false # see all the options at https://github.com/crowdin/github-action - name: Crowdin PR @@ -57,6 +59,7 @@ jobs: CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }} format_crowdin_pull_request: + name: Format Crowdin Pull Request needs: synchronize-with-crowdin runs-on: ubuntu-latest diff --git a/.github/workflows/translations-upload.yml b/.github/workflows/translations-upload.yml index 33c7ec4057d66..bdbe86bdc9432 100644 --- a/.github/workflows/translations-upload.yml +++ b/.github/workflows/translations-upload.yml @@ -12,8 +12,12 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: upload-to-crowdin: + name: Upload to Crowdin runs-on: ubuntu-latest steps: 
@@ -24,6 +28,8 @@ jobs: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false # see all the options at https://github.com/crowdin/github-action - name: crowdin action diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000000000..97a13621d022c --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,32 @@ +name: Zizmor + +on: + push: + branches: + - main + pull_request: + branches: + - main + +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + +jobs: + zizmor: + name: Zizmor Security Analysis + runs-on: ubuntu-latest + permissions: + contents: read + actions: read + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
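Review bot: The job-level permissions in the new zizmor.yml are the only ones in this commit without a per-scope why-comment, which every other workflow touched here now carries; add `# Required to check out the repository` above `contents: read`, a comment on `actions: read` naming what zizmor-action needs it for, and `# Required to upload SARIF results to code scanning` above `security-events: write`. On `pull_request` runs from forks the token is read-only regardless of this block, so if the SARIF upload is hard-required the job needs a fork-aware condition; confirm how zizmor-action behaves in that case before relying on the `pull_request` trigger.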